RDS with IP Virtualization


nern...@gmail.com

Aug 30, 2013, 12:04:38 AM
to nxfil...@googlegroups.com
Hi Jinhee,

I'm trying to set up Nxfilter to work for an AD environment. My users are logged onto RDS (terminal service) servers (Windows 2008 R2). I use nxlogon.exe to pass SSON, which works fine. However, usernames are all mixed up if they are from the same server, on which their client IPs are the same. I researched other posts and realised nxfilter uses the IP address to identify user sessions, so it won't identify usernames properly under RDS.

There is a feature called IP Virtualization for RDS since 2008 R2. I wondered if this can give every user session on the RDS server a unique IP so Nxfilter can identify users properly. Then I set it up. But in my test the Nxfilter log still shows clients are coming from the server's main IP, not the session virtual IPs they are assigned by RDS. Also, it seems to prevent nxlogon from working properly (all requests are blocked with 'Your request has been blocked without a reason.').

Below is what Citrix has described in their documentation for Virtual IP (I'm using XenApp, which leverages RDS on 2008 R2). Link: http://support.citrix.com/proddocs/topic/xenapp6-w2k8-admin/ps-pub-virtual-ip-how.html
  • After an address is assigned to a session, it uses the virtual address rather than the primary IP address for the system whenever the following calls are made:
    Bind, closesocket, connect, WSAConnect, WSAAccept, getpeername, getsockname,
    sendto, WSASendTo, WSASocketW, gethostbyaddr, getnameinfo, getaddrinfo
  • XenApp extends the Windows virtual IP feature by allowing the gethostbyname API to return the virtual IP address. In addition, XenApp adds virtual loopback to all APIs.
I'm not sure what caused nxlogon to not be able to send from virtual IPs. Can you please see whether the method nxlogon uses to retrieve IP info is in the list above? Really want to get it working under RDS. Thanks!

Regards,

Yong Chen

Jinhee

Aug 30, 2013, 1:18:35 AM
to nxfil...@googlegroups.com
I am getting the IP address from the client socket.
So I guess the APIs listed are irrelevant.
What if you use login-page then?
On the browser try 'login.nxfilter.org'.
And then you can go thru the login process with AD credentials.
If the browser gets the correct virtual IP address, you can go on from there.

Jinhee

nern...@gmail.com

Aug 30, 2013, 1:33:06 AM
to nxfil...@googlegroups.com
Thanks for the prompt reply. I just tried with the login page. AD credentials didn't work. Login failed.

Is there any chance to get nxlogon using one of the APIs? Alternatively, maybe NTLM pass-through via browser? Sorry, maybe too much to ask, but I really want to get it working with RDS. Nxfilter is an elegant piece of software and I like it.

Yong

Jinhee

Aug 30, 2013, 1:42:50 AM
to nxfil...@googlegroups.com
So you're saying that you couldn't get thru login-page?
It's a different issue then.
You should be able to get thru it.

Try to make ip-user based on virtual IP address.
Or disable authentication and try to use some website from your RDS.
Then you can view the client IP logged on history.
If they're being logged with correct virtual IP addresses then the next thing would be making login-page work.
Maybe you can create password-user.

Jinhee
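
Added example, not from the thread and not NxFilter's or nxlogon's code: a minimal Python sketch of a server that keys logins on the source IP of the accepted client socket, the behaviour the thread describes, showing why sessions sharing one host IP overwrite each other and why distinct per-session source addresses would not. It assumes Linux, where any 127.0.0.0/8 address can be bound on loopback; the users, addresses and function names are constructed for illustration.

```python
import socket


def observed_logins(sessions):
    """Replay (user, local_ip) logins against a loopback listener.

    Returns the server's view: {source IP seen on the accepted socket: user}.
    """
    table = {}  # IP-keyed session table, as an IP-based filter would keep
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as srv:
        srv.bind(("127.0.0.1", 0))          # ephemeral port, offline only
        srv.listen(1)
        for user, local_ip in sessions:
            with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as cli:
                if local_ip:
                    # Stand-in for a per-session virtual IP: the client
                    # socket is bound to its own address before connecting.
                    cli.bind((local_ip, 0))
                cli.connect(srv.getsockname())
                cli.sendall(user.encode() + b"\n")
            # The server never asks the client for its address; it reads
            # the peer address off the accepted socket.
            conn, (peer_ip, _port) = srv.accept()
            with conn, conn.makefile("r") as reader:
                # The most recent login from an IP replaces the previous one.
                table[peer_ip] = reader.readline().strip()
    return table


# Constructed sample input: two sessions on one host with no virtual IPs.
SHARED = [("alice", None), ("bob", None)]
# Constructed sample input: each session sends from its own source address.
VIRTUAL = [("alice", "127.0.0.2"), ("bob", "127.0.0.3")]

if __name__ == "__main__":
    print("shared IP  :", observed_logins(SHARED))
    print("virtual IPs:", observed_logins(VIRTUAL))
```

Comparing the source IP the server logs with the address the session was assigned is the same check suggested above with authentication disabled.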