
Map users to specific outgoing ports (Ephemeral port)


Thomas Faddegon

Question

Hi Everyone,

 

I'm new to the Citrix forums, so maybe this is a silly question (or I have posted it wrong). Please correct me then :)

 

My use case:

For a customer of ours, we monitor all the outgoing traffic through a port mirror on the firewall port. When an endpoint connects to a suspicious webserver, we get an alert. But sometimes the endpoint is a Citrix Terminal server, so it could be one of the 25 users on that Citrix server. I heard (but I don't know if it is true) that it must be possible to map specific TCP ports to an end-user on a Citrix server. If that is possible, we can see the outgoing TCP port on the server that is responsible for contacting a suspicious webserver, so we can trace the port back to the specific user (and contact the user).

 

My question:

Does somebody know if this is true and how I can map the servers? Or are there other ways (besides using a proxy) to map every user to an IP address, for example?

 

Regards,

Thomas


2 answers to this question


Hi Thomas,

Not entirely sure if that is possible, but what is the network scenario?
Is the user connecting from the office network to an office Citrix worker?
Or is the user connecting from home to a office/remote Citrix worker?
There is a default set of ports used depending on the scenario, maybe you can whitelist those somehow?

If you provide me the scenario I will try and help you find what you need :).

Kind Regards,

Mick Hilhorst

On 6/7/2021 at 10:45 AM, Mick Hilhorst said:

Hi Thomas,

Not entirely sure if that is possible, but what is the network scenario?
Is the user connecting from the office network to an office Citrix worker?
Or is the user connecting from home to a office/remote Citrix worker?
There is a default set of ports used depending on the scenario, maybe you can whitelist those somehow?

If you provide me the scenario I will try and help you find what you need :).

Kind Regards,

Mick Hilhorst

 

Tnx for your feedback :)

 

Here I have a screenshot of the use case. This is an alarm of a multi-session host connecting to a suspicious webserver:

 


 

I had a Citrix course this week and I asked my course leader if he had an answer for this use case. He told me that I have to look at RDS virtual IP (https://docs.citrix.com/en-us/citrix-virtual-apps-desktops/manage-deployment/virtual-ip-virtual-loopback.html). When I can give every user on the RDS/Citrix server his own IP, I can trace the web traffic back to the user.

The only thing I had to do afterwards is create a database of users and their "own" virtual IP for tracing purposes.

 

 

Edited by Thomas Faddegon
typo
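
The user-to-virtual-IP database described in the post above, sketched as an added example (not part of the original thread and not Citrix code). It assumes virtual IPs are leased per session and can be reused by another user later, so the lookup is keyed on source address and alert time rather than on address alone; the session rows, addresses and function names are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address

FMT = "%Y-%m-%d %H:%M:%S"

# Constructed sample data: one row per session (user, virtual IP, start, end).
# end=None means the session is still open. All timestamps are assumed to be
# in the same time zone as the firewall alerts.
SESSIONS = [
    ("alice", "10.20.30.11", "2021-06-10 08:02:00", "2021-06-10 12:15:00"),
    ("bob",   "10.20.30.12", "2021-06-10 08:30:00", None),
    ("carol", "10.20.30.11", "2021-06-10 13:01:00", "2021-06-10 17:40:00"),
]

def build_index(rows):
    """Group sessions by virtual IP so one address can map to many users over time."""
    index = defaultdict(list)
    for user, ip, start, end in rows:
        start_t = datetime.strptime(start, FMT)
        end_t = datetime.strptime(end, FMT) if end else datetime.max
        if end_t < start_t:
            raise ValueError(f"session for {user} ends before it starts")
        index[ip_address(ip)].append((start_t, end_t, user))
    return index

def resolve_user(index, src_ip, alert_time):
    """Return the users whose session held src_ip at alert_time.

    An empty list means no session owned the address at that moment, for
    example traffic from the host's own address or from a gap between leases.
    More than one name means overlapping records that need manual review.
    """
    when = datetime.strptime(alert_time, FMT)
    leases = index.get(ip_address(src_ip), [])
    return sorted({user for start, end, user in leases if start <= when <= end})

if __name__ == "__main__":
    idx = build_index(SESSIONS)
    # Constructed alerts: (source IP seen on the port mirror, alert timestamp).
    alerts = [
        ("10.20.30.11", "2021-06-10 09:00:00"),
        ("10.20.30.11", "2021-06-10 14:00:00"),
        ("10.20.30.11", "2021-06-10 12:30:00"),
        ("10.20.30.10", "2021-06-10 09:00:00"),
    ]
    for ip, ts in alerts:
        print(ip, ts, resolve_user(idx, ip, ts) or "no session held this address")
```
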