Windows multi-user Client


The multi-user Client is designed to be installed on multi-user machines such as terminal servers.

How does it work?

Typically, when users run their desktop or published applications on multi-user machines such as Citrix XenDesktop or Windows Terminal Server, any internal firewall must allow access from the terminal server into the trusted network for all applications and all users. This means that when users with different roles share the same OS (like Windows TS), it is not possible to perform network layer segmentation.

Network diagram illustrating routing table and SNAT configuration for multiple users.

Appgate SDP can still capture the individual user’s network traffic because each user has to sign-in to their own Appgate SDP Client within the Citrix XenApp or Windows Terminal server session.

When the first user signs in, the shared multi-tunnel virtual network adapter starts. The first thing it does is intercept ALL routed traffic for destinations defined in the user's Sites (to be clear, this includes traffic from the system, from all applications and from any other users). It then performs a SNAT operation on the intercepted traffic, substituting in the appropriate user's tunIP address. Because ALL the routed traffic is intercepted, when the multi-tunnel virtual network adapter encounters traffic from a source that does not have a matching tunIP address (i.e., not a signed-in Appgate SDP user) that traffic is dropped. This means the behavior of the multi-user host system (for the OS itself and for users who are not signed in) may change when the first user signs in: ALL traffic destined for a host behind the Appgate SDP system is now intercepted by Appgate SDP and may be dropped.

Here are a couple of examples of what effect this might have:

  • Example 1: The first user signs in to Appgate SDP on the multi-user host (e.g. Citrix server) and receives an Entitlement for the same DNS server IPs that are assigned to the operating system of the multi-user host. Appgate SDP has a higher route priority than the system, so DNS requests are now intercepted by the multi-tunnel virtual network adapter and dropped, except for the traffic originating from the signed-in user. The host operating system will no longer be able to resolve DNS queries.

  • Example 2: If a user signs in to Appgate SDP on the multi-user host (e.g. Citrix server) and receives an Entitlement for the server webserverA1 on 10.10.10.100, then non-Appgate SDP users on the same multi-user system lose the ability to send traffic to webserverA1.

The SNATed traffic is then routed to that specific user's tunnel(s), just as in the single-user case. These tunnels are established when the user signs in to their Appgate SDP Client, one to an available Gateway on each of the allowed Sites.

The user's application traffic is routed through their specific encrypted tunnel into the Gateway, where firewall and application rule sets unique to the user are dynamically applied. This means that even when users with different roles share the same OS (like Windows TS) it is now possible to enforce network layer segmentation. This helps customers that require, for example, PCI DSS certification for certain user roles.

Because the operation of the Appgate SDP system is essentially the same as for the single user case, there are no configuration settings required to support this mode of operation beyond installing the Client with the multi-user option. However the system includes the device claim isMultiUser which will return true/false - this provides the ability to easily alter the configuration if required. This might for instance be used to remove the user's DNS Entitlement as the multi-user Client uses the operating system's DNS setting.
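The DNS conflict in Example 1 can be caught before the first user ever signs in. The PowerShell check below is an added example, not Appgate's code: it reads the DNS servers configured on the host operating system (the settings the multi-user Client itself uses) and reports any that fall inside a list of Entitlement destinations. The destination list is constructed sample data for this example; replace it with the real IPs/CIDRs from the Entitlements granted to users of this host. The CIDR helpers are hypothetical glue written for this example.

```powershell
# Added example (not Appgate code): pre-flight check for the Example 1 DNS
# conflict on a multi-user host. Run in an elevated PowerShell prompt.

# Constructed sample Entitlement destinations; substitute the real ones.
$EntitlementDestinations = @('10.10.10.0/24', '10.0.0.53/32', '192.168.50.100/32')

function ConvertTo-IPv4Int {
    # Big-endian IPv4 bytes -> int64 (avoids signed-Int32 surprises in PowerShell).
    param([string]$Address)
    $b = ([System.Net.IPAddress]::Parse($Address)).GetAddressBytes()
    return (([int64]($b[0])) -shl 24) -bor (([int64]($b[1])) -shl 16) -bor (([int64]($b[2])) -shl 8) -bor ([int64]($b[3]))
}

function Test-IPv4InCidr {
    # $true when $Address lies inside $Cidr ("a.b.c.d/n"; a bare address means /32).
    param([string]$Address, [string]$Cidr)
    $net, $prefix = $Cidr -split '/'
    if (-not $prefix) { $prefix = 32 }
    $prefix = [int]$prefix
    if ($prefix -eq 0) { return $true }
    $all32 = [int64]4294967295
    $mask  = ($all32 -shl (32 - $prefix)) -band $all32
    $ip    = ConvertTo-IPv4Int $Address
    $base  = ConvertTo-IPv4Int $net
    return (($ip -band $mask) -eq ($base -band $mask))
}

# DNS servers as set on the OS of this host: exactly what the multi-user
# Client will keep using, and what the adapter will intercept if entitled.
$hostDns = Get-DnsClientServerAddress -AddressFamily IPv4 |
    Where-Object { $_.ServerAddresses } |
    ForEach-Object { $_.ServerAddresses } |
    Sort-Object -Unique

$conflicts = foreach ($dns in $hostDns) {
    foreach ($dest in $EntitlementDestinations) {
        if (Test-IPv4InCidr -Address $dns -Cidr $dest) {
            [pscustomobject]@{ DnsServer = $dns; CoveredByEntitlement = $dest }
        }
    }
}

if ($conflicts) {
    Write-Warning 'Host DNS server(s) fall inside an Entitlement. Once the first user signs in, OS DNS traffic to them will be intercepted and dropped:'
    $conflicts | Format-Table -AutoSize
} else {
    Write-Host 'No overlap between host DNS servers and Entitlement destinations.'
}
```

If the check reports an overlap, the fix the text above points to is to remove the DNS Entitlement for multi-user hosts, keyed on the isMultiUser device claim, or to move the host's OS DNS servers outside the entitled ranges. Running `Find-NetRoute -RemoteIPAddress <dns-server>` before and after the first user signs in shows the interface that wins the route changing to the multi-tunnel adapter, which is the mechanism behind Example 1.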

Background information

System limitations

  • When using the multi-user Client the IdP DNS settings (including Block Local DNS Requests) are not applied on Client's multi-user host device.

  • DNS resolution by the multi-user Client will always use the DNS settings set by the operating system of the device.  

  • Because we are routing only user traffic, any system traffic such as ICMP (ping) or SMB (file shares) that are captured by the adapter will not have a matching user's tunnel IP address because the traffic is not seen as coming from a specific user. The packet will therefore be dropped by tun driver as it routes traffic based on matching the user's source IP address. This is a limitation of Windows and not something AppGate can do anything about.

  • The use of Route all traffic through tunnel is NOT RECOMMENDED for the multi-user Client. This would effectively prevent the multi-user host operating system from sending traffic to any network destination, with the exception of the Appgate SDP appliances, which are automatically excluded from tunnel traffic. 

  • Appgate SDP requires access to a full desktop. Because our application is interactive (user may be required to enter an OTP at any time) then it will not work correctly if the user only has access to one published application.

The Windows multi-user Client uses the standard Client executables, plus one additional component:

  • Kernel filter driver - tags each user's traffic so it can be matched to that user's tunIP address; it runs as SYSTEM.

Once installed the Client will look and behave exactly like the normal full Client.

Installation and uninstallation

How to install

The filter driver in the Client cannot be installed on systems with Secure Boot enabled. If your system uses Secure Boot, disable it, install (or reinstall) the Client, and then re-enable Secure Boot.

To install the Client in multi-user mode, the installer must be run with the /M switch. It is recommended to also use the /S (silent installation) switch. Refer to Windows Client for a full explanation of all the installation switch options. Run the following command from a command prompt to install the Windows multi-user Client in silent mode:

start "" /WAIT "AppGate-SDP-x.y.z-Installer.exe" /M /S /P="appgate://url.com"

PowerShell requires slightly different syntax (start is the alias for Start-Process; -Wait matches the /WAIT above):

start "Appgate-SDP-x.y.z-Installer.exe" -ArgumentList '/M /S /P="appgate://url.com"' -Wait

NOTE

The profile link included after the /P switch can be obtained from the Client Profiles UI.
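The install steps above as one unattended PowerShell script, added here as an example rather than taken from Appgate's documentation: it refuses to run while Secure Boot is enabled (Confirm-SecureBootUEFI, which needs an elevated prompt and throws on non-UEFI machines), runs the installer with /M /S /P and waits for it, checks the exit code, and then looks for the program entry. The installer path, the profile URL and the display-name pattern used for the final check are placeholders and assumptions, not values from the page.

```powershell
# Added example (not Appgate's installer or documentation code).
# Run from an elevated PowerShell prompt on the multi-user host.

$Installer  = 'C:\Temp\AppGate-SDP-x.y.z-Installer.exe'   # placeholder path
$ProfileUrl = 'appgate://url.com'                          # from the Client Profiles UI

# 1. The filter driver cannot be installed with Secure Boot on. Confirm-SecureBootUEFI
#    throws on legacy BIOS / non-UEFI systems; treat that as "not enabled".
$secureBoot = $false
try   { $secureBoot = [bool](Confirm-SecureBootUEFI -ErrorAction Stop) }
catch { $secureBoot = $false }
if ($secureBoot) {
    throw 'Secure Boot is enabled. Disable it in firmware, run this install, then re-enable it.'
}

# 2. Silent multi-user install (/M multi-user, /S silent, /P profile link); wait for exit.
if (-not (Test-Path -LiteralPath $Installer)) { throw "Installer not found: $Installer" }
$installArgs = @('/M', '/S', "/P=`"$ProfileUrl`"")
$proc = Start-Process -FilePath $Installer -ArgumentList $installArgs -Wait -PassThru
if ($proc.ExitCode -ne 0) {
    throw "Installer exited with code $($proc.ExitCode)"
}

# 3. Confirm an entry appeared in Add or Remove Programs. The 'Appgate*' display-name
#    pattern is an assumption; adjust it to the name your installed version registers.
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)
$entry = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -like 'Appgate*' } |
    Select-Object DisplayName, DisplayVersion

if ($entry) { $entry | Format-Table -AutoSize }
else        { Write-Warning 'Installer returned 0 but no Appgate entry was found in Add or Remove Programs.' }
```

Because the script throws on a non-zero exit code or when Secure Boot is on, it can be dropped into a deployment pipeline for Citrix or Terminal Server images without silently producing a host that has no filter driver.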

How to uninstall

To uninstall the multi-user Client, simply run the uninstaller from the Start menu shortcut or from Windows `Add or Remove Programs`. Note that any configuration of the multi-user Client is not removed on uninstall, only the multi-user Client binaries.