Alex_Sykes
Participant

Identity Awareness and Dell Wyse Terminals

Hi everyone,

I have a situation where we have a number of Dell Wyse Terminals that are not being recognized by an Access Role I have created.  The Access Role is configured for 'Networks' and 'Machines', but the rule it is applied to is not being hit when in the policy.

The Network section is populated by a User LAN and the Machine section is pointing to an AD OU specifically created for Dell Wyse Terminals.

These terminals just have their standard OS and are configured to boot to a web page that has the look and feel of a standard Windows desktop. This is a virtual desktop, and the users then log on to that.

The users do not authenticate when logging onto the Wyse client - only when they hit the VDI page.

The Wyse terminals are on various user networks (shared with other user machines) and are able to reach the DHCP and DNS servers; however, the user network and the VDI network mentioned above are different.

Do you know why, when the Wyse terminal traverses the FW policy, it is not recognized by the IA role? It is permitted if I allow the network the terminal is sitting on; it is just not being seen by IA.

What do machines, of any sort, need to have on them or be part of in order to be recognized by IA? It seems an OU in AD is not enough.

I should add, we have plenty of Access Roles working as expected, configured using Network, Users and Machines.

Also, do you have any suggestions of a way around this?

Many thanks

Alex

3 Replies
PhoneBoy
Admin

Generally in Identity Awareness, we're tracking login actions from IP addresses via the identity source (usually AD).
I assume it's because we see the logins from the VDI IP, not from the IP of the terminal itself.
You said the terminal has a web browser, no?
You could trigger a Captive Portal login and get a direct user/IP association that way.

Alex_Sykes
Participant

Hi PhoneBoy,

Thanks for your response.

Unfortunately, even though it is a web browser the terminal boots into there are also other resources it needs to connect to.  And there are other devices that connect quite happily to the web page for the VDI session so if I did try captive portal other users would be impacted too.  It's not a deal breaker, but something I would prefer to avoid.

I was hoping that the Access Role would pick up the identity of the machine from the OU and then I would be able to apply policy specifically for these terminals.

Thanks again for your input.

Kind regards

Alex

PhoneBoy
Admin

This does seem like an interesting use case.
@Royi_Priov any suggestions here?
