Справочник Пользователя для SonicWALL 5.8.1
User Management
1012
SonicOS 5.8.1 Administrator Guide
Multiple TSA Support
To accommodate large installations with thousands of users, SonicWALL network security
appliances are configurable for operation with multiple terminal services agents (one per
terminal server). The number of agents supported depends on the model, as shown in
appliances are configurable for operation with multiple terminal services agents (one per
terminal server). The number of agents supported depends on the model, as shown in
Table 3
Multiple TSA Support per Model
For all SonicWALL network security appliance models, a maximum of 32 IP addresses is
supported per terminal server.
supported per terminal server.
Encryption of TSA Messages and Use of Session IDs
SonicWALL TSA uses a shared key for encryption of messages between the TSA and the
SonicWALL appliance when the user name and domain are contained in the message. The first
open notification for a user is always encrypted, because the TSA includes the user name and
domain.
SonicWALL appliance when the user name and domain are contained in the message. The first
open notification for a user is always encrypted, because the TSA includes the user name and
domain.
Note
The shared key is created in the TSA, and the key entered in the SonicWALL appliance
during SSO configuration must match the TSA key exactly.
during SSO configuration must match the TSA key exactly.
The messages between the appliance and the TS agent (and the SSO agent too) are DES
encrypted (using triple-DES) and DES uses a numeric key that can be represented by a
hexadecimal string. Each octet of the key requires two hex digits to represent its value, hence
the key needs to be a even number of hex digits.
encrypted (using triple-DES) and DES uses a numeric key that can be represented by a
hexadecimal string. Each octet of the key requires two hex digits to represent its value, hence
the key needs to be a even number of hex digits.
Using a hexadecimal key contributes to the encryption strength. For example, if a pass-phrase
was used instead and converted to a numeric key, the end-result would be no different than
using the numeric-key directly and the pass-phrase would be more guessable than the hex
representation of the key.
was used instead and converted to a numeric key, the end-result would be no different than
using the numeric-key directly and the pass-phrase would be more guessable than the hex
representation of the key.
And also note that the information that we are “protecting” here is actually not very sensitive. It
is simply a mapping between user names and TCP/UDP connections (TSA) or user names and
IP addresses (SSO). No sensitive data like passwords is transferred.
is simply a mapping between user names and TCP/UDP connections (TSA) or user names and
IP addresses (SSO). No sensitive data like passwords is transferred.
The TSA includes a user session ID in all notifications rather than including the user name and
domain every time. This is efficient, secure, and allows the TSA to re-synchronize with Terminal
Services users after the agent restarts.
domain every time. This is efficient, secure, and allows the TSA to re-synchronize with Terminal
Services users after the agent restarts.
SonicWALL Appliance Model
TS Agents Supported
NSA E7500/E8500
256
NSA E6500
128
NSA E5500
64
NSA 5000
32
NSA 4500
16
NSA 3500
16
NSA 2400
8
NSA 240
4
TZ 210 Series
4
TZ 200 Series
Not supported
TZ 100 Series
Not supported