Re: RDP Printing by station

1.) My thought behind static ips was that you could use multiple TS listeners on the same ip. For example, port 3389 would have print redirection enabled, whereas port 3390 would have print redirection disabled. Using IPSec, we could define which ip addresses were permitted to connect to each listener. In that way, we could control which stations were allowed to print, and which were not--without any modifications to your software.

I am not sure this is a possible solution anymore, because you said that there would be printing to not only redirected printers but network printers as well. Redirected printers would not appear [when connecting from a disallowed machine], but the network printers would still be there. You could still disable printing in your application if they were connected via the "printing disabled" listener.

Also, what if there are several machines behind a NAT and some allow printing whereas some do not? In this case all machines would have the same public ip so IPSec would treat them the same.

The other concern I have is if you need printing to be disabled on a particular station for one user, but for another user they should be able to print from the same station. In this case the above ipsec solution would not work.

You can obtain the client name and ip address using WTSQuerySessionInformation. Keep in mind that the ip address is the client's *local* ip address, which may not be the real ip address if they are behind a NAT device.
For example, on a TS server with 100 users connected from various different offices, there may be several of them that have ip address 192.168.1.100.

You need to account for session disconnects/reconnects. In this case, the user could originally connect from an ip that is permitted, disconnect their session, and reconnect from an ip that is not permitted. If your software only checks permissions at startup, it would still think they can print. This is easily solvable as well by changing timeout settings, handling the disconnect/reconnect events, etc.

2.) Virtual channels run within each TS session. The traffic is encrypted along with the other TS traffic. Basically they are a way that you can use for a program on the local PC to send/receive data to/from a program running in the user's session on the server. For example, in your case you may create a VC named Jefchn1. Your client software would use this channel to send the local MAC address to your server software.

Terminal Services Virtual Channels

http://msdn2.microsoft.com/en-gb/library/aa383509.aspx

Scriptable Virtual Channels (easier than above)

http://msdn2.microsoft.com/en-gb/library/aa383253.aspx

-TP

flippergonzo wrote:
Hey TP;

yes, that assumption is correct, my apologies for not being clearer
about that. Some stations can print, others can not. Additionally,
some users can print and others can not. Basically, the most
restrictive of the combo 'wins' and the user can either print or not
print. IP addresses will more often than not be dynamic addresses.

1) It's "possible" that we could force all non-printing computers to
use a static address. That and/or the clientname could be used in
much the same way as I'd thought about for the MAC address. Is it
possible to obtain either the client name or ip address (ip address
would work better, but I'll have to go over the ramifications of
both) from within the session through an API call?

2) I'll have to do some research into the Virtual Channel option. You kind lost me there... I'm guessing here, but are you referring
to something similar to a VPN tunnel where if a TS client session
authenticates to a 3rd party software then this virtual session is
created and you can print through it?

Using option 1 and writing the requirement for a static IP and/or
clientname for printing machines as part of the contract when a client
buys the software sounds easier!

Cheers, Jef
.

Relevant Pages

  • Re: printing from Terminal Server
    ... will the printer remain as an option when printing ... What you could do is to share the printer on client A, ... MCSE, CCEA, Microsoft MVP - Terminal Server ... printing across session in this manner is possible. ...
    (microsoft.public.windows.terminal_services)
  • Re: [PHP] Re: a question on session ID and security
    ... hash key" to the client when it doesn't need it? ... But by doing that you're exposing how your app validates the authentication key, leaving it open to being transferred to another machine. ... tutorial on PHP session security is helpful. ...
    (php.general)
  • RE: ISA 2004 Firewall client
    ... The green arrow only shows up when the client needs to initiate a ... firewall session. ... Part 3: I want to explain How the logs and sessions work: ... Collect the ISA firewall client configuration information ...
    (microsoft.public.windows.server.sbs)
  • Re: Database design
    ... Is each session related to a client? ... Yes, each session is related to a single client, or so I anticipate. ... (fsubSession and fsubProduct) ...
    (microsoft.public.access.tablesdbdesign)
  • Re: PHP & MySQ + unique keys
    ... :>> I'm trying to write a system thats used for about 50 clients that uses ... The problem is that when a client ... :>> when you refresh the page that the unique key is incremented as you ... session is using. ...
    (comp.lang.php)
Loading