
The Windows user remotes into a workstation with RDS/Remote Desktop that is on a different VLAN than what the user belongs to. Connection is dropped

The Windows user remotes into a workstation with RDS/Remote Desktop that is on a different VLAN than what the user belongs to. The user's remote desktop connection is then dropped, and they have to reestablish the RDS/Remote Desktop connection. Please provide some configuration changes and solutions to this scenario.


2 Accepted Solutions

Colby LeMaire
VIP Alumni

What behavior are you wanting it to do? Do you want it to stay in its current VLAN (i.e. 666)? Or do you want it to change based on the user but NOT drop the RDP connection? The challenge with that is anytime you change VLANs, you are also changing subnets. The IP on the PC changes and the RDP connection drops. There is really no way around that.

I personally don't recommend doing any VLAN assignments on Windows machines because of this issue. A normal user logging in and switching VLANs can cause GPOs, login scripts, drive mappings, etc. to all fail because of the change of IP address. Downloadable ACLs are more appropriate. I also really don't recommend doing user authentication unless you absolutely need to differentiate access based on who the user is.


@Colby LeMaire wrote:

What behavior are you wanting it to do? Do you want it to stay in its current VLAN (i.e. 666)? Or do you want it to change based on the user but NOT drop the RDP connection? The challenge with that is anytime you change VLANs, you are also changing subnets. The IP on the PC changes and the RDP connection drops. There is really no way around that.

I personally don't recommend doing any VLAN assignments on Windows machines because of this issue. A normal user logging in and switching VLANs can cause GPOs, login scripts, drive mappings, etc. to all fail because of the change of IP address. Downloadable ACLs are more appropriate. I also really don't recommend doing user authentication unless you absolutely need to differentiate access based on who the user is.


Agree, nothing besides switching to ACLs or starting to use Scalable Group Tags (SGT), which are even more recommended.


4 Replies

Users' workstations are placed into the appropriate VLAN depending on their ISE group membership. The workstation is either in the quarantine VLAN or in a VLAN other than the user's final VLAN. With the initial connection, traffic flows between the RDS/Remote Desktop (RDP) PC and the workstation on the old IP address. The workstation then goes through the ISE authentication process and ends up changing the IP address. When this happens, the already established connection is lost as the workstation's IP address has changed. First, the device will attempt to reestablish the connection automatically and will succeed. The user will see the screen go black and they will see the reestablishing connection prompt and will get back to their device once it reconnects. The second possibility is that the connection will drop, and the device will not be able to reestablish the connection automatically. This will require the RDS/Remote Desktop (RDP) user to reestablish the connection manually as well as enter their credentials again.

Yes, that would be expected behavior as I explained in my earlier response.  Whether the reconnect happens automatically or the user has to connect again manually is likely dependent on how quickly Dynamic DNS is updated to the PC's new IP address.  As long as it happens before the RDP timeout, then the connection can re-establish.
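Added example, not part of the thread: a Python sketch for measuring, from the RDP client's side, how long the workstation's name takes to resolve to a reachable address after the VLAN change, so the gap can be compared with the client's reconnect timeout. The function names, the sample addresses and the 30-second window are assumptions made for illustration.

```python
import socket
import time

def probe(hostname, port=3389, timeout=1.0):
    """Resolve hostname, then try a TCP connect. Returns (ip or None, reachable)."""
    try:
        ip = socket.gethostbyname(hostname)  # uses this machine's resolver and its cache
    except OSError:
        return None, False
    try:
        with socket.create_connection((ip, port), timeout=timeout):
            return ip, True
    except OSError:
        return ip, False

def collect(hostname, duration_s, interval_s=1.0):
    """Poll probe() for duration_s seconds; returns [(t_seconds, ip, reachable), ...]."""
    start, samples = time.monotonic(), []
    while (t := time.monotonic() - start) < duration_s:
        samples.append((round(t, 1), *probe(hostname)))
        time.sleep(interval_s)
    return samples

def summarize(samples, reconnect_window_s):
    """Find the first outage in time-ordered samples and compare it to the window."""
    old_ip = new_ip = t_down = t_up = None
    for t, ip, reachable in samples:
        if t_down is None:
            if reachable:
                old_ip = ip            # last address that answered before the drop
            elif old_ip is not None:
                t_down = t             # first failed probe after a good one
        elif reachable:
            t_up, new_ip = t, ip       # first probe that answers again
            break
    outage = None if t_up is None else t_up - t_down
    return {"dropped": t_down is not None, "old_ip": old_ip, "new_ip": new_ip,
            "ip_changed": new_ip is not None and new_ip != old_ip,
            "outage_s": outage,
            "within_window": outage is not None and outage <= reconnect_window_s}

# Constructed samples: VLAN change at t=10, name resolves to the new address at t=20.
SAMPLE = [(0, "10.10.66.25", True), (5, "10.10.66.25", True),
          (10, "10.10.66.25", False), (15, "10.10.66.25", False),
          (20, "10.20.30.25", True)]

if __name__ == "__main__":
    # 30 s is a placeholder; use the reconnect timeout of your own RDP client.
    print(summarize(SAMPLE, reconnect_window_s=30))
```

For a live measurement, start `collect()` against the workstation's hostname just before the user logs in and pass its result to `summarize()`.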

