Better control over source IPs and possibility for GEO fencing.

Discussion in 'Parallels Remote Application Server Feature Suggestions' started by RunarV, Dec 27, 2024.

  1. RunarV

    RunarV Bit poster

    Messages:
    6
    We are a hosting company that serves desktop- and application as a service to our customers.

    As so many others in our industry, we have lately moved away from the Citrix suite, and settled on Parallels RAS.
    I am very happy with this change, as RAS really makes most of the core business a lot easier to manage.

    However, I am seeing some lack of features regarding having control of where our users log on from.

    In Citrix, Exchange OnPrem or other platforms, we can control where our users are logging on from, and see their WAN IP address.
    Based on this information we can grant or deny access, or require more complex factors for login etc.

    A lot of this is done with Entrust Security Essentials (formerly SMSPASSCODE).

    In Netscaler/Citrix Access Gateway, we use RADIUS with Attribute 31 - Calling.Station.ID to send the end user's routable WAN address to RADIUS, which in its case will determine if login is allowed. (Most customers are allowed to log in only from a few countries in Europe.)

    For Microsoft Exchange OnPrem or other Web based applications, we will insert HTTP "X-Forwarded-For" in the header so that this information can be added to logging, and also be used to determine grant/deny or 2FA requirements.

    In Parallels RAS, we cannot find any way of seeing or controlling the user's source address.
    We can check which RAS Gateway Server is being used, so determining inside/outside is doable.
    But we cannot see if the user is connected from a known source (office), a known country, or from Russia/North Korea or any other country.

    We are utilizing HALB for VRRP LB in front. This device WILL know about the user's source IP address (else it would not be able to route any of the traffic). However, after proxying the traffic inbound, all the useful information regarding the actual source is missing, leaving only the client LAN IP address and other parts of information that are bundled from the client (127.0.0.1 in case of HTML5).

    At the same time, the Generic RADIUS MFA provider in Parallels RAS supports all RADIUS Attributes, but does not have the ability to forward dynamic variable information like the client source address to the RADIUS server.

    Which condenses to my feature request:
    If HALB and/or GW servers could get the actual client IP address from the session table and attach it to the RAS session, this would open up a lot more features to secure the RAS installation.
    1. We would KNOW where the client is connected from.
    In support, we could know that he is in office and we could call the office number to support, or connecting from home or vacation.

    2. Parallels RAS could add some IP_GEO features, setting limitations for Themes or even Published Resources like Applications/desktops.
    A Theme could be limited to a set of countries or even be limited to the customer offices.
    Some applications could be available from the "wide world", while other more critical applications would need to be sourced from their office or a defined country.

    3. This information could be passed to RADIUS in Attributes, so that grant/deny/MFA could be determined by more complex systems with wider overview of the setup. (and would also gather all logs for SIEM from one source)

    I know that VPNs exist, and that most threat actors would source all traffic from other countries. Either way, knowledge of the end user's WAN/routable IP address would be very useful. Parallels RAS could also implement features for Geo-Distance to allow or deny logins when the travel distance between two logins is too large.

    Today, we have been restricted to only allow SAML authentications/Conditional Access to be able to meet the security requirements for Logins/MFA, but this does not always match all customers.

    Solving the lack of WAN IP knowledge would greatly help us.

    Happy holidays and best regards from,
    Runar Verwaal
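
An added example, not part of the original post and not Parallels, Citrix or Entrust code: a sketch of the RADIUS-side decision the post describes, taking the client WAN IP carried in attribute 31 (Calling-Station-Id) and returning accept, MFA or reject from a country allowlist, office ranges and a geo-distance check. The GeoIP table, allowlist, office range, speed threshold and all function names are assumptions constructed for illustration.

```python
import ipaddress
import math

# Constructed stand-in for a GeoIP database: documentation prefixes mapped to
# (country, latitude, longitude). Policy values below are assumptions too.
GEO = {
    "192.0.2.0/24": ("NO", 59.91, 10.75),     # Oslo
    "198.51.100.0/24": ("DE", 52.52, 13.40),  # Berlin
    "203.0.113.0/24": ("US", 40.71, -74.01),  # New York
}
ALLOWED_COUNTRIES = {"NO", "DE"}   # per-customer country allowlist
OFFICE_NETS = ["192.0.2.0/28"]     # known customer office range
MAX_KMH = 900.0                    # faster than this between logins is implausible
# Sources that mean a proxy hid the real client (e.g. 127.0.0.1 from HTML5).
NON_ROUTABLE = ["127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]

def in_any(addr, nets):
    return any(addr in ipaddress.ip_network(n) for n in nets)

def locate(addr):
    for net, geo in GEO.items():
        if addr in ipaddress.ip_network(net):
            return geo
    return None

def km_between(a, b):
    """Great-circle (haversine) distance between two (country, lat, lon) entries."""
    lat1, lon1, lat2, lon2 = map(math.radians, (a[1], a[2], b[1], b[2]))
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * 6371.0 * math.asin(math.sqrt(h))

def decide(calling_station_id, now, last=None):
    """Return 'accept', 'mfa' or 'reject' for the IP carried in attribute 31.
    last is (ip, unix_time) of the user's previous successful login, if any."""
    try:
        addr = ipaddress.ip_address(calling_station_id)
    except ValueError:
        return "reject"                      # missing or malformed: fail closed
    if in_any(addr, NON_ROUTABLE):
        return "reject"                      # real source was lost upstream
    geo = locate(addr)
    if geo is None or geo[0] not in ALLOWED_COUNTRIES:
        return "reject"
    prev = locate(ipaddress.ip_address(last[0])) if last else None
    if prev:
        hours = max((now - last[1]) / 3600.0, 1 / 60)   # floor at one minute
        if km_between(prev, geo) / hours > MAX_KMH:
            return "reject"                  # geo-distance ("impossible travel")
    return "accept" if in_any(addr, OFFICE_NETS) else "mfa"
```

The loopback and RFC 1918 check comes first because a proxied session that reports 127.0.0.1 or a LAN address gives the policy nothing to evaluate, which is the gap the post describes.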
     
  2. Christian Aquilina

    Christian Aquilina Parallels Team

    Messages:
    29
    Thank you for your feedback. We have moved this request to under consideration.
     
  3. divya2

    divya2 Bit poster

    Messages:
    3
