Deploying Antivirus and Web Security into a Virtual Environment such as a Terminal Server

Disclaimer: This article assumes that you have basic understanding of the iSheriff Cloud products.  Please contact iSheriff Technical Support Team should you need a more in-depth walk through.

In order to ensure each user connecting to a Terminal Server (TS), for instance, gets filtered & protected based on his/her unique username, browsing data is available for each unique user for reporting purpose, and the TS is locally protected from Malware threats; please follow the instructional steps below.


  1. Login to the iSheriff Cloud UI.

  2. Go to Filter Management à Web Filter à Setup and add all of the external or public facing IP addresses that are used for your environment under the Source IP section. 


    You will receive a ‘block all’ policy if the iSheriff Cloud receives web traffic from a user behind an unknown or unlisted IP address.

  3. Upload/Add all users under Filter Management à User Management à Users. This can be accomplished in a few different ways.

    1. Add users manually under Filter Management à User Management à Users by clicking on “Add a User” button.

    2. Upload Users using CVS or TXT file. Refer to the Users section in the iSheriff UI for the file format examples.

    3. Integrating into a directory environment such as Microsoft Active Directory (AD). To integrate, one of the following two methods can be used:

      1. Pull Method: Configure a directory connector under Filter Management à User Management à Directory Services. Refer to the product documentation for detailed information or configuration steps. 



        You might have to configure One-to-One Network Address Translation (NAT) in your firewall allowing inbound LDAP connection over ports 389 (ldap) or 636 (ldaps) from the iSheriff Cloud Servers to your internal AD Server.

      2. Push Method: Configure and download “Remote Synchronization Tool” also referred to as CloudRad. Once downloaded, this tool can be used to pull groups and users from the local AD server followed by synchronizing to the cloud UI. The tool can also be scheduled using Windows Task Scheduler to automatically synchronize on a scheduled basis. Unlike Pull Method above, this does not require any special firewall configuration as you are pushing data to iSheriff Cloud Servers over port 80 or 443 from within your network.



        You must enable, type a unique passphrase, and save before downloading the tool.

    4. Add an arbitrary user to be used for the TS Endpoint itself. This arbitrary user will be used to lock policy for the TS so that there is no policy shift depending on when an admin or another account is used to login to the TS. This concept is similar to creating policies based on machine names. Also, assign this user to an arbitrary group. For example: Login Name: server; Group: Servers.

  4. Once users are available under the Users section of the iSheriff UI, make sure they are assigned to appropriate group(s) because groups are the objects that you will be assigning to a policy. 



    If a user is not assigned to a group, you cannot assign the user to a policy.

  5. Create and configure policy(ies) as desired under Filter Management à Web Filter à Policy for all of the users including various policy elements such as Category blocking/allowing, Data Protection, Exceptions, and Antivirus under the Endpoint tab.

  6. Create a policy for the TS and enable “Disable Content Filtering” setting by editing placing a checkbox under the TS policy and navigating to Endpoint à Custom à Content Filtering section.Configure Antivirus policy under the Endpoint à Antivirus tab.

  7. Download Endpoint from within the TS policy and install in the Terminal Server. Once installed, confirm that the web filtering is inactive while real-time antivirus functionality is active. Now, let’s lock endpoint to use the TS policy we created earlier.

    1. Start Notepad or Wordpad and Run as Administrator

    2. Open C:\Program Files (x86)\CloudClient\isf.local

    3. Go to the end of the file and add the following line:


             Where username is the arbitrary user that was added to the Users section above.

    1. Save the file and restart Cloud Client Service using services.msc.

    2. Confirm that the endpoint is locked to arbitrary user policy under Connection Status tab of the local endpoint manager. The endpoint manager can be accessed by clicking on the Endpoint Shield in the system tray followed by clicking the status button.

     8.   Lastly, configure proxy settings for each user by using the PAC file URL that is located with the iSheriff UI under Filter Management
à Web Filter à Setup à
Connection Bypass section. 



You can use group policy to enforce PAC file usage for each of the TS users.


End Result and Final Testing:

  • Terminal Server is locally protected from malware threats.

  • Each user browser is configured with a PAC file URL which will perform transparent user authentication and assign appropriate policy to the user allowing the administrator to setup different policies and run reports on individual users.

  • Test by going to a blocked website. The block page should list correct policy name based on the individual user assignment or user’s name.