Configure User Mapping for Terminal Server Users
Individual terminal server users appear to have the
same IP address, so an IP address-to-username mapping alone
is not sufficient to identify a specific user. To identify specific
users on Windows-based terminal servers, the Palo Alto Networks
Terminal Server agent (TS agent) allocates a port range to each
user. The TS agent then notifies every connected firewall about
the allocated port range, which allows the firewall to create an
IP address-port-user mapping table and enable user- and group-based
security policy enforcement. For non-Windows terminal servers, configure
the PAN-OS XML API to extract user mapping information. The following values
apply for both methods:
- Default port range: 1025 to 65534
- Per-user block size: 200
- Maximum number of multi-user systems: 2,500
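The following added example (not Palo Alto Networks code) models how a per-user port block turns a shared source IP address into an IP address-port-user lookup, using the default port range and block size listed above. The class name, the allocation order, the handling of the leftover ports at the end of the range, and the sample address and usernames are assumptions made for illustration.

```python
PORT_START, PORT_END = 1025, 65534  # default port range stated on this page
BLOCK_SIZE = 200                    # default per-user block size stated on this page


class PortBlockMap:
    """Toy IP address-port-user table for one terminal server (illustrative model)."""

    def __init__(self, server_ip, start=PORT_START, end=PORT_END, block=BLOCK_SIZE):
        self.server_ip, self.start, self.block = server_ip, start, block
        # Assumption: only whole blocks are handed out; a short tail stays unused.
        self.free = [start + i * block for i in range((end - start + 1) // block)]
        self.capacity = len(self.free)
        self.owner = {}  # first port of an allocated block -> username

    def login(self, user):
        """Allocate the lowest free block to `user` and return (first, last) port."""
        if not self.free:
            raise RuntimeError("port range exhausted: no block left for " + user)
        base = self.free.pop(0)
        self.owner[base] = user
        return base, base + self.block - 1

    def logout(self, user):
        """Release every block held by `user` so later traffic no longer maps to them."""
        for base in [b for b, u in self.owner.items() if u == user]:
            del self.owner[base]
            self.free.append(base)
        self.free.sort()

    def lookup(self, src_ip, src_port):
        """Return the user owning (src_ip, src_port), or None if nothing maps."""
        offset = src_port - self.start
        if src_ip != self.server_ip or offset < 0:
            return None
        return self.owner.get(self.start + offset // self.block * self.block)


if __name__ == "__main__":
    ts = PortBlockMap("192.0.2.10")  # constructed sample address
    print("blocks available:", ts.capacity)
    print("alice ->", ts.login("alice"), " bob ->", ts.login("bob"))
    for port in (1100, 1225, 5000):
        print(port, "->", ts.lookup("192.0.2.10", port))
```

In this model the defaults yield 322 whole blocks per server, and a source port outside every allocated block resolves to no user, so a user-based rule would have nothing to match on for that traffic.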
The following sections describe how to configure user mapping
for terminal server users: