End-of-Life (EoL)

Device > User Identification > Terminal Services Agents

On a system that supports multiple users who share the same IP address, a Terminal Services (TS) agent identifies individual users by allocating port ranges to each one. The TS agent informs every connected firewall of the allocated port range so that the firewalls can enforce policy based on users and user groups.
When you configure a TS agent connection, the Best Practice is to set the
and any
Alternative IP addresses
to a static IP address that never changes or an FQDN that resolves to a static IP address.
All firewall models can collect username-to-port mapping information from up to 5,000 multi-user systems. The number of TS agents from which a firewall can collect the mapping information varies by firewall model:
  • VM-50, VM-100, VM-300, PA-200, PA-220, PA-500, PA-800 Series, PA-3020, and PA-3050 firewalls: maximum 400 TS agents
  • VM-500, VM-700, PA-5020, PA-5050, PA-5060, PA-5200 Series, and PA-7000 Series firewalls: maximum 1,000 TS agents
    You must install and configure the TS agents before configuring access to them. The complete procedure to configure user mapping for terminal server users requires additional tasks besides configuring connections to TS agents.
You can perform the following tasks to manage access to TS agents.
Display information / Refresh Connected
In the
Terminal Services Agents
page, the Connected column displays the status of the connections from the firewall to the TS agents. A green icon indicates a successful connection, a yellow icon indicates a disabled connection, and a red icon indicates a failed connection. If you think the connection status might have changed since you first opened the page, click
Refresh Connected
to update the status display.
To configure access to a TS agent,
an agent and configure the following fields:
  • Name
    —Enter a name to identify the TS agent (up to 31 characters). The name is case-sensitive and must be unique. Use only letters, numbers, spaces, hyphens, and underscores.
  • Host
    —Enter the IP address of the terminal server where the TS agent is installed.
    This must be a static IP address; DHCP is not supported.
  • Port
    —Enter the port number (default is 5009) that the TS agent service uses to communicate with the firewall.
  • Alternative IP Addresses
    —If the terminal server where the TS agent is installed has multiple IP addresses that can appear as the source IP address for the outgoing traffic,
    and enter up to eight additional IP addresses.
    This must be a static IP address; DHCP is not supported.
  • Enabled
    —Select this option to enable the firewall to communicate with this TS agent.
To remove the configuration that enables access to a TS agent, select the agent and click
To disable access to a TS agent without deleting its configuration, edit the agent and clear the

Recommended For You