Configure User Mapping for Terminal Server Users

Individual terminal server users appear to have the same IP address and therefore an IP address-to-username mapping is not sufficient to identify a specific user. To enable identification of specific users on Windows-based terminal servers, the Palo Alto Networks Terminal Services agent (TS agent) allocates a port range to each user. It then notifies every connected firewall about the allocated port range, which allows the firewall to create an IP address-port-user mapping table and enable user- and group-based security policy enforcement. The following values apply for both methods:
  • Default port range: 1025 to 65534
  • Per user block size: 200
  • Maximum number of multi-user systems: 1,000
For information about the terminal servers supported by the TS agent and the number of TS agents supported on each firewall model, refer to the Palo Alto Networks Compatibility Matrix.
The following sections describe how to configure user mapping for terminal server users:

Recommended For You