Configure the Palo Alto Networks Terminal Services Agent for User Mapping

Use the following procedure to install and configure the TS agent on the terminal server. To map all your users, you must install the TS agent on all terminal servers that your users log in to.
  • If you are using version 7.0 or later of the TS agent, disable any Sophos anti-virus software on the TS agent host. Otherwise, the source ports allocated by the TS agent will be overwritten.
  • If you are installing the TS agent version 8.0 or later on a Windows Server 2008 R2, download and install the security advisory patchon the server before installing the TS agent. Otherwise, the TS agent service fails to launch and writes the following error to the logs: servicefails with error 577.
For information about the supported terminal servers supported by the TS agent and the number of TS agents supported on each firewall model, refer to the Palo Alto Networks Compatibility Matrix.
  1. Download the TS agent installer.
    1. Log in to the Palo Alto Networks Customer Support Portal.
    2. Select UpdatesSoftware Updates.
    3. Set Filter By to Terminal Services Agent and select the version of the agent you want to install from the corresponding Download column. For example, to download the 9.0 version of the agent, select TaInstall-9.0.msi.
    4. Save the TaInstall.x64-x.x.x-xx.msi or TaInstall-x.x.x-xx.msi file (be sure to select the appropriate version based on whether the Windows system is running a 32-bit OS or a 64-bit OS) on the systems where you plan to install the agent.
  2. Run the installer as an administrator.
    1. Open the Windows Start menu, right-click the Command Prompt program, and select Run as administrator.
    2. From the command line, run the .msi file you downloaded. For example, if you saved the .msi file to the Desktop you would enter the following:
      C:\Users\administrator.acme>cd DesktopC:\Users\administrator.acme\Desktop>TaInstall-9.0.0-1.msi
    3. Follow the setup prompts to install the agent using the default settings. By default, the agent gets installed to the C:\ProgramFiles (x86)\Palo Alto Networks\Terminal Server Agent folder, but you can Browse to a different location.
    4. When the installation completes, Close the setup window.
      If you are upgrading to a TS Agent version that has a newer driver than the existing installation, the installation wizard prompts you to reboot the system after upgrading in order to use the new driver.
  3. Define the range of ports for the TS Agent to allocate to end users.
    The System Source Port Allocation Range and System Reserved Source Ports fields specify the range of ports that will be allocated to non-user sessions. Make sure the values specified in these fields do not overlap with the ports you designate for user traffic. These values can only be changed by editing the corresponding Windows registry settings. The TS agent does not allocate ports for network traffic emitted by session 0.
    1. Open the Windows Start menu and select Terminal Server Agent to launch the Terminal Services agent application.
    2. Select Configure in the side menu.
    3. Enter the Source Port Allocation Range (default 20000-39999). This is the full range of port numbers that the TS agent will allocate for user mapping. The port range you specify cannot overlap with the System Source Port Allocation Range.
    4. (Optional) If there are ports/port ranges within the source port allocation that you do not want the TS Agent to allocate to user sessions, specify them as Reserved Source Ports. To include multiple ranges, use commas with no spaces, for example: 2000-3000,3500,4000-5000.
    5. Specify the number of ports to allocate to each individual user upon login to the terminal server in the Port Allocation Start Size Per User field (default 200).
    6. Specify the Port Allocation Maximum Size Per User, which is the maximum number of ports the Terminal Services agent can allocate to an individual user.
    7. Specify whether to continue processing traffic from the user if the user runs out of allocated ports. By default, the Fail port binding when available ports are used up is selected, which indicates that the application will fail to send traffic when all ports are used. To enable users to continue using applications when they run out of ports, clear this check box. Keep in mind that this traffic may not be identified with User-ID.
  4. (Optional) Assign your own certificates for mutual authentication between the TS agent and the firewall.
    1. Obtain your certificate for the TS agent from your enterprise PKI or generate one on your firewall. The private key of the server certificate must be encrypted. The certificate must be uploaded in PEM file format.
      • Generate a Certificate and export it for upload to the TS agent.
      • Export a certificate from your enterprise certificate authority (CA) and the upload it to the TS agent.
    2. Add a server certificate to TS agent.
      1. On the TS agent, select Server Certificate and click Add.
      2. Enter the path and name of the certificate file received from the CA or browse to the certificate file.
      3. Enter the private key password.
      4. Click OK and then Commit.
    3. Configure and assign the certificate profile for the firewall.
      1. Select DeviceCertificate ManagementCertificate Profile to Configure a Certificate Profile.
        You can only assign one certificate profile for Windows User-ID agents and TS agents. Therefore, your certificate profile must include all certificate authorities that issued certificates uploaded to connected Windows User-ID and TS agents.
      2. Select DeviceUser IdentificationConnection Security and click the edit button to assign the certificate profile.
      3. Select the certificate profile you configured in the previous step from the User-ID Certificate Profile drop-down.
      4. Click OK.
      5. Commit your changes.
  5. Configure the firewall to connect to the Terminal Services agent.
    Complete the following steps on each firewall you want to connect to the Terminal Services agent to receive user mappings:
    1. Select DeviceUser IdentificationTerminal Server Agents and click Add.
    2. Enter a Name for the Terminal Services agent.
    3. Enter the hostname or IP address of the Windows Host on which the Terminal Services agent is installed.
      The hostname or IP address must resolve to a static IP address. If you change the existing hostname, the TS agent resets when you commit the changes to resolve the new hostname. If the hostname resolves to multiple IP addresses, the TS agent uses the first one in the list.
    4. (Optional) Enter the hostname or IP address for any Alternative IP Addresses that can appear as the source IP address for the outgoing traffic.
      The hostname or IP address must resolve to a static IP address. You can enter up to 8 IP addresses or hostnames.
    5. Enter the Port number on which the agent will listen for user mapping requests. This value must match the value configured on the Terminal Services agent. By default, the port is set to 5009 on the firewall and on the agent. If you change it here, you must also change the Listening Port field on the Terminal Services agent Configure screen.
    6. Make sure that the configuration is Enabled and then click OK.
    7. Commit the changes.
    8. Verify that the Connected status displays as connected (a green light).
  6. Verify that the Terminal Services agent is successfully mapping IP addresses to usernames and that the firewalls can connect to the agent.
    1. Open the Windows Start menu and select Terminal Server Agent.
    2. Verify that the firewalls can connect by making sure the Connection Status of each firewall in the Connection List is Connected.
    3. Verify that the Terminal Services agent is successfully mapping port ranges to usernames by selecting Monitor in the side menu and making sure that the mapping table is populated.
  7. (Windows 2012 R2 servers only) Disable Enhanced Protected Mode in Microsoft Internet Explorer for each user who uses that browser.
    This task is not necessary for other browsers such as Google Chrome or Mozilla Firefox.
    To disable Enhanced Protected Mode for all users, use Local Security Policy.
    Perform these steps on the Windows Server:
    1. Start Internet Explorer.
    2. Select Internet optionsAdvanced and scroll down to the Security section.
    3. Clear Enable Enhanced Protected Mode.
    4. Click OK.
      In Internet Explorer, Palo Alto Networks recommends that you do not disable Protected Mode, which differs from Enhanced Protected Mode.

Related Documentation