Even though the Terminal Server Agent connects to the Palo Alto Networks firewall successfully, web-browsing traffic generated by Internet Explorer on an RDS (Remote Desktop Services) server, accessed via a Remote Desktop connection, is not identified per user.
The web-browsing traffic uses source ports that fall within the "System Source Port Allocation Range" of the Terminal Server Agent, which should not be used for this traffic.
The issue is only seen when "Enable Enhanced Protected Mode" is checked in the Internet options of Internet Explorer for each user who uses that browser.
Resolution
This is a limitation of Windows behavior. Enhanced Protected Mode must be disabled. Perform these steps on the Windows Server for each user to disable it. (To disable it for all users, use Local Security Policy.)
Start Internet Explorer.
Select Internet options > Advanced and scroll down to the Security section.
Clear Enable Enhanced Protected Mode.
Click OK.
Note: In Internet Explorer, Palo Alto Networks recommends that you do not disable Protected Mode, which differs from Enhanced Protected Mode.
This task is not necessary for other browsers such as Google Chrome or Mozilla Firefox.
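To confirm the symptom described above before and after the change, the following added example (not from Palo Alto Networks) scans traffic log rows for web-browsing sessions from a terminal server that have no mapped user and a source port inside the system range. The CSV layout, the server address and the port range values are assumptions; copy the real range from your Terminal Server Agent configuration.

```python
import csv
import io

# Assumed values: replace with the range shown in your Terminal Server Agent
# configuration and the addresses of your own RDS servers.
SYSTEM_PORT_RANGE = (1025, 4999)   # "System Source Port Allocation Range" (assumed)
TERMINAL_SERVERS = {"10.0.0.50"}   # constructed RDS server address

# Constructed sample rows; the column layout is hypothetical, not a real
# firewall export format.
SAMPLE_LOG = """src_ip,src_port,src_user,app
10.0.0.50,20480,corp\\alice,web-browsing
10.0.0.50,1536,,web-browsing
10.0.0.50,1100,,dns
10.0.0.77,2048,,web-browsing
10.0.0.50,4999,,web-browsing
10.0.0.50,5000,,web-browsing
10.0.0.50,21000,corp\\bob,web-browsing
"""


def in_range(port, bounds):
    """True when port lies inside the inclusive (low, high) bounds."""
    return bounds[0] <= port <= bounds[1]


def find_unmapped_browser_sessions(log_text):
    """Return (src_ip, src_port, app) for rows matching the symptom:
    terminal server source, web-browsing, no user, system-range port."""
    hits = []
    for row in csv.DictReader(io.StringIO(log_text)):
        port = int(row["src_port"])
        if (row["src_ip"] in TERMINAL_SERVERS
                and row["app"] == "web-browsing"
                and not row["src_user"].strip()
                and in_range(port, SYSTEM_PORT_RANGE)):
            hits.append((row["src_ip"], port, row["app"]))
    return hits


if __name__ == "__main__":
    for src_ip, port, app in find_unmapped_browser_sessions(SAMPLE_LOG):
        print(f"{src_ip}:{port} {app} has no user mapping (system port range)")
```

After Enhanced Protected Mode is cleared for the affected users, new Internet Explorer sessions should stop appearing in this list.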