https://live.paloaltonetworks.com/t5/general-topics/unable-to-open-smb-share-tsa-user-mapping-issue/m-p/139308#M48089 <P>Is there any progress in this point? Maybe in a newer version of TSA? Am I the only one who thinks that his is a big problem? Is a workaround available for this problem?</P><P>&nbsp;</P><P>Cheers,</P><P>&nbsp;</P><P>Christian</P> Wed, 25 Jan 2017 13:34:21 GMT Zencon 2017-01-25T13:34:21Z https://live.paloaltonetworks.com/t5/general-topics/unable-to-open-smb-share-tsa-user-mapping-issue/m-p/89487#M43538 <P>Hi Guys,</P> <P>&nbsp;</P> <P>Within a Poc with a PAN Firewall we ran into the following issue:</P> <P>&nbsp;</P> <P>A terminal server (with TSA) in network a ist connected to a PAN Firewall. Fileserver in network b is also connected to the PAN Firewall.</P> <P>&nbsp;</P> <P>Everything is configured properly and first testing are successfully done. (icmp, http). I were able to reach the Fileserver from the terminal server (both Windows Server 2012 R2). I could see in the logs the zones and the MS AD Users. Everything worked fine. But when I tried to open a smb share on the Fileserver it didn't work. (Windows Explorer: \\ip-address\c$) In the logs of the PAN I could see, that the traffic arrived on the Firewall, but no user was displayed. It seems that the TSA on the terminal server isn't mapping the user to ip (and port number). but only with this protocol.</P> <P>&nbsp;</P> <P>does anybody know anything about this issue and how to fix it?</P> <P>&nbsp;</P> <P>Thanks in advance!</P> <P>&nbsp;</P> <P>best regards,</P> <P>&nbsp;</P> <P>Christian</P> Mon, 20 Jun 2016 09:53:48 GMT https://live.paloaltonetworks.com/t5/general-topics/unable-to-open-smb-share-tsa-user-mapping-issue/m-p/89487#M43538 Zencon 2016-06-20T09:53:48Z https://live.paloaltonetworks.com/t5/general-topics/unable-to-open-smb-share-tsa-user-mapping-issue/m-p/90237#M43557 <P>Hi Christian</P> <P>&nbsp;</P> <P>Mapped drives/fileshares run in a system context on windows server whereas http etc run in a user context. The operating system will only allow TSAgent to change source ports for services that run in a user context</P> <P>&nbsp;</P> <P><A href="https://live.paloaltonetworks.com/t5/Management-Articles/TS-Agent-Unable-to-Map-Users-to-SMB-Traffic/ta-p/53106" target="_blank"> TS Agent Unable to Map Users to SMB Traffic</A></P> Tue, 21 Jun 2016 07:10:18 GMT https://live.paloaltonetworks.com/t5/general-topics/unable-to-open-smb-share-tsa-user-mapping-issue/m-p/90237#M43557 reaper 2016-06-21T07:10:18Z https://live.paloaltonetworks.com/t5/general-topics/unable-to-open-smb-share-tsa-user-mapping-issue/m-p/90273#M43560 <P>Hi,</P><P>&nbsp;</P><P>thanks for your answer.</P><P>&nbsp;</P><P>just for clarification: There is no way to make TSA map those source ports as the service doesn't run in user context? So it's a problem for Microsoft to solve? It's hard to believe that this issue wasn't noticed before. SMB is a standard and I think many companies are using fileshares...</P><P>&nbsp;</P><P>It's a pitty, but in this case the PAN Firewall would be completely useless for the customer, because removing the user filter from the policy will not be an option!</P><P>&nbsp;</P><P>&nbsp;</P> Tue, 21 Jun 2016 08:16:00 GMT https://live.paloaltonetworks.com/t5/general-topics/unable-to-open-smb-share-tsa-user-mapping-issue/m-p/90273#M43560 Zencon 2016-06-21T08:16:00Z https://live.paloaltonetworks.com/t5/general-topics/unable-to-open-smb-share-tsa-user-mapping-issue/m-p/90424#M43572 <P>It's the way the operating system is designed and where it allows external services to plug into the stack</P> <P>&nbsp;</P> <P>It's documented here: <A href="https://live.paloaltonetworks.com/t5/Management-Articles/TS-Agent-Unable-to-Map-Users-to-SMB-Traffic/ta-p/53106" target="_blank">TS Agent Unable to Map Users to SMB Traffic</A></P> Tue, 21 Jun 2016 13:19:37 GMT https://live.paloaltonetworks.com/t5/general-topics/unable-to-open-smb-share-tsa-user-mapping-issue/m-p/90424#M43572 reaper 2016-06-21T13:19:37Z https://live.paloaltonetworks.com/t5/general-topics/unable-to-open-smb-share-tsa-user-mapping-issue/m-p/139308#M48089 <P>Is there any progress in this point? Maybe in a newer version of TSA? Am I the only one who thinks that his is a big problem? Is a workaround available for this problem?</P><P>&nbsp;</P><P>Cheers,</P><P>&nbsp;</P><P>Christian</P> Wed, 25 Jan 2017 13:34:21 GMT https://live.paloaltonetworks.com/t5/general-topics/unable-to-open-smb-share-tsa-user-mapping-issue/m-p/139308#M48089 Zencon 2017-01-25T13:34:21Z