With the TS-agent installed, outbound web traffic on port 80 from the Terminal Server is not using the allocated source ports for that user. All other traffic appears to use the correct allocated range of source ports but whenever the destination port is 80, the source port is far below the allocated range it should use. This causes the source user to be unknown, and miss the security policy rule where source user is defined.
Cause
If there are any Sophos, Trend Micro or similar products installed on the Terminal Server, the proxy feature may be causing the problem.
Resolution
To resolve the issue, disable the Sophos, Trend Micro or similar products proxy feature, or even all services.
Alternatively, configure the proxy so it does not change the source port when connection coming from Terminal Server.