07-12-2023 06:37 AM
Hello everyone,
We're having an issue with our terminal server agent software on multiple terminal servers running Windows Server 2019.
The problem lies in recognizing users who are logged on to these servers. The TS Agent sees the users on the Terminal Server Agent Monitor tab, but they do not appear in the traffic log in the Firewall Source User column.
Although in the past this scenario always worked for all applications that the logged-in user was using on the server (Microsoft 365, Adobe Acrobat) now users only appear in the traffic log when using the web browser on the server.
We have not changed our firewall configuration or the configuration of the terminal user agents on the terminal servers.
The only thing that has changed is the LACP connection to the trust zone between the firewall and a switch.
User detection via the User-ID agent on our domain controller is still working properly. All users on all clients are recognized and show up in the traffic log. The exception entries for the terminal server in the User-ID Agent are still there.
Anyone know where the problem could be?
Why did this always work before and now only via the web browser?
PA 450
PAN OS 10.2.4
08-23-2023 02:26 AM
has the server been upgraded (which could cause a change in behavior), and has the TS-agent been upgraded to the latest version?
09-06-2023 02:09 AM
The server has not been upgraded since the issue. The TS-Agent is already running the newest version (11.0.102).
However after some more tests, we can narrow down the problem further. It seems as if logging into Office products is the only situation in which users are not recognized by the firewall. While the registration/licensing window opens, the Ts agent does not seem to be able to assign a user to the packages. After signing in, the user is recognized again while navigating through templates or add-ins in the Office software.
12-05-2023 06:55 AM
We deployed some 2019 TS servers and are getting the same issue here. Were you able to find a fix yet?
Our 2016 TS servers work fine though. We even upgraded the PAN OS to 10.2.6. Same results.
12-06-2023 12:03 AM
Unfortunately we don't. We contacted Palo Alto technical support through our distribution partner. We tested the solution suggestions from the Palo Alto knowledge base:
Also without success. The technical support said they need to investigate the problem further. Our AV software was also considered as a potential cause, as it rewrites the source ports. We've used the same AV software before (also on Server 2019 systems) and it ran without any problems. We were asked by PA Support to enter some commands in the CLI and send the returned information to them. We have not yet received an answer to this.
07-19-2024 12:07 AM
Sorry to hear that. Unfortunately, Palo Alto support couldn't help us. They suggested we continue working with the exception policy we built for our terminal servers that are trying to connect to O365. We still do that to this day.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
