Terminal Server doesn't work with Microsoft applications


Hi guys,

We faced an issue where users' traffic related to Office applications from a system on which Terminal Server is installed gets dropped by the firewall due to the unknown source user. We are using Terminal Server Agent as the means of user identification. Web browsing and traffic related to other applications pass through the firewall with no issue and, of course, the source user is known for that traffic. At first, the source ports being used by those Office applications were out of the range of allocated ports on the TS, so we extended the range to the maximum value, to no avail. Does anyone have an idea?

Thank you in advance.


Cyber Elite

@Hamid.Saffarzadeh,

Have you verified that the ports in question aren't listed in the reserved port range, and that the user port allocation max limit isn't getting hit? It kind of sounds like the source port being utilized is in your system reserved port range allocation, or it's not being allocated to that user due to the ports being used up and you've modified the 'Fail port binding when available ports are used up' option so it is not set to the default, which would explain why the port isn't being identified.

Hi BPry,

Thanks for your reply. Ports are not reserved, and after I extended the allocated port range the source ports of the applications fall within the allocated range; however, the result is the same. Moreover, the user didn't hit the maximum allocated port limit.

I am not sure this is the issue but if the user allocation port range is from 20000 to 20199, those applications are using source ports like 44xxx. Is there any way we can force applications to use only the ports allocated to the users and not whatever port they want?

Thank you in advance.
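The symptom described above comes down to a mapping check: the TS Agent hands each user a block of source ports, and the firewall can only attach a user to a flow whose source port falls inside some user's block. The script below is an added illustration for this thread, not Palo Alto Networks code or anything from the TS Agent itself; it parses constructed lines in the shape of `netstat -ano` output and flags every established connection whose source port lies outside the (constructed) per-user allocations, which is exactly the set of flows the firewall would log with an unknown source user. Both the allocation table and the sample connections are made-up values for the demonstration.

```python
"""Flag connections on a Terminal Server host whose source port is outside
any user's TS Agent port allocation.

Added example for this thread; it is not Palo Alto Networks code. The
allocation table and the netstat-style lines are constructed samples. On a
real host the allocations come from the TS Agent console and the connection
list from `netstat -ano`.
"""
import re
from typing import Dict, List, Optional, Tuple

# Constructed allocation table: user -> (first_port, last_port), inclusive.
# Mirrors the 20000-20199 style block mentioned in the thread.
ALLOCATIONS: Dict[str, Tuple[int, int]] = {
    "CORP\\alice": (20000, 20199),
    "CORP\\bob": (20200, 20399),
}

# Constructed lines shaped like Windows `netstat -ano` output:
# Proto, Local Address, Foreign Address, State, PID.
SAMPLE_NETSTAT = """\
  TCP    10.1.1.5:20015        93.184.216.34:443      ESTABLISHED     4120
  TCP    10.1.1.5:20233        93.184.216.34:443      ESTABLISHED     5012
  TCP    10.1.1.5:44120        52.96.0.10:443         ESTABLISHED     6230
  TCP    10.1.1.5:44121        52.96.0.11:443         ESTABLISHED     6230
  TCP    0.0.0.0:3389          0.0.0.0:0              LISTENING       1234
"""

LINE_RE = re.compile(
    r"^\s*TCP\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\S+)\s+(\d+)\s*$"
)


def user_for_port(port: int, allocations: Dict[str, Tuple[int, int]]) -> Optional[str]:
    """Return the user whose allocated block contains `port`, or None.

    None is the case the firewall reports as an unknown source user.
    """
    for user, (low, high) in allocations.items():
        if low <= port <= high:
            return user
    return None


def classify(netstat_text: str, allocations: Dict[str, Tuple[int, int]]) -> List[dict]:
    """Parse netstat-style lines and tag each established connection with
    the user its source port maps to (or None)."""
    results: List[dict] = []
    for line in netstat_text.splitlines():
        match = LINE_RE.match(line)
        if not match:
            continue  # header or non-TCP line
        _local_ip, local_port, remote_ip, remote_port, state, pid = match.groups()
        if state != "ESTABLISHED":
            continue  # listeners have no per-user source port
        src_port = int(local_port)
        results.append({
            "src_port": src_port,
            "dst": f"{remote_ip}:{remote_port}",
            "pid": int(pid),
            "user": user_for_port(src_port, allocations),
        })
    return results


def unmapped(results: List[dict]) -> List[dict]:
    """Connections the firewall cannot attribute to a user."""
    return [r for r in results if r["user"] is None]


if __name__ == "__main__":
    conns = classify(SAMPLE_NETSTAT, ALLOCATIONS)
    for c in conns:
        print(f"port {c['src_port']:>5} pid {c['pid']:>5} -> {c['dst']:<22} "
              f"user={c['user'] or 'UNKNOWN'}")
    # Group the unattributed flows by PID so the offending process stands out.
    by_pid: Dict[int, List[int]] = {}
    for c in unmapped(conns):
        by_pid.setdefault(c["pid"], []).append(c["src_port"])
    for pid, ports in by_pid.items():
        print(f"PID {pid} uses ports outside every allocation: {ports}")
```

Run on a real host by piping `netstat -ano` into `classify` and filling `ALLOCATIONS` from the TS Agent's current assignments; a PID that only ever shows up in the unmapped set is the process whose sockets are bound outside the agent's range.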

L0 Member

This is a known bug on Windows 2019 and later.  We raised this issue in December 2020 with PAN support, they know what this issue is and for over 3 years they are unwilling to fix it, they say no one else is having the problem and they lack the resources to remediate.

We have escalated through multiple account teams and multiple mid-level engineering managers and our PAN partner, but they keep saying this is a feature request. We even emailed Nir Zuk after two years of waiting and he just punted it back to the account team, which of course did nothing, since they already had their money from the 5220 and 3K deals. Classifying as a "feature request" seems like an easy way to placate and procrastinate. Clearly the compatibility guide shows TSAgent is supported on many Windows OS, and we have tested them all. https://docs.paloaltonetworks.com/compatibility-matrix/terminal-services-ts-agent/terminal-services-...

It's a bug. TSAgent worked fine on Win2008, Win2012 and Win2016, but as you state, something changed with Win2019 and above, and Microsoft apps can't reach the internet as they are not identified correctly by TSAgent, and TSAgent doesn't create the User/Port relationship that Palo UserID needs to match the policy. So, with several hundred Citrix servers in a multiuser environment, we are stuck running Win2016 as we need UserID for access control and reporting purposes. We have asked PAN for an engineering summary of the bug and for a known list of URLs and services that are affected in hopes of creating a workaround, but they won't share that either.
