03-13-2018 02:56 AM
03-15-2018 03:31 AM
hi @Radmin_85
so if I understand correctly, the TSAgent is showing you all the users correctly?
I saw this once before where a <Well known AV vendor> webfiltering client was also installed on the terminal server.
It intercepted all connections and proxied them locally, which caused the port mapping provided by the TSAgent to stop working (TSAgent also intercepts connections and changes the source port so the firewall knows which connections belong to a certain user)
If something similar is installed on your terminal server, you may need to deactivate the URL filtering, or disable the proxying
03-17-2018 03:00 AM
Issue:
File shares set up by users on the terminal server are not identified by the TS Agent and are not mapped to a user in the traffic log.
Resolution:
If the traffic is initiated by an application running with the context of a user (e.g. telnet), the socket information can be intercepted by the TS Agent which will replace the source port. However, if the traffic is generated by a service running with System context, the agent is not able to determine the user information. The TS-Agent will not identify SMB traffic as this is run in a system context.
The System Source Port Allocation Range and System Reserved Source Ports fields specify the range of ports that will be allocated to non-user sessions. Make sure the values specified in these fields do not overlap with the ports you designate for user traffic. These values can only be changed by editing the corresponding Windows registry settings.
I have read this on the Internet. How can one handle it?
03-17-2018 10:28 AM
@Radmin_85 wrote:
I have read this on the Internet. How can one handle it?
Not the answer you want to hear, but there is no solution. For SMB and other connections in system context you will not have user-ip-port mappings. If you really want to restrict connections from terminal servers to user connections you have to deny these connections (except the ones that are required like SMB to domain controller, profile shares, ...) somewhere (on other external firewalls or with the local firewall).
03-18-2018 11:58 PM
But how about internet traffic?
Is it possible to identify separate users who go to the Internet?
03-19-2018 01:18 AM - edited 03-19-2018 01:22 AM
This definitely is possible. What output does the following command show you: "show user ip-port-user-mapping all"?
03-19-2018 03:29 AM
the output shows domain name\usernames
so it is ok
03-19-2018 04:05 AM
are you seeing these same source ports appear in your firewall's sessions from that server's IP address?
except for a handful of 'system' services like SMB, every normal user session should be sourced from those source ports. if you see different source ports, you may need to check if there's a proxy, webfiltering or AV service installed on the server that could intercept outgoing connections and alter the source port once more
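The comparison suggested in the reply above, combined with the range-overlap check from the quoted resolution text, as an added example that is not part of the thread and not Palo Alto Networks tooling. The `PortBlock` structure, user names, port ranges and session tuples are all constructed for illustration and do not reproduce any real CLI output format.

```python
from typing import NamedTuple


class PortBlock(NamedTuple):
    owner: str   # user name, or "SYSTEM" for the non-user range (hypothetical structure)
    first: int   # first source port in the block, inclusive
    last: int    # last source port in the block, inclusive


def overlapping(user_blocks, system_blocks):
    """Return (user_block, system_block) pairs whose port ranges intersect."""
    return [(u, s) for u in user_blocks for s in system_blocks
            if u.first <= s.last and s.first <= u.last]


def classify(sessions, user_blocks, system_blocks):
    """Label each (src_port, app) session seen from the terminal server's IP."""
    report = []
    for port, app in sessions:
        owner = next((b.owner for b in user_blocks
                      if b.first <= port <= b.last), None)
        if owner:
            verdict = f"user:{owner}"
        elif any(b.first <= port <= b.last for b in system_blocks):
            verdict = "system"    # system-context traffic such as SMB: no user expected
        else:
            verdict = "unmapped"  # port outside every range: look for a local proxy/AV
        report.append((port, app, verdict))
    return report


# Constructed sample data (not taken from the thread).
USER_BLOCKS = [PortBlock("corp\\alice", 20000, 20199),
               PortBlock("corp\\bob", 20200, 20399)]
SYSTEM_BLOCKS = [PortBlock("SYSTEM", 1025, 5000)]
SESSIONS = [(20017, "web"), (20250, "web"), (3021, "smb"), (51544, "web")]

if __name__ == "__main__":
    for row in classify(SESSIONS, USER_BLOCKS, SYSTEM_BLOCKS):
        print(row)
    print("range overlaps:", overlapping(USER_BLOCKS, SYSTEM_BLOCKS))
```

A user application session that comes back as `unmapped` matches the symptom described in the thread, where something on the server rewrites the source port after the TS Agent has assigned it.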
03-19-2018 04:10 AM
03-19-2018 04:11 AM
well ... ping is a system service .... 😉
03-19-2018 04:14 AM
03-19-2018 04:17 AM
yes, try browsing to a common website like cnn or wikipedia
02-04-2021 10:56 PM
Hi,
Do you remember the last situation of this problem? Were you able to solve it (and how)?
Regards