Terminal Services Agent allocates ports outside the defined port range

L2 Linker


Hi,

 

I have the problem that the Terminal Services Agent sometimes allocates ports to users that are out of their port range.

That leads to the usage of wrong security policies.

 

For example for one user I configured 22800-22999 as the port range.

That user is not allowed to download certain files.

Now sometimes the user gets port 58729 allocated and so the session is not matched to that user, a wrong policy gets to work and the download is possible although it should be denied.

 

The TSA debug log is almost just filled with this error message:

 

[Error 966]: GetDriverLog3: Device control get drvier log3 fails: 57!!!!
[Error 966]: GetDriverLog3: Device control get drvier log3 fails: 57!!!!
[Error 966]: GetDriverLog3: Device control get drvier log3 fails: 57!!!!
[Error 966]: GetDriverLog3: Device control get drvier log3 fails: 57!!!!

 

There is no other application in use that could disturb the TSA.

 

Maybe someone encountered this error message and can provide some help?

Would be very much appreciated.

 

Best regards,

Marc

 

Cyber Elite

Hi @Marc.Luecke 

What OS version do you have and what TSA version do you use? At the time when this happens, did you check the allocated ports for this user? Did he maybe reach the 200 ports? How many users are connected to that server? Did you verify if the connection on this port really is from that user that tries to download something he should not be allowed?

L2 Linker

Hi Vsys_remo:

 

thanks for your reply.

 

I will try to answer your questions:

 

What OS version do you have and what TSA version do you use?

- The Terminal Server Agent is running on a Windows Server 2016 in Version 8.1.13-5.

 

At the time when this happens, did you check the allocated ports for this user?

- No port allocation errors are shown in the TSA debug log, so I guess that is not the problem

 

Did he maybe reach the 200 ports?

- Does not seem like that

 

How many users are connected to that server?

- 8 - 10 users

 

Did you verify if the connection on this port really is from that user that tries to download something he should not be allowed?

- Yes, it's verified through the logs

 

I hope you can maybe help with that problem?

 

Best regards,

Marc

 

L4 Transporter

If you don't want the users to fail to a high-port out of range, when the pool is used up, you can enable the check box "fail port binding when available ports are used up".

Best Regards
Chacko
L2 Linker

Hi Chacko42,

 

unfortunately, setting the mentioned option does not change the issue.

 

But thank you for your comment!!

Maybe there are additional options to check?

 

Best regards,

Marc
