02-28-2010 12:13 PM
03-01-2010 07:52 AM
Windows 2008 is not supported in 3.0 or 3.1. It is something that is being worked on for a release later in the year.
Mike
03-02-2010 03:47 PM
Is there a fix that I could use for now? Can I make a rule on the firewall that directs to a specific port to the terminal server? I am new at this; I used to use ISA Server 2004 and it had that as a feature.
03-02-2010 09:32 PM
You can set "source user = any" as a workaround.
Another method would be to use captive portal along with NTLM, but I don't know if pan-agent will work on 2008 or if it has the same issues as ts-agent.
03-09-2010 05:10 AM
Is there any more specific term than "later this year"? Because it's 2010, and more and more people are starting to use Windows 2008 server.
03-09-2010 07:27 AM
The most detail I can provide at this point would be to take the r off of the previous statement and say late this year.
We are running into this more and more and it is a priority. It also turns out to be a decent amount of work due to changes in the OS between 2003 and 2008.
Mike
03-10-2010 07:05 PM
This firewall is great; I just have small issues with them catching up to the current Server software. Terminal Server is a big deal where I work; every officer on the road remotes in to get things done. I have to wait until 3.1 before I can put this in production.
03-10-2010 11:17 PM
Hopefully the session-based NTLM in 3.1 will be a good workaround/replacement for when you cannot use ts-agent.
Today the PAN will do the NTLM caching based on IP, which along with terminal servers is a very bad thing because you usually have more than one user per terminal server. The bad thing is that the wrong user is being logged (the PAN unit believes that traffic from one terminal server is only one user, where in fact it can be several users).
The workaround until 3.1 is released could be to enable NTLM auth in captive portal and set up policy to allow only the AD group of users you want to be able to surf (or set it to "known-users"). However, note that the logging of which user did what will be incorrect (but it will work in terms of blocking users who are not allowed to surf).
03-11-2010 01:22 AM
In 3.1 the User mapping is still to IP Address when using NTLM. The Session cookie is to help prevent multiple challenges for Captive Portal on timeout and also to provide "roaming" (IP Address Change) support.
So this will not help with the TS 2008 conundrum. Therefore Mike's comments will still stand as to "late this year" I'm afraid.
03-11-2010 07:06 AM
Hmpf, that was bad to hear, since I have an ongoing case where ts-agent is failing after a few hours, and a sufficient workaround for that case would be to use NTLM auth instead. However, this will fail as long as the PAN unit does the NTLM auth caching per IP instead of per session (which was what both I and the company we have for support believed that the session cookie thingy enhancement in 3.1 would solve regarding NTLM auth).
03-11-2010 09:35 AM
If you have Win2K8, maybe this can help?
http://www.thincomputing.net/blog/windows-server-2008-r2-remote-desktop-ip-virtualization.html
I have not tried it - but there is a possible solution here.
03-11-2010 09:42 AM
Unfortunately not, since it's not 2008 boxes, it's 2003 boxes.
But in case of using 2008, that looks like a possible workaround for the workaround 😃