This article was written while testing the Terminal Server agent on older PAN-OS versions (7.1 or below). Although the configuration information remains the same, refer to the updated documentation, Configuring Terminal Server Agent for User Mapping, particularly when using certificates between the TS agent and the firewall.
Overview
Before installing the Terminal Server (TS) Agent, make sure that the following requirements are met:
- Verify the requirements in the Release Notes of the version of Terminal Server (TS) Agent to be installed.
- The administrator on the terminal server needs to install the TS Agent. The TS Agent should be configured to be started only by the administrator in order to prevent other remote logon users from controlling it.
- The installer must have administrator rights so that the TS Agent can successfully install the necessary driver.
- On the Windows Firewall of the server where the TS Agent is installed, allow connections to port 5009.
Steps
- Installation
- The installer first checks whether the TS Agent is compatible with the operating system it is being installed on. If the operating system is not compatible, it displays an error message.
- The TS agent installer will request a destination folder for the install.
- For a new installation, the administrator does not need to reboot the system; however, without a reboot, the TS Agent can only identify new outbound TCP/UDP traffic. For TCP/UDP traffic that started before the installation, the Palo Alto Networks TS Agent cannot identify the users.
- Configuration of the TS Agent on Terminal Server
- Main Panel
The TS Agent Controller is the application used on the Terminal Server for configuration and verification of agent status.

The main panel shows the Connection List, which displays each PAN device connected to the TS agent, as well as the device access control list. By default, the Device Access Control List is disabled. Enable this option if you want to specify which PAN device the TS Agent will listen to. When it is enabled, the TS agent will ONLY accept incoming connections from the devices in the allow list.
- Configure Panel
- Listening Port: The port on which the TS Agent communicates with the Palo Alto Networks device.
- Source port allocation range: Range of source ports users will be able to pull from.
- Reserved Source Ports: Ports that need to be excluded from the source port range because another service running on the Terminal Server needs them to communicate.
- Port Allocation Start Size Per User: Minimum port allocation for new user port lease.
- Port Allocation Maximum Size Per User: Maximum port allocation for user port lease.
- Fail port binding when available ports are used up: Prevents overlapping port allocations.
- Monitor Panel

The monitor operation from the navigation window displays all of the current users and port allocations. The “Ports Count” shows the currently used ports for the user. The Ports Count can be refreshed by clicking the “Refresh Ports Count”. You can also manually set a refresh interval by selecting the checkbox “Refresh Interval”.
- Configuration of the TS Agent on the Palo Alto Networks Device

- The Palo Alto Networks device needs to be configured with the following information:
- IP Address: IP address of the server on which the TS Agent is installed.
- Port: TS Agent listening port which should match what is configured on TS Server.
- IP List (optional): Terminal server source IP list if the terminal server has multiple source IPs, max of 8 IPs.
- Commit the changes on the firewall
- Troubleshooting Hints
The TS Agent maintains a log file which is very useful for troubleshooting. In case there is an issue with the TS Agent, these logs should be collected and sent to the TAC Support Team. The log file can be viewed on the TS Agent using File > Show Logs.
- To enable detailed information on the User-ID Agent operation, go to File > Debug and select Verbose. The logs will now display more detailed messages.
Useful CLI commands
Configure terminal server agent:
# set ts-agent <name> <options>
where <options> include
ip-address   terminal server agent ip address
port         terminal server agent listening port
ip-list      terminal server alternative ip list
Show terminal server agent status:
> show user ts-agent statistics
IP Address     Port   Vsys    State       Users
----------------------------------------------
10.1.200.1     5009   vsys1   connected   8
10.16.3.249    5009   vsys1   connected   10
> show user ip-port-user-mapping all
User     IP-Address    Vsys    Port-Range
------------------------------------------------
test1    10.1.200.1    vsys1   20000-20500
test2    10.1.200.1    vsys1   20500-21000
                               21500-22000
test3    10.1.200.1    vsys1   21000-21500
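When a session in a traffic log has to be attributed to a user after the fact, the mapping output above can be parsed and searched by source IP and source port. The following is an added example, not part of the original article or of any Palo Alto Networks tooling; the function names are hypothetical and it assumes both printed bounds of a range are inclusive.

```python
import re

# Sample input: the "show user ip-port-user-mapping all" output shown above.
# A user can hold several leases; extra ranges appear on continuation lines
# that carry only the Port-Range column (test2 below).
SAMPLE = """\
User   IP-Address   Vsys   Port-Range
------------------------------------------------
test1  10.1.200.1   vsys1  20000-20500
test2  10.1.200.1   vsys1  20500-21000
                           21500-22000
test3  10.1.200.1   vsys1  21000-21500
"""

RANGE = re.compile(r"^(\d+)-(\d+)$")


def parse_mappings(text):
    """Return (user, ip, vsys, start, end) tuples, one per leased range."""
    rows, current = [], None
    for line in text.splitlines():
        fields = line.split()
        m = RANGE.match(fields[-1]) if fields else None
        if m is None:
            continue  # blank line, header, or separator
        if len(fields) == 4:
            current = tuple(fields[:3])  # full row: user, IP, vsys
        elif len(fields) != 1 or current is None:
            continue  # neither a full row nor a continuation line
        rows.append(current + (int(m.group(1)), int(m.group(2))))
    return rows


def lookup_users(rows, src_ip, src_port):
    """Users whose lease on src_ip contains src_port (bounds inclusive).

    Assumption: both printed bounds belong to the range. Adjacent leases in
    the sample share a boundary port, so more than one user can be returned;
    treat such a result as ambiguous rather than picking one.
    """
    return [u for u, ip, _, lo, hi in rows
            if ip == src_ip and lo <= src_port <= hi]


if __name__ == "__main__":
    rows = parse_mappings(SAMPLE)
    for port in (20100, 20500, 21750, 23000):
        print(port, lookup_users(rows, "10.1.200.1", port))
```

An empty result for a terminal server IP means the port falls outside every current lease, so the session cannot be tied to a user from this snapshot.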
The TS Agent may need to look up a Palo Alto Networks User-ID agent or group mapping data to get the group information for a specific domain user.
Other CLI commands
The User-ID Agent's “enable-user-identification” and “User Identification ACL” configuration commands also apply to the TS Agent. This means that if the user-identification feature is enabled, both User-ID Agent and TS Agent features will be enabled.