Palo Alto Networks Knowledgebase: How to Install and Configure Terminal Server Agent

Created On 02/07/19 23:54 PM - Last Updated 02/07/19 23:54 PM
User-ID
Resolution

Overview

Before installing the Terminal Server (TS) Agent, make sure that the following requirements are met:

  • Verify the requirements in the Release Notes of the version of Terminal Server (TS) Agent to be installed.
  • The administrator on the terminal server needs to install the TS Agent. The TS Agent should be configured to be started only by the administrator in order to prevent other remote logon users from controlling it.
  • For the TS Agent to successfully install the necessary driver, the installer must have administrator rights.
  • The Windows firewall on the machine where TS Agent is installed needs to be disabled.

 

Steps

  1. Installation
    • The installer first checks whether the TS Agent is compatible with the operating system it is being installed on. If the operating system is not compatible, it displays an error message.
    • The TS agent installer will request a destination folder for the install.
    • For a new installation the administrator does not need to reboot the system; however, without a reboot, the TS Agent can only identify new outbound TCP/UDP traffic. For TCP/UDP traffic that began before the installation, the Palo Alto Networks TS Agent cannot identify the users.
  2. Configuration of the TS Agent on Terminal Server
    • Main Panel
      The TS Agent Controller is the application used on the Terminal Server for configuration and verification of agent status.
      The main panel shows the Connection List, which displays each PAN device connected to the TS Agent, as well as the Device Access Control List. By default the Device Access Control List is disabled. Enable this option if you want to specify which PAN devices the TS Agent will listen to. The TS Agent will ONLY accept incoming connections from the devices in the allow list.
    • Configure Panel
      • Listening Port: The port on which the TS Agent communicates with the Palo Alto Networks device.
      • Source port allocation range: Range of source ports that users will be able to pull from.
      • Reserved Source Ports: Ports that need to be excluded from the source port range because another service running on the Terminal Server needs them to communicate.
      • Port Allocation Start Size Per User: Minimum port allocation for new user port lease.
      • Port Allocation Maximum Size Per User: Maximum port allocation for user port lease.
      • Fail port binding when available ports are used up: Prevents overlapping port allocations.
    • Monitor Panel
      The monitor operation from the navigation window displays all of the current users and port allocations. The “Ports Count” shows the ports currently used by the user. The Ports Count can be refreshed by clicking “Refresh Ports Count”. You can also manually set a refresh interval by selecting the check box “Refresh Interval”.
  3. Configuration of the TS Agent on Palo Alto Networks Device
    • The Palo Alto Networks device needs to be configured with the following information:
      • IP Address: IP address of the server where the TS Agent is installed.
      • Port: TS Agent listening port, which should match what is configured on the terminal server.
      • IP List (optional): Terminal server source IP list if the terminal server has multiple source IPs, max of 8 IPs.
    • Commit the changes on the firewall
  4. Troubleshooting Hints
    The TS Agent maintains a log file which is very useful for troubleshooting. In case there is an issue with the TS Agent, these logs should be collected and sent to the TAC Support Team. The log file can be viewed on the TS Agent using File > Show Logs.
    • To enable detailed information on the User-ID Agent operation, go to File > Debug and select Verbose.  The logs will now display more detailed messages.

 

Useful CLI commands

Configure terminal server agent:

# set ts-agent <name> <options>

where <options> include:

ip-address   terminal server agent ip address
port         terminal server agent listening port
ip-list      terminal server alternative ip list

 

Show terminal server agent status:

> show user ts-agent statistics
IP Address  Port Vsys  State     Users
-------------------------------------------------------------
10.1.200.1  5009 vsys1 connected 8
10.16.3.249 5009 vsys1 connected 10

 

> show user ip-port-user-mapping all
User  IP-Address  Vsys  Port-Range
----------------------------------------------------------------------------
test1 10.1.200.1  vsys1 20000-20500
test2 10.1.200.1  vsys1 20500-21000
                        21500-22000
test3 10.1.200.1  vsys1 21000-21500
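
As an added example (not part of the original article and not Palo Alto Networks code), the Python below parses the `show user ip-port-user-mapping all` output format shown above, including the continuation line for a user holding more than one range, and resolves a source IP and source port from a traffic log to the user whose range contains it. Treating range bounds as inclusive is an assumption; because adjacent ranges in the sample share a boundary value, the lookup returns every candidate instead of picking one.

```python
import re

# Sample copied from the output shown on this page.
SAMPLE = """\
User IP-Address Vsys Port-Range
----------------------------------------------------------------------------
test1 10.1.200.1  vsys1 20000-20500
test2 10.1.200.1  vsys1 20500-21000
                        21500-22000
test3 10.1.200.1  vsys1 21000-21500
"""

# Full row: user, IPv4 address, vsys, port range.
ROW = re.compile(r"^(\S+)\s+(\d{1,3}(?:\.\d{1,3}){3})\s+(\S+)\s+(\d+)-(\d+)\s*$")
# Continuation row: only an additional port range for the previous user.
CONT = re.compile(r"^\s+(\d+)-(\d+)\s*$")


def parse_mappings(text):
    """Return a list of (user, ip, vsys, start, end) tuples."""
    rows, current = [], None
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            current = (m.group(1), m.group(2), m.group(3))
            rows.append(current + (int(m.group(4)), int(m.group(5))))
            continue
        c = CONT.match(line)
        if c and current:  # extra range belongs to the last full row
            rows.append(current + (int(c.group(1)), int(c.group(2))))
    return rows


def users_for(rows, ip, port):
    """All users whose range on `ip` contains `port` (bounds inclusive: assumption)."""
    return sorted({u for u, i, _, lo, hi in rows if i == ip and lo <= port <= hi})


if __name__ == "__main__":
    rows = parse_mappings(SAMPLE)
    for port in (20250, 20500, 21750, 30000):
        hits = users_for(rows, "10.1.200.1", port)
        label = "ambiguous" if len(hits) > 1 else "ok" if hits else "unmapped"
        print(port, hits, label)
```

A port that resolves to more than one user, or to none, should be checked against the TS Agent's Monitor panel before the traffic is attributed to anyone.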

The TS Agent may need to look up a Palo Alto Networks User-ID agent or group mapping data to get the group information for a specific domain user.

 

Other CLI commands

The User-ID Agent's “enable-user-identification” and “User Identification ACL” configuration commands also apply to the TS Agent. This means that if the user-identification feature is enabled, both the User-ID Agent and TS Agent features will be enabled.

 

owner: panagent


