User Identification through TSA not working for HTTP

Created On 09/26/18 13:55 PM - Last Modified 07/19/22 23:12 PM


Issue

  • The Terminal Server Agent (TSA) does not create the ip-port-user mapping correctly for HTTP traffic. The environment has 80+ Citrix servers configured, all of them running the Palo Alto Networks Terminal Services Agent.
  • When a user loads an HTTPS site from a PC, the traffic is sent to the Citrix server, the ip-port-user mapping is correct (the source port is within the TSA range), and the HTTPS traffic is allowed.
  • When a user loads an HTTP site from the same machine and the same browser (Internet Explorer), the traffic is sent to the Citrix server and an incorrect source port is assigned (outside the TSA allocated range). Because the source port is incorrect, the firewall denies the traffic due to the incorrect ip-port-user mapping.

 

Cause

If there are any TrendMicro products installed on the Citrix Terminal Server, the TrendMicro proxy feature may be causing the problem.
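
To confirm the cause on an affected Citrix server, the following added diagnostic (not part of the original article or of any Palo Alto Networks tooling) lists established outbound HTTP/HTTPS connections, flags source ports outside the TSA range, and names the owning process. The port range values are assumed placeholders; replace them with the source port allocation range configured in your TS Agent.

```powershell
# Added diagnostic example. Run in an elevated PowerShell session on the
# Citrix server while a user reproduces the HTTP problem.
$TsaPortMin = 20000      # assumed placeholder: use the range set in your TS Agent
$TsaPortMax = 39999      # assumed placeholder
$WebPorts   = 80, 443

function Test-InTsaRange {
    param([int]$Port, [int]$Min, [int]$Max)
    return ($Port -ge $Min -and $Port -le $Max)
}

# Outbound web connections only; loopback traffic (browser to a local proxy)
# never reaches the firewall, so it is excluded.
$connections = Get-NetTCPConnection -State Established -ErrorAction SilentlyContinue |
    Where-Object {
        $WebPorts -contains $_.RemotePort -and
        $_.RemoteAddress -notin '127.0.0.1', '::1'
    }

$report = foreach ($c in $connections) {
    $proc = Get-Process -Id $c.OwningProcess -ErrorAction SilentlyContinue
    [pscustomobject]@{
        RemotePort  = $c.RemotePort
        LocalPort   = $c.LocalPort
        InTsaRange  = Test-InTsaRange -Port $c.LocalPort -Min $TsaPortMin -Max $TsaPortMax
        ProcessName = if ($proc) { $proc.ProcessName } else { '<exited>' }
        ProcessId   = $c.OwningProcess
        # Session 0 is the services session, not an interactive user session
        SessionId   = if ($proc) { $proc.SessionId } else { $null }
        Remote      = $c.RemoteAddress
    }
}

# Full listing: out-of-range connections sort first
$report | Sort-Object InTsaRange, ProcessName | Format-Table -AutoSize

# Summary: which processes open web connections from ports outside the TSA range
$report | Where-Object { -not $_.InTsaRange } |
    Group-Object ProcessName, RemotePort |
    Select-Object Count, Name |
    Format-Table -AutoSize
```

If the out-of-range connections to port 80 belong to a process other than the user's browser, that process is originating the HTTP traffic on the user's behalf.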

 

Resolution

To resolve the issue, disable the TrendMicro proxy feature, or all TrendMicro services.

 

owner:  tpiens


