Palo Alto Networks Knowledgebase: Terminal Server Agent Port Allocation
Created On 02/07/19 23:39 PM - Last Updated 02/07/19 23:39 PM
Palo Alto Networks suggests using the following settings for port allocation on the Terminal Server Agent:
If the Port Allocation Start Size per User is set to 400 and the Port Allocation Maximum Size per User is set to 4000, each time a user takes up 400 ports the TS-Agent allocates another 400 ports until the maximum of 4000 is reached, at which point the allocation fails. If a user application connects and closes a connection to the same destination port multiple times in a very short time, the source ports can be used to connect to another destination port.
If the "TCPTimedWaitDelay" on the Windows server hasn't expired from the previous connection, the same destination port cannot be used. The TCPTimedWaitDelay can be decreased to a smaller value (valid range is 30-300 seconds, default is 240) to free up the destination port.
It is also possible to decrease the Port Allocation Start Size Per User and the Port Allocation Maximum Size per User if there is a need to free up ports to allow more user connections.
The Source Port Allocation Range can be configured between 1 and 65535, but the server's own source ports must also be reserved (Reserved Source Ports) to ensure they aren't allocated to users.
You can verify the user-to-port-range mapping by viewing the TS-Agent Monitor to determine current users and port allocations.
Refresh the counts by clicking Refresh Ports Counts.
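The block allocation and sizing trade-off described above can be modelled for capacity planning. This is an added example, not TS-Agent code: `PortPool`, its methods, the 20000-39999 range and the reserved ports 20000-20099 are constructed for illustration, and the model assumes ports are handed out strictly in blocks of the start size.

```python
# Simplified model of per-user block allocation (an assumption for planning,
# not the TS-Agent's actual implementation).
from dataclasses import dataclass, field


@dataclass
class PortPool:
    range_start: int = 20000      # constructed Source Port Allocation Range
    range_end: int = 39999
    reserved: set = field(default_factory=set)   # Reserved Source Ports
    start_size: int = 400         # Port Allocation Start Size per User
    max_size: int = 4000          # Port Allocation Maximum Size per User

    def __post_init__(self):
        if not 1 <= self.range_start <= self.range_end <= 65535:
            raise ValueError("allocation range must lie within 1-65535")
        if self.start_size <= 0 or self.max_size < self.start_size:
            raise ValueError("need 0 < start size <= maximum size")
        # Ports that may be handed out: the range minus the reserved ports.
        self.free = [p for p in range(self.range_start, self.range_end + 1)
                     if p not in self.reserved]
        self.users = {}           # user name -> list of allocated ports

    def grow(self, user):
        """Give `user` one more block of start_size ports; False on failure."""
        held = self.users.setdefault(user, [])
        if len(held) + self.start_size > self.max_size:
            return False          # per-user maximum reached
        if len(self.free) < self.start_size:
            return False          # pool exhausted for everyone
        held.extend(self.free[:self.start_size])
        del self.free[:self.start_size]
        return True

    def capacity(self):
        """(users that fit at start size, users that fit if all reach maximum)."""
        usable = len(self.free) + sum(len(v) for v in self.users.values())
        return usable // self.start_size, usable // self.max_size


if __name__ == "__main__":
    reserved = set(range(20000, 20100))          # constructed reserved ports
    print("400/4000:", PortPool(reserved=reserved).capacity())
    print("200/2000:", PortPool(reserved=reserved, start_size=200,
                                max_size=2000).capacity())
```

Comparing the two `capacity()` results shows how lowering both sizes raises the number of users the same range can serve, at the cost of a lower per-user ceiling.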