Random Source Users are missing in the traffic logs when using Terminal Server Agent (TSA)
- Traffic logs missing User-ID information from same Source IP Address
Zoomed in view:
Red box = Missing source User-ID mapping
- Source user has applications sending traffic through firewall on pre-defined source ports
Terminal Server Agent (TSA) providing User-ID information to Firewall based on Port Allocation.
TSA Source Port Allocation Range is 20,000-39,999. This is the full range of port numbers that the TS agent will allocate for user mapping.
If the application running on the workstation is using a source port that is not in the Source Port allocation range allocated by the TSA, then the user will not be mapped. Hence the traffic logs will not show User-ID for logs that have source port out of the allocated range.
Source ports on the application need to be modified to come in on the configured Source Port allocation range of the TSA