Palo Alto Terminal Server Agent (TSA) is User-ID software installed on compatible Windows Terminal Servers to solve a challenge associated with identifying user to IP address mapping on PAN firewalls.

The challenge with user to IP address mapping on Terminal Servers is as follows:

- By definition, user to IP address mapping identifies one user located at a specific IP address, and by design, Terminal Servers are used by multiple users at any given moment.
- Hence, the firewall can no longer associate the Terminal Server IP with one user.

When TSA is installed on a Terminal Server, it initiates TaService on the system and activates its drivers (TAD) in the Windows Kernel. Collectively, they perform the following tasks:

- All logged-on users are monitored and individual users are assigned a specific set of ports. This is called the User Source-Port Range.
- When a firewall is configured to establish a connection with TSA on TCP port 5009, the firewall learns about every logged-on user on the Terminal Server and his/her User Source-Port Range.
- When a user initiates any network traffic, the user application requests the Windows Kernel to create a TCP/IP socket, which is mainly a combination of Source-IP:Source-Port + Destination-IP:Destination-Port.
- TaService collaborates with TAD to intervene in this socket creation and allocate the Source-Port from the User Source-Port Range.
- When the firewall receives this network traffic from the Terminal Server, it identifies the user based on the user's Source-Port.

Basic TSA configuration caters to most deployments; however, depending on the need and the environment, we may need to customise the TSA configuration.

Compatibility matrix can be found in the following document:

Installing and configuring TSA is covered in the following KB article:
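The source-port lookup described above can be modelled as follows. This is an added example, not Palo Alto's code: the class, the function names, the addresses, the users and the port ranges are all constructed for illustration. It also shows two cases the description implies: a source port outside every User Source-Port Range cannot be attributed to a user, and overlapping ranges must be rejected because they would make attribution ambiguous.

```python
import bisect
from dataclasses import dataclass

@dataclass(frozen=True)
class PortRange:
    start: int
    end: int  # inclusive
    user: str

class TerminalServerMap:
    """Per-Terminal-Server table of User Source-Port Ranges (hypothetical model)."""

    def __init__(self, server_ip):
        self.server_ip = server_ip
        self._ranges = []  # kept sorted by start port, never overlapping

    def add_range(self, start, end, user):
        if not (0 < start <= end <= 65535):
            raise ValueError(f"invalid port range {start}-{end}")
        i = bisect.bisect_left([r.start for r in self._ranges], start)
        # Overlap with either neighbour would make attribution ambiguous.
        if i > 0 and self._ranges[i - 1].end >= start:
            raise ValueError(f"{start}-{end} overlaps {self._ranges[i - 1]}")
        if i < len(self._ranges) and self._ranges[i].start <= end:
            raise ValueError(f"{start}-{end} overlaps {self._ranges[i]}")
        self._ranges.insert(i, PortRange(start, end, user))

    def remove_user(self, user):
        """Drop a user's ranges at logoff so a stale mapping is not reused."""
        self._ranges = [r for r in self._ranges if r.user != user]

    def user_for(self, src_ip, src_port):
        """Return the user owning src_port, or None if it cannot be attributed."""
        if src_ip != self.server_ip:
            return None
        i = bisect.bisect_right([r.start for r in self._ranges], src_port) - 1
        if i >= 0 and self._ranges[i].end >= src_port:
            return self._ranges[i].user
        return None

def attribute(flows, table):
    """Map (src_ip, src_port, dst_ip, dst_port) flows to users (None = unknown)."""
    return [table.user_for(sip, sport) for sip, sport, _dip, _dport in flows]

# Constructed sample data: one Terminal Server, two logged-on users, four flows.
ts = TerminalServerMap("10.0.0.50")
ts.add_range(20000, 20199, "corp\\alice")
ts.add_range(20200, 20399, "corp\\bob")
FLOWS = [("10.0.0.50", 20150, "203.0.113.7", 443),   # inside alice's range
         ("10.0.0.50", 20200, "203.0.113.7", 443),   # first port of bob's range
         ("10.0.0.50", 1500, "198.51.100.9", 53),    # outside every user range
         ("10.0.0.77", 20150, "203.0.113.7", 443)]   # not the Terminal Server IP
```

Flows that come back as `None` are the ones to review when policy depends on user identity, since they match no learned range.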