
Installation Steps for PAN Terminal Services Agent

If you have a supported terminal server [1] and an Active Directory domain, and would like the Palo Alto Networks firewall to match traffic to particular logged-in users, you can install the PAN Terminal Services Agent on each terminal server. The Terminal Services Agent assigns a different TCP/UDP source port range to each user's terminal services session. That database of usernames -> port ranges is then pushed to the PAN firewalls, where it is used for traffic logging and policy enforcement. [2] Note that the TS Agent does not require that the User-ID Agent be installed in the network, although having both installed will give you a complete picture of who is doing what in your network. For instructions on how to install the PAN User-ID Agent, refer to the document Installation Steps for PAN User ID Agent.

To determine beforehand:
Determine onto which machines the Terminal Services Agent will be installed. That machine must:
o be running Windows Server 2003 Terminal Services, or Citrix Metaframe Presentation Server v4 or v4.5
o be a member of the domain to be monitored
o have network connectivity to the management port of the PAN firewall
Confirm that multiple users can log in to the terminal server and run various networking applications (web browsing, ping, etc.).
The Palo Alto Networks firewall must be running PANOS 3.0.0 or higher.

Part 1: Installing and Configuring the Terminal Services Agent


1. Login as administrator to the terminal server.
2. Download the latest version of the Terminal Services Agent (TaInstall.msi) from https://support.paloaltonetworks.com.

[1] Supported terminal servers: Windows 2003 Terminal Server, Citrix Metaframe Presentation Server v4.0 or v4.5.
[2] Policy enforcement requires that the PAN User-ID agent also be installed in the network.

PANOS 3.0.0

3. Install that file, accepting all the defaults. This installs the software as a service on that machine.
4. You can confirm the service is installed by running the Services administrative tool (services.msc) and looking for PAN Terminal Server Agent.

5. No configuration of the Terminal Service Agent is required; however if you want to view the current configuration, go to Start -> Programs-> Palo Alto Networks-> Terminal Server Agent.

6. By default the Terminal Services Agent listens on TCP port 5009. To confirm that the server running the Terminal Services Agent is listening on that port, use the following command on the server: netstat -an | find "5009" Here is example output:


Part 2: Configuring the PAN Firewall


7. To configure the PAN firewall to talk to the TS Agent, login to the firewall's GUI. Go to Device tab -> User Identification. Click Add under Terminal Server Agent.

8. Enter the IP address of the TS agent. Also assign a name to the agent, and the port number.

If the terminal server is multi-homed, the bottom of the screen allows you to enter the additional IPs.

9. You must also enable user identification on each zone that you want to monitor. On the Network tab -> Zones page, edit the appropriate zone (example: tapzone). In the bottom left corner of the zone properties page, check the box to Enable User Identification.

10. The firewall is now configured. Commit your changes at this time.


Part 3: Testing
11. To confirm everything is configured properly, bring up a CLI to the firewall, and execute this command: show ts-agent statistics You may see an error:

Or you may get this output, which indicates things are working properly:

Once you see connected in the CLI, you can go to the TS Agent GUI (Start -> Programs -> Palo Alto Networks -> Terminal Services Agent) and see a similar status on the main screen:

12. Login to the terminal server as different users concurrently, and surf the web or generate other traffic. Close those connections, as the firewall only logs completed sessions (by default).


13. You can view which users are currently logged into the Terminal Server using: show ts-agent user-IDs

This info will match the Monitor page of the TS Agent:

If there is a long list of users, and you want to determine if a particular user (example: jpage) is in the list, use this command: show ts-agent user-IDs | match jpage

14. Examine the PAN traffic log to see if you can tell who is doing what (Monitor tab-> Logs -> Traffic)

Notice in the above log that two different users are coming from the same source IP address, the terminal server.
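The attribution the firewall performs here (described in the introduction and visible in the log above) is a lookup of the source port inside the per-user ranges the TS Agent pushed. The following is an added illustration, not Palo Alto Networks code: the host address, usernames, port ranges and flow records are all constructed, and the real push format and range sizes are not given on this page.

```python
"""Attribute flows from a terminal server to users by TS Agent source port range."""

# Constructed: the terminal server's address as seen by the firewall.
TS_SERVER_IP = "10.0.0.25"

# Constructed stand-in for the username -> port range table the agent pushes.
# Entries are (username, first_port, last_port), inclusive.
ALLOCATIONS = [
    ("jpage", 20000, 20199),
    ("rplant", 20200, 20399),
]

# Constructed traffic records: (src_ip, src_port, dst_ip, dst_port, proto).
FLOWS = [
    ("10.0.0.25", 20017, "192.0.2.10", 80, "tcp"),   # inside jpage's range
    ("10.0.0.25", 20250, "192.0.2.10", 443, "tcp"),  # inside rplant's range
    ("10.0.0.25", 49152, "192.0.2.53", 53, "udp"),   # outside every user range
    ("10.0.0.7", 20017, "192.0.2.10", 80, "tcp"),    # not the terminal server
]


def build_port_map(allocations):
    """Sort the ranges and reject overlaps: a port that maps to two users
    would make the attribution ambiguous, so treat it as a configuration fault."""
    ranges = sorted(allocations, key=lambda a: a[1])
    for (_, _, prev_hi), (name, lo, _) in zip(ranges, ranges[1:]):
        if lo <= prev_hi:
            raise ValueError(f"port range for {name} overlaps a previous range")
    return ranges


def lookup_user(port_map, src_ip, src_port):
    """Return the user owning src_port on the terminal server, or None.
    Traffic from any other host is never attributed by this table."""
    if src_ip != TS_SERVER_IP:
        return None
    for name, lo, hi in port_map:
        if lo <= src_port <= hi:
            return name
    return None


def attribute_flows(flows, allocations):
    """Prefix every flow with its attributed user (None when unattributed)."""
    port_map = build_port_map(allocations)
    return [(lookup_user(port_map, f[0], f[1]),) + f for f in flows]


if __name__ == "__main__":
    for row in attribute_flows(FLOWS, ALLOCATIONS):
        print(row)
```

Flows from the terminal server whose source port lies outside every allocated range stay unattributed, which is the condition to look for when a logged-in user's traffic shows up without a name.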

Part 4: Troubleshooting Hints


15. The TS Agent maintains a log file which is very useful for troubleshooting. The log file can be viewed using File -> Show Logs.

To enable detailed information on the User-ID Agent operation, go to File -> Debug and select Verbose. The logs will now display more detailed messages.

