About the Cisco Terminal Services (TS) Agent
The Cisco Terminal Services (TS) Agent allows the Cloud-delivered Firewall Management Center or On-Prem Firewall Management Center to uniquely identify user traffic monitored by a Microsoft Windows Terminal Server. Without the TS Agent, the systems recognize all traffic from a Microsoft Windows Terminal Server as one user session originating from one IP address.
The TS Agent can be used with all of the following:
- The Cloud-delivered Firewall Management Center available with the Cisco Defense Orchestrator (CDO).
- The On-Prem Firewall Management Center available with CDO.
- A standalone Management Center or high availability system that is not associated with CDO.
For brevity, in this guide, unless otherwise noted, On-Prem Firewall Management Center can mean either a Management Center associated with CDO or a standalone system that is not associated with CDO.
Note: To avoid potential issues and to make sure you're using the most up-to-date software, Cisco recommends using the latest released version of the TS Agent. To find the latest version, go to the Cisco Support site.
When installed and configured on your Microsoft Windows Terminal Server, the TS Agent assigns a port range to individual user sessions, and ports in that range to the TCP and UDP connections in the user session. The systems use the unique ports to identify individual TCP and UDP connections by users on the network. Port ranges are assigned on a least recently used basis, meaning that after a user session ends, the same port range is not immediately reused for new user sessions.
Note: ICMP messages are passed without port mapping.
Traffic generated by a service running in the computer's System context is not tracked by the TS Agent. In particular, the TS Agent does not identify Server Message Block (SMB) traffic because SMB traffic runs in the System context.
The TS Agent supports up to 199 simultaneous user sessions per TS Agent host. If a single user runs several simultaneous user sessions, the TS Agent assigns a unique port range to each individual user session. When a user ends a session, the TS Agent can use that port range for another user session.
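The port range behavior described above can be sketched as a simplified model. This is an added example, not Cisco's implementation: the class and method names, the range base (5000), and the range size (200 ports) are assumed values chosen for illustration; only the 199-session limit and the least recently used ordering come from this page.

```python
from collections import deque


class PortRangeAllocator:
    """Simplified model of per-session port range assignment (not Cisco code)."""

    def __init__(self, base=5000, size=200, max_sessions=199):
        # base and size are assumed; max_sessions=199 is the documented limit.
        self.size = size
        # Free ranges, ordered so the least recently used one is at the left.
        self.free = deque(range(base, base + size * max_sessions, size))
        self.active = {}  # session id -> (user, first port of its range)

    def login(self, session_id, user):
        """Assign the least recently used free range to a new user session."""
        if not self.free:
            raise RuntimeError("session limit reached on this TS Agent host")
        start = self.free.popleft()
        self.active[session_id] = (user, start)
        return (start, start + self.size - 1)

    def logoff(self, session_id):
        """Release a range to the back of the queue so it is reused last."""
        _user, start = self.active.pop(session_id)
        self.free.append(start)

    def user_for_port(self, port):
        """Attribute a translated source port to a user, as a log reviewer would."""
        for user, start in self.active.values():
            if start <= port < start + self.size:
                return user
        return None  # port is outside every active session's range


def demo():
    # Constructed scenario with a small pool so the ordering is easy to follow.
    alloc = PortRangeAllocator(base=5000, size=200, max_sessions=3)
    first = alloc.login("s1", "alice")
    second = alloc.login("s2", "alice")  # same user, second session, own range
    alloc.logoff("s1")
    third = alloc.login("s3", "bob")     # does not receive the range s1 just freed
    return first, second, third, alloc.user_for_port(5050), alloc.user_for_port(5450)


if __name__ == "__main__":
    print(demo())
```

In this model, a port from the range released by the ended session maps to no user until every other free range has been handed out, so late traffic on that range is not attributed to the next user who logs in.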
Each Cloud-delivered Firewall Management Center or On-Prem Firewall Management Center supports up to 50 TS Agents connecting to it at the same time.
There are three primary components to the TS Agent installed on your server:
- Interface: application to configure the TS Agent and monitor the current user sessions
- Service: program that monitors the user logins and logoffs
- Driver: program that performs the port translation
The TS Agent can be used for the following:
- TS Agent data on the Cloud-delivered Firewall Management Center or On-Prem Firewall Management Center can be used for user awareness and user control. For more information about using TS Agent data in the Firepower System, see the Firepower Management Center Configuration Guide.
Note: To use TS Agent for user awareness and control, you must configure it to send data only to the Cloud-delivered Firewall Management Center or On-Prem Firewall Management Center. For more information, see Configure the TS Agent.