Technical Tip: Terminal Server Agents and SMB Shared Folders
Description
This article explains why Samba shared folder access might not be reachable when access from Terminal Server with Terminal Server Agent (TS Agent) through identity based policies.
Solution
SMB application does not use the user port-range assigned by TS Agent.
SMB uses system port range, therefore the port-range mismatch causes authentication failure when validating against firewall policies with FSSO on FortiGate unit.
Reason for this is that SMB traffic is initiated by system process.
Any traffic initiated by system process follows the system port range so it cannot be associated with a user.
TS Agent can only intercept traffic initiated by a user process.
This article explains why Samba shared folder access might not be reachable when access from Terminal Server with Terminal Server Agent (TS Agent) through identity based policies.
Solution
SMB application does not use the user port-range assigned by TS Agent.
SMB uses system port range, therefore the port-range mismatch causes authentication failure when validating against firewall policies with FSSO on FortiGate unit.
Reason for this is that SMB traffic is initiated by system process.
Any traffic initiated by system process follows the system port range so it cannot be associated with a user.
TS Agent can only intercept traffic initiated by a user process.
Create separate firewall policy without authentication for SMB traffic