Skip to main content
kanes39
kanes39
New Member
June 17, 2025
Question

Fortigate FSSO, DC Agent and TS Agent

  • June 17, 2025
  • 4 replies
  • 2491 views

Hi All,

Good Day. 

 

I have some issues with FSSO where it is not hitting the firewall policy and traffic is getting denied. 

 

My setup:

- I have a  DC agent installed on the DC server itself. 

- A collector server (Separate)

- TS Agent installed on Citrix. 

 

Issue:
When user logs in to the Citrix, the TS agent is able to get the port and the username/IP and send it to the Fortigate.
I can see the user authentication on the Fortigate User Auth page but the rule is not hitting as the user ID is not a match. 

I have got a TAC case raised but not much help as they could not find the fault.

I am seeking assistance from the community to see if there is anytone can help and guide me to the right direction. 

 

I am have configured TS server to connect to the CA via Secure Connection on port 8003.


Appreciate any help that you can provide/share.

Similar issues to what is described here:


https://community.fortinet.com/t5/FortiGate/Troubleshooting-Tip-TS-Agent-is-not-matching-the-correct/ta-p/389463

 




4 replies

Stephen_G
Moderator
Stephen_G
Moderator
June 19, 2025

Hello,

 

Thank you for using the Community Forum. I will seek to get you an answer or help. We will reply to this thread with an update as soon as possible.

 

Thanks,

Stephen_G - Fortinet Community Team
Stephen_G
Moderator
Stephen_G
Moderator
June 24, 2025

Hello,

 

We are still looking for an answer to your question.

 

We will come back to you ASAP.

In the meantime, if anyone else has any advice to contribute, please feel free to do so!

 

Thanks,

Stephen_G - Fortinet Community Team
jdelafuente_FTNT
Staff & Editor
jdelafuente_FTNT
Staff & Editor
June 26, 2025

Hello Kanes39.
Let me explain how does TS_Agent identifies different users logged in same server.
it assign a source port range per user, all connections from same user will use this range, for example:
user1 uses from 200-399 TCP source port

user2 user from 400-599 TCP Source port
and so on.
This method is used too for some Antivirus suites and overwrite our range, please check if there is any AV software like Sophos.

    jdelafuente_FTNT
    Staff & Editor
    jdelafuente_FTNT
    Staff & Editor
    June 26, 2025

    The Fortinet TS (Terminal Server) Agent uses a range of source ports to differentiate between user sessions on a terminal server. When a user logs in, the TS Agent assigns a specific port range (fox example, 20000-20199) to that user's connections. This allows the FortiGate to identify which user is generating traffic based on the source port used in the connection.
    Check AV isn't installed (or try to configure different range port than AV solution in TS_agent) on server, read this related article to know how to configure it:
    Technical Tip: How to setup TS-Agent configuration


      kanes39
      kanes39Author
      New Member
      June 30, 2025

      Hi @jdelafuente_FTNT  @Stephen_G ,

       

      Thank you very much for the response.
      After a lot of troubleshooting, the issue was found to be caused by an overlapping agent ( we had a Palo Alto TS Agent) on the same server. The server for some reason were sending traffic only using the Palo Alto TS agent allocated ports. It took some time and a lot of T-Shoot because we did not realize the PA TS was running on it. 

      However I have a follow up question to this now:

      - Has anyone run more than one TS agent in a jumperserver (Citrix).

      - Is there any way we can actually do it?

       

      Thanks and Appreciate all your help. 

       

      jdelafuente_FTNT
      Staff & Editor
      jdelafuente_FTNT
      Staff & Editor
      July 10, 2025

      Dear kanes39.

      Unfortunately, this method of defining source ports to differentiate users on a multi-seat server, VPC, Citrix, RDP, is a common method used by all security vendors.

      Terms & ConditionsAccessibility statement