Hi,
I have a question about the port allocation pool in FSSO Terminal Server Agent for Citrix.
The default port range is 20000-49000.
What port range is used by the Citrix server? What if a user has a source port 65000 allocated by the Citrix server? Will the FSSO recognize that?
It is not a question to this forum but how can I find the port range configured on the Citrix server itself?
Or it does mean that the FSSO TS will do something like a Source Port NAT to fit the sessions to the port range configured on it?
I have a Citrix 7.9 set up in the LAB and have been playing around with the settings, but did not find anything on whether the FSSO TS agent port range and the Citrix server port range have to match or not.
AtiT
Hi!
> What port range is used by the citrix server?
The port range is based on the system allocation pool. The system pool is used by the OS. TSAgent will use ports outside this range.
> What if a user will have a source port 65000 allocatted by the citrix server? Will the FSSO recognize that?
Newer versions (build >= 249) of TSAgent can detect it, and should not alter it.
> how can I find the port range configured on the Citrix server itself?
It's the system allocation pool, if I understand the question well.
> Or it does mean that the FSSO TS will do something like a Source Port NAT to fit the sessions to the port range configured on it?
No, it's not NATting; TSAgent is really allocating those ports to applications. You can check yourself with the netstat command; you should see user applications using ports from the range you configured.
Cheers,
Fishbone )(
smithproxy hacker - www.smithproxy.org
Hello Fishbone,
Thank you very much!
So it means that the System Dynamic Allocation Port Range (in the picture above) is the range of ports that will be used by the OS - Windows 2012 R2 in my case.
It seems to be correct according to https://support.microsoft.com/en-us/kb/832017
Should I set the Port Allocation Pool to this range? If I leave the defaults I can see on the FSSO Agent that the ports starting from 20000 are used. Netstat also shows source ports from 20000.
How is that possible if the OS port range is 49152 through 65535?
I do not understand.
AtiT
Hi,
> So it means that the System Dynamic Allocation Port Range (on the picture above) means that these ports will be used by the OS
yes, exactly.
> Should I set the Port Allocation Pool to this range?
No, keep it as it is. Your port range is OK, it is outside of the system allocation port range. Basically you are telling the system to use ports 49152 through 65535, and the rest is kept for applications.
> How it is possible if the OS port range is 49152 through 65535?
The range itself differs across OS versions and is predefined, but still configurable. You can use netsh to change it (if there is a reason for this -- don't think it's your case).
As you can see in the FSSO CA screenshot, you received TSAgent logons with ports starting at 20000. That's correct, expected behavior. You should also see user traffic coming from those ports on the Fortigate.
I don't know exactly why TSAgent has chosen to start at 20000 and not, for example, at 1024, but you can adjust the setting yourself. Just keep in mind you don't want to overlap with the system allocation pool range detected by TSAgent.
Fishbone )(
smithproxy hacker - www.smithproxy.org
Thanks! Now I understand how it works.
Yes, I am in Czech Rep. :)
AtiT
Just a comment on how multiple port ranges are being allocated:
By default, there are two pools per user configured (2x 200) in TSAgent. The first pool is allocated immediately once a user logon is detected. The next pool is allocated when 80% of the previous one is used.
This fits most scenarios well; you should just be aware that a new port allocation implies another logon message sent from TSAgent -> FSSO CA -> Fortigates.
If the user CPS (connections per second) is too high, this setting could be too relaxed (high). The port range is allocated, but CPS is so high that traffic from the new pool arrives at the Fortigate sooner than the logon carrying the event of this port-range allocation. This is exactly why there is an 80% threshold, which should cover that delay.
If there are not too many users connecting to the TS server, you may consider making a bigger one, but a single port pool per user. Say, 1x400 to keep allocation similar to the default setting. This will prevent the race effect described above from happening.
The threshold feature is controlled by the following registry-only settings:
EnablePortAllocThreshold <--- 0 to disable feature, 1 to enable feature (default)
PortAllocThreshold <--- integer value with percentage (in %, by default it is 80).
Fishbone )(
smithproxy hacker - www.smithproxy.org
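An added illustration (my own Python, not Fortinet's or TSAgent's code) of the pool model described in the post above: the 80% threshold that triggers the next pool, the headroom it leaves against the logon propagation delay, and the overlap check against the Windows dynamic port range discussed earlier in the thread. Pool sizes, CPS and delay values are constructed.

```python
# Added illustration, not TSAgent's or Fortinet's code: models the pool behaviour
# described in the thread. CPS and delay values below are constructed.

SYSTEM_DYNAMIC_RANGE = (49152, 65535)  # Windows dynamic port range (KB 832017)
DEFAULT_POOL_RANGE = (20000, 49000)    # TSAgent default Port Allocation Pool


def pool_overlaps_system_range(pool, system=SYSTEM_DYNAMIC_RANGE):
    """True if the configured Port Allocation Pool collides with the OS dynamic range."""
    lo, hi = pool
    return lo <= system[1] and hi >= system[0]


def simulate_allocation(connections, start=20000, pool_size=200, threshold_pct=80):
    """Return the (first, last) port pools allocated for one user making
    `connections` sequential connections. Each pool means one logon message
    TSAgent -> FSSO CA -> FortiGate. A new pool is requested as soon as the
    newest pool reaches threshold_pct usage; ports are still drawn from the
    oldest pool that has free ports.
    """
    threshold = pool_size * threshold_pct // 100
    pools = [[start, 0]]                                 # [first_port, ports_used]
    for _ in range(connections):
        current = next(p for p in pools if p[1] < pool_size)
        current[1] += 1
        if pools[-1][1] >= threshold:                    # 80 % of newest pool used
            pools.append([pools[-1][0] + pool_size, 0])
    return [(first, first + pool_size - 1) for first, _ in pools]


def headroom_seconds(pool_size, threshold_pct, cps):
    """Seconds of ports left in the current pool once the next pool is requested.
    With the defaults (200 ports, 80 %) 40 ports remain; at `cps` new
    connections per second they last 40 / cps seconds.
    """
    remaining = pool_size * (100 - threshold_pct) / 100
    return remaining / cps


def race_possible(pool_size, threshold_pct, cps, logon_propagation_s):
    """The race described in the post: traffic from the new pool reaches the
    FortiGate before the logon event announcing that pool."""
    return headroom_seconds(pool_size, threshold_pct, cps) < logon_propagation_s


if __name__ == "__main__":
    print(pool_overlaps_system_range(DEFAULT_POOL_RANGE))   # False: default pool is safe
    print(simulate_allocation(360))                         # three pools, three logon events
    print(race_possible(200, 80, 50, 1.0))                  # True: 0.8 s headroom < 1 s delay
    print(race_possible(400, 80, 50, 1.0))                  # False: larger pool leaves 1.6 s
```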