Hi
We have recently deployed a FortiGate with OS version 6.0.0272-6325 and we plan to deploy TS Agent on our Citrix XenDesktop servers, which run Windows Server 2016.
All domain controllers have DC Agent installed.
The Collector Agent is installed on one of the domain-joined application servers.
The mode is set to DC Agent mode rather than Polling mode.
AD access mode is set to advanced.
LDAP is configured.
We have some issues installing TS Agent on our Citrix servers.
1. First we need to run the command lines below to modify the dynamic port ranges:
"netsh int ipv4 set dynamicport tcp start=49152 num=16384"
"netsh int ipv4 set dynamicport udp start=49152 num=16384"
Our Citrix servers seem to frequently hang/freeze after issuing these command lines; when we revert the change we do not see this issue.
Is it common that for Windows 2016 we need to change these dynamic port ranges? And is anyone having the issue above?
2. Even with the command lines above issued, when we check the log of the TS Agent on the Citrix server we frequently see this:
11-20-2019 03:54:44 [00001534] Terminal Server Agent is starting..., version: 5.0.0276
11-20-2019 03:54:44 [00001534] WFP driver installed
11-20-2019 03:54:44 [00001534] Failed to read no_keepalive
11-20-2019 03:54:44 [00001604] failed to add session 0
11-20-2019 03:54:44 [00001604] failed to add session 1
11-20-2019 03:54:44 [00001604] failed to add session 65536
11-20-2019 03:54:44 [00001604] failed to add session 65537
11-20-2019 03:54:44 [00001604] failed to add session 65538
11-20-2019 03:54:44 [00001604] failed to add session 65539
11-20-2019 03:54:44 [00001604] failed to add session 65540
Our Citrix servers do not have any antivirus, and have a single NIC and a single default gateway (pointing to the Fortinet firewall).
3. In the TS Agent settings on the Citrix server, should we leave the Host IP address field blank?
4. A ticket is logged with Fortinet, but they are painfully slow to respond and classify this as P4.
Hi hwle,
I am a bit surprised the servers hang already on the netsh commands. Isn't the real problem somewhere else? Maybe the dynamic pool is too small, or maybe the rest for the system is too small. It would be good to investigate. Have a look at the number of open connections before you run netsh and modify the ephemeral port pool. Subsequent tsagent failures may be impacted by the same thing.
Just an idea.
Fishbone)(
smithproxy hacker - www.smithproxy.org
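Added example, not part of the post above or of any Fortinet tooling: a PowerShell check for the suggestion to look at open connections before changing the ephemeral port pool. It reads the configured TCP dynamic range and reports how many ports in it are occupied, by state and by process. It assumes the NetTCPIP cmdlets that ship with Windows Server 2016; the `$Top` parameter is hypothetical.

```powershell
# Added example (not from the original thread): dynamic port range utilisation.
param(
    [int]$Top = 5   # hypothetical parameter: number of busiest processes to list
)

# Read the configured dynamic range; setting templates without a value are skipped.
$setting = Get-NetTCPSetting |
    Where-Object { $_.DynamicPortRangeStartPort -gt 0 } |
    Select-Object -First 1
if (-not $setting) { throw "Could not read the TCP dynamic port range." }

$start = [int]$setting.DynamicPortRangeStartPort
$count = [int]$setting.DynamicPortRangeNumberOfPorts
$end   = $start + $count - 1

# TCP endpoints whose local port falls inside the dynamic range.
$conns = @(Get-NetTCPConnection |
    Where-Object { $_.LocalPort -ge $start -and $_.LocalPort -le $end })

# Distinct local ports in use, so a port is counted once however many peers it has.
$used = @($conns | Select-Object -ExpandProperty LocalPort -Unique).Count
$pct  = [math]::Round(100 * $used / $count, 1)

"Dynamic TCP range : $start-$end ($count ports)"
"Ports in use      : $used ($pct %)"

# Breakdown by TCP state; a large TimeWait share points to connection churn.
$conns | Group-Object State |
    Sort-Object Count -Descending |
    Format-Table Name, Count -AutoSize

# Processes holding the most ports in the range.
$conns | Group-Object OwningProcess |
    Sort-Object Count -Descending |
    Select-Object -First $Top |
    ForEach-Object {
        $p = Get-Process -Id $_.Name -ErrorAction SilentlyContinue
        [pscustomobject]@{
            PID     = $_.Name
            Process = if ($p) { $p.ProcessName } else { '(exited)' }
            Ports   = $_.Count
        }
    } | Format-Table -AutoSize
```

Running it once before and once after the netsh change, under normal user load, gives two figures that can be compared directly.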
Thanks Fishbone
I have somehow made the TS Agent work properly.
I installed the DC Agent as well on our domain controllers and selected DC Agent mode rather than Polling mode.
Both Citrix servers and domain controllers now seem to report logon details to the FortiGate unit correctly.
I then created the security policy which specifies that the SSO group users are able to access the internet (all web traffic).
LDAP has been configured and tested successfully.
I then checked the Monitor traffic session in the firewall but don't see any detailed traffic.
Am I missing anything?