Install and Configure the TS Agent

Install or Upgrade the TS Agent

Before you begin

Procedure


Step 1

Log in to your server as a user with Administrator privileges.

Step 2

Download the TS agent package from the Support site: TSAgent-1.3.0.exe.

Note

 

Download the update directly from the site. If you transfer the file by email, it might become corrupted.

Step 3

Right-click TSAgent-1.3.0.exe and choose Run as Administrator.

Step 4

Click Install and follow the prompts to install or upgrade the TS agent.

You are required to reboot the computer before you can use the TS agent.

What to do next


Note


If the TS agent installer reports that the .NET Framework failed, run Windows Update and try installing the TS agent again.


Start the TS Agent Configuration Interface


If there is a TS agent shortcut on your desktop, double-click on the shortcut. Otherwise, use the following procedure to launch the TS agent configuration interface.

Procedure


Step 1

Log in to your server as a user with Administrator privileges.

Step 2

Open C:\Program Files (x86)\Cisco\Terminal Services Agent.

Step 3

View the program files for the TS agent.

Note

 

The program files are view-only. Do not delete, move, or modify these files.

Step 4

Double-click the TSAgentApp file to start the TS agent.


Configure the TS Agent

Use the TS agent interface to configure the TS agent. You must save your changes and reboot the server for your changes to take effect.

Before you begin

  • If you are connecting to the System, configure and enable one or more Active Directory realms targeting the users your server is monitoring, as described in the Cisco Secure Firewall Management Center Configuration Guide.

  • If you are connecting to the System, configure a user account with REST VDI privileges.

    You must create the REST VDI role in the management center as discussed in Creating the REST VDI Role.

  • If you are already connected to the System and you are updating your TS agent configuration to connect to a different management center, you must end all current user sessions before saving the new configuration. For more information, see Ending a Current User Session.

  • Synchronize the time on your TS agent server with the time on your System.

  • Review and understand the configuration fields, as described in TS Agent Configuration Fields.

Procedure


Step 1

On the server where you installed the TS agent, start the TS agent as described in Start the TS Agent Configuration Interface.

Step 2

Click Configure.

Step 3

Navigate to the General settings section of the tab page.

Step 4

Enter a Max User Sessions value.

Step 5

Choose the Server NIC to use for port translation and communications.

If the server's IP address changes later, you are prompted to save the configuration and reboot the server to make the change effective.

Step 6

Enter System Ports and User Ports values. In a valid configuration, the system and user port ranges do not overlap.

Step 7

Enter Reserve Port(s) values as a comma-separated list.

Reserve Port(s) is automatically populated with expected values for the Citrix MA Client (2598), Citrix Provisioning (6910), and Windows Terminal Server (3389) ports. You must exclude the Citrix MA Client and Windows Terminal Server ports.

If you're using Citrix Provisioning and you're upgrading from an earlier TS agent version, you must enter 6910 in this field.

Step 8

Navigate to the REST API Connection settings section of the tab.

Step 9

Enter Hostname/IP Address and Port values.

The management center requires Port 443.

Step 10

Enter the Username and Password.

Step 11

Optionally, repeat steps 9 and 10 in the second row of fields to configure a standby (failover) connection.

Step 12

Click Test to test the REST API connection between the TS agent and the system.

If you have a primary and secondary management center configured, the test connection to the secondary fails. This is expected behavior. The TS agent communicates with the active management center at all times. If the primary fails over and becomes the inactive management center, the TS agent communicates with the secondary (now active) management center.

Step 13

Click Save and confirm that you want to reboot the server.


TS Agent Configuration Fields

The following fields are used to configure the settings on a TS agent.

General Settings

Table 1. General Settings Fields

Field: Reserve Port(s)

Description: The port(s) you want the TS agent to ignore. Enter the ports you want to exclude as a comma-separated list.

The TS agent automatically populates Reserve Port(s) with default port values for the Citrix MA Client (2598), Citrix Provisioning (6910), and Windows Terminal Server (3389). If you do not exclude the proper ports, applications requiring those ports might fail.

The value you specify in the TS agent Reserve Port(s) field must match one of the Citrix Provisioning First and Last UDP port numbers.

Caution

Failure to specify the correct port will cause clients to fail to boot.

Note

If a process on your server is using or listening on a port that is not in your System Ports range, you must manually exclude that port using the Reserve Port(s) field.

Note

If there is a client application installed on your server and the application is configured to bind to a socket using a specific port number, you must use the Reserve Port(s) field to exclude that port from translation.

Example: Typically one of the following:

  • 2598,3389 (the Citrix MA Client and Windows Terminal Server ports)

  • 2598,3389,6910 (the Citrix MA Client, Windows Terminal Server, and Citrix Provisioning ports)

Field: Max User Sessions

Description: The maximum number of user sessions you want the TS agent to monitor. A single user can run several user sessions at a time.

This version of the TS agent supports 29 user sessions by default, up to a maximum of 199 user sessions.

Example: 29 (the maximum supported value in this version of the TS agent)

Field: Server NIC

Description: This version of the TS agent supports using a single network interface controller (NIC) for port translation and server-system communications. If two or more valid NICs are present on your server, the TS agent performs port translation only on the address you specify during configuration.

The TS agent automatically populates this field with the IPv4 address and/or IPv6 address for each NIC on the server where the TS agent is installed. A valid NIC must have a single IPv4 or IPv6 address, or one of each type; a valid NIC cannot have multiple addresses of the same type.

Note

If the server's IP address changes, you are prompted to save the configuration and reboot the server to make the change effective.

Note

You must disable router advertisement messages on any devices connected to your server. If router advertisements are enabled, the devices may assign multiple IPv6 addresses to NICs on your server and invalidate the NICs for use with the TS agent.

Example: Ethernet 2 (192.0.2.1) (a NIC on your server)

Field: System Ports

Description: The port range you use for system processes. The TS agent ignores this activity. Configure a Start port to indicate where you want to begin the range. Configure a Range value to indicate the number of ports you want to designate for each individual system process.

Cisco recommends a Range value of 5000 or more. If you notice the TS agent frequently runs out of ports for system processes, increase your Range value.

Note

If a system process requires a port that falls outside your designated System Ports, add the port to the Exclude Port(s) field. If you do not identify a port used by system processes in the System Ports range or exclude it, system processes might fail.

The TS agent automatically populates the End value using the following formula:

( [Start value] + [Range value] ) - 1

If your entries cause the End value to exceed the Start value of User Ports, you must adjust your Start and Range values.

Example: Start set to 10000 and Range set to 5000

Field: User Ports

Description: The port range you want to designate for users. Configure a Start port to indicate where you want to begin the range. Configure a Range value to indicate the number of ports you want to designate for TCP or UDP connections in each individual user session.

Note

ICMP traffic is passed without being port mapped.

Cisco recommends a Range value of 1000 or more. If you notice the TS agent frequently runs out of ports for user traffic, increase your Range value.

Note

When the number of ports used exceeds the value of Range, user traffic is blocked.

The TS agent automatically populates the End value using the following formula:

[Start value] + ( [Range value] * [Max User Sessions value] ) - 1

If your entries cause the End value to exceed 65535, you must adjust your Start and Range values.

Example: Start set to 15000 and Range set to 1000

Field: Ephemeral Ports

Description: Enter a range of ephemeral ports (also referred to as dynamic ports) to allow the TS agent to monitor.

Example: Start set to 49152 and Range set to 16384

Field: Unknown Traffic Communication

Description: Check Permit to allow the TS agent to permit traffic over System ports; however, the TS agent does not track port usage. System ports are used by the Local System account or other local user accounts. (A local user account exists only on the TS agent server; it has no corresponding Active Directory account.) You can choose this option to permit the following types of traffic:

  • Permit traffic run by the Local System account (such as Server Message Block (SMB)) instead of being blocked. The management center identifies this traffic as coming from the Unknown user because the user does not exist in Active Directory.

    Enabling this option also enables you to successfully test the connection with the management center if you log in to the TS agent server using a local system account.

  • When a user or system session exhausts all available ports in its range, the TS agent allows the traffic over ephemeral ports. This option enables the traffic; the management center identifies the traffic as coming from the Unknown user.

    This is especially useful when System ports are needed for keeping the system healthy, such as domain controller updates, authentications, Windows Management Interface (WMI) queries, and so on.

Uncheck to block traffic on system ports.

Example: n/a
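The End-value formulas and range rules from Table 1 can be checked before the values are typed into the interface. The following is an added example, not Cisco code: the class and function names are hypothetical, the port values come from the Example column, and the list of listening ports is a constructed sample.

```python
from dataclasses import dataclass

MAX_PORT = 65535
MAX_SESSIONS = 199  # upper bound stated in the Max User Sessions description


@dataclass
class TsAgentPorts:
    system_start: int
    system_range: int
    user_start: int
    user_range: int         # ports per individual user session
    max_user_sessions: int
    reserve_ports: str      # comma-separated, as entered in Reserve Port(s)

    @property
    def system_end(self) -> int:
        # ( [Start value] + [Range value] ) - 1
        return self.system_start + self.system_range - 1

    @property
    def user_end(self) -> int:
        # [Start value] + ( [Range value] * [Max User Sessions value] ) - 1
        return self.user_start + self.user_range * self.max_user_sessions - 1

    def reserved(self) -> set:
        return {int(p) for p in self.reserve_ports.split(",") if p.strip()}

    def problems(self) -> list:
        found = []
        if not 1 <= self.max_user_sessions <= MAX_SESSIONS:
            found.append("Max User Sessions out of range")
        if self.user_end > MAX_PORT:
            found.append(f"User Ports End {self.user_end} exceeds {MAX_PORT}")
        if max(self.system_start, self.user_start) <= min(self.system_end, self.user_end):
            found.append("System Ports and User Ports overlap")
        return found

    def unreserved_listeners(self, listening: list) -> list:
        """Listening ports outside System Ports that are missing from Reserve Port(s)."""
        keep = self.reserved()
        return sorted(p for p in set(listening)
                      if not self.system_start <= p <= self.system_end and p not in keep)


# Values from the Example column of Table 1; 29 sessions is the stated default.
cfg = TsAgentPorts(10000, 5000, 15000, 1000, 29, "2598,3389, 6910")
# Constructed sample of ports with listeners on the server (not from the page).
sample_listeners = [3389, 2598, 12000, 8443]

if __name__ == "__main__":
    print(cfg.system_end, cfg.user_end, cfg.problems())
    print("add to Reserve Port(s):", cfg.unreserved_listeners(sample_listeners))
```

With the example values, System Ports ends at 14999 and User Ports at 43999, so the ranges do not overlap; port 8443 in the sample is the only listener that would still need to be added to Reserve Port(s).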

REST API Connection Settings

You can configure a connection to a primary and, optionally, a standby (failover) system appliance:

  • If your system appliance is standalone, leave the second row of REST API Connection fields blank.

  • If your system appliance is deployed with a standby (failover) appliance, use the first row to configure a connection to the primary appliance and the second row to configure a connection to the standby (failover) appliance.

Table 2. REST API Connection Settings Fields

Field: Hostname/IP Address

Description: The hostname or IP address for the system appliance.

Example: 192.0.2.1

Field: Port

Description: The port the system uses for REST API communications. (The management center typically uses port 443.)

Example: 443

Field: Username and Password

Description: The credentials for the connection.

  • The System requires a username and password for a user with REST VDI privileges on the management center. For more information about configuring this user, see the Cisco Secure Firewall Management Center Configuration Guide.

Example: n/a

Creating the REST VDI Role

To connect the TS agent to the management center, your user must have the REST VDI role. The REST VDI role is not defined by default. You must create the role and assign it to any user that is used in the TS agent configuration.

For more information about users and roles, see the Cisco Secure Firewall Management Center Configuration Guide.

Procedure


Step 1

Log in to the management center as a user with permissions to create roles.

Step 2

Click System > Users.

Step 3

Click the User Roles tab.

Step 4

On the User Roles tab page, click Create User Role.

Step 5

In the Name field, enter REST VDI.

The role name is not case-sensitive.

Step 6

In the Menu-Based Permissions section, check REST VDI and make sure Modify REST VDI is also checked.

Step 7

Click Save.

Step 8

Assign the role to the user that is used in the TS agent configuration.