Identity source: TS agent

To use the TS Agent as an identity source for user awareness and user control, install and configure the TS Agent software as discussed in the Terminal Services (TS) Agent guides.

What to do next:

Terminal services agent identity source

The TS Agent is a passive authentication method and one of the authoritative identity sources supported by the system. A Windows Terminal Server performs the authentication, and the TS Agent reports it to a standalone or high availability .

TS agent functionality

When installed on Windows Terminal Servers, the TS Agent assigns a unique port range to individual users as they log in or log out of a monitored network. The Secure Firewall Management Center uses the unique port to identify individual users in the system. You can use one TS Agent to monitor user activity on one Windows Terminal Server and send encrypted data to a Secure Firewall Management Center.

The TS Agent does not report failed login attempts. The data gained from the TS Agent can be used for user awareness and user control.

Best practices for TS agent configuration

Configure the TS Agent on a Windows Terminal Server to monitor user activity and identity realms. The TS Agent enables user awareness in the Secure Firewall Management Center.

  • Install and configure the TS Agent on a Windows Terminal Server.

  • Configure one or more identity realms targeting the users your server is monitoring.

TS Agent data is visible in the Users, User Activity, and Connection Event tables and can be used for user awareness and user control. For detailed information about the multi-step TS Agent installation and configuration and a complete discussion of the server and system requirements, see the Terminal Services (TS) Agent guides.


Note: If the TS Agent monitors the same users as another passive authentication identity source (ISE/ISE-PIC), the Secure Firewall Management Center prioritizes the TS Agent data. If the TS Agent and another passive identity source report activity by the same IP address, only the TS Agent data is logged to the Secure Firewall Management Center.


Troubleshoot the TS agent identity source

This reference provides troubleshooting guidance for TS Agent integration issues with the Secure Firewall Management Center. It addresses synchronization requirements, user data prioritization, and activity logging for overlapping passive identity sources.

For other related troubleshooting information, see Troubleshoot realms and user downloads and Troubleshoot user control.

If you experience issues with the TS Agent integration, check:

  • You must synchronize the time on your TS Agent server with the time on the Secure Firewall Management Center.

  • If the TS Agent monitors the same users as another passive authentication identity source (ISE/ISE-PIC), the Secure Firewall Management Center prioritizes the TS Agent data. If the TS Agent and a passive identity source report activity by the same IP address, only the TS Agent data is logged to the Secure Firewall Management Center.

  • Active FTP sessions are displayed as the Unknown user in events. This is normal because, in active FTP, the server (not the client) initiates the connection and the FTP server should not have an associated user name. For more information about active FTP, see RFC 959.

For more troubleshooting information, see the Terminal Services (TS) Agent guides.
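The following simplified model of port-based user attribution ties together the port-range behaviour described under "TS agent functionality" and the time-synchronization and active FTP items in the checklist above. It is an added example, not Cisco code; the IP addresses, port ranges, timestamps, and the names LEASES and attribute are constructed for illustration.

```python
# Simplified model (assumption): each logged-in user holds a port range on the
# terminal server for the lifetime of the session, and a connection event is
# attributed by matching initiator IP, source port and timestamp.

TS_SERVER_IP = "192.0.2.10"    # constructed: monitored Windows Terminal Server
FTP_SERVER_IP = "198.51.100.7" # constructed: external FTP server

# (user, first_port, last_port, login_ts, logout_ts) on the TS server clock.
# Constructed data: alice logs out at t=2000, bob reuses her range at t=2030.
LEASES = [
    ("alice", 5000, 5199, 1000, 2000),
    ("bob",   5000, 5199, 2030, 3000),
    ("carol", 5200, 5399, 1500, 3000),
]

def attribute(initiator_ip, src_port, event_ts):
    """Return the user owning src_port at event_ts, or "Unknown"."""
    # Only connections initiated from the terminal server carry a user's port.
    # An active FTP data connection is initiated by the FTP server, so no
    # lease can match it.
    if initiator_ip != TS_SERVER_IP:
        return "Unknown"
    for user, first, last, login, logout in LEASES:
        if first <= src_port <= last and login <= event_ts < logout:
            return user
    return "Unknown"

if __name__ == "__main__":
    true_ts = 1990  # alice opens a connection 10 s before she logs out
    print("clocks in sync :", attribute(TS_SERVER_IP, 5050, true_ts))
    # Event stamped by a clock running 20 s ahead: falls between sessions.
    print("20 s clock skew:", attribute(TS_SERVER_IP, 5050, true_ts + 20))
    # Event stamped by a clock running 60 s ahead: lands in bob's session.
    print("60 s clock skew:", attribute(TS_SERVER_IP, 5050, true_ts + 60))
    # Active FTP: the FTP server is the initiator of the data connection.
    print("active FTP data:", attribute(FTP_SERVER_IP, 20, true_ts))
```

In this model, a one-minute clock difference is enough to attribute alice's traffic to bob once the port range has been reused.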

History for TS agent

This reference provides the historical development timeline and version information for the TS Agent feature, including compatibility details and feature introductions across different Firepower Management Center and Threat Defense versions.

Feature: TS Agent for user control.

Minimum Firewall Management Center: 7.2.0

Minimum Firewall Threat Defense: 6.2.0

Details: Feature introduced. Firepower now provides the ability to better identify individual users in shared environments, such as Citrix's Virtual Desktop Infrastructure (VDI), to accurately enforce user-based policy rules on the firewall. Users are identified by ports used.

The TS Agent software is updated independently of the Firepower Management Center. For more information, see: