FortiGate
Debbie_FTNT
Staff
Article Id 197113

Description
This article describes how to add applications to an exempt list in the Terminal Server (TS) Agent so that traffic from those applications does not use the user-allocated port range.

Solution
From FSSO version 5.0.0293 (version 5.0.0294 was released with FortiOS 6.4.3 and 6.2.6), Terminal Server Agents support the option of exempting specific applications from port allocation.
This can be done by adding a registry key and pointing it to the proper application names.

The names entered must match the names of the processes that open the TCP/UDP sockets.
These can be checked with commands such as 'netstat'.


To add applications:

1) Shut down the TS Agent service (Win+R, services, scroll down to 'Fortinet SSO Terminal Server Agent', right-click, Stop).
2) Open registry (Win+R, regedit).
3) Go to Computer\HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Fortinet\FSAE\TSAgent
4) Select an empty section and select New -> String Value.
5) Name it 'IgnoreAppList'.
6) Select the new entry, and select 'Modify'.
7) Add the executables to be ignored (for example atrium.exe or firefox.exe), separated with a semicolon.
8) Start the service again (Win+R, services, scroll down to 'Fortinet SSO Terminal Server Agent', right-click, Start).



 
 
Note on netstat.
 
To use it, proceed as follows:
Open a Command Prompt in Windows with administrative privileges.

-> In the search bar, type 'cmd', right-click the result and select 'Run as administrator'.
-> Type 'netstat -anb'.
-> This lists the open TCP and UDP ports, along with the associated applications.
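
The eight steps above and the netstat name check, scripted in PowerShell as an added example (not Fortinet's own script). It assumes an elevated session, that the Get-NetTCPConnection and Get-NetUDPEndpoint cmdlets are available, and that any existing IgnoreAppList value should be merged rather than replaced; the executable names are the article's samples.

```powershell
#Requires -RunAsAdministrator
# Added example: scripted form of steps 1-8 plus the netstat-style name check.
$KeyPath     = 'HKLM:\SOFTWARE\WOW6432Node\Fortinet\FSAE\TSAgent'  # step 3
$ValueName   = 'IgnoreAppList'                                     # step 5
$DisplayName = 'Fortinet SSO Terminal Server Agent'                # steps 1 and 8
$Exempt      = @('atrium.exe', 'firefox.exe')                      # sample names from step 7

# Entries must be bare process image names: no path and no embedded semicolon.
foreach ($name in $Exempt) {
    if ($name -notmatch '^[^\\/:;]+\.exe$') { throw "Not a bare executable name: $name" }
}
if (-not (Test-Path $KeyPath)) { throw "TS Agent registry key not found: $KeyPath" }
$svc = Get-Service -DisplayName $DisplayName -ErrorAction Stop

# Equivalent of reading 'netstat -anb': names of processes that currently own sockets.
# Get-Process reports names without the extension, so '.exe' is appended for comparison.
$owners = @(Get-NetTCPConnection | ForEach-Object OwningProcess) +
          @(Get-NetUDPEndpoint   | ForEach-Object OwningProcess) | Sort-Object -Unique
$socketNames = Get-Process -Id $owners -ErrorAction SilentlyContinue |
    ForEach-Object { "$($_.ProcessName).exe" } | Sort-Object -Unique
foreach ($name in $Exempt) {
    if ($socketNames -notcontains $name) {
        Write-Warning "$name owns no socket right now; check the spelling or start the application."
    }
}

# Assumption: merge with any value already present so existing exemptions are kept.
$current = (Get-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction SilentlyContinue).$ValueName
$merged  = @("$current" -split ';') + $Exempt |
    ForEach-Object { $_.Trim() } | Where-Object { $_ } | Sort-Object -Unique

Stop-Service -InputObject $svc                      # step 1
try {
    # Steps 4-7: create or overwrite the string value with a semicolon-separated list.
    New-ItemProperty -Path $KeyPath -Name $ValueName -PropertyType String `
        -Value ($merged -join ';') -Force | Out-Null
}
finally {
    Start-Service -InputObject $svc                 # step 8, also runs if the write fails
}
# Show the stored value for review.
Get-ItemProperty -Path $KeyPath -Name $ValueName | Select-Object $ValueName
```

The warning only reflects sockets open at the moment the script runs, so an application that is not started yet will be flagged even when its name is spelled correctly.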



