Identifying/editing TS Agent operating settings

The TS Agent does not have a configuration interface: its operating settings can be looked up in the registry of the server on which it is installed.

To look up/edit these TS Agent settings:

  1. Open an administrator session on the server on which the TS Agent is installed.
  2. Open the server's registry editor (regedit).

The registry holds the TS Agent driver settings and the TS Agent service settings. These settings have different locations.

TS Agent driver settings

IMPORTANT
If any changes are made to registry keys on the TS Agent's driver, the server must be restarted to apply the changes.

Location in the registry:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\StormshieldRdsDrv\Parameters

Parameter: Description/Prescribed values

ExhaustedPortAction

Action that the TS Agent applies when users no longer have any available ports in their port ranges for new connections.

  • pass (by default): the TS Agent accepts the connection, and a port from the range [EphemeralPortMin-EphemeralPortMax] is assigned to the user.

    These connections are anonymous to the firewall. Its filter policy must allow anonymous network connections with source ports that are higher than or equal to the value of the EphemeralPortMin parameter. Otherwise, the firewall will block such connections.

  • block: the TS Agent blocks the connection.

ReservedPortAction

Action that the TS Agent applies when an application attempts to use a port from the port range that is reserved for users [TotalPortsRangeLow-TotalPortsRangeHigh].

  • block (by default): the TS Agent blocks the connection, unless this port is in the port ranges that have been assigned to the user in question. If a connection is blocked, an event will be generated in the Windows Event Viewer:

    Process [...] has been blocked because it tried to use a port [...] which is reserved by the driver.

  • pass: the TS Agent accepts the connection. Changing this parameter to "pass" is considered advanced configuration, as this may cause issues with the assignment of ports on the host.

PortsPerRange

Number of ports included in each port range assigned to each user (200 by default).

  • Minimum: 50,
  • Maximum: 1000.

If the default value is unsuitable, for example, if some applications require a large number of ports in order to function, you can change the value. This will ensure that users will not run out of available ports, but reduces the maximum number of users on the TS Agent.

RangePerUser

Number of port ranges assigned to a user (2 by default).

  • Minimum: 1,
  • Maximum: 20.

If the default value is unsuitable, for example, if some applications require a large number of ports in order to function, you can change the value. This will ensure that users will not run out of available ports, but reduces the maximum number of users on the TS Agent.

ReservedSystemPorts

List of ports included in the range [TotalPortsRangeLow-TotalPortsRangeHigh] that must be reserved for the operation of the system. These ports cannot be assigned to any user.

Several strings can be defined, by following the "[aaaaa-bbbbb]" format. For example:

  • To reserve port 20025: [20025-20025]
  • To reserve the port range [20025-20358]: [20025-20358]

The following ports are reserved by default:

[1303-1303]
[3389-3389]
[5353-5353]
[5355-5355]

You can run a script that analyzes any ports that may be in conflict with the TS Agent and adds them to this setting. For further information, refer to the section Appendix: Using script to configure ports that are reserved for system operations.

NOTE
When a port is added to this list, the entire port range (PortsPerRange setting) that contains this port will be reserved.

TcpTimedWaitDelay

Time in seconds between the closure of a connection and when the associated port is available again (120 by default).

  • Minimum: 30,
  • Maximum: 300.

The value must match the one used by the Windows server under the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip (120 by default). Ensure that you use the same value for both parameters.

TotalPortsRangeLow

Lower limit of the port range that is reserved for users (20000 by default).

  • Minimum: 1024.

If you lower this value, ensure that the ports in the new range are not being used by other applications. You can reserve ports for the operation of the system with the parameter ReservedSystemPorts.

TotalPortsRangeHigh

Upper limit of the port range that is reserved for users (49151 by default).

  • Maximum: 65535.

If you raise this value, ensure that no dynamic Windows port ranges overlap the new port range that is reserved for users. Use the following command to check whether this is the case:

netsh int <ipv4|ipv6> show dynamicport <tcp|udp>

NOTE
The TS Agent's driver manages only one port range.

MaximumNumberRequests

Number of requests that can be processed simultaneously by the driver (512 by default). Adjust this value according to the memory capacity on the server.

  • Minimum: 1,
  • Maximum: 65535.

A value of 0 disables the limit on the number of simultaneous requests. You are strongly advised against disabling this limit, as it may cause overconsumption of memory on the RDS/Citrix server.
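
The driver settings above can be checked in one pass. The following PowerShell script is an added example, not part of the original documentation or of Stormshield's tooling: it reads the driver key, compares each numeric value with the documented limits, and estimates how many users the configured port range can serve. It assumes that a missing registry value means the documented default applies, and its capacity formula is an estimate that does not subtract ranges consumed by ReservedSystemPorts.

```powershell
# Added example: audit the TS Agent driver settings against the documented limits.
$key = 'HKLM:\SYSTEM\CurrentControlSet\Services\StormshieldRdsDrv\Parameters'
$p   = Get-ItemProperty -Path $key -ErrorAction Stop

# Documented defaults and limits. TotalPortsRangeLow has no documented maximum and
# TotalPortsRangeHigh no documented minimum; 65535 and 1024 are assumed here.
# MaximumNumberRequests accepts 0 (limit disabled), which is flagged separately.
$spec = [ordered]@{
    PortsPerRange         = @{ Default = 200;   Min = 50;   Max = 1000  }
    RangePerUser          = @{ Default = 2;     Min = 1;    Max = 20    }
    TcpTimedWaitDelay     = @{ Default = 120;   Min = 30;   Max = 300   }
    TotalPortsRangeLow    = @{ Default = 20000; Min = 1024; Max = 65535 }
    TotalPortsRangeHigh   = @{ Default = 49151; Min = 1024; Max = 65535 }
    MaximumNumberRequests = @{ Default = 512;   Min = 0;    Max = 65535 }
}
$v = @{}; $findings = @()
foreach ($name in $spec.Keys) {
    # Assumption: a value missing from the key means the documented default applies.
    $v[$name] = if ($null -ne $p.$name) { [int]$p.$name } else { $spec[$name].Default }
    if ($v[$name] -lt $spec[$name].Min -or $v[$name] -gt $spec[$name].Max) {
        $findings += "$name=$($v[$name]) is outside [$($spec[$name].Min)-$($spec[$name].Max)]"
    }
}
if ($v.MaximumNumberRequests -eq 0) {
    $findings += 'MaximumNumberRequests=0 disables the limit on simultaneous requests'
}
if ($p.ReservedPortAction -eq 'pass') {
    $findings += 'ReservedPortAction=pass: applications may use ports reserved for users'
}
if ($p.ExhaustedPortAction -ne 'block') {
    $findings += 'ExhaustedPortAction is not block: overflow connections are anonymous to the firewall'
}
# Windows keeps its own TcpTimedWaitDelay under Tcpip\Parameters; both must match.
$tcpip = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
$winDelay = if ($null -ne $tcpip.TcpTimedWaitDelay) { [int]$tcpip.TcpTimedWaitDelay } else { 120 }
if ($winDelay -ne $v.TcpTimedWaitDelay) {
    $findings += "TcpTimedWaitDelay differs: driver=$($v.TcpTimedWaitDelay), Windows=$winDelay"
}
# Upper-bound estimate (assumption): whole ranges in the user port range, divided
# by ranges per user; ranges consumed by ReservedSystemPorts are not subtracted.
$ranges = [math]::Floor(($v.TotalPortsRangeHigh - $v.TotalPortsRangeLow + 1) / [math]::Max(1, $v.PortsPerRange))
[pscustomobject]@{
    PortsPerUser      = $v.PortsPerRange * $v.RangePerUser
    EstimatedMaxUsers = [math]::Floor($ranges / [math]::Max(1, $v.RangePerUser))
    Findings          = $findings
}
```

Run it from an elevated PowerShell session on the RDS/Citrix server; an empty Findings list means every checked value is within the documented limits.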

TS Agent service settings

IMPORTANT
If any changes are made to registry keys on the TS Agent's service, the "Stormshield-rds-service" service has to be restarted to apply the changes.

Location in the registry:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\stormshield-rds-service\Parameters

Parameter: Description

PSK

Pre-shared key for exchanges with the firewall. This key is entered when the TS Agent is installed.

NOTE
Edit this value if the pre-shared key is changed on the firewall.

EphemeralPortMin

Lower limit of the range of additional ports that can be assigned to users (49152 by default). This limit is used when users no longer have any available ports in their port ranges (ExhaustedPortAction parameter set to "pass").

  • Minimum: 1,
  • Maximum: 65535.

If you edit this value, ensure that the port range [EphemeralPortMin-EphemeralPortMax] covers all dynamic Windows port ranges. Use the following command to check whether this is the case:

netsh int <ipv4|ipv6> show dynamicport <tcp|udp>

NOTE
The TS Agent's service sends only one port range to the driver.

EphemeralPortMax

Upper limit of the range of additional ports that can be assigned to users (65535 by default). This limit is used when users no longer have any available ports in their port ranges (ExhaustedPortAction parameter set to "pass").

  • Minimum: 1,
  • Maximum: 65535.

If you edit this value, ensure that the port range [EphemeralPortMin-EphemeralPortMax] covers all dynamic Windows port ranges. Use the following command to check whether this is the case:

netsh int <ipv4|ipv6> show dynamicport <tcp|udp>

NOTE
The TS Agent's service sends only one port range to the driver.

LogLevel

Log level (verbosity) for communications between the TS Agent and the firewall.

These logs can be looked up in the Windows Event Viewer of the server on which the TS Agent is installed.

  • Level 1: errors only,
  • Level 2: errors and information (by default),
  • Level 3: errors, information and debug.

ServerPort

Communication port with the firewall (TCP/1303 by default). The default port corresponds to the predefined network object agent_ts on the firewall.

NOTE
Edit this value if the connection port declared on the firewall is different from the object agent_ts (TCP/1303).

SNS Timeout

Waiting time in seconds before the TS Agent considers the firewall unreachable (2 by default). Once this duration expires, the TS Agent ends the communication with the firewall. It then saves all information regarding authenticated users and forwards it to the firewall when it manages to restore the connection with the TS Agent.

  • Minimum: 0,
  • Maximum: 60.
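
The dynamic port checks requested for TotalPortsRangeHigh, EphemeralPortMin and EphemeralPortMax can be automated around the netsh command shown above. The following PowerShell script is an added example, not part of the original documentation: for each IP family and protocol it reports whether the Windows dynamic port range overlaps the range reserved for users and whether it is covered by [EphemeralPortMin-EphemeralPortMax]. It assumes that a missing registry value means the documented default applies and that netsh prints the start port before the number of ports; the helper Get-Setting is a hypothetical name introduced here.

```powershell
# Added example: compare the TS Agent port ranges with the Windows dynamic port ranges.
$drv = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\StormshieldRdsDrv\Parameters'
$svc = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\stormshield-rds-service\Parameters'

# Hypothetical helper. Assumption: an absent value means the documented default applies.
function Get-Setting($props, $name, $default) {
    if ($null -ne $props.$name) { [int]$props.$name } else { $default }
}
$userLow  = Get-Setting $drv 'TotalPortsRangeLow'  20000
$userHigh = Get-Setting $drv 'TotalPortsRangeHigh' 49151
$ephMin   = Get-Setting $svc 'EphemeralPortMin'    49152
$ephMax   = Get-Setting $svc 'EphemeralPortMax'    65535

$report = foreach ($family in 'ipv4', 'ipv6') {
    foreach ($proto in 'tcp', 'udp') {
        # Assumption: netsh prints the start port first and the number of ports second,
        # each after a colon; matching digits only avoids depending on localized labels.
        $nums = @(netsh int $family show dynamicport $proto |
            Select-String -Pattern ':\s*(\d+)\s*$' |
            ForEach-Object { [int]$_.Matches[0].Groups[1].Value })
        if ($nums.Count -lt 2) {
            Write-Warning "Could not parse netsh output for $family/$proto"
            continue
        }
        $start = $nums[0]
        $end   = $start + $nums[1] - 1
        [pscustomobject]@{
            Family             = $family
            Protocol           = $proto
            DynamicRange       = "$start-$end"
            # Must be False: dynamic ports must not overlap the range reserved for users.
            OverlapsUserRange  = ($start -le $userHigh -and $end -ge $userLow)
            # Must be True: the ephemeral range must cover every dynamic range.
            CoveredByEphemeral = ($ephMin -le $start -and $ephMax -ge $end)
        }
    }
}
$report | Format-Table -AutoSize
```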