04-03-2017 07:29 AM - edited 03-12-2019 06:21 AM
Hi!
We have a Cisco ASA 5515-X (ver.9.7(1)) with FirePower services (6.2.0 (build 362)).
Also, some of our users work on a terminal server (Windows Server 2012 R2 Standard x64) and some users work locally.
We have installed the Terminal Services (TS) Agent on our terminal server.
On FirePower we use passive authentication through an MS AD Realm and active authentication as a backup authentication method.
When our users log in on their local PCs, passive authentication works well and we can see "username-to-IP address" bindings in FP Management Center (Analysis->Users->User Activity).
When our users log in on the terminal server, we can see "username-to-port range" bindings in the Terminal Services (TS) Agent. But if we go to FP Management Center (Analysis->Users->User Activity), we see "username-to-IP address" bindings there, but no port ranges are allocated for each user. As a result, all traffic from the terminal server to the Internet is initiated (and logged) from the user who last logged in to the terminal server.
We also tested connectivity (the "Test" button in TS Agent) from the Terminal Services (TS) Agent to FP Management Center and it looks good. Moreover, we see TLS1.2 traffic in both directions between the Terminal Services (TS) Agent and FP Management Center in WireShark when a new user logs in to the terminal server.
Why are no port ranges in FP Management Center associated with users who work from the terminal server?
Screen in attachment.
05-01-2017 10:31 AM
Any luck in resolving this issue? I am seeing the same results. Thank you.
05-04-2017 01:53 AM
Hi, Steve!
Yes. The Terminal Services (TS) Agent on the terminal server must be installed NOT from a terminal session, but locally (you must be logged in to the terminal server locally with administrator rights). Plus, no other users must be logged in to the terminal server while the TS Agent installation is in progress.