Did you say DCs were at different sites? Was the Websense at the same site as the only DC it could find? No replication errors in the DC, I'm assuming, either.
On Fri, Jul 17, 2009 at 8:32 AM, John Hornbuckle < [email protected]> wrote:
> Just for testing, we gave the account that runs the DC Agent service domain
> admin rights. It made no difference, though.
>
> -----Original Message-----
> From: Tim Vander Kooi [mailto:[email protected]]
> Sent: Thursday, July 16, 2009 2:39 PM
> To: NT System Admin Issues
> Subject: RE: Any WebSense Gurus?
>
> Those are some REALLY old versions being referenced in that manual Bob.
> We're running v7.1 now and while the DC Agent still exists, all that is
> required for it to work is a "service" account used by the agent on the
> WebSense server with read permissions to AD.
> TVK
>
> -----Original Message-----
> From: Free, Bob [mailto:[email protected]]
> Sent: Thursday, July 16, 2009 1:26 PM
> To: NT System Admin Issues
> Subject: RE: Any WebSense Gurus?
>
> As I recall at the time it was setup several years ago, there were
> different configurations, we (the AD team) refused the one that required
> an agent on each DC running with high level privileges so it was setup
> with the DC Agent service running on the WebSense side. The agent needed
> to query each DC for session state to generate the username/IP mapping
> for its own internal db it uses for what they call "Transparent
> Identification". If it couldn't obtain that information, you were popped
> for your credentials. So it needs a list of DCs in the domain for this
> session information. There is a service to get that information from the
> directory. I believe there are a number of different configurations for
> this product depending on its role and from glancing at a manual, the
> Transparent mode is an option.
>
> From a WebSense manual:
>
> WebSense DC Agent queries each domain controller for user logon sessions
> every 10 seconds by default, obtaining the user name and workstation name
> for each logon session.
> For each logon session identified, DC Agent performs DNS lookup to resolve
> the workstation name to an IP address, and records the resulting user
> name/IP address pair.
>
> In Websense v4.4, DC Agent (Domain Controller Agent) was the backbone of
> transparent user identification.
> In Websense Enterprise v5.x, DC Agent still plays the central role, but
> also works together with User Service to provide user logon information
> to the Websense servers. The DC Agent program is installed on a Windows
> NT 4 or 2000/2003 Server machine, and runs as a Windows service. DC Agent
> can be installed on one machine, and can "discover" domains outside of its
> own domain. Multiple DC Agents can also be used; this may benefit larger
> networks. For details, see Deployment of DC Agent and Related Components
> on page 17.
> DC Agent identifies available domains and domain controllers in the
> network, and then monitors the domain controllers and associated client
> machines (workstations) for user logon sessions. Filtering Service uses
> the information provided by DC Agent to apply Internet filtering policies
> to users logged on to the network.
>
> NetBIOS and Domain Discovery
> In order for automatic domain detection to occur, NetBIOS must be enabled
> on firewalls or routers connecting virtually or physically separate
> subnets or domains. In particular, TCP port 139 (used by NetBIOS) must be
> enabled. If NetBIOS is not enabled between domains and/or subnets, then
> Filtering Service and DC Agent cannot communicate with those domains or
> subnets by default. This can occasionally be true even if those domains
> or subnets are trusted by the domain where Filtering Service resides.
> If NetBIOS port 139 is not enabled, you may want to deploy additional DC
> Agents in virtually or physically remote domains.
> There is an option to disable NetBIOS usage, if you do not want to
> enable port 139.
> See the UseNetBIOS description under Initialization Parameters on page 85
> for details.
>
> A program called XidDcAgent.exe is installed by default on the DC Agent
> machine, to the directory \Websense\bin\. This program runs as a Windows
> service, and initiates the processes that enable DC Agent to identify
> domains and monitor logon sessions. DC Agent stores domain information to
> the hard disk of the server where it is installed, in a file called
> dc_config.txt. New domain information is recorded to dc_config.txt upon
> startup, and every 24 hours thereafter by default.
>
> All that's configurable so he could have just been mad at me for the 24
> hr period after I promoted the new DC or whatever interval he had
> configured for DC discovery (this was the first additional DC in that
> domain in many years) It also was the 1st x64 DC in a very busy site on,
> comparatively, pretty high end HW so it grabbed much of the
> authentication traffic for that site. Potentially thousands of folks
> could have been getting popped for creds that 1st day and it would have
> been escalated to him, perhaps that's all it was.
>
> -----Original Message-----
> From: Christopher Bodnar [mailto:[email protected]]
> Sent: Thursday, July 16, 2009 9:02 AM
> To: NT System Admin Issues
> Subject: RE: Any WebSense Gurus?
>
> Agreed with the others. You should not have to specify a DC in the
> config.
> Specifying the domain, it should be able to find a DC. Just a thought is
> the DC that is working a GC? Are the other ones on the list not GCs?
>
> Chris Bodnar, MCSE
> Sr. Systems Engineer
> Distributed Systems Service Delivery - Intel Services
> Guardian Life Insurance Company of America
> Email: [email protected]
> Phone: 610-807-6459
> Fax: 610-807-6003
>
> -----Original Message-----
> From: [email protected] [mailto:[email protected]]
> Sent: Thursday, July 16, 2009 11:40 AM
> To: NT System Admin Issues
> Subject: RE: Any WebSense Gurus?
>
> I was going to say that we use WebSense here and I have never had to do
> anything other than give it the name of our domain. I have never given it
> a name or IP address of any DC. I did have to go in with one of their
> support person's help and add a number of service accounts to a list of
> names to not record. Other than that it just works.
> TVK
>
> -----Original Message-----
> From: John Hornbuckle [mailto:[email protected]]
> Sent: Thursday, July 16, 2009 6:59 AM
> To: NT System Admin Issues
> Subject: RE: Any WebSense Gurus?
>
> The funny thing is, according to the WebSense docs you shouldn't have to
> point the agent to your DCs; it's supposed to automatically find them
> all.
>
> And I'm not sure exactly how DC Agent contacts the DCs. I read something
> in the documentation about TCP port 139.
>
> Would you be willing to put me in touch with your WebSense guy so I could
> pick his brain?
>
> -----Original Message-----
> From: Free, Bob [mailto:[email protected]]
> Sent: Wednesday, July 15, 2009 8:27 PM
> To: NT System Admin Issues
> Subject: RE: Any WebSense Gurus?
>
> We have the DC Agent setup and it needs to be able to contact each DC to
> determine logon status of the users. I believe it's in how you configure
> the agent, our setup requires that a user be authenticated within x
> period of time to be authorized to get through. Don't know what x is as
> I'm the AD guy not the websense guy...I do know he wasn't too happy when
> I added a new DC and neglected (well, actually, forgot) to tell him so
> he could update his websense config.
>
> -----Original Message-----
> From: Klint Price [mailto:[email protected]]
> Sent: Wednesday, July 15, 2009 2:05 PM
> To: NT System Admin Issues
> Subject: RE: Any WebSense Gurus?
>
> Do you have users on multiple domains?
>
> In my websense, for 500 users, I have them going through a single DC.
>
> Klint
>
> -----Original Message-----
> From: John Hornbuckle [mailto:[email protected]]
> Sent: Wednesday, July 15, 2009 12:49 PM
> To: NT System Admin Issues
> Subject: OT: Any WebSense Gurus?
>
> We had a vendor come in and install WebSense on a server for us.
> However, the vendor is stumped by a problem and I figured I'd see if any
> of the pros here had a solution. I'm brand new to WebSense myself, so I
> can't help much. The vendor has been working with WebSense tech support,
> but apparently they're stumped, too.
>
> The issue seems to be that the DC Agent utility isn't correctly getting
> users' usernames. Not 100% of the time, though--just most of the time.
> As best I can tell, the utility isn't correctly polling all of the DCs
> in the network.
>
> Here's some sample output from the TestLogServer utility:
>
> =====
> time=Wed Jul 15 15:43:53 2009 version=3
> server=10.0.0.1 source=150.176.37.70 dest=66.165.70.6
> protocol= "http"
> url= "http://www.woot.com/salerss.aspx"
> port= "80"
> category= 17 (SHOPPING)
> disposition= 1026 (Category Not Blocked)
> app type= ""
> keyword= ""
> user= ""
> bytes sent=0 bytes received=0 duration=0
>
>
> time=Wed Jul 15 15:43:53 2009 version=3
> server=10.0.0.1 source=10.11.7.106 dest=150.176.95.205
> protocol= "https"
> url= "https://150.176.95.205/"
> port= "443"
> category= 97 (EDUCATIONAL INSTITUTIONS)
> disposition= 1026 (Category Not Blocked)
> app type= ""
> keyword= ""
> user= "LDAP://10.11.1.2
> OU=Users,OU=PPS,DC=taylor,DC=k12,DC=fl,DC=us/George Clayton"
> bytes sent=0 bytes received=0 duration=0
> =====
>
> Notice that in the first entry, there's no username. There is in the
> second entry, though. The common thread is that every time a user is
> correctly identified, it's from the same DC: 10.11.1.2. So it appears
> that DC Agent is correctly polling that DC, but none of my others. All
> of them are listed in the dc_config.txt file, though.
>
> Any ideas what might be keeping it from talking to the other DCs?
>
> John Hornbuckle
> MIS Department
> Taylor County School District
> 318 North Clark Street
> Perry, FL 32347
>
> www.taylor.k12.fl.us
>
> NOTICE: Florida has a broad public records law. Most written
> communications to or from this entity are public records that will be
> disclosed to the public and the media upon request. E-mail
> communications may be subject to public disclosure.
>
> ~ Finally, powerful endpoint security that ISN'T a resource hog! ~
> ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~
>
> -----------------------------------------
> This message, and any attachments to it, may contain information
> that is privileged, confidential, and exempt from disclosure under
> applicable law. If the reader of this message is not the intended
> recipient, you are notified that any use, dissemination,
> distribution, copying, or communication of this message is strictly
> prohibited. If you have received this message in error, please
> notify the sender immediately by return e-mail and delete the
> message and any attachments. Thank you.
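The TestLogServer records quoted in the thread can be tallied by the DC named in each `user=` LDAP path, which shows across a whole capture whether only one DC (10.11.1.2 in the quoted sample) ever supplies a user name. This is an added example, not part of the original thread: the record layout is inferred from the two quoted records (abridged here), and the function names are hypothetical.

```python
import re
from collections import Counter

# Two records abridged from the TestLogServer output quoted in the thread.
SAMPLE = '''\
time=Wed Jul 15 15:43:53 2009 version=3
server=10.0.0.1 source=150.176.37.70 dest=66.165.70.6
url= "http://www.woot.com/salerss.aspx"
user= ""
bytes sent=0 bytes received=0 duration=0

time=Wed Jul 15 15:43:53 2009 version=3
server=10.0.0.1 source=10.11.7.106 dest=150.176.95.205
url= "https://150.176.95.205/"
user= "LDAP://10.11.1.2
OU=Users,OU=PPS,DC=taylor,DC=k12,DC=fl,DC=us/George Clayton"
bytes sent=0 bytes received=0 duration=0
'''

RECORD_START = re.compile(r"^time=", re.MULTILINE)
SOURCE = re.compile(r"\bsource=(\S+)")
USER = re.compile(r'^user=\s*"([^"]*)"', re.MULTILINE)  # value may wrap lines
LDAP_HOST = re.compile(r"^LDAP://([^\s/]+)")

def parse_records(text):
    """Yield (source_ip, user, dc_host) per record; user and dc_host may be None."""
    starts = [m.start() for m in RECORD_START.finditer(text)]
    for begin, end in zip(starts, starts[1:] + [len(text)]):
        block = text[begin:end]
        src = SOURCE.search(block)
        usr = USER.search(block)
        user = " ".join(usr.group(1).split()) if usr else ""
        host = LDAP_HOST.match(user)
        yield (src.group(1) if src else None, user or None,
               host.group(1) if host else None)

def summarize(text):
    """Return (identifications per DC, sorted source IPs logged with no user)."""
    per_dc, unidentified = Counter(), set()
    for source, user, dc in parse_records(text):
        if user:
            per_dc[dc] += 1
        else:
            unidentified.add(source)
    return per_dc, sorted(unidentified)

if __name__ == "__main__":
    print(summarize(SAMPLE))
```

Comparing the DCs that appear in the tally against the list in dc_config.txt shows which controllers never contribute a mapping, and the unidentified source addresses show which subnets are affected.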
