Any chance the WS server isn't getting good info from DNS? Pointing to the
wrong DNS server, etc? Does a DNS query from that server return all the
correct records?
How about an LDAP query from the server independent of WS? Does that return
all the correct info?

***********************
Charlie Kaiser
[email protected]
Kingman, AZ
***********************  

> -----Original Message-----
> From: John Hornbuckle [mailto:[email protected]] 
> Sent: Friday, July 17, 2009 5:31 AM
> To: NT System Admin Issues
> Subject: RE: Any WebSense Gurus?
> 
> Oh, yeah... Been through all the docs... I manually added 
> every server to the dc_config.txt file (even though that's 
> not supposed to be necessary--DC Agent is supposed to 
> automatically find all the DCs on the network). No dice.
> 
> I, too, have refused to install DC Agent on my DCs. It's only 
> installed on the WebSense server.
> 
> 
> 
> 
> 
> -----Original Message-----
> From: Free, Bob [mailto:[email protected]]
> Sent: Thursday, July 16, 2009 2:26 PM
> To: NT System Admin Issues
> Subject: RE: Any WebSense Gurus?
> 
> As I recall at the time it was set up several years ago, 
> there were different configurations, we (the AD team) refused 
> the one that required an agent on each DC running with high 
> level privileges so it was set up with the DC Agent service 
> running on the WebSense side. The agent needed to query each 
> DC for session state to generate the username/IP mapping for 
> its own internal db it uses for what they call "Transparent 
> Identification". If it couldn't obtain that information, you 
> were popped for your credentials. So it needs a list of DCs 
> in the domain for this session information. There is a 
> service to get that information from the directory. I believe 
> there are a number of different configurations for this 
> product depending on its role and from glancing at a manual, 
> the Transparent mode is an option.
> 
> From a WebSense manual:
> 
> WebSense DC Agent queries each domain controller for user 
> logon sessions every 10 seconds by default, obtaining the 
> user name and workstation name for each logon session.  For 
> each logon session identified, DC Agent performs DNS lookup 
> to resolve the workstation name to an IP address, and records 
> the resulting user name/IP address pair.
> 
> In Websense v4.4, DC Agent (Domain Controller Agent) was the 
> backbone of transparent user identification.
> In Websense Enterprise v5.x, DC Agent still plays the central 
> role, but also works together with User Service to provide 
> user logon information to the Websense servers. The DC Agent 
> program is installed on a Windows NT 4 or 2000/2003 Server 
> machine, and runs as a Windows service. DC Agent can be 
> installed on one machine, and can "discover" domains outside 
> of its own domain. Multiple DC Agents can also be used; this 
> may benefit larger networks. For details, see Deployment of 
> DC Agent and Related Components on page 17.
> DC Agent identifies available domains and domain controllers 
> in the network, and then monitors the domain controllers and 
> associated client machines (workstations) for user logon 
> sessions. Filtering Service uses the information provided by 
> DC Agent to apply Internet filtering policies to users logged 
> on to the network.
> 
> NetBIOS and Domain Discovery
> In order for automatic domain detection to occur, NetBIOS 
> must be enabled on firewalls or routers connecting virtually 
> or physically separate subnets or domains. In particular, TCP 
> port 139 (used by NetBIOS) must be enabled. If NetBIOS is not 
> enabled between domains and/or subnets, then Filtering 
> Service and DC Agent cannot communicate with those domains or 
> subnets by default. This can occasionally be true even if 
> those domains or subnets are trusted by the domain where 
> Filtering Service resides.
> If NetBIOS port 139 is not enabled, you may want to deploy 
> additional DC Agents in virtually or physically remote domains.
> There is an option to disable NetBIOS usage, if you do not 
> want to enable port 139. See the UseNetBIOS description under 
> Initialization Parameters on page 85 for details.
> 
> A program called XidDcAgent.exe is installed by default on 
> the DC Agent machine, to the directory \Websense\bin\. This 
> program runs as a Windows service, and initiates the 
> processes that enable DC Agent to identify domains and 
> monitor logon sessions. DC Agent stores domain information to 
> the hard disk of the server where it is installed, in a file 
> called dc_config.txt. New domain information is recorded to 
> dc_config.txt upon startup, and every 24 hours thereafter by default.
> 
> All that's configurable so he could have just been mad at me 
> for the 24 hr period after I promoted the new DC or whatever 
> interval he had configured for DC discovery (this was the 
> first additional DC in that domain in many years). It also was 
> the 1st x64 DC in a very busy site on, comparatively, pretty 
> high end HW so it grabbed much of the authentication traffic 
> for that site. Potentially thousands of folks could have been 
> getting popped for creds that 1st day and it would have been 
> escalated to him, perhaps that's all it was.
> 
> -----Original Message-----
> From: Christopher Bodnar [mailto:[email protected]]
> Sent: Thursday, July 16, 2009 9:02 AM
> To: NT System Admin Issues
> Subject: RE: Any WebSense Gurus?
> 
> Agreed with the others. You should not have to specify a DC 
> in the config.
> Specifying the domain, it should be able to find a DC. Just a 
> thought: is the DC that is working a GC? Are the other ones on 
> the list not GCs? 
> 
> 
> 
> Chris Bodnar, MCSE
> Sr. Systems Engineer
> Distributed Systems Service Delivery - Intel Services 
> Guardian Life Insurance Company of America
> Email: [email protected]
> Phone: 610-807-6459
> Fax: 610-807-6003
> 
> 
> -----Original Message-----
> From: [email protected] [mailto:[email protected]]
> Sent: Thursday, July 16, 2009 11:40 AM
> To: NT System Admin Issues
> Subject: RE: Any WebSense Gurus?
> 
> I was going to say that we use WebSense here and I have never 
> had to do anything other than give it the name of our domain. 
> I have never given it a name or IP address of any DC. I did 
> have to go in with one of their support person's help and add 
> a number of service accounts to a list of names to not 
> record. Other than that it just works.
> TVK
> 
> 
> -----Original Message-----
> From: John Hornbuckle [mailto:[email protected]]
> Sent: Thursday, July 16, 2009 6:59 AM
> To: NT System Admin Issues
> Subject: RE: Any WebSense Gurus?
> 
> The funny thing is, according to the WebSense docs you 
> shouldn't have to point the agent to your DCs; it's supposed 
> to automatically find them all.
> 
> And I'm not sure exactly how DC Agent contacts the DCs. I 
> read something in the documentation about TCP port 139.
> 
> Would you be willing to put me in touch with your WebSense 
> guy so I could pick his brain?
> 
> 
> 
> -----Original Message-----
> From: Free, Bob [mailto:[email protected]]
> Sent: Wednesday, July 15, 2009 8:27 PM
> To: NT System Admin Issues
> Subject: RE: Any WebSense Gurus?
> 
> We have the DC Agent set up and it needs to be able to contact 
> each DC to determine logon status of the users. I believe 
> it's in how you configure the agent, our setup requires that 
> a user be authenticated within x period of time to be 
> authorized to get through. Don't know what x is as I'm the AD 
> guy not the websense guy...I do know he wasn't too happy when 
> I added a new DC and neglected (well, actually, forgot) to 
> tell him so he could update his websense config.
> 
> -----Original Message-----
> From: Klint Price [mailto:[email protected]]
> Sent: Wednesday, July 15, 2009 2:05 PM
> To: NT System Admin Issues
> Subject: RE: Any WebSense Gurus?
> 
> Do you have users on multiple domains?
> 
> In my websense, for 500 users, I have them going through a single DC.
> 
> Klint
> 
> 
> -----Original Message-----
> From: John Hornbuckle [mailto:[email protected]]
> Sent: Wednesday, July 15, 2009 12:49 PM
> To: NT System Admin Issues
> Subject: OT: Any WebSense Gurus?
> 
> We had a vendor come in and install WebSense on a server for us.
> However, the vendor is stumped by a problem and I figured I'd 
> see if any of the pros here had a solution. I'm brand new to 
> WebSense myself, so I can't help much. The vendor has been 
> working with WebSense tech support, but apparently they're 
> stumped, too.
> 
> The issue seems to be that the DC Agent utility isn't 
> correctly getting users' usernames. Not 100% of the time, 
> though--just most of the time.
> As best I can tell, the utility isn't correctly polling all 
> of the DCs in the network.
> 
> Here's some sample output from the TestLogServer utility:
> 
> =====
> time=Wed Jul 15 15:43:53 2009   version=3
> server=10.0.0.1 source=150.176.37.70 dest=66.165.70.6
> protocol=    "http"
> url=         "http://www.woot.com/salerss.aspx"
> port=        "80"
> category=    17     (SHOPPING)
> disposition= 1026   (Category Not Blocked)
> app type=    ""
> keyword=     ""
> user=        ""
> bytes sent=0 bytes received=0 duration=0
> 
> 
> time=Wed Jul 15 15:43:53 2009   version=3
> server=10.0.0.1 source=10.11.7.106 dest=150.176.95.205
> protocol=    "https"
> url=         "https://150.176.95.205/"
> port=        "443"
> category=    97     (EDUCATIONAL INSTITUTIONS)
> disposition= 1026   (Category Not Blocked)
> app type=    ""
> keyword=     ""
> user=        "LDAP://10.11.1.2 OU=Users,OU=PPS,DC=taylor,DC=k12,DC=fl,DC=us/George Clayton"
> bytes sent=0 bytes received=0 duration=0
> =====
> 
> Notice that in the first entry, there's no username. There is 
> in the second entry, though. The common thread is that every 
> time a user is correctly identified, it's from the same DC: 
> 10.11.1.2. So it appears that DC Agent is correctly polling 
> that DC, but none of my others. All of them are listed in the 
> dc_config.txt file, though.
> 
> Any ideas what might be keeping it from talking to the other DCs?
> 
> 
> 
> John Hornbuckle
> MIS Department
> Taylor County School District
> 318 North Clark Street
> Perry, FL 32347
> 
> www.taylor.k12.fl.us
> 
> 
> 
> 
> 
> NOTICE: Florida has a broad public records law. Most written 
> communications to or from this entity are public records that 
> will be disclosed to the public and the media upon request. 
> E-mail communications may be subject to public disclosure.
> 
> 
> ~ Finally, powerful endpoint security that ISN'T a resource 
> hog! ~ ~ 
> <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/>  ~
> 
> 
> ~ Finally, powerful endpoint security that ISN'T a resource 
> hog! ~ ~ 
> <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/>  ~
> 
> 
> ~ Finally, powerful endpoint security that ISN'T a resource 
> hog! ~ ~ 
> <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/>  ~
> 
> 
> 
> NOTICE: Florida has a broad public records law. Most written 
> communications to or from this entity are public records that 
> will be disclosed to the public and the media upon request. 
> E-mail communications may be subject to public disclosure.
> 
> 
> ~ Finally, powerful endpoint security that ISN'T a resource 
> hog! ~ ~ 
> <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/>  ~
> 
> 
> ~ Finally, powerful endpoint security that ISN'T a resource 
> hog! ~ ~ 
> <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/>  ~
> 
> 
> 
> -----------------------------------------
> This message, and any attachments to it, may contain 
> information that is privileged, confidential, and exempt from 
> disclosure under applicable law.  If the reader of this 
> message is not the intended recipient, you are notified that 
> any use, dissemination, distribution, copying, or 
> communication of this message is strictly prohibited.  If you 
> have received this message in error, please notify the sender 
> immediately by return e-mail and delete the message and any 
> attachments.  Thank you.
> 


~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/>  ~
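
An added example, not part of the original thread: a small Python parser for the TestLogServer record layout quoted above, tallying which DC supplied each identified user and which source subnets are going unidentified. The sample records are constructed and trimmed to the fields used, and grouping sources by /24 is an assumption about how sites map to subnets.

```python
import ipaddress
import re
from collections import Counter

# Constructed records in the TestLogServer layout (trimmed; not real traffic).
SAMPLE = """\
time=Wed Jul 15 15:43:53 2009   version=3
server=10.0.0.1 source=10.11.7.106 dest=192.0.2.10
user=        "LDAP://10.11.1.2 OU=Users,DC=example,DC=test/Test User One"

time=Wed Jul 15 15:43:54 2009   version=3
server=10.0.0.1 source=10.12.3.20 dest=192.0.2.11
user=        ""

time=Wed Jul 15 15:43:55 2009   version=3
server=10.0.0.1 source=10.11.7.40 dest=192.0.2.12
user=        "LDAP://10.11.1.2
OU=Users,DC=example,DC=test/Test User Two"

time=Wed Jul 15 15:43:56 2009   version=3
server=10.0.0.1 source=10.12.3.77 dest=192.0.2.13
user=        ""
"""

def parse_records(text):
    """Return source IP, user string and answering DC for each record."""
    records = []
    for block in re.split(r"\n\s*\n", text):
        src = re.search(r"\bsource=(\S+)", block)
        usr = re.search(r'^user=\s*"(.*?)"', block, re.M | re.S)
        if not (src and usr):
            continue  # separator lines or truncated records
        user = " ".join(usr.group(1).split())  # undo mail line-wrapping
        dc = re.match(r"LDAP://(\S+)", user)
        records.append({"source": src.group(1), "user": user,
                        "dc": dc.group(1) if dc else None})
    return records

def summarize(records):
    """Count identified users per DC and unidentified requests per /24."""
    answered = Counter(r["dc"] for r in records if r["dc"])
    blind = Counter(str(ipaddress.ip_network(r["source"] + "/24", strict=False))
                    for r in records if not r["user"])
    return answered, blind

if __name__ == "__main__":
    answered, blind = summarize(parse_records(SAMPLE))
    print("DCs supplying identities:", dict(answered))
    print("Subnets with unidentified users:", dict(blind))
```

On real output, a single DC in the first tally alongside whole subnets in the second matches the symptom described in the thread.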
