Initial Configuration > Creating and running the script for Logon Agent

Creating and running the script for Logon Agent

Applies to

Web Filter v7.6

Web Security v7.6

Web Security Gateway v7.6

Web Security Gateway Anywhere v7.6

In this topic

Overview

Prerequisites for running the logon script

Websense user map and persistent mode

Deployment tasks

Overview

If you installed Websense Logon Agent, you must create a logon script for clients that identifies them to Websense software when they log on to a Windows domain. The Websense Logon application, LogonApp.exe, provides a user name and IP address to the Logon Agent each time a Windows client connects to a Windows Active Directory or a Windows NT directory service.

During Logon Agent installation, the logon application and script files are placed in the Websense bin directory (by default, C:\Program Files or Program Files (x86)\Websense\Web Security\bin on Windows or /opt/Websense/bin on Linux).

LogonApp.exe (Windows only): The Websense executable that communicates user information to the Logon Agent.

Logon.bat: The batch file containing sample logon and logout scripts.

LogonApp_ReadMe.txt: A summary of the procedures for creating and running the Websense logon script and optional logout script.

Prerequisites for running the logon script

Logon Agent requires running the logon application on Windows machines.

If the logon script runs the logon application in persistent mode, configure your Active Directory server not to run scripts synchronously.

Be sure that all computers can connect to the shared drive on the domain controller containing logon.bat and LogonApp.exe. You must copy both of these files from the machine running Logon Agent to both the logon and logout directories on the domain controller.

To determine if a Windows machine has access to the domain controller, run the following command from a command prompt:

net view /domain:<domain name>

The TCP/IP NetBIOS Helper Service must be running on each Windows 2000, Windows XP, Windows Vista, Windows Server 2003, and Windows NT client machine that is identified by Logon Agent.

The logon application on client machines must use NTLM authentication to communicate with Logon Agent. By default, Windows Vista machines use NTLMv2.

To change this setting globally, for all machines in the network, modify the default domain Group Policy Object (GPO) to require use of NTLM authentication:

1.	On the domain controller machine, go to Start > Run, and then enter mmc.

2.	In the Microsoft Management Console, go to File > Add/Remove Snap-In, and then click Add.

3.	Select Group Policy Management Editor, and then click Add.

4.	Select the default GPO (for example, Default domain policy), and then click Finish.

5.	Click Close and then OK to close the open dialog boxes.

6.	In the navigation pane of the Console window, expand the Computer Configuration > Policy > Windows Settings > Security Settings > Local Policies node, and then select Security Options.

7.	In the content pane, select Network Security: LAN Manager authentication level, and change the setting to Send NTLM response only.

8.	Save and close the Console file.

 

To change this setting on individual Windows Vista machines, change the default setting for Network security: LAN Manager authentication level as follows:

1.	Open the Windows Local Security Settings window. See the Windows online Help for assistance.

2.	Go to Security Settings > Local Policy > Security Options, and double-click Network security: LAN Manager authentication level.

3.	In the Properties dialog box that appears, select Send NTLM response only.

Websense user map and persistent mode

When Logon Agent identifies a user, the user name and IP address are stored in a user map. The length of time this information is stored without reverification depends on whether the logon application is running in persistent mode or non-persistent mode. If LogonApp.exe is running in persistent mode, the update time interval is configured in TRITON - Web Security.

In non-persistent mode, user map information is created at logon and is not updated. The use of non-persistent mode creates less traffic between Websense software and the clients in your network.

In Active Directory, you can use a logout script to clear the logon information from the Websense user map before the interval defined in TRITON - Web Security. See Task 1: Prepare the scripts for more information.

For detailed information about configuring Logon Agent in TRITON - Web Security, see the User Identification topic in TRITON - Web Security Help.

Deployment tasks

Task 1: Prepare the scripts

Edit the parameters in the sample script file (Logon.bat) to suit your network.

Task 2: Configure the scripts to run

You can run your logon script from a Windows Active Directory or Windows NT directory service using group policies.

The Websense executable and logon batch file must be moved to a shared drive on the domain controller that is visible to all clients. If you use Active Directory, you also can create and deploy an optional logout batch file on the shared drive.

Task 3: Configure Logon Agent in TRITON - Web Security

After the logon scripts and application have been deployed, configure Logon Agent in TRITON - Web Security.

Task 1: Prepare the scripts

A batch file, called Logon.bat, is installed with Logon Agent in the Websense bin directory (by default, C:\Program Files or Program Files (x86)\Websense\Web Security\bin or /opt/Websense/bin).

This file contains instructions for using the scripting parameters, and two sample scripts: a logon script that runs the logon application (LogonApp.exe), and a logout script. The logout script removes user information from the Websense user map when the user logs out. Only Active Directory can use both types of scripts.

Script parameters

Construct a logon or logout script using the samples provided and the parameters in the table below.

The required portion of the logon script is:

LogonApp.exe http://<server>:<port>

This command runs LogonApp.exe in persistent mode (the default).

 

Note  You can edit the sample, or create a new batch file containing a single command.

 

Parameter	Description
<server>	IP address or name of the Websense Logon Agent machine. This entry must match the machine address or name entered in TRITON - Web Security in Task 3.
<port>	The port number used by Logon Agent (default 15880).
/NOPERSIST	Causes the logon application to send user information to the Logon Agent at logon only. The user name and IP address are communicated to the server at logon and remain in the Websense user map until the user's data is automatically cleared at a predefined time interval. The default user entry expiration is 24 hours, and can be changed in TRITON - Web Security. If the NOPERSIST parameter is omitted, LogonApp.exe operates in persistent mode, residing in memory on the domain server and updating the Logon Agent with the user names and IP addresses at predefined intervals. The default interval is 15 minutes, and can be changed in TRITON - Web Security.
/COPY	Copies the logon application to the %USERPROFILE%\Local Settings\Temp directory on users' machines, where it is run by the logon script from local memory. This optional parameter helps to prevent your logon script from hanging. COPY can be used only in persistent mode.
/VERBOSE	Debugging parameter that must be used only at the direction of Technical Support.
/LOGOUT	Used only in an optional logout script, this parameter removes the user's logon information from the Websense user map when the user logs off. If you use Active Directory, this parameter can clear the logon information from the user map before the interval defined for Logon Agent has elapsed. Use this optional parameter in a logout script in a different batch file than the one containing the logon script. See the Examples below.

Examples

The sample logon script sends user information to the Logon Agent at logon only. The information is not updated during the user's session (NOPERSIST). The information is sent to port 15880 on the server identified by IP address 10.2.2.95.

LogonApp.exe http://10.2.2.95:15880 /NOPERSIST

With Active Directory you have the option to clear the logon information for each user as soon as the user logs out. (This option is not available with Windows NTLM.) Create a companion logout script in a different batch file, and place it into a different directory than the logon script.

Copy the logon batch file and rename it Logout.bat. Edit the script to read:

LogonApp.exe http://10.2.2.95:15880 /NOPERSIST /LOGOUT

Task 2: Configure the scripts to run

You can configure your logon script to run with a group policy on Active Directory or on Windows NT Directory. The logout script only runs with Active Directory.

 

Note  The following procedures are specific to Microsoft operating systems and are provided here as a courtesy. Websense, Inc., cannot be responsible for changes to these procedures or to the operating systems that employ them. For more information, see the links provided.

Active Directory

If your network uses Windows 98 client machines, go to the Microsoft Web site for assistance.

1.	Make sure your environment meets the conditions described in Prerequisites for running the logon script.

2.	On the Active Directory machine, go to the Windows Control Panel and select Administrative Tools > Active Directory Users and Computers.

3.	Right-click the domain, and then select Properties.

4.	On the Group Policy tab, click New and create a policy called Websense Logon Script.

5.	Double-click the new policy or click Edit.

6.	In the tree structure displayed, expand User Configuration.

7.	Go to Windows Settings > Scripts (Logon/Logoff).

8.	In the right pane, double-click Logon.

9.	Click Show Files to open this policy's logon script folder in Windows Explorer.

10.	Copy two files into this folder:

Logon.bat, your edited logon batch file

LogonApp.exe, the application

11.	Close the Explorer window.

12.	Click Add in the Logon Properties dialog box.

13.	Enter Logon.bat in the Script Name field or browse for the file.

14.	Leave the Script Parameters field empty.

15.	Click OK twice to accept the changes.

16.	(Optional) If you have prepared a logout script, repeat Step 6 through Step 15. Choose Logoff at Step 8, and use your logout batch file when you are prompted to copy or name the batch file.

17.	Close the Group Policy Object Editor dialog box.

18.	Click OK in the domain Properties dialog box to apply the script.

19.	Repeat this procedure on each domain controller in your network, as needed.

 

Note  You can determine if your script is running as intended by configuring your Websense software for manual authentication. If transparent authentication with Logon Agent fails for any reason, users are prompted for a user name and password when opening a browser. Ask your users to notify you if this problem occurs. To enable manual authentication, see the User Identification topic in the TRITON - Web Security Help.

For additional information about deploying logon scripts to users and groups in Active Directory, go to the Microsoft TechNet site (technet2.microsoft.com/), and search for the exact phrase: Logon Scripts How To.

Windows NT directory or Active Directory (mixed mode)

1.	Make sure your environment meets the conditions described in Prerequisites for running the logon script.

2.	Copy the Logon.bat and LogonApp.exe files from the Websense installation directory on the Logon Agent machine (by default, C:\Program Files or Program Files (x86)\Websense\Web Security\bin or /opt/Websense/bin) to the netlogon share directory on the domain controller machine.

C:\WINNT\system32\Repl\Import\Scripts

Depending on your configuration, you may need to copy these files to other domain controllers in the network to run the script for all your users.

3.	In the Control Panel of the domain controller, select Administrative Tools > User Manager for Domains.

4.	Select the users for whom the script must be run, and double-click to edit the user properties.

5.	Click Profile.

6.	Enter the path to the logon batch file in the User Profile Path field (see Step 2).

7.	Enter Logon.bat in the Logon Script Name field.

8.

Click OK.

9.	Repeat this procedure on each domain controller in your network, as needed.

 

Note  You can determine if your script is running as intended by configuring your Websense software to use manual authentication when transparent identification fails. If transparent authentication with Logon Agent fails for any reason, users are prompted for a user name and password when opening a browser. Ask your users to notify you if this problem occurs. To enable manual authentication, see the User Identification topic in the TRITON - Web Security Help.

Task 3: Configure Logon Agent in TRITON - Web Security

After the logon/logout scripts and the logon application have been deployed and configured on the domain controllers, you must enable authentication in TRITON - Web Security. See the User Identification > Logon Agent topic in the TRITON - Web Security Help for instructions.

Initial Configuration > Creating and running the script for Logon Agent