Installation Guide
Websense Web Security and Websense Web Filter, version 7.5


Logon Agent is a Websense transparent identification agent that detects users as they log on to Windows domains in your network. It is for use with Windows-based client machines on a network that uses Active Directory or Windows NT Directory.
Do not install Logon Agent on the same machine as eDirectory Agent, because this can cause conflicts. Also, do not use Logon Agent in a network in which eDirectory Agent is used.
To use Logon Agent, you must modify the Group Policy on domain controllers so it launches a logon application (LogonApp.exe) as part of the logon script. Client machines must use NTLM (v1 or v2) when authenticating users (NTLMv1 only, in the case of Windows Server 2008; see note below). For instructions on configuring domain controllers and client machines to use Logon Agent, see Creating and running the script for Logon Agent.
Note 
If using Logon Agent with a Windows Server 2008 domain controller, client machines must be configured to use NTLMv1 when authenticating a user. To do this, modify the security policy so Network security: LAN Manager authentication level is set to Send NTLM response only. This can be done on each individual client machine by modifying the local security policy, or on all machines in a domain by modifying the security policy of a Group Policy Object. For instructions, see Prerequisites for running the logon script.
Logon Agent can be run with DC Agent if some of the users in your network are not being authenticated properly. If DC Agent is unable to identify certain users (for example, if it is unable to communicate with a domain controller due to network bandwidth or security restrictions), they would still be identified by Logon Agent at logon.
This screen appears if Policy Server is not found on this machine and is not selected for installation at the same time as Logon Agent. It is assumed Policy Server is installed on another machine. Enter the IP address of the machine and the port Policy Server uses to communicate with other Websense components (default is 55806).
The port used by Policy Server to communicate with other Websense components must be in the range 1024-65535. Policy Server may have been automatically configured to use a port other than the default 55806. When Policy Server is installed, if the installation program finds the default port to be in use, it is automatically incremented until a free port is found. To determine what port is used by Policy Server, check the websense.ini file, located in C:\Program Files\Websense\bin (Windows) or /opt/Websense/bin (Linux), on the Policy Server machine. In this file, look for the PolicyServerPort value.
Important 
Do not modify the websense.ini file.
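To read the port without touching the file, the following added example (not part of the Websense guide or product) parses websense.ini text for PolicyServerPort, checks it against the 1024-65535 range, and offers a TCP check to run from the Logon Agent machine. The `key=value` line layout, the function names, and the sample content are assumptions.

```python
import re
import socket

DEFAULT_PORT = 55806             # default stated in this guide
PORT_RANGE = range(1024, 65536)  # valid range stated in this guide

def policy_server_port(ini_text):
    """Return the PolicyServerPort value found in websense.ini text.

    Assumes a 'PolicyServerPort=<number>' line (the key=value layout is an
    assumption; the guide only names the key). Raises ValueError when the
    key is missing, appears with conflicting values, or is out of range.
    """
    found = set()
    for line in ini_text.splitlines():
        line = line.strip()
        if line.startswith(("#", ";")):   # skip comment lines
            continue
        m = re.fullmatch(r"PolicyServerPort\s*=\s*(\d+)", line, re.IGNORECASE)
        if m:
            found.add(int(m.group(1)))
    if len(found) != 1:
        raise ValueError(f"expected one PolicyServerPort value, found {sorted(found)}")
    port = found.pop()
    if port not in PORT_RANGE:
        raise ValueError(f"port {port} is outside 1024-65535")
    return port

def read_port(path):
    # Open read-only: the guide says websense.ini must not be modified.
    with open(path, "r", encoding="utf-8", errors="replace") as fh:
        return policy_server_port(fh.read())

def reachable(host, port, timeout=3.0):
    """True if a TCP connection to host:port succeeds (run on the agent machine)."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

# Constructed sample, not a real websense.ini
SAMPLE = "[ExampleSection]\nPolicyServerPort=55807\n"

if __name__ == "__main__":
    port = policy_server_port(SAMPLE)
    note = "" if port == DEFAULT_PORT else " (not the default 55806)"
    print(f"Policy Server port: {port}{note}")
```

Run `read_port` on the Policy Server machine, then call `reachable` with the Policy Server IP address from the machine where Logon Agent will be installed before entering the values in the installer.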
If Policy Server is not installed yet, anywhere in your network, you must install it before installing User Service. To install it on this machine, click Previous and select Policy Server in addition to already selected components. To install it on another machine, run this installation program on that machine (prior to installing components on this machine).
Enter the domain, user name, and password of an account that is a member of the Domain Admins group on the domain controller. This must be the domain controller for the users you wish to apply user- or group-based filtering policies to. Logon Agent uses this account to query the domain controller for user information.
Note 
User information on domain controllers trusted by the domain controller in question will also be accessible.
If you choose not to specify a Domain Admin account now (by leaving the fields blank), you can specify it after installation by configuring the Websense Logon Agent service to Log on as a Domain Admin user, using the Windows Services dialog box:
a. Start the Windows Services dialog box (typically, Start > Administrative Tools > Services).
d. Under Log on as, select This account and enter the domain\username and password (twice) of the trusted account you specified during installation.
e.
f. A message appears informing you the account you specified has been granted the Log On As A Service right. Click OK.
g. A message appears informing you the new logon name will not take effect until you stop and restart the service. Click OK.
h. Click OK to exit the service properties dialog box.
After installation, follow the instructions in the User Identification topic in the TRITON - Web Security Help to configure Websense software to use Logon Agent to identify users without prompting them for logon information.