How DC Agent identifies users
Using DC Agent | Web Security Solutions | v7.7, 7.8
* DC Agent detects domain controllers: At startup, and (by default) every 24 hours thereafter, DC Agent identifies available domains and domain controllers in the network and saves the information to its dc_config.txt file.
In order to perform domain discovery, DC Agent requires domain or enterprise admin permissions. If you do not want to grant DC Agent these permissions, you can maintain the DC Agent list of domains and domain controllers manually.
* DC Agent obtains logon session information: DC Agent queries each domain controller for user logon sessions, obtaining the user and computer name.
By default, the query occurs every 10 seconds. This interval can be configured in the Web Security manager (go to Settings > General > User Identification, and then click a DC Agent instance in the Transparent Identification Agents list).
 
* DC Agent records user name/IP address pairs: For each logon session, DC Agent performs a DNS lookup to resolve the computer name to an IP address, and then stores the user name/IP address pair in its user map in local memory. It periodically writes a copy of the user map to XidDcAgent.bak.
 
* DC Agent sends user information to Filtering Service: DC Agent provides user names and IP addresses to Filtering Service each time its user map is updated.
No confidential information (such as user passwords) is transmitted.
* Filtering Service gets group information for logged-on users: Filtering Service queries User Service to get group information for users in its copy of the user map. User Service queries the directory service for this group information, and sends the information to Filtering Service.
* Websense software applies policies to logged-on users: Filtering Service uses the information from DC Agent and User Service to ensure that the correct policies are applied to directory clients (users, groups, and OUs).
Filtering Service does not check the policy every time an Internet request is made; policy data is cached for 3 hours by the server, unless the user cache is explicitly cleared in the Web Security manager.
DC Agent can be used in conjunction with Logon Agent. In this configuration, user logon information provided by Logon Agent takes precedence over information from DC Agent. DC Agent communicates a logon session to Filtering Service only in the unlikely event that Logon Agent has missed one. For more information about Logon Agent, see Using Logon Agent for Transparent User Identification, available from support.websense.com.
DC Agent computer polling
In addition to polling domain controllers for logon information, DC Agent also polls client machines (computers or workstations), by default. This helps to verify which user is logged on to a machine.
When Filtering Service receives a request from a client machine, Filtering Service prompts DC Agent to poll the client machine, unless the machine was already polled more recently than the configured query interval (15 minutes, by default).
DC Agent uses WMI (Windows Management Instrumentation) for computer polling. If you use computer polling, configure the Windows Firewall on client machines to allow communication on port 135.
 
DC Agent stores the resulting user name/IP address pair in its user map and provides the information to Filtering Service. At a pre-defined interval, DC Agent uses computer polling to verify that users are still logged on.
You can configure how often DC Agent attempts to verify that users are still logged on, and how long an entry remains in the user map. See Configuring DC Agent settings.
In order to use computer polling, DC Agent must run with domain or enterprise admin permissions.
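The user map and the computer-polling check described above can be modelled as follows. This Python model is an added illustration, not Websense or Forcepoint code; the class and method names, the sample hosts, and the ENTRY_TTL value are assumptions (the page gives no default entry lifetime), as is dropping an entry when a poll finds nobody logged on.

```python
from dataclasses import dataclass
from typing import Optional

POLL_INTERVAL = 15 * 60    # computer-polling query interval (page default: 15 minutes)
ENTRY_TTL = 24 * 60 * 60   # ASSUMPTION: placeholder lifetime; the page gives no default

@dataclass
class Entry:
    user: str
    seen: float                     # when this logon was last reported or confirmed
    polled: Optional[float] = None  # when the client machine was last polled

class UserMap:
    def __init__(self, resolve):
        self.resolve = resolve      # computer name -> IP or None (stands in for DNS)
        self.entries = {}           # IP address -> Entry

    def record_sessions(self, sessions, now):
        """Store user/IP pairs for (user, computer) sessions from a DC query."""
        unresolved = []
        for user, computer in sessions:
            ip = self.resolve(computer)
            if ip is None:
                unresolved.append(computer)      # no IP, so no pair can be stored
                continue
            self.entries[ip] = Entry(user, now)  # latest logon seen for an IP wins
        return unresolved

    def needs_poll(self, ip, now):
        """True unless the machine was polled within the query interval."""
        e = self.entries.get(ip)
        return e is None or e.polled is None or now - e.polled >= POLL_INTERVAL

    def record_poll(self, ip, user, now):
        """Apply a poll result; user=None (nobody logged on) drops the entry (assumed)."""
        if user is None:
            self.entries.pop(ip, None)
        else:
            self.entries[ip] = Entry(user, now, polled=now)

    def lookup(self, ip, now):
        """User the map attributes to this IP, or None if absent or expired."""
        e = self.entries.get(ip)
        if e is None or now - e.seen > ENTRY_TTL:
            return None
        return e.user

# Constructed sample data (not from the page); WS-09 has no DNS record.
DNS = {"WS-01": "10.0.0.11", "WS-02": "10.0.0.12"}
SESSIONS = [("alice", "WS-01"), ("bob", "WS-02"), ("carol", "WS-09")]
```

Because the model is keyed by IP address, a request is attributed to whichever user was last recorded for that address until the entry is refreshed, re-polled, or expires.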

Copyright 2016 Forcepoint LLC. All rights reserved.