Configure DC Agent settings

Using DC Agent | Web Protection Solutions | v8.4.x | 31-July-2017

In the Forcepoint Web Security module of the Forcepoint Security Manager, use the Settings > General > User Identification page to review and edit DC Agent configuration information.

To edit DC Agent settings:

Use the Transparent Identification Agents table to select the IP address or hostname of the DC Agent instance that you want to configure.

If you have installed a new DC Agent instance that does not appear in the list, click Add Agent, then select DC Agent from the drop-down list.

Under Basic Agent Configuration, enter or verify the IPv4 address or hostname of the machine on which the agent is installed.


	Note Hostnames must start with an alphabetical character (a-z), not a numeric or special character. Hostnames containing certain extended ASCII characters may not resolve properly. To avoid this issue, enter an IP address instead of a hostname.

Enter or verify the Port that DC Agent should use to communicate with other web protection components. The default is 30600.

To establish an authenticated connection between Filtering Service and DC Agent, select Enable authentication, and then enter a Password for the connection.

Next, customize global DC Agent communication and troubleshooting, domain controller polling, and computer polling settings. By default, changes that you make here affect all DC Agent instances associated with a Policy Server instance.

Some of these settings can, however, be overridden in a configuration file. See Custom configuration for a DC Agent instance.

Under Domain Discovery, mark or clear Enable automatic domain discovery to determine whether DC Agent automatically finds domains and domain controllers in your network.

If domain discovery is enabled, also specify:

How often to discover domains (Identify domains every setting). Domain discovery occurs at 24-hour intervals, by default.

Whether DC Agent or User Service is responsible for performing domain discovery.

In many environments, it is preferable to use User Service for domain discovery.

If DC Agent is used for domain discovery, the service must run with domain or enterprise admin privileges.

When User Service is installed on a Linux machine, the page includes a Linux WINS Server Information section. Configure a WINS server if both of the following are true:

You selected User Service as the component to use for domain discovery.

User Service is installed on Linux.

This is required to resolve domain names to domain controller IP addresses.

To configure WINS server communication, enter:

The account name of an Administrative user that can access the directory service.

The Password for the account.

Domain information for the account.

The IP address or hostname of a WINS server in your network.

Two options are available for retrieving logon events.

The Event Subscriber option subscribes to logon events from the domain controller. This option is enabled by default in the transid.ini file in the web protection bin directory (C:\Program Files\Websense\Web Security\bin, by default).

The following entries in the ini file are used to determine the full functionality of the option.

UseEventSubscriber=on

UserMapUpdateTime=10000

IgnoreDNSFailure=on

StripEmailSign=on

See Custom configuration for a DC Agent instance for an explanation of each variable.

When this option is enabled, your network firewall must be configured to permit connections on port 135.

Enable DC Agent to query domain controllers for user logon sessions, by marking Enable domain controller polling in the Domain Controller Polling section of the DC Agent Communication box.

You can specify which domain controllers each instance of DC Agent polls in the agent's configuration file. See Configure domain controller polling in dc_config.txt.

To perform domain controller polling, the DC Agent service needs only read privileges on the domain controller. Automatic domain discovery (steps 1 and 2) and computer polling (step 7) require that the service run with elevated permissions.

Use the Query interval field to specify how often (in seconds) DC Agent queries domain controllers.


	Note This value is not used when the Event Subscriber option is enabled.

Decreasing the query interval may provide greater accuracy in capturing logon sessions, but also increases overall network traffic. Increasing the query interval decreases network traffic, but may also delay or prevent the capture of some logon sessions. The default is 10 seconds.

Use the User entry timeout field to specify how frequently (in hours) DC Agent refreshes the user entries in its map. The default is 24 hours.

Under Computer Polling, check Enable computer polling to enable DC Agent to query computers for user logon sessions. This may include computers that are outside the domains that the agent already queries.

DC Agent uses WMI (Windows Management Instruction) for computer polling. If you enable computer polling, configure the Windows Firewall on client machines to allow communication on port 135.

If DC Agent performs computer polling, the service must run with domain or enterprise admin privileges.

Enter a User map verification interval to specify how often DC Agent contacts client machines to verify which users are logged on. The default is 15 minutes.

DC Agent compares the query results with the user name/IP address pairs in the user map it sends to Filtering Service. Decreasing this interval may provide greater user map accuracy, but increases network traffic. Increasing the interval decreases network traffic, but also may decrease accuracy.

Enter a User entry timeout period to specify how often DC Agent refreshes entries obtained through computer polling in its user map. The default is 1 hour.

DC Agent removes any user name/IP address entries that are older than this timeout period, and that DC Agent cannot verify as currently logged on. Increasing this interval may lessen user map accuracy, because the map potentially retains old user names for a longer time.


	Note Do not make the user entry timeout interval shorter than the user map verification interval. This could cause user names to be removed from the user map before they can be verified.

10.

Click OK to return to the User Identification page, then click OK again to cache your changes. Changes are not implemented until you click Save and Deploy.