Custom configuration for a DC Agent instance

Using DC Agent | Web Protection Solutions | v8.4.x | 31-July-2017

Many of the DC Agent settings configured in Forcepoint Security Manager apply to all agent instances in your deployment. You can, however, configure settings unique to a DC Agent instance by editing a configuration file called transid.ini.

Use a text editor to edit transid.ini (in C:\Program Files\Websense\Web Security\bin, by default), then save your edits.

Edit the parameters to customize for this agent instance.

For example, configure the agent to ignore user names that contain a dollar sign:

AllDollarSign=True

Add other values as desired.

Save and close the INI file.

Use the Windows Services tool to stop the Websense DC Agent service.

Delete the XidDcAgent.back file from the web protection bin directory.

The file is recreated when you start DC Agent.

Start the Websense DC Agent service.

Note that not all user identification settings can be overridden, and that all parameters and values described in this document are case-sensitive.

Before creating or updating the transid.ini file, please consider that the default values are designed to maximize accuracy and efficiency in most environments. In most cases, it is best to leave the default values as they are.

AllDollarSign

Prompts DC Agent to ignore logon sessions from any user names that contain a dollar sign character ($).


Default	True
Options	True, False
Synopsis	Ensures that DC Agent drops all entries containing dollar signs from its user map, without performing any additional verification. This option is a more powerful version of IgnoreDollarSign.

DiscoverInterval

Interval at which the domain auto-discovery process runs, in seconds (equivalent to the Identify domains every value under Domain Discovery in the Security Manager). The default is 86400 seconds, or 24 hours.


Default	86400
Options	Integer greater than 3600, or 0 to disable
Synopsis	DC Agent automatically detects new domains or domain controllers added to the network. By default, detected domain names are recorded to the dc_config.txt file at startup, and every 24 hours thereafter. Increasing the domain discovery interval may delay discovery of a new domain or domain controller. Decreasing the interval increases network traffic, because the process runs more frequently.

IgnoreDNSFailure

Dictates whether DNS failures are ignored or if the user IP address should be taken directly from the event data if DNS fails.


Default	Off
Options	On, Off
Synopsis	Used only when UseEventSubscriber is enabled. By default, DC Agent will discard data when a DNA failure occurs. When this option is on, DC Agent will ignore the failure and use the IP address in place of the user name.

IgnoreDollarSign

Enables DC Agent to ignore logons from user names containing dollar signs ($).


Default	True
Options	True, False
Synopsis	Used to prevent a problem involving Windows 2000 services that use a machine name followed by a dollar sign (wkstn$) as a user name when contacting the domain controller. DC Agent interprets the service as a new user to whom no policy has been assigned. When this parameter is set to True, if DC Agent detects a user$ entry in its map, it compares the name to the source machine's name. If these match, DC Agent ignores the logon session entirely, because it knows the logon did not originate from an actual user. If the logon name and machine name do not match, DC Agent attempts to get the name of the actual user logged on from the source machine. If it obtains a user name, DC Agent pairs that with the IP address of the source machine, and records these together in its map. If DC Agent cannot obtain an actual user name, it simply records the user$ entry in its map. This process minimizes the number of false user names DC Agent stores in its map and sends to Filtering Service. When the parameter is set to False, if DC Agent detects a user$ entry in its map, the agent attempts to replace it with an actual user name from the source machine. If DC Agent does not obtain an actual user name, it records the user$ entry in its map.

IgnoreLocalLogins

Determines whether DC Agent registers local (non-domain) user logons to local client machines


Default	False
Options	True, False
Synopsis	By default, DC Agent detects users logging on to domains and to local machines. If for some reason you want DC Agent to register logons only to domain controllers, and ignore local logons, set this value to True. See also AllDollarSign.

IgnoreRepeats

Determines whether DC Agent re-records user logon sessions that it already recorded at the time of the previous query.


Default	True
Options	True, False
Synopsis	By default, DC Agent ignores a user logon to a domain controller, if it already registered that logon after the previous domain controller query. As a best practice, leave this default setting as is. In most cases, there is no benefit to duplicating recognition of an earlier logon session.

IPCleanInterval

Interval at which DC Agent checks its cache for stale machine name/IP address pairs, in seconds


Default	600 [seconds = 10 minutes]
Options	Between 300 and 3600 seconds.
Synopsis	Determines how often DC Agent checks the machine name/IP address pairs in its cache for entries older than the IPCleanLifetime period. Entries older than this time period are removed from the cache. This parameter typically does not need to be changed.

IPCleanLifetime

The amount of time a machine name/IP address pair remains in DC Agent's cache before it is removed, in seconds.


Default	7200 [seconds = 2 hours]
Options	Integer greater than 3600, or 0 to disable
Synopsis	As DC Agent receives logon session information, it stores machine name/IP address pairs in its local memory cache. This reduces the number of times DC Agent must perform DNS lookups for each active client machine, because it already has the IP address.

MaxIgnoreListSize

The maximum number of entries (user names, user name/machine name pairs, and machine names) in DC Agent's ignore.txt file.


Default	70000
Options	Integer 5000 or greater
Synopsis	If you use an ignore.txt file to configure DC Agent to ignore particular users or client machines, this parameter sets an upper limit on the number of entries in the file. See Configure DC Agent to ignore certain user names.

StartDelay

Time period by which to delay DC Agent service initialization to allow diagnostic routines to start first.


Default	0 [seconds]
Options	Between 0 and 120 seconds
Synopsis	Used primarily by Forcepoint Technical Support. Allows the ConsoleClient diagnostic tool to connect to DC Agent while the service is running, but before its processes are activated. Use extreme caution when modifying this parameter.

StripEmailSign

Determines whether the user name will be stripped off when it appears in an email address.


Default	Off
Options	On, Off
Synopsis	Used only when UseEventSubscriber is enabled, determines whether user names are stripped off and added to the user map when they appear in the "username@company.com\" format. When this setting is off, the full email address is used for the user name.

UseDNSReverse

Determines whether DC Agent identifies the client hostname in the process of retrieving client IP address information.


Default	True
Options	True, False
Synopsis	By default, DC Agent uses the workstation entry in the session information it receives from the domain controller to first find the client hostname, then find the associated IP address. When UseDNSReverse is set to False, DC Agent uses the workstation entry to retrieve IP address information without first looking up the client hostname. Note: When UseDNSReverse is set to True and you have dual-stack (Ipv4 and IPv6) clients, you must have a reverse lookup zone in your DNS.

UseEventSubscriber

Configures DC Agent to register with the domain controllers for a call-back when user logon events occur.


Default	On
Options	On, Off
Synopsis	By default, each time DC Agent starts, it registers with the domain controllers it discovers. User logon session information is then automatically forwarded to DC Agent by the domain controllers as events occur.

UseNetBIOS

Whether to use NetBIOS to perform domain controller machine name lookups.


Default	False
Options	True, False
Synopsis	By default, DC Agent uses DNS lookup to identify domain controllers by name and IP address. If the DNS lookup fails, the agent uses NetBIOS calls. Set this parameter to True to cause DC Agent to use only NetBIOS to identify domain controllers.

UserMapUpdateTime

Establishes the time between updates to the user map.


Default	10000 [milliseconds]
Options	Between 1 and 60000 milliseconds
Synopsis	Used only when UseEventSubscriber is on, establishes the interval between updates to the user map. Decrease the time if users are not being included in the user map.

UseUserService

Whether to use User Service or Windows networking calls to communicate with domain controllers. (Equivalent to selecting User Service as the component to use for domain discovery in the Security Manager.)


Default	True
Options	True, False
Synopsis	By default, DC Agent uses User Service for communications with domain controllers in the network. To close the ports required for User Service to facilitate communications between DC Agent and domain controllers, set this value to False. In this case, DC Agent uses Windows networking calls for communications instead.

VerifyUserDomain

Whether to make sure that a user exists in a particular domain as indicated by domain controller polling results.


Default	True
Options	True, False
Synopsis	When this parameter is enabled, DC Agent checks the existence of a user account against the domain where a user logon session is detected. When this parameter is set to False, DC Agent may not update its user map right away if a user account is moved from one domain to another.