Prepare the Windows logon scripts

Using Logon Agent | Forcepoint Web Security and Forcepoint URL Filtering | 29-Apr-2022

The default logon.bat file contains instructions for using the scripting parameters, and two sample scripts: a logon script that runs the logon application and a logout script. The logout script removes user information from the user map when the user logs out. Only Windows Active Directory can use both types of scripts.

Construct a logon or logout script using the samples provided and the parameters in the table below. When you have finished customizing the script, continue with Configure the Windows logon scripts to run.

The required portion of the logon script is:

LogonApp.exe http://<server>:<port>

Be sure to enter a hard return at the end of the line.

This command runs LogonApp.exe in persistent mode (the default).


	Note You can edit the sample, or create a new batch file containing a single command.


Parameter	Description
<server>	IP address or name of the Logon Agent machine. This entry must match the machine address or name entered in the Forcepoint Security Manager.
<port>	The Logon Agent communication port (default 15880).
/NOPERSIST	Causes the logon application to send user information to the Logon Agent at logon only. The user name and IP address are communicated to the server at logon and remain in the user map until the user's data is automatically cleared at a predefined time interval. The default user entry expiration is 24 hours, and can be changed in the Forcepoint Security Manager. If the NOPERSIST parameter is omitted, LogonApp.exe operates in persistent mode, residing in memory on the domain server and updating the Logon Agent with the user names and IP addresses at predefined intervals. The default interval is 15 minutes, and can be changed in the Security Manager.
/COPY	Copies the logon application to the %USERPROFILE%\Local Settings\Temp directory on users' machines, where it is run by the logon script from local memory. This optional parameter helps to prevent your logon script from hanging. COPY can be used only in persistent mode.
/D	Debugging parameter that causes messages to be sent to a debugging file (Ws_LogonAppLog.txt). Use at the direction of Forcepoint Technical Support. The file is placed in the default temp directory for the current user (C:\Documents and Settings\<user_account>\Local Settings\Temp).
/DHCP	Designed to accommodate mobile users. Forces LogonApp.exe to send updates to the Logon Agent when an IP address change is detected. By default, LogonApp.exe does not detect IP address changes.
/filename	Overrides the default name of the debugging file. Use the format: /filename <debug_filename>
/IPV6	Causes LogonApp.exe to record IPv6 addresses in its user map. By default, only IPv4 addresses are recorded.
/VERBOSE	Debugging parameter that must be used only at the direction of Technical Support.
/LOGOUT	Used only in an optional logout script, this parameter removes the user's logon information from the user map when the user logs off. If you use Active Directory, this parameter can clear the logon information from the user map before the interval defined for Logon Agent has elapsed. Use this optional parameter in a logout script in a different batch file than the one containing the logon script.

Examples

The sample logon script sends user information to the Logon Agent at logon only. The information is not updated during the user's session (NOPERSIST). The information is sent to port 15880 on the server identified by IP address 10.2.2.95.

LogonApp.exe http://10.2.2.95:15880 /NOPERSIST

With Active Directory you have the option to clear the logon information for each user as soon as the user logs out. (This option is not available with Windows NTLM.) Create a companion logout script in a different batch file, and place it into a different directory than the logon script.

Copy the logon batch file and rename it Logout.bat. Edit the script to read:

LogonApp.exe http://10.2.2.95:15880 /NOPERSIST /LOGOUT