How can I configure my MS ISA Server to handle user identification instead of DC Agent?

Article Number: 000003071
Products: Web Security and Filter, Websense Enterprise
Versions: 6.2, 6.3, 7.0, 7.1, 7.5, 7.6, 7.7

Problem Description

I would like ISA, rather than DC Agent, to authenticate users using ISA Server. How can I do this?


You need to disable the DC Agent service, modify the ISA Server configuration, and then test your results. Complete the next steps in the following order.

A. Disable DC Agent

  1. Go to the machine where DC Agent is installed.
  2. Open the Windows Services dialog box (go to Start > Control Panel > Administrative Services, and then double-click Services).
  3. Locate the Websense DC Agent service in the list, and then right-click on the service name and select Stop.
  4. Right-click the service name again, and then select Properties.
  5. In the General tab of the Properties dialog box, set the Startup type to either Manual or Disabled. When you are finished, leave the Services dialog box open.
  6. In Websense Manager, go to Server > Settings > User Identification.
  7. Select the DC Agent instance in the Transparent Identification Agents list, and then click Delete.
  8. Click OK to save your changes and exit the Settings window.
  9. In the Windows Services dialog box, stop and restart the Websense Filtering Service (right-click on the service name, and then select Restart).

You are now ready to reconfigure the Microsoft ISA Server.

B. Reconfigure the ISA Server

For ISA 2000
  1. Go to the machine where Microsoft ISA Server runs and log on to the Microsoft ISA Management Console.
  2. To reconfigure the ISA Server, first find and select the ISA Server Name.
  3. Right-click on the server name, and then select Properties.
  4. Select the Outgoing Web Requests tab, and then make sure that Ask Unauthenticated Users for Identification is selected. This setting forces users to identify themselves if they fail to log on to the domain.
  5. On the same tab, select the Server Name entry, and then click Edit.
  6. Make sure that the Integrated check box is marked.
  7. Click OK, and then click OK again to close the Properties dialog box.
  8. In the ISA Management Console, select Save the changes and restart the service(s), and then click OK.
  9. Close the ISA Management Console.
For ISA 2004 and 2006
  1. Open ISA Server Management.
  2. Select “Firewall Policy” under the ISA server’s name.
  3. Locate the rule that is allowing the web traffic. This rule may be allowing the specific protocols HTTP, HTTPS & FTP along with other protocols or may be set for “all outbound traffic.” Typically, the rule would be from the “Internal” network to the “External” network but can be different depending on the way your ISA server is set up.
  4. After locating the rule that is allowing your web traffic, right click and select “Properties.”
  5. Go to the “Users” tab and remove the “All users” object, then click “Add.”
  6. Select “New” which will start a wizard so that you can create an object containing the users and groups from AD which you want to allow web traffic to.
  7. Highlight the object you created and click “Add.”
  8. Click “Ok” and then “Apply.”
A reason that ISA 2004 and 2006 may not be authenticating users is that traffic may be allowed anonymously. If you still see IP addresses instead of user names, double check the ISA firewall rules. There could be a rule that is allowing the anonymous connections.

You are now ready to run TestLogServer to verify communications.

C. Run TestLogServer

  • If Log Server runs on this machine, use the Windows services dialog box  to stop the  Log Server service. (Start > Control Panel > Administrative Services > Services)
    •  Leave the services dialog box open; you will use it again later.
  1. To run TestLogServer, go to Start > Programs > Accessories > Command Prompt.
  2. Navigate to the \Websense\bin directory. Type: 
    • cd c:\program files\websense\bin
  3. Enter the command:
    •  TestLogServer -file log.txt
  4. Log on to the domain and then use a Web browser to open a series of sites.
  5. On the TestLogServer machine, check the command prompt window to see if the correct user name is associated with the site requests that you made.
    • A hard copy of the TestLogServer data is logged to a file called log.txt located in the \Websense\bin directory.
  6. Repeat steps 4 and 5 using another account to ensure that multiple user names are correctly registered.
  7. When you are finished, press Ctrl + C to stop TestLogServer.

To view the complete results of your test:

  1. Use Windows Explorer to navigate to the \Websense\bin directory.
  2. Open the log.txt file, which contains the results of the TestLogServer test.
  3. Verify that user names are correct.
  4. Best practice is to search for the IP address of the test machine.

When your tests are complete, reset Log Server to its original status and/or configuration.