Implementing transparent user identification with DC Agent

Article Number: 000004470
Products: Websense Enterprise
Versions: 5.5, 6.1, 6.2, 6.3

Problem Description

I want to learn more about how to implement transparent user identification with DC Agent:

  • I need more information about what network and system permissions DC Agent and User Service need.
  • I am using DC Agent, but user and group policies aren't being applied correctly.
  • I want to know what system and network resources are used by DC Agent.

Error Messages: (Detailed)
Bad Network Path, Error code 53

Access Denied, Error code 5 

Resolution

The Websense DC Agent offers transparent user identification for users in a Windows-based directory service. DC Agent also communicates with User Service to provide up-to-date user logon session information to Websense software for use in filtering.

This article includes several sections to help you configure and troubleshoot transparent identification with DC Agent:

  1. Identify error and warning messages related to DC Agent and User Service to pinpoint any configuration or network problems.
  2. Verify that the DC Agent machine can communicate with other machines in the network.
  3. Verify that DC Agent and User Service have the domain permissions they need to identify users.
  4. Check to see whether user names are being sent to Websense software.
  5. Ensure that the correct account name is associated with an internet request.

 

Identify problems

Two Microsoft Windows tools can provide useful insight for troubleshooting transparent identification problems:

  • The Websense User Service and Websense DC Agent run as Windows services. Use the Services manager (Control Panel > Administrative Tools > Services) to see service status and retrieve service information.
  • Use the Event Viewer (Control Panel > Administrative Tools > Event Viewer) to retrieve error, warning, and informational messages from services and applications.

The most common Windows Event Log messages associated with DC Agent are ERROR_ACCESS_DENIED and ERROR_BAD_NETPATH.
 

Network communication status

Verify that a two-way trust relationship is configured between domains.

  1. Log on to the DC Agent machine.
  2. Open the Windows command prompt (Start > Programs > Accessories > Command Prompt).
  3. Use the net view command to verify communication between the DC Agent machine and a workstation in the network.  
    net view \\<computerIP> 
  4. Use the net view command again to verify communication between the DC Agent machine and the domain controller. 
    net view \\<domaincontrollerIP> 
  5. Use the results returned by the net view command to determine the next course of action:
    1. The command completed successfully. The machine is running and connected to the network. Continue troubleshooting with the DC Agent and User Service permissions section below.
    2. The network path was not found. The machine is not running or not connected to the network. Verify that the machine is running, and then contact your system administrator for help troubleshooting your network configuration.

DC Agent and User Service permissions

In most situations, Websense, Inc. recommends that you grant domain administrator access rights to both DC Agent and User Service. These services only monitor information; they do not change anything in the domain.

If you are receiving DC Agent or User Service errors, you can enable directory service auditing to find out which user or group objects Websense software is trying to access, and which access attempts are being denied. If you cannot grant domain administrator rights to DC Agent and User Service, do the following:

  1. Create a user account with a meaningful name (such as Websense) in your domain. Refer to Microsoft documentation for configuring your domain controller. Although it is possible to use an existing account, it is preferable to have a dedicated Websense account. No special privileges are required. The account has no function other than to provide a security context for directory object access.
  2. Set the password for the new user to never expire, and then make a record of the user name and password. You will need this information again later in the process.
  3. In the Windows Control Panel, select Administrative Tools > Services. The Services dialog box opens.
  4. Select Websense DC Agent in the list, and then click Stop.
  5. Select Websense User Service, and then click Stop.
  6. Double-click Websense DC Agent.
  7. Click the Log On or Log On As tab, and then select This account.
  8. Enter the user name of the Websense user account created in step 1. Some environments require that you enter the name in the format user@domain.com.
  9. Enter and confirm the password for the account, and then click OK.
  10. Repeat the previous steps for the DC Agent service.
  11. Restart the Websense services:
    1. Select the Websense User Service and click Start.
    2. Select the Websense DC Agent and click Start.
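The connectivity check (net view) and the service logon-account check described in the two procedures above, collected into one PowerShell diagnostic. This is an added example, not Websense tooling; it assumes it runs on the DC Agent machine in an elevated PowerShell 3.0 or later session, the two IP addresses are placeholders to replace, and the event-log filter simply matches message text that mentions Websense.

```powershell
# Placeholder targets (constructed values): replace with a real workstation and domain controller.
$Workstation      = '192.0.2.10'
$DomainController = '192.0.2.1'

function Test-NetPath {
    param([Parameter(Mandatory)][string]$Target)
    # net.exe does not return the Win32 error as its exit code, so parse the
    # "System error NN has occurred." line that the article's error messages come from.
    $output = (& net.exe view "\\$Target" 2>&1 | Out-String).Trim()
    $code = if ($output -match 'System error (\d+) has occurred') { [int]$Matches[1] } else { 0 }
    $verdict = switch ($code) {
        0       { 'OK: machine is running and connected; continue with the permissions check' }
        53      { 'ERROR_BAD_NETPATH (53): machine is off or not reachable; check it is running, then the network' }
        5       { 'ERROR_ACCESS_DENIED (5): reachable, but this account lacks rights; check the service logon account' }
        default { "net view failed with system error $code; see Output" }
    }
    [pscustomobject]@{ Target = $Target; SystemError = $code; Verdict = $verdict; Output = $output }
}

function Get-WebsenseServiceStatus {
    # Win32_Service.StartName is the account set on the service's Log On tab;
    # State confirms whether the service was restarted after the change.
    Get-CimInstance Win32_Service -Filter "DisplayName LIKE 'Websense%'" |
        Select-Object DisplayName, State, StartName
}

function Get-WebsenseEvents {
    param([int]$Hours = 24)
    # Error (2) and warning (3) entries from the Application and System logs, the same
    # data the article has you read in Event Viewer, narrowed to Websense-related text.
    Get-WinEvent -FilterHashtable @{
        LogName = 'Application', 'System'; Level = 2, 3
        StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'Websense|DC Agent|User Service' } |
        Select-Object TimeCreated, ProviderName, Id, Message
}

Test-NetPath -Target $Workstation      | Format-List
Test-NetPath -Target $DomainController | Format-List
Get-WebsenseServiceStatus              | Format-Table -AutoSize
Get-WebsenseEvents                     | Format-Table -AutoSize -Wrap
```

A StartName of LocalSystem on either service after you have followed the steps above means the Log On change did not take; an error 5 against the domain controller while the workstation check succeeds points at the service account's rights rather than the network.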

Test user identification

There are two procedures that you can use to verify whether users are being identified correctly.


Use Websense reporting tools to verify user identification

  1. Log on to a machine that previously experienced communication problems with DC Agent.
  2. Open a browser and visit 4-5 websites.
  3. On the DC Agent machine, use the Windows Event Viewer to check for error messages.
  4. If there are no errors, use Websense Reporter or Websense Explorer to run reports to verify the accuracy of transparent user identification.


Use TestLogServer to verify user identification

TestLogServer is a utility installed with your Websense software. Run TestLogServer to verify that user names are being sent to Websense software.

  1. If necessary, stop the Websense Log Server service on the machine where you plan to run TestLogServer. See the Administrator's Guide for detailed instructions.
  2. Run TestLogServer.
    TestLogServer runs a process on port 55805 that listens to data sent from Filtering Service. By default, this information is displayed onscreen.
  3. To verify that Websense is passing traffic to the TestLogServer machine:
    1. In Websense Manager, select Server > Settings > Logging. Logging information appears in the content pane.
    2. Enter the IP address of the machine running TestLogServer in the Server field, and then click OK.
    3. Go to another machine in the network and try to access an internet site, or have someone request a site from another machine.

      NOTE

      If you have only recently configured DC Agent, the users requesting sites for testing purposes may need to log off and log back on. This allows DC Agent to identify the users. Websense software cannot apply user and group policies if users are logged on locally. Such users are filtered by the Global policy, or by a policy assigned to the workstation.

  4. Verify that the request and the associated user name are shown by TestLogServer.
    1. If the user name appears, there is probably a problem with policy configuration. Use Websense Manager to review the active policies and the category sets and yes lists that they enforce.
    2. If something other than the user name appears, or the user name is incorrect, see the More Troubleshooting section below.
    3. If nothing associated with a user name appears, verify that DC Agent and other Websense components are properly configured to communicate with your directory service.
  5. Press Ctrl+C to stop TestLogServer. 

Verify that user account information is correctly identified by DC Agent

In certain circumstances, Windows may incorrectly identify a newly created or temporary workgroup as a domain. When this occurs, DC Agent receives duplicate account names associated with a single internet request.

If, for example, Windows identifies the workgroup TEMP as a domain, DC Agent receives 2 account names associated with a user in that workgroup:

  • \\ActualDomain\user1
  • \\TEMP\user1

As a result, DC Agent cannot properly identify the user, and user-based filtering is not applied.

To correct this problem, recreate the dc_config.txt file on the DC Agent machine to remove references to the fake domain.

  1. Make a backup copy of dc_config.txt in another location (preferably a network share).
  2. Stop the DC Agent service.
  3. Delete the existing dc_config.txt file on the DC Agent machine.
  4. Restart the DC Agent service.
 
More Troubleshooting

This section provides a series of questions to help you determine the source of user identification issues involving DC Agent.
 

Is the network configured for DNS and NetBIOS?

Check the Network Neighborhood configuration for client and server machines.

  1. Verify that there is an entry in the WINS database for the NetBIOS users logged on to the domain.
  2. Check the DNS table for static IP entries.

    NOTE

    If you use DHCP and DNS in a Windows 2000 environment, Websense, Inc. recommends that you set dynamic update of the DNS server.


Are users connecting through a RAS Server or through Terminal Services like Citrix Metaframe or Windows Terminal Server?

See "Can Websense function in a Terminal Server / Citrix Server / Thin Client environment?" for details.
 

Are users with Windows 95/98/XP machines bypassing the logon process?

To filter users who bypass the logon process in an attempt to circumvent Websense filtering:

  1. Check integration logs or use Websense reporting tools to retrieve the IP addresses of workstations that may be accessing HTTP sites that should be blocked.
  2. Use Websense Manager to apply a policy to these workstations.

If a user name or IP address is not captured, and if no other policy applies, Websense software enforces the Global policy.
 

Are client machines able to log on to different domains?

The primary or backup domain controllers need to replicate their SAM databases to pass security information for authenticated users between domains.

If a user can successfully log on to the network, but does not get filtered by Websense software:

  1. Verify the policy assigned to the user in Websense Manager.
  2. Verify that the client machine is passing through the correct gateway for internet requests.


Were Filtering Service and DC Agent running before the user logged on to the network?

Both Websense Filtering Service and DC Agent must be running before users log on to the network. If a user logs on before DC Agent has started, Websense applies the Global policy by default (if no workstation or network policy applies).

In this situation:

  1. Force users off the network remotely.
  2. Make sure that Filtering Service and all instances of DC Agent are running.

When users log back on to the network, user data is captured by DC Agent, so that user-based policies can be applied.
 

If you use Active Directory, are there any duplicate user names in a parent and child domain?

In Active Directory, users may be given duplicate accounts in both parent and child domains. For example, testuser@parent.com and testuser@child.parent.com are duplicate entries.

If duplicate accounts share the same password, DC Agent may not be able to identify the employee correctly. It is best not to configure your directory service with duplicate accounts (other than service accounts).

 

Related Articles:
 

Using TestLogServer with Websense Enterprise

How do I start, stop, and/or restart Websense services?

Can Websense function in a Terminal Server / Citrix Server / Thin Client environment?
