| Question: | Answer: |
| Can you elaborate on the uses of the P2 interface on the V10000? | The P2 interface can be used for multicast communications between multiple V10000s in a cluster configuration. Another configuration we see from time to time is to set up the P1 interface on the internal network for client proxy traffic, then have the P2 interface on a different network which has Internet access, but no direct access to clients. This separates internal client networks from the internet with the only point of access via the P1 interface of the V10000. |
| Should one use network agent, if using an integration product (like bluecoat)? What benefit would I get? | The network agent is how Websense performs protocol filtering (outside of HTTPS and in some cases FTP). When looking at the Protocol filter list in the Websense Manager, all of these protocols (except for the above exceptions) require the Network Agent to be properly configured to be monitored. Another benefit for using the Network Agent is bandwidth reporting; most integrations (such as Cisco PIX firewalls) do not send bytes sent/received data to the Websense Filtering Service. The Network Agent can monitor the HTTP bandwidth data and make this available for your reporting. |
| Why would the DCagent create 100's of DCOM errors in the windows system log? | DC Agent uses Windows Management Interface (WMI) for communicating with workstations for Workstation polling. Windows firewall (and other desktop protection programs) will block WMI calls to the workstation, which will cause DCOM access denied errors from the workstation to appear on the DC Agent Server's event log. There is an excellent MSDN knowledge base article which explains how to correct the situation on your client PCs here: http://msdn.microsoft.com/en-us/library/aa389286.aspx |
| Do you need to run NETBIOS or can you just use the NETBIOS ports? | Your Domain Controllers must be running NetBIOS and listening on port 139 for the DC Agent to automatically detect your Domain Controllers in your network. An easy test to see if this is operating properly is to attempt to telnet to one of your domain controllers on port 139. If this fails, then your DC Agent will not be able to detect that particular domain controller. |
| Currently on Websense 6.3 and need to upgrade to the latest version. What upgrade path do you recommend? | Any version of 6.3.X can upgrade directly to version 7.1 using the 7.1 installer. I want to caution, however, that you make sure you meet the hardware requirements for 7.1 before you upgrade, as they have increased between 6.3.X series and 7.X series Websense. |
| How often is the user map refreshed? | The DC Agent polls your Domain Controllers by default every 10 seconds, and if there is a change to the map, it will be refreshed immediately. The filtering service also retains a copy of the map, and the update to that map is also immediate. |
| What would cause the dcagent service to stop/fail repeatedly on a win2008 DC? | There are multiple different reasons which can cause the service to stop / fail on a server. Some examples would be:
- Domain account is having run as service rights being stripped by GPO
- Computer Browser Service (new with server 2008) is not started
- Antivirus / Monitoring software stopping service
If you find none of these to be the cause, I would suggest opening a case with Websense Technical Services to troubleshoot and correct the issue. |
| Can you explain your integration with Checkpoint? | Please see Websense Knowledge Base article: How Do Websense and Firewall-1 Interact? |
| When I do a search within Websense enterprise 6.1.0, users are listed several times, even though there is only one user, the results display all OU's that this user was in, how are these updated? | The short answer for version 6.1.0 is "they are not." This was an issue with older versions of Websense and was corrected with version 6.3.2 and higher. I would strongly suggest upgrading to at least version 6.3.2 to take advantage of this and other new features released after version 6.1.0. |
| If I have more Active directory domains which are not trusted, can I use only a Websense Policy Server and many DC agents installed to manage the users? | Yes you can. You will need to make sure you have a DC Agent installed in each of these separate domains to identify the users in each of these domains. Further, you will need to make sure you add an entry for each domain in the Websense Manager under your Directory Service settings. |
| What's the difference between DC agent and the Logon Agent? | In a nutshell, the DC Agent operates by polling your Directory Controllers looking for active SMB sessions and gathering the login name and machine name from these sessions. The Logon Agent detects users by use of an executable called by a script which is run by clients when they log on or off the network. The script is pushed to clients via GPO as part of the logon script, so the executable must be accessible by the client PCs. For more information on how the DC agent and Logon Agent operate, please see knowledge base article: V7: Transparent Identification of Users |
| How do you identify users on a multi-user server (i.e. terminal services users)? | For Citrix servers, we do have a plug-in available which handles user identification and operates much as a regular Websense integration (performs HTTP and HTTPS filtering). For terminal services the only option we can really offer is to use a proxy server integrated with Websense such as Websense Content Gateway or Microsoft ISA, which can identify users via NTLM. |
| My dba doesn't like that partitions roll, because they have to keep changing their backup jobs (and other maintenance jobs)...what is the recommendation if one doesn't want partitions to roll over (i.e. are there purge scripts available?) | The Websense Database model in use today (for version 6.3.x and higher) uses multiple databases (1 Catalog database and 1 or more partition databases). This system was designed to increase performance and correct many of the issues we had previously with data purging in our older versions. This new system does require the ability to roll partitions, however you can set the partition sizes to be quite large so the partitions are not rolled very often (although I wouldn't recommend partitions over 40 GB in size, as performance tends to degrade past that point). Websense does not offer the ability to purge or delete data within the partitions. |
| Is there a way to see the "user->IP mapping" for logon agent, similar to what consoleclient will show for DC agent user mapping? | Consoleclient can be used to view the user identification map just like the DC Agent. The diagnostics port for the Logon Agent is 30603. Please see Websense Knowledge Base article: Debugging Websense Services Using ConsoleClient |
| LogonApp takes precedence over DC Agent, right? | Yes. |
| Once a deleted SQL partitions log database is deleted, will doing a restore of the database within SQL automatically add it back to the available partitions? | A partition database which is set to "inactive" within the Websense Manager under Logging can safely be detached from SQL and moved off of the SQL server (Tape backup or network storage for example). If data is needed from that particular partition, you can move that particular partition database back to the SQL server and attach with the same name, then mark the database active again in the Websense manager to retrieve data from it. If a partition database is deleted within the Websense Manager, you cannot restore the data back to Websense again, as this partition's referential links will be removed from the catalog database. Also, if you are taking full backups of all Websense databases (Catalog and all partitions) you can restore them all from a backup, but it is very important that all of them are restored, else you run a very high risk of corrupting your databases and losing all of your reporting data. |
| As a Websense customer on Linux, I am curious as to the future of Linux support and Websense's commitment to the platform since logging and reporting has always been inferior on the Linux platform. | With version 7.5, Websense Manager (which includes reporting) will be available for Linux. This will allow all of the same reporting options which are currently available to Windows users and should close that gap which existed previously between reporting on both platforms. The Websense logserver service still requires Windows and MSDE, MSSQL 2000 or MSSQL 2005. |
| How do you download the logon agent software? | The logon agent software is part of the regular Websense installer. If you already have Websense installed, run the installer and select the option to add components. You will find the Logon Agent listed. Check the box and follow the prompts to install. |
| Would we have to use IP policies to filter Mac traffic? | Not necessarily. Websense can filter Apple PCs as long as they are properly authenticating to the Windows domain. |
| Regarding Network Agent, could you repeat under what circumstances does the Interface N is connected to bidirectional should be checked? | On the Websense V10000 appliance, the N interface for the network agent has the capability to send Network Agent blocks when the switch the N interface is connected to is capable of performing bi-directional communications. What this means is, when you are spanning traffic to the switch interface the N interface is plugged in to, that same interface can also communicate with the network. If your switch does not support this ability, you should not check the bidirectional checkbox. In the case your interface does not support bidirectional traffic, all Network Agent blocks will be sent via the C interface. |
| What should we do to support Kerberos Authentication ? | At this time, Websense Security Gateway does not support Kerberos Authentication. |
| When will the DC Agent support kerberos logins from Mac clients? | Kerberos Authentication is not supported at this time. Support for Kerberos for identification is roadmapped for later this year, however I have no specifics on if the support will be for DC Agent or if support for Kerberos is planned. You can submit a feature request by sending an email to suggest@websense.com. Make sure you include the words "Feature Request" in the subject line of the email, and be as detailed as possible explaining what feature you would like to see added. |
| What does it mean when the Log IP address or name is set to localhost? | The logserver IP address location is relative to your Websense Filtering Service. If you have all Websense components installed on the same server, this isn't really an issue since localhost to the Websense Filtering Service is local to the Websense Logserver Service as well. However, if you have a V10000 appliance, or your Websense Filtering Service(s) are installed in a separate location, then you must update this entry from localhost to the location of the Websense Logserver Service, else your Logserver will not receive any log data and you will have blank reports. |
| When we restart our win2003 machine with the policy server the service won't start unless I go into websense.ini and increase the port by 1 number, have you ever seen this problem? | The issue described sounds like an issue caused by a Microsoft Security Patch to DNS. Please see Websense knowledge base article: Policy Server Will Not Start: Failed to Initialize the UID Broadcast Receiver. If this article does not resolve your issue, please contact Websense Technical Support for further assistance. |
| Is compatibility with HyperV planned? | I do not know of HyperV support planned at this time. You can submit a feature request by sending an email to suggest@websense.com. Make sure you include the words "Feature Request" in the subject line of the email, and be as detailed as possible explaining what feature you would like to see added. |
| Why would you disable computer polling? | Computer Polling can fail for several reasons. Websense uses WMI (Windows Management Interface) to communicate with workstations over port 135. If Windows Firewall is enabled, or another security software is blocking Remote Procedure Calls (RPCs), then Computer Polling will fail. Computer polling can also fail if the account you are using for your DC Agent Service does not have rights to access the Windows Registry on your client PCs. |
| Can websense 7.1 authenticate more than one domain users at the same time? | The Websense DC agent and Websense User Service do support multiple domains. For Websense User Service, you must list at least 1 Domain Controller for each non-trusted domain in the Websense Manager under Directory Services. For the Websense DC Agent, you must have a DC Agent installed in each non-trusted domain to communicate with the DCs from those domains. At this time, Websense Content Gateway only supports NTLM authentication within 1 domain and any trusted domains that first domain is connected to; with version 7.5, WCG will have the ability to communicate to multiple non-trusted domains. |
| If you want 1 user to access only 1 website, what would be the best way to do this? by IP address? | You can create a policy for one single user within the Websense Manager and apply to a single user object. |
| Is 2008 R2 supported? | No, 2008 R2 (which is 64 bit) is not supported at this time. |
| Are there any plans or updates in the works to allow support for Internet Explorer 8.0 64 bit for Websense Manager? | Support for running the Websense Manager with Internet Explorer 8.0 will be provided with version 7.5. Websense components will not support installation on a 64 bit operating system. |
| Any plans on getting citrix plugin for xenapp 5/6? | Websense does not currently support installation on Xenapp. You can submit a feature request by sending an email to suggest@websense.com. Make sure you include the words "Feature Request" in the subject line of the email, and be as detailed as possible explaining what feature you would like to see added. |
| Users sometime get prompted for authentication on our network, is this a dc_config.txt issue? | There can be multiple causes for this issue. The most common we see is the users time-out off of the DC Agent user identification map. This is most commonly seen in environments where users lock their workstations or don't access network shares regularly. If you find this the case in your network, I would suggest using the Websense Logon Agent for authentication instead. For further troubleshooting of this issue, I would suggest contacting Websense Technical Support. |
| What about VMware workstation? It always picks up my host logon instead of the client which has its own IP. | DC Agent does not support multi-host installations, such as Citrix, VMWare or Terminal Services server. For cases like this, you will need a way to identify users by their browser rather than by IP. Commonly, users will use Microsoft ISA integrated with Websense, or Websense Content Gateway to identify these users. |
| How to identify DHCP users where there is no domain controller? (otherwise reporting may not show correct user) | DC Agent requires an Active Directory domain to operate correctly. While you can enable manual authentication, this still requires a domain to operate properly. If you do not have a domain, then you will only be able to identify users by IP address. |
| Websense is currently licensed by IP will there be an option to license by user? | No, this is not currently planned. You can submit a feature request by sending an email to suggest@websense.com. Make sure you include the words "Feature Request" in the subject line of the email, and be as detailed as possible explaining what feature you would like to see added. |
| I see the user entry expiration is set to 24 hours for both the logon and dc agents. Is it safe, from a performance standpoint, to reduce that down to as little as 1 or 2 hours? | You will see no performance gains by lessening the timeout of user identification; in fact, you can cause issues with users 'falling off' the user identification map if you set a shorter timeout. Once a user times out off of a user identification map, their identification to Websense is lost and those users will either be identified by IP address or be prompted for manual authentication if you have that feature enabled. |
| If I find that a user is incorrectly identified as someone else, is there a way to manually delete the mapping for only that one person? In the past, I've been told the entire mapping file has to be deleted and recreated which usually involves all our users reauthenticating or logging off/on their workstations. | No, there is no way to manually remove a single user from the mapping. |
| What if users authenticate wired then go undocked into an already connected simultaneous wireless connection. Will the name still be shown? | Possibly. If the user makes a new SMB session by accessing a share or they log off and on again, they should have a new user identification map entry created for that wireless IP. If they begin browsing without making a new SMB request, then the DC Agent will not have any way to identify that user and the user will not be identified by user name. In environments such as this, it would be best to use Websense Logon Agent instead. |
| What is the process for restoring the SQL database for reporting on historical data? | If you properly disabled a partition within Websense, then you can restore the database as simply as re-enabling the partition from within the Websense Manager. If a partition has been deleted within Websense, you cannot re-add the partition back. If you have a full backup of all Websense databases including the catalog database, you can restore all databases to the same point in time. |
| If IE 8 is not supported, then is Windows 7 not supported for Websense 7? | For version 7.1 and below, IE8 is not supported. You can install Firefox version 3.0 on Windows 7 to work with the Websense Manager. |
| Why would HTTPS traffic always read as just IP addresses? | The URL portion of an HTTPS packet header is encrypted. Since most Websense integrations do not decrypt HTTPS, the Websense Filtering Service is unable to determine the URL of the HTTPS request. The HTTPS request is instead filtered by the destination IP address, and this is how the request is logged. |
| When will you support IPv6? | IPV6 support is not planned for 7.5. You can submit a feature request by sending an email to suggest@websense.com. Make sure you include the words "Feature Request" in the subject line of the email, and be as detailed as possible explaining what feature you would like to see added. |
| Does Websense Enterprise version 6.1.0 support IE 8? | In terms of filtering, Websense should be browser independent. Since Version 6.1.0 uses an installed software manager, your browser will not matter. |
| On the DC Agent you mentioned not enabling Workstation Polling, What is this and why not enable it? | Websense DC Agent uses Computer Polling (Workstation polling in previous versions of Websense) to bolster the user identification capabilities of the Websense DC Agent. Since the DC Agent domain controller polling only identifies when users log on (not log off) there is a known 'workaround' to DC Agent user identification by logging on locally to a client machine, which will not create a new SMB session to a domain controller, and therefore not be identified. What actually happens in that case is the local user will be identified by the previous domain user's credentials until the DC Agent map entry times out for that IP address / user pairing. To prevent this from occurring, Websense DC Agent will poll client PCs using Windows Management Interface (WMI) on port 135 once a PC has browsed the internet that Websense does not have a user map entry for. The most common reason why Websense suggests to disable Computer Polling is most desktop security software, including Windows Firewall, blocks the DC Agent's attempts to identify the user, causing a blank entry in the user map. Unless you have tailored your environment to not have port 135 blocked on your client PCs, we suggest disabling Computer Polling to prevent these blank entries. |
| Do you see running testlogserver and not logging to the DB as a risk, for reporting where people are going while not logging to DB? | This can be a risk, depending on how sensitive your company is to having breaks in reporting data for troubleshooting and how long you'll be running testlogserver for. Most companies do not mind having a small lapse of reporting to troubleshoot an issue, but some companies have strict change request requirements which means testlogserver can only be run during a maintenance period. Overall, this really depends on your IT server/service requirements for your own organization. |
| Why don't I ever see information in the bandwidth presentation reports? | If you do not see bandwidth data, it is likely your Websense integration does not support bandwidth data, for example a Cisco PIX and you do not have a Websense Network Agent configured to monitor your network traffic. To remedy this, I would suggest setting up the Network Agent to monitor a span of your network traffic so the Network Agent can report bandwidth usage. Please see chapter 3 of the Websense deployment guide for more information. |
| If we have two Domain controller, could we install two DC agent? | I would only suggest installing more than 1 DC Agent if you have more than 1 domain and they are untrusted, or if you have a large amount of domain controllers and you need to load balance your DC Agents. |
| What are possible reasons supposedly blocked categories show up under "Never Blocked" in investigative reports? | The only time a site should be recorded as never blocked is for unpurchased security categories (in the case of Websense Web Filter), a hit against the Malicious Traffic protocol group, or the user has a policy with the Never Block category filter. If you find other instances where you are seeing Never Blocked, I would suggest contacting Websense Technical Support for assistance. |
| How can you check for real time monitoring? | To test real time categorization, go to http://testdatabase.websense.com and use the Real-time Analysis test pages to test your real time filtering. |
| Why do we need to have an IP address for the NA on V10000 ? | The Websense V10000 uses Linux for its internal operating system, which requires an IP address be assigned to any interface. Linux does not support promiscuous mode interfaces like Windows. |
| Can you use DCAgent as default and NTLM for Terminal Server user identification or can you only use one or the other? | You can use both. NTLM identification within the Websense Content Gateway / V10000 or Microsoft ISA integration takes precedence over the Websense DC Agent. |
| Sometimes the DC Agent "loses" an individual's map between username and IP address, and the user typically has to reboot to fix this. What causes this to be "lost"? It appears that perhaps the person leaves the workstation locked overnight and the next day the person isn't filtered correctly? | You are correct in your assumption. Since the DC Agent cannot detect when a user logs off their workstation, it is necessary to use timeouts to expire user entries off the user map. If you have an environment where users do not often "hop" PCs, you can try increasing the DC Agent timeout to something higher, maybe 96 hours or so. While this won't be a perfect solution (as user entries can still expire from the map if they never access a share and/or never log off) it can help with users who "fall off" the map overnight. A more reliable solution would be to use the Websense logon agent instead. |
| Doesn't the DC Agent also identify service accounts as users on desktops? | DC Agent can be set to ignore certain user logons or IP addresses by using the ignore.txt file in the bin directory. Please see Websense Knowledge Base article: Configure DC Agent to ignore users for more information. |
| Can multiple instances of DC Agent be run to poll domain controllers through firewalls or over slow links? | Yes, you can install DC Agents at remote locations to poll domain controllers at remote locations. You will want to configure your dc_config.txt for each location to only poll the domain controllers onsite and not the remote DCs. |
| When would the dc_config.txt file not exist? and why? | The DC Agent requires NetBIOS be enabled to discover domain controllers over TCP port 139. If port 139 is blocked or NetBIOS is disabled in your network, the DC Agent will not discover any domain controllers. If this is the case, the dc_config.txt file will not be created. You can manually create the file within the bin directory if this is the case. Please see Websense Knowledge Base article: Transparent Identification of Users for more information on the dc_config.txt file. |
| How often does the DC Agent build the user map? We have a mobile user base and don't see all of the appropriate usernames when digging through logs. | The DC Agent by default polls your domain controllers every 10 seconds and will update the map for each new entry it finds. If you have mobile users who are not being identified by DC Agent, you may be experiencing a different phenomenon due to Windows' ability to cache domain credentials. If a user is logged in to a laptop already when it is attached to your network, then the regular login event of discovering network shares will not occur and the laptop will not be identified by the DC Agent. In this type of environment it would be optimal to use the Websense Logon Agent instead. |
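
The answers above on the user entry expiration, Computer Polling and users who "fall off" the map all describe an IP-to-user map that learns about logons but never about logoffs. The Python model below is an added example, not Websense code: the class, event kinds, IP addresses and user names are constructed for illustration, and it assumes that only a new SMB session creates or refreshes an entry.

```python
"""Toy model of a logon-only IP -> user map (added example, not Websense code)."""
from dataclasses import dataclass


@dataclass
class MapEntry:
    user: str
    created_at: float  # hours since the start of the timeline


class UserMap:
    def __init__(self, timeout_hours):
        self.timeout_hours = timeout_hours
        self.entries = {}  # ip -> MapEntry

    def smb_session(self, now, ip, user):
        # Assumption: a domain logon or share access is the only event that
        # creates or refreshes an entry. Logoffs are never seen.
        self.entries[ip] = MapEntry(user, now)

    def identify(self, now, ip):
        entry = self.entries.get(ip)
        if entry is None:
            return None
        if now - entry.created_at >= self.timeout_hours:
            del self.entries[ip]  # expired: the user "falls off" the map
            return None
        return entry.user


# Constructed timeline: (hour, kind, ip, actual_user)
TIMELINE = [
    (0.0, "smb", "10.0.0.5", "alice"),         # domain logon
    (0.0, "smb", "10.0.0.9", "bob"),           # domain logon
    (1.0, "web", "10.0.0.5", "alice"),
    (9.0, "local", "10.0.0.5", "localadmin"),  # local logon, no SMB session
    (10.0, "web", "10.0.0.5", "localadmin"),
    (25.0, "web", "10.0.0.5", "localadmin"),
    (30.0, "web", "10.0.0.9", "bob"),          # locked overnight, no new session
]


def attribute(timeline, timeout_hours):
    """Replay the timeline and say how each web request would be logged."""
    user_map = UserMap(timeout_hours)
    rows = []
    for hour, kind, ip, actual in timeline:
        if kind == "smb":
            user_map.smb_session(hour, ip, actual)
        elif kind == "web":
            seen = user_map.identify(hour, ip)
            if seen is None:
                verdict = "unidentified"   # falls back to IP or manual auth
            elif seen == actual:
                verdict = "correct"
            else:
                verdict = "misattributed"  # logged under the previous user
            rows.append((hour, ip, actual, seen, verdict))
        # kind == "local": the map is not told anything
    return rows


def verdicts(timeline, timeout_hours):
    return [row[4] for row in attribute(timeline, timeout_hours)]


if __name__ == "__main__":
    for timeout in (2, 24, 96):
        print(f"timeout={timeout}h")
        for row in attribute(TIMELINE, timeout):
            print("  ", row)
```

Running it with 2, 24 and 96 hour timeouts shows the trade-off: a short timeout drops users quickly, while a long one keeps a locked workstation identified but extends the window in which a local logon is logged under the previous domain user.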