Deployment and Installation Center
Websense TRITON Enterprise v7.6.x

Initial Configuration > Creating and running the script for Logon Agent

If you installed Websense Logon Agent, you must create a logon script for clients that identifies them to Websense software when they log on to a Windows domain. The Websense Logon application, LogonApp.exe, provides a user name and IP address to the Logon Agent each time a Windows client connects to a Windows Active Directory or a Windows NT directory service.
During Logon Agent installation, the logon application and script files are placed in the Websense bin directory (by default, C:\Program Files\Websense\Web Security\bin or C:\Program Files (x86)\Websense\Web Security\bin on Windows, or /opt/Websense/bin on Linux):
* LogonApp.exe (Windows only): The Websense executable that communicates user information to the Logon Agent.
* Logon.bat: The batch file containing sample logon and logout scripts.
* LogonApp_ReadMe.txt: A summary of the procedures for creating and running the Websense logon script and optional logout script.
Before deploying the script, verify the following:
* If the logon script runs the logon application in persistent mode, configure your Active Directory server not to run scripts synchronously. In persistent mode LogonApp.exe remains resident, so a logon script that must finish before the desktop loads would hang.
* Be sure that all computers can connect to the shared drive on the domain controller containing Logon.bat and LogonApp.exe. You must copy both of these files from the machine running Logon Agent to both the logon and logout directories on the domain controller. To list the machines visible in the domain from a client, run:
  net view /domain:<domain name>
* The TCP/IP NetBIOS Helper Service must be running on each Windows 2000, Windows XP, Windows Vista, Windows Server 2003, and Windows NT client machine that is identified by Logon Agent.
* The logon application on client machines must use NTLM (not NTLMv2) authentication to communicate with Logon Agent. By default, Windows Vista machines use NTLMv2.
To change this setting globally, for all machines in the network, modify the default domain Group Policy Object (GPO) so that clients send an NTLM response:
1. Open the Microsoft Management Console (mmc.exe) on a domain controller.
2. Go to File > Add/Remove Snap-In, and then click Add.
3. Select Group Policy Management Editor, and then click Add.
4. When prompted for a Group Policy Object, select the default domain policy and click Finish.
5. Click Close and then OK to close the open dialog boxes.
6. In the navigation pane of the Console window, expand Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies, and then select Security Options.
7. In the content pane, double-click Network security: LAN Manager authentication level, and change the setting to Send NTLM response only.
This sets the LAN Manager authentication level (registry value LmCompatibilityLevel) to 2 on every computer the GPO applies to. Level 2 permits NTLMv1 responses, which are weaker than NTLMv2, so apply the policy no more broadly than the clients that need Logon Agent require.
To change this setting on individual Windows Vista machines, change the default setting for Network security: LAN Manager authentication level as follows:
1. Open the Windows Local Security Settings window (secpol.msc). See the Windows online Help for assistance.
2. Go to Security Settings > Local Policies > Security Options, and double-click Network security: LAN Manager authentication level.
3. Select Send NTLM response only and click OK.
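The following PowerShell script is an added example, not code from the Websense documentation or product. Run on a domain-joined client, it checks the prerequisites listed above in one pass: the TCP/IP NetBIOS Helper service, the LAN Manager authentication level, read access to the script share, the net view domain check, and a TCP connection to the Logon Agent port. The share path \\DC01\netlogon and the domain name EXAMPLE are placeholders; 10.2.2.95:15880 is the Logon Agent address from this page's own example.

```powershell
# Added example, not code from the Websense documentation or product: checks the
# client-side prerequisites for Logon Agent. Run on a domain-joined Windows client
# (PowerShell 2.0 or later). Assumptions not taken from the original page: the share
# path \\DC01\netlogon and the domain name EXAMPLE are placeholders; 10.2.2.95:15880
# is the Logon Agent address used in the page's own example.
param(
    [string]$LogonAgentHost = '10.2.2.95',
    [int]$LogonAgentPort    = 15880,
    [string]$SharePath      = '\\DC01\netlogon',
    [string]$Domain         = 'EXAMPLE'
)

$results = @()
function Add-Result([string]$Check, [bool]$Ok, [string]$Detail) {
    $script:results += New-Object PSObject -Property @{ Check = $Check; Ok = $Ok; Detail = $Detail }
}

# 1. TCP/IP NetBIOS Helper (service name: lmhosts) must be running.
$svc = Get-Service -Name lmhosts -ErrorAction SilentlyContinue
if ($svc) { Add-Result 'TCP/IP NetBIOS Helper running' ($svc.Status -eq 'Running') "Status: $($svc.Status)" }
else      { Add-Result 'TCP/IP NetBIOS Helper running' $false 'service not found' }

# 2. LAN Manager authentication level. Levels 0-2 send an NTLM (v1) response; 3-5 send
#    NTLMv2 only. The documented setting "Send NTLM response only" is level 2. When the
#    value is absent the OS default applies (3 on Vista and later), so flag it for review.
$lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
if ($lsa.PSObject.Properties['LmCompatibilityLevel']) {
    $level = [int]$lsa.LmCompatibilityLevel
    Add-Result 'LAN Manager auth level allows an NTLM response' ($level -le 2) "LmCompatibilityLevel = $level"
} else {
    Add-Result 'LAN Manager auth level allows an NTLM response' $false 'LmCompatibilityLevel not set; OS default applies (3 on Vista and later)'
}

# 3. Logon.bat and LogonApp.exe must be readable from the domain controller share.
foreach ($file in 'Logon.bat', 'LogonApp.exe') {
    $path = Join-Path $SharePath $file
    Add-Result "Share file readable: $file" (Test-Path -Path $path -PathType Leaf) $path
}

# 4. Domain visibility over NetBIOS, the check the page itself suggests.
$view = & net view "/domain:$Domain" 2>&1
Add-Result "net view /domain:$Domain" ($LASTEXITCODE -eq 0) (($view | Select-Object -First 2) -join ' | ')

# 5. The Logon Agent port must accept TCP connections. TcpClient is used rather than
#    Test-NetConnection so the script also runs on clients older than Windows 8.
$tcp = New-Object System.Net.Sockets.TcpClient
$reachable = $false
try {
    $async = $tcp.BeginConnect($LogonAgentHost, $LogonAgentPort, $null, $null)
    if ($async.AsyncWaitHandle.WaitOne(3000)) { $tcp.EndConnect($async); $reachable = $tcp.Connected }
} catch { $reachable = $false } finally { $tcp.Close() }
Add-Result "Logon Agent ${LogonAgentHost}:${LogonAgentPort} reachable" $reachable ''

$results | Format-Table Check, Ok, Detail -AutoSize
if (@($results | Where-Object { -not $_.Ok }).Count -gt 0) { exit 1 }
```

A non-zero exit code means at least one prerequisite failed; the Detail column shows which. The LmCompatibilityLevel check reports the effective registry value, which is also what the GPO above writes, so it can be used to confirm the policy has applied before users report manual-authentication prompts.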
When Logon Agent identifies a user, the user name and IP address are stored in a user map. The length of time this information is stored without reverification depends on whether the logon application is running in persistent mode or non-persistent mode. If LogonApp.exe is running in persistent mode, the update time interval is configured in TRITON - Web Security.
In non-persistent mode, user map information is created at logon and is not updated. The use of non-persistent mode creates less traffic between Websense software and the clients in your network.
In Active Directory, you can use a logout script to clear the logon information from the Websense user map before the interval defined in TRITON - Web Security. See Task 1: Prepare the scripts for more information.
For detailed information about configuring Logon Agent in TRITON - Web Security, see the User Identification topic in TRITON - Web Security Help.
Task 1: Prepare the scripts
The Websense executable and logon batch file must be copied to a shared drive on the domain controller that is visible to all clients. If you use Active Directory, you also can create and deploy an optional logout batch file on the shared drive. Restrict write access to that share and to the GPO script folders to administrators: anything placed there runs on every client at the next logon.
A batch file, called Logon.bat, is installed with Logon Agent in the Websense bin directory (by default, C:\Program Files\Websense\Web Security\bin, C:\Program Files (x86)\Websense\Web Security\bin, or /opt/Websense/bin).
This file contains instructions for using the scripting parameters, and two sample scripts: a logon script that runs the logon application (LogonApp.exe), and a logout script. The logout script removes user information from the Websense user map when the user logs out. Only Active Directory can use both types of scripts.
The logon script runs the logon application with the following syntax, optionally followed by the parameters described below:
LogonApp.exe http://<server>:<port>
<server>
  IP address or name of the Websense Logon Agent machine. This entry must match the machine address or name entered in TRITON - Web Security in Task 3.
<port>
  Port on which Logon Agent listens for connections from the logon application (15880 in the example below). This entry must match the port entered for Logon Agent in TRITON - Web Security.
NOPERSIST
  Causes the logon application to send user information to the Logon Agent at logon only. The user name and IP address are communicated to the server at logon and remain in the Websense user map until the user's data is automatically cleared at a predefined time interval. The default user entry expiration is 24 hours, and can be changed in TRITON - Web Security.
  If the NOPERSIST parameter is omitted, LogonApp.exe operates in persistent mode, remaining resident in memory on the client machine and updating the Logon Agent with the user name and IP address at predefined intervals. The default interval is 15 minutes, and can be changed in TRITON - Web Security.
Copy parameter (see Logon.bat for the exact switch)
  Copies the logon application to the %USERPROFILE%\Local Settings\Temp directory on users' machines, where it is run by the logon script from local memory rather than from the share. This optional parameter helps to prevent your logon script from hanging.
Logout parameter (see Logon.bat for the exact switch)
  Used only in an optional logout script, this parameter removes the user's logon information from the Websense user map when the user logs off. If you use Active Directory, this parameter can clear the logon information from the user map before the interval defined for Logon Agent has elapsed.
  Use this optional parameter in a logout script in a different batch file than the one containing the logon script. See the Examples below.
Examples
The sample logon script in Logon.bat sends user information to the Logon Agent at logon only; the information is not updated during the user's session (NOPERSIST). The information is sent to port 15880 on the server identified by IP address 10.2.2.95.
With Active Directory you have the option to clear the logon information for each user as soon as the user logs out. (This option is not available with a Windows NT directory service.) Create a companion logout script in a different batch file, and place it in a different directory than the logon script.
To do so, copy the logon batch file, rename it Logout.bat, and replace the NOPERSIST parameter with the logout parameter described above.
You can configure your logon script to run with a group policy on Active Directory or on Windows NT Directory. The logout script only runs with Active Directory.
Note
The following procedures are specific to Microsoft operating systems and are provided here as a courtesy. Websense, Inc., cannot be responsible for changes to these procedures or to the operating systems that employ them. For more information, see the links provided.
To deploy the logon script with a group policy in Active Directory:
1. On the Active Directory machine, go to the Windows Control Panel and select Administrative Tools > Active Directory Users and Computers.
2. Right-click the domain and select Properties.
3. On the Group Policy tab, click New and create a policy called Websense Logon Script.
4. Select the new policy and click Edit to open it in the Group Policy Object Editor.
5. Expand User Configuration.
6. Go to Windows Settings > Scripts (Logon/Logoff).
7. Double-click Logon.
8. Click Show Files to open this policy's logon script folder in Windows Explorer.
9. Copy the following files into that folder:
   * Logon.bat, your edited logon batch file
   * LogonApp.exe, the application
10. Click Add in the Logon Properties dialog box.
11. Enter Logon.bat in the Script Name field or browse for the file.
12. Leave the Script Parameters field empty.
13. Click OK twice to accept the changes.
14. (Optional) If you have prepared a logout script, repeat Step 6 through Step 13. Choose Logoff at Step 7, and use your logout batch file, together with a second copy of LogonApp.exe, when you are prompted to copy or name the batch file.
15. Click OK in the domain Properties dialog box to apply the script.
Note
You can check whether the script is running as intended by configuring your Websense software to fall back to manual authentication. If transparent identification with Logon Agent fails for any reason, users are then prompted for a user name and password when they open a browser. Ask your users to notify you if this happens.
To enable manual authentication, see the User Identification topic in the TRITON - Web Security Help.
For additional information about deploying logon scripts to users and groups in Active Directory, go to the Microsoft TechNet site (technet2.microsoft.com/), and search for the exact phrase: Logon Scripts How To.
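The following PowerShell script is an added example, not code from the Websense documentation or product. It automates the copy step of the Active Directory procedure above and produces the logon and logout batch files described under Examples: it writes Logon.bat and Logout.bat, copies LogonApp.exe into both script folders, verifies the copies by SHA-256, and warns if any non-administrative principal can write to either folder. The paths are placeholders; 10.2.2.95:15880 is the address from this page's example; the slash form /NOPERSIST and the token /LOGOUT for the logout parameter are assumptions, since the page describes those parameters without printing their command-line tokens (check Logon.bat for the exact switches before deploying).

```powershell
# Added example, not code from the Websense documentation or product. Generates the logon
# and logout batch files, copies them and LogonApp.exe to the GPO script folders, verifies
# the copies by hash, and checks that nothing but administrative principals can write there
# (anything in a logon-script folder runs on every client at logon).
# Assumptions (not from the original page): the paths below are placeholders;
# 10.2.2.95:15880 comes from the page's own example; the slash form "/NOPERSIST" and the
# token "/LOGOUT" for the logout parameter are assumed, since the page describes the
# parameters without printing their command-line tokens.
param(
    [string]$WebsenseBin   = 'C:\Program Files\Websense\Web Security\bin',
    [string]$LogonDir      = '\\DC01\SYSVOL\example.com\Policies\{GPO-GUID}\User\Scripts\Logon',
    [string]$LogoutDir     = '\\DC01\SYSVOL\example.com\Policies\{GPO-GUID}\User\Scripts\Logoff',
    [string]$LogonAgentUrl = 'http://10.2.2.95:15880'
)
$ErrorActionPreference = 'Stop'

# %~dp0 expands to the directory the batch file runs from, so the application is found
# next to the script in either folder without hard-coding the share path.
$logonBat = @"
@echo off
REM Websense Logon Agent logon script: identify the user once, at logon (NOPERSIST).
%~dp0LogonApp.exe $LogonAgentUrl /NOPERSIST
"@
$logoutBat = @"
@echo off
REM Websense Logon Agent logout script: clear the user's entry from the user map.
%~dp0LogonApp.exe $LogonAgentUrl /LOGOUT
"@

function Get-Sha256Hex([string]$Path) {
    # Get-FileHash needs PowerShell 4; the .NET API works on older hosts as well.
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $stream = [System.IO.File]::OpenRead($Path)
    try { ([System.BitConverter]::ToString($sha.ComputeHash($stream))).Replace('-', '') }
    finally { $stream.Close(); $sha.Clear() }
}

function Get-NonAdminWriters([string]$Dir) {
    # Principals other than the standard administrative ones that hold any write right.
    $writeMask = [int]([System.Security.AccessControl.FileSystemRights]::Write -bor
                       [System.Security.AccessControl.FileSystemRights]::Delete -bor
                       [System.Security.AccessControl.FileSystemRights]::ChangePermissions -bor
                       [System.Security.AccessControl.FileSystemRights]::TakeOwnership)
    $trusted = 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators', 'CREATOR OWNER'
    (Get-Acl -Path $Dir).Access |
        Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            (([int]$_.FileSystemRights -band $writeMask) -ne 0) -and
            $trusted -notcontains $_.IdentityReference.Value -and
            $_.IdentityReference.Value -notmatch '\\(Domain|Enterprise) Admins$'
        } |
        ForEach-Object { $_.IdentityReference.Value } | Sort-Object -Unique
}

# Copy the application into both folders; the page requires it beside each script.
foreach ($dir in $LogonDir, $LogoutDir) {
    if (-not (Test-Path -Path $dir)) { New-Item -Path $dir -ItemType Directory | Out-Null }
    Copy-Item -Path (Join-Path $WebsenseBin 'LogonApp.exe') -Destination $dir -Force
}
# cmd.exe does not read UTF-16 batch files, so write them as ASCII.
Set-Content -Path (Join-Path $LogonDir 'Logon.bat')   -Value $logonBat  -Encoding Ascii
Set-Content -Path (Join-Path $LogoutDir 'Logout.bat') -Value $logoutBat -Encoding Ascii

# Verify the copies match the source binary and inspect the folder ACLs.
$srcHash = Get-Sha256Hex (Join-Path $WebsenseBin 'LogonApp.exe')
foreach ($dir in $LogonDir, $LogoutDir) {
    $dstHash = Get-Sha256Hex (Join-Path $dir 'LogonApp.exe')
    if ($dstHash -ne $srcHash) { throw "Hash mismatch for LogonApp.exe in $dir" }
    $writers = @(Get-NonAdminWriters $dir)
    if ($writers.Count -gt 0) {
        Write-Warning "Non-administrative principals can write to $dir : $($writers -join ', ')"
    }
}
Write-Output "Deployed LogonApp.exe (SHA-256 $srcHash) and scripts to $LogonDir and $LogoutDir"
```

Run it as a domain administrator from a machine that can read the Websense bin directory and write to SYSVOL. The ACL check is deliberately strict: any principal outside SYSTEM, the local Administrators group, CREATOR OWNER and the Domain/Enterprise Admins groups with a write, delete, change-permissions or take-ownership right is reported, because a writable logon-script folder lets that principal run code on every client that logs on.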
To run the logon script on a Windows NT domain:
1. Copy the Logon.bat and LogonApp.exe files from the Websense installation directory on the Logon Agent machine (by default, C:\Program Files\Websense\Web Security\bin, C:\Program Files (x86)\Websense\Web Security\bin, or /opt/Websense/bin) to the netlogon share on the domain controller.
   Depending on your configuration, you may need to copy these files to other domain controllers in the network to run the script for all your users.
2. In the Control Panel of the domain controller, select Administrative Tools > User Manager for Domains.
3. Select the user accounts that should run the logon script.
4. Click Profile.
5. Enter Logon.bat in the Logon Script Name field.
6. Click OK to save the profile.
Note
You can check whether the script is running as intended by configuring your Websense software to use manual authentication when transparent identification fails. If transparent identification with Logon Agent fails for any reason, users are then prompted for a user name and password when they open a browser. Ask your users to notify you if this happens.
To enable manual authentication, see the User Identification topic in the TRITON - Web Security Help.
After the logon/logout scripts and the logon application have been deployed and configured on the domain controllers, you must enable Logon Agent in TRITON - Web Security. See the User Identification > Logon Agent topic in the TRITON - Web Security Help for instructions.

