Configuring DC Agent

Administrator Help | Forcepoint Web Security and Forcepoint URL Filtering | v8.5.x

Related topics:

Identifying on-premises users transparently

Manual authentication

Configuring user identification and authentication

DC Agent

Use the User Identification > DC Agent page to configure a new instance of DC Agent, as well as to configure the global settings that apply to all instances of DC Agent.

To add a new instance of DC Agent, first provide basic information about where the agent is installed, and how Filtering Service should communicate with it. These settings may be unique to each agent instance.

Under Basic Agent Configuration, enter the IPv4 address or hostname of the machine on which the agent is installed.


	Note Hostnames must start with an alphabetical character (a-z), not a numeric or special character. Hostnames containing certain extended ASCII characters may not resolve properly. If you are using a non-English version of web protection software, enter an IP address instead of a machine name.

Enter the Port that DC Agent should use to communicate with other web protection components. The default is 30600.

To establish an authenticated connection between Filtering Service and DC Agent, select Enable authentication, and then enter a Password for the connection.

Next, customize global DC Agent communication and troubleshooting, domain controller polling, and computer polling settings. By default, changes that you make here affect all DC Agent instances.

Some of these settings can, however, be overridden in a configuration file (see the Using DC Agent for Transparent User Identification technical paper).

Under Domain Discovery, mark or clear Enable automatic domain discovery to determine whether DC Agent automatically finds domains and domain controllers in your network.

If domain discovery is enabled, also specify:

How often to Identify domains. Domain discovery occurs at 24-hour intervals, by default.

Domain discovery will always be done by DC Agent.

Two options are available for retrieving logon events.

The Event Subscriber option subscribes to logon events from the domain controller. This option is enabled by default in the transid.ini file in the web protection bin directory (C:\Program Files\Websense\Web Security\bin, by default).

The following entries in the ini file are used to determine the full functionality of the option.

UseEventSubscriber=on

UserMapUpdateTime=10000

IgnoreDNSFailure=on

StripEmailSign=on

where

UseEventSubscriber is used to enable the feature

UserMapUpdateTime establishes the time interval (in milliseconds) between updates to the user map.

IgnoreDNSFailure dictates whether DNS failures are ignored or if the user IP address should be taken directly from the event data if DNS fails

StripEmailSign determines whether user names are stripped from "username@company.com" formats.

Enable DC Agent to query domain controllers for user logon sessions, by marking Enable domain controller polling in the Domain Controller Polling section of the DC Agent Communication box.

To perform domain controller polling, the DC Agent service needs only read privileges on the domain controller. Automatic domain discovery (steps 1 and 2) and computer polling (step 7) require that the service run with elevated permissions.

You can specify which domain controllers each instance of DC Agent polls in a configuration file (see The dc_config.txt file).

Use the Query interval field to specify how often (in seconds) DC Agent queries domain controllers.


	Note This value is not used when the Event Subscriber option is enabled.

Decreasing the query interval may provide greater accuracy in capturing logon sessions, but also increases overall network traffic. Increasing the query interval decreases network traffic, but may also delay or prevent the capture of some logon sessions. The default is 10 seconds.

Use the User entry timeout field to specify how frequently (in hours) DC Agent refreshes the user entries in its map. The default is 24 hours.

Under Computer Polling, check Enable computer polling to enable DC Agent to query computers for user logon sessions. This may include computers that are outside the domains that the agent already queries.

DC Agent uses WMI (Windows Management Instruction) for computer polling. If you enable computer polling, configure the Windows Firewall on client machines to allow communication on port 135.

If DC Agent performs computer polling, the service must run with domain or enterprise admin privileges.

Enter a User map verification interval to specify how often DC Agent contacts client machines to verify which users are logged on. The default is 15 minutes.

DC Agent compares the query results with the user name/IP address pairs in the user map it sends to Filtering Service. Decreasing this interval may provide greater user map accuracy, but increases network traffic. Increasing the interval decreases network traffic, but also may decrease accuracy.

Enter a User entry timeout period to specify how often DC Agent refreshes entries obtained through computer polling in its user map. The default is 1 hour.

DC Agent removes any user name/IP address entries that are older than this timeout period, and that DC Agent cannot verify as currently logged on. Increasing this interval may lessen user map accuracy, because the map potentially retains old user names for a longer time.


	Note Do not make the user entry timeout interval shorter than the user map verification interval. This could cause user names to be removed from the user map before they can be verified.

Click OK to return to the User Identification page, then click OK again to cache your changes. Changes are not implemented until you click Save and Deploy.