
Page 1: User Identification Technologies within Websense Web ...kb.websense.com/pf/12/webfiles/Webinars/webinar_pdf/August2009... · User Identification Technologies within Websense Web Security

web security | data security | email security © 2009 Websense, Inc. All rights reserved.

Support Webinars

User Identification Technologies within Websense Web Security v7.x

Websense Support Webinar August 2009

Page 2

Webinar Information

Title: User Identification Technologies within Websense Web Security v7.x

Audio information:
– This presentation incorporates STREAMING AUDIO.
– Use of speakers or headsets is required. If you are unable to hear the streaming audio or it is choppy, a limited number of dial-in numbers are available.

Dial-in numbers:
– U.S. dial-in numbers:
  • Toll free: 1-866-288-9872, pass-code: 429066
  • Toll: 1-913-312-2900, pass-code: 429066
– Find international dial-in numbers at:
  • http://www.websense.com/july15intl
  • Pass-code: 429066

Page 3

Goals and Objectives

– Deploying and configuring DC Agent
– Deploying and configuring Logon Agent
– Deploying and configuring eDirectory Agent
– Deploying and configuring User Service
– Troubleshooting tips for DC Agent, Logon Agent, and eDirectory Agent
– Troubleshooting tips for User Service

Page 4

Webinar Presenter

Ravi Desai

Title: Tech Support Specialist

Accomplishments:
– Over 2 years supporting Websense products

Education / Certifications:
– B.Eng (Hons) Computer Systems and Networks
– MCP
– CCNA
– WCWSA – Websense Certified Web Security Associate

Qualifications:
– New Hire Training
– v7 Tech Support Training

For additional information: www.websense.com/support/

Page 5

DC Agent Deployment

For Server 2008 installations, please check the Installation Guide for additional information.
– Multiple instances of DC Agent can be deployed depending on the size of the network.
– If the network is large, then having multiple instances can allow for faster identification.
– If multiple Filtering Service instances are installed, each one must be able to communicate with all DC Agent instances.

Supported platforms:

  Supported Platform                              7.0 – 7.0.1   7.1
  Windows Server 2003, Standard and Enterprise    Yes           Yes
  Windows Server 2008, 32-bit only                No            Yes

Page 6

DC Agent Deployment

Websense DC Agent enables transparent user identification via a Windows-based directory service.

Page 7

DC Agent Domain Discovery

At start-up, and (by default) every 24 hours thereafter, DC Agent performs domain discovery to identify the available domains and domain controllers in the network.

DC Agent asks User Service for the list of domains and domain controllers and saves this information to a file called dc_config.txt.

Once the list is populated, DC Agent contacts each domain controller, round-robin fashion, every ten seconds.

Page 8

DC Agent Domain Discovery

The dc_config.txt file contains:
– The names of the available domains and domain controllers in the network
– Whether DC Agent monitors each domain controller

You can configure which domain controllers are monitored by setting each entry in the file to on (monitor, the default) or off (do not monitor):

[Domain1]
DCA=on
DCB=off
[Domain2]
DC1=on
DC2=off
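The dc_config.txt layout above and the ten-second round-robin from the previous slide can be worked through in code. The following is an added example written for this transcript, not Websense code: it parses a constructed dc_config.txt into a domain/controller map, reports lines DC Agent would not understand (comment lines are skipped, which is this example's own convention), lists only the controllers set to on, and simulates the polling order. Because DC Agent takes its list of servers to query from this file, it is a trust boundary: restrict write access to it as you would to the agent's service account.

```python
"""Parse a DC Agent dc_config.txt and derive the polling order.

Added example, not Websense code. The file layout (one [Domain] section
per domain, one DC=on|off line per controller) and the 10-second
round-robin interval are the ones the webinar describes; the sample file
below is constructed for the example.
"""
import re
from itertools import cycle

SAMPLE_DC_CONFIG = """\
[Domain1]
DCA=on
DCB=off
[Domain2]
DC1=on
DC2=off
"""

SECTION_RE = re.compile(r"^\[(?P<domain>[^\]]+)\]$")
ENTRY_RE = re.compile(r"^(?P<dc>[^=\s]+)\s*=\s*(?P<state>on|off)$", re.IGNORECASE)


def parse_dc_config(text):
    """Return ({domain: {dc_name: monitored}}, [(line_no, bad_line), ...]).

    Lines that are neither a section header nor an on/off entry, or that
    appear before any section, are reported rather than silently ignored,
    so a hand-edited file that DC Agent would misread is visible.
    Comment lines (; or #) are skipped; that is this example's convention.
    """
    domains, bad_lines, current = {}, [], None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith((";", "#")):
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group("domain")
            domains.setdefault(current, {})
            continue
        m = ENTRY_RE.match(line)
        if m and current is not None:
            domains[current][m.group("dc")] = m.group("state").lower() == "on"
            continue
        bad_lines.append((lineno, raw))
    return domains, bad_lines


def monitored_controllers(domains):
    """Flatten to the (domain, dc) pairs DC Agent will actually poll."""
    return [(d, dc) for d, dcs in domains.items() for dc, on in dcs.items() if on]


def polling_schedule(controllers, rounds=1, interval_s=10):
    """Simulate the round-robin: one controller contacted per interval.

    Returns (offset_seconds, domain, dc) tuples; with N monitored
    controllers each one is revisited every N * interval_s seconds.
    """
    if not controllers:
        return []
    order = cycle(controllers)
    return [(i * interval_s,) + next(order) for i in range(rounds * len(controllers))]


if __name__ == "__main__":
    parsed, bad = parse_dc_config(SAMPLE_DC_CONFIG)
    for entry in polling_schedule(monitored_controllers(parsed), rounds=2):
        print("t=%3ds  %s\\%s" % entry)
    for lineno, bad_line in bad:
        print("line %d not understood: %r" % (lineno, bad_line))
```

The schedule makes the sizing point from slide 5 concrete: with N monitored controllers in one agent's list, any given controller is only queried every 10 × N seconds, which is one reason to split a large domain list across several DC Agent instances.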

Page 9

DC Agent Domain Discovery

For automatic domain discovery to occur, NetBIOS (NetBIOS over TCP/IP: UDP 137 and 138, TCP 139) must be allowed through the firewalls or routers connecting different subnets or domains.

If NetBIOS is not enabled, DC Agent cannot communicate with those domains or subnets.

If it is not possible to enable NetBIOS between domains, install an additional instance of DC Agent for those sites.

Set DiscoverInterval=0 in transid.ini to disable automatic domain discovery.

Page 10

Domain Controller Polling

DC Agent queries each domain controller for user logon sessions, obtaining the user and computer name.

Page 11

Domain Controller Polling

By default, the query occurs every 10 seconds. This interval can be configured in Websense Manager.

If DC Agent is not running when a user logs on to a domain controller, the logon session is not recorded.
– In this case, the user may be filtered by the computer or network policy (if it exists), or by the Default policy.

Page 12

User to IP Address Mapping

For each logon session, DC Agent performs a DNS lookup to resolve the computer name to an IP address, and then stores the user name/IP address pair in its user map in local memory. It periodically writes a copy of the user map to XidDcAgent.bak.

Page 13

User to IP Address Mapping

DC Agent provides user names and IP addresses to Filtering Service each time its user map is updated.
– The agent sends only those new user name/IP address pairs recorded since the last query.
– Filtering Service adds new user name/IP address pairs to its copy of the user map in local memory.

No confidential information (such as user passwords) is transmitted.

Page 14

Computer Polling

DC Agent polls client machines (computers) by default. This helps to verify which user is logged on to a machine.
– Filtering Service prompts DC Agent to poll the client machine if the logged-on user does not appear in its user map.
– Computer polling occurs via WMI (Windows Management Instrumentation). Configure the Windows Firewall on client machines to allow communication on port 135 (the RPC endpoint mapper; the DCOM connection that follows uses a dynamically assigned port, so a rule that opens only 135 is not sufficient on its own).
– DC Agent stores the user name/IP address pair in its user map and provides the information to Filtering Service. At a pre-defined interval, DC Agent uses computer polling to verify that users are still logged on.

The User entry timeout setting (1 hour, by default) determines how long an entry remains in the user map.

The User map verification interval (15 minutes, by default) determines how often DC Agent attempts to verify that users are still logged on.
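Slides 12 to 14 describe one data structure, the user map, and four operations on it: resolving a logon to an IP, handing only new pairs to Filtering Service, polling an unmapped IP, and re-verifying and expiring entries. The following model, an added example written for this transcript rather than Websense code, puts those rules together with an injectable clock so the timeout and verification interval can be exercised without waiting an hour. The DNS resolver and WMI poller are stand-in callables, and two behaviours are this example's own assumptions, not stated on the slides: a blank user name from a poll never creates or overwrites an entry (the failure mode slide 34 warns about), and a poll returning a different user replaces the entry.

```python
"""Model of the DC Agent user map described on slides 12 to 14.

Added example, not Websense code. It models the behaviour the webinar
describes: a logon is resolved computer name -> IP and stored as a
user/IP pair, only pairs recorded since the last hand-off are sent to
Filtering Service, an unmapped IP triggers a computer poll, and entries
are re-verified every 15 minutes and dropped after the 1-hour user entry
timeout. Two choices are this example's own, not stated on the slides:
a poll that returns a blank user name never creates or overwrites an
entry, and a poll that returns a different user replaces the entry.
The resolver and poller are injected callables standing in for DNS and
WMI; all sample data is constructed.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

ENTRY_TIMEOUT_S = 3600   # "User entry timeout", 1 hour by default
VERIFY_INTERVAL_S = 900  # "User map verification interval", 15 minutes by default


@dataclass
class Entry:
    user: str
    ip: str
    last_seen: float       # last time the user was confirmed on this IP
    last_verified: float   # last time a computer poll was attempted


@dataclass
class UserMap:
    resolve: Callable[[str], Optional[str]]   # computer name -> IP (DNS stand-in)
    poll: Callable[[str], str]                # IP -> logged-on user or "" (WMI stand-in)
    entries: Dict[str, Entry] = field(default_factory=dict)
    pending: List[Tuple[str, str]] = field(default_factory=list)

    def record_logon(self, user: str, host: str, now: float) -> Optional[str]:
        """Slide 12: resolve the computer name and store the user/IP pair."""
        ip = self.resolve(host)
        if ip is None:
            return None                     # unresolvable host: nothing to map
        self.entries[ip] = Entry(user, ip, now, now)
        self.pending.append((user, ip))
        return ip

    def drain_for_filtering_service(self) -> List[Tuple[str, str]]:
        """Slide 13: hand over only the pairs recorded since the last hand-off."""
        batch, self.pending = self.pending, []
        return batch

    def lookup(self, ip: str, now: float) -> Optional[str]:
        """Slide 14: an IP with no entry triggers a computer poll."""
        entry = self.entries.get(ip)
        if entry is None:
            user = self.poll(ip)
            if not user:                    # blank name: leave the IP unmapped
                return None
            entry = self.entries[ip] = Entry(user, ip, now, now)
            self.pending.append((user, ip))
        return entry.user

    def maintain(self, now: float) -> List[str]:
        """Periodic pass: re-verify due entries, expire stale ones.

        Returns the IPs removed so the caller can tell Filtering Service.
        """
        removed = []
        for ip, entry in list(self.entries.items()):
            if now - entry.last_verified >= VERIFY_INTERVAL_S:
                polled = self.poll(ip)
                entry.last_verified = now
                if polled == entry.user:
                    entry.last_seen = now   # still logged on: refresh
                elif polled:                # another user on that IP: replace (assumption)
                    self.entries[ip] = Entry(polled, ip, now, now)
                    self.pending.append((polled, ip))
                    continue
                # blank result: keep the entry until it times out
            if now - entry.last_seen >= ENTRY_TIMEOUT_S:
                del self.entries[ip]
                removed.append(ip)
        return removed
```

The model makes the failure modes on slide 11 and slide 34 visible: an unresolvable computer name or a blank poll result leaves the IP unmapped, so the client falls through to the computer, network or Default policy, and a blank poll does not evict a good entry until the timeout does.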

Page 15

Setting Exceptions for DC Agent

It is possible to set DC Agent not to identify certain users transparently.

This can be done from Websense Manager: go to Settings > User Identification and click Exceptions.

It is also possible to specify whether the user should be manually authenticated (prompted for logon information) if transparent identification is not available.

Page 16

Logon Agent Deployment

Identifies users transparently and maximizes accuracy in identifying users on the network.

Multiple Logon Agent instances can be used if required; this may be of benefit in larger networks.

Supported platforms:

  Supported Platform                                            7.0 – 7.0.1   7.1
  Windows Server 2003, Standard and Enterprise                  Yes           Yes
  Windows Server 2008, 32-bit only                              No            Yes
  Red Hat Enterprise Linux 3 or 4 AS, ES, WS                    Yes           Yes
  Red Hat Enterprise Linux 5 Server, Advanced Platform, or Desktop   Yes      Yes

Page 17

Logon Agent Deployment

Transparent identification with Websense Logon Agent uses the following components:

Logon Agent
– Also known as Authentication Server; can be installed on Windows or Linux, and works with the logon application installed on the Windows client.
– Can communicate with Windows Active Directory or Windows NT Directory, and uses information sent by LogonApp.exe to authenticate user logon sessions from all Windows domains in your network.
– Stores authenticated user name/IP address pairs in a user map that is periodically saved to a backup file, AuthServer.bak.

Filtering Service uses the information provided by Logon Agent to apply filtering policies to logged-on users.

Page 18

Logon Agent Deployment

LogonApp.exe
– Runs on Windows client machines, and sends user logon information to Logon Agent for authentication
– Can be activated via a logon script

The application sends user data either once, when the logon session first occurs, or repeatedly at a specified interval (the default):
– /Persist – (default) the logon application sends logon information to Logon Agent at a specific interval (configured using the Query interval setting in Websense Manager).
– /NoPersist – The logon application sends logon information to Logon Agent only once for each logon. The entry remains in the user map for a specific interval (configured using the User entry expiration setting in Websense Manager).

Page 19

Logon Agent User Identification

Logon Agent and LogonApp.exe work together to detect users as they log on to your network.

The user identification process works as follows:

1. When users log on to the network, a network logon script invokes the Websense logon application (LogonApp.exe).

2. The logon application contacts Logon Agent via HTTP.

Page 20

Logon Agent User Identification

3. Logon Agent sends an NTLM authentication challenge, and the logon application provides a user name, hashed password, and IP address to Logon Agent.

4. Logon Agent establishes a session with the domain controller to verify the user name/password combination from the logon application. (The agent contacts User Service to determine which DC is the logon source.)

5. Once the user name/IP address pair is verified, Logon Agent provides the information to Filtering Service and adds an entry to its user map, which is periodically saved to a backup file, AuthServer.bak.

6. Filtering Service records the user name/IP address pair in its own copy of the user map in local memory. If Logon Agent is used with DC Agent, Logon Agent takes precedence.

Page 21

eDirectory Agent Deployment

Works with Novell eDirectory to identify users transparently.
– Does not authenticate users directly, but uses the NetWare Core Protocol (NCP) to gather user logon session information from Novell eDirectory.
– Associates each authenticated user with an IP address and records user name-to-IP-address pairings in a user map.
– Supplies this information to Websense Filtering Service.

Supported platforms:

  Supported Platform                                            7.0.x   7.1
  Windows Server 2003, Standard and Enterprise                  Yes     Yes
  Windows Server 2008, 32-bit only                              No      Yes
  Red Hat Enterprise Linux 3 or 4 AS, ES, WS                    Yes     Yes
  Red Hat Enterprise Linux 5 Server, Advanced Platform, or Desktop   Yes   Yes

Page 22

eDirectory Agent Deployment

Needs to be installed on at least one machine.
– Depending on the size of the network, multiple instances can be deployed.

Each Filtering Service must be able to communicate with all instances of eDirectory Agent.

Cannot be used in combination with DC Agent or Logon Agent (on the same machine or in the same network).

Page 23

eDirectory Agent User Identification

1. Novell eDirectory authenticates users as they log on.

2. eDirectory Agent retrieves information from Novell eDirectory about logged-on users.
– The agent queries the directory service for user logons at regular intervals (30,000 milliseconds, or 30 seconds, by default). The agent detects only users logging on directly to the Novell eDirectory server.

Page 24

eDirectory Agent User Identification

Page 25

eDirectory Agent User Identification

3. eDirectory Agent stores the user name, domain name, and originating IP address from each logon session in a map in local memory, and in the eDirAgent.bak file.
– If eDirectory Agent receives a new request from an IP address already included in its map, it replaces the existing pairing with the new pair.

Page 26

eDirectory Agent User Identification

4. eDirectory Agent sends user names and IP addresses to Filtering Service using port 30700.
– Filtering Service records user name/IP address pairs in its own copy of the user map in local memory. No confidential information (such as user passwords) is transmitted.

5. Filtering Service queries User Service for group information for the user names in its user map.

6. User Service queries Novell eDirectory for group information corresponding to those users, and sends the information to Filtering Service.

Page 27

Combining Agents

It is possible to install more than one transparent identification agent on the same machine.
– DC Agent can be installed with Logon Agent or RADIUS Agent on the same machine.
– Do not install DC Agent and eDirectory Agent on the same machine or in the same network.
– Do not install Logon Agent and eDirectory Agent on the same machine or in the same network.

Page 28

Websense User Service

Communicates with a supported LDAP- or NTLM-based directory service
– Passes information from the directory service to Policy Server and Filtering Service for applying policies to users, groups, and organizational units (OUs).
– Allows directory users to be assigned as delegated administrators.

Only one User Service per Policy Server.

Use the Directory Services and Logon Directory pages in Websense Manager to configure User Service settings.

Duplicate user names are not supported for LDAP-based directories. Ensure that the same user does not appear in multiple domains.

While using AD or Sun Java Directory, user names with blank passwords are not supported.

Page 29

Websense User Service

The Settings > Directory Services page
– Configure settings for Windows NT Directory / Active Directory (mixed mode), Active Directory (native mode), Sun Java System Directory, or Novell eDirectory.
– Only one type of directory service can be selected per Policy Server.
– Select the appropriate directory service from the list.

Windows NT Directory / Active Directory (Mixed Mode)
– If this option is selected, no further configuration is necessary.
– Make sure that User Service runs with a service account that has enough rights to access the directory.
– In rare circumstances you may need to configure additional settings, if User Service resides on a Linux machine.
– Universal groups do not work with this option.

Page 30

Directory Service Settings

Windows Active Directory (Native Mode)
– In order for User Service to contact AD, you must provide information about the global catalog servers in your network.
– Click Add to add a global catalog server.
– Use the Server IP or name field to identify the global catalog server.
– If you have multiple global catalog servers configured for failover, enter the DNS domain name.
– If your global catalog servers are not configured for failover, enter the IP address or host name of the server to add.
– Enter the port number (by default, 3268).
– Root context is optional, unless you are using port 389 or 636. In that case, you must provide a root context.

Page 31

Directory Service Settings

Windows Active Directory (Native Mode) (continued)
– Specify the account to be used for directory search. The account should have read access; it does not need to be a domain administrator.
– Select Distinguished name by components or Full distinguished name.
– Click OK, and then Save All.
– Advanced settings can also be configured. These can be used to define advanced search criteria.

Page 32

Directory Service Settings

Novell eDirectory and Sun Java System Directory
– Enter the IP address of the directory server machine.
– Enter the port number to communicate with the directory (by default, 389).
– If your directory requires administrator privileges for read-only access, enter the Administrator distinguished name and Password.
– Optionally, enter the Root context that Websense software should use when searching for user information. For example, o=domain.com.
– Under the user ID logon attribute enter "uid" and under Search Filter enter "(objectclass=person)".
– Select the necessary option under Group Options.
– Select the appropriate option for LDAP referrals.
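Slides 30 to 32 state the rules a directory-service entry has to satisfy (a global catalog on 3268, a mandatory root context on 389 or 636, a read-only search account, and a uid attribute combined with the (objectclass=person) search filter for eDirectory and Sun Java System Directory). The following is an added example written for this transcript, not Websense code and not the Websense Manager's own validation: it checks an entry against those rules and shows how a per-user lookup filter should be assembled from the slide's base filter. The field names in the settings dictionary are this example's own. The point a practitioner should take from the filter builder is that the logon name goes through RFC 4515 escaping, so a value containing ( ) * or \ cannot alter the query that is sent to the directory.

```python
"""Validate Directory Service settings and build the user search filter.

Added example, not Websense code. Encodes the rules from slides 30 to 32:
a global catalog is normally queried on 3268 with no root context, while
ports 389 and 636 require one; eDirectory and Sun Java System Directory
use the uid attribute with (objectclass=person). The per-user lookup
filter applies RFC 4515 escaping so a user name containing ( ) * \\ or
NUL cannot change the query. Settings field names are this example's own.
"""
GC_PORT = 3268
LDAP_PORTS_NEEDING_ROOT = {389, 636}
SUN_EDIR_DEFAULTS = {"port": 389, "uid_attr": "uid", "base_filter": "(objectclass=person)"}


def validate_native_ad(settings):
    """Return a list of problems with an AD (native mode) entry; empty means OK."""
    problems = []
    if not settings.get("server"):
        problems.append("server IP, host name or DNS domain name is required")
    port = settings.get("port", GC_PORT)
    if port in LDAP_PORTS_NEEDING_ROOT and not settings.get("root_context"):
        problems.append(f"root context is required when using port {port}")
    if not settings.get("search_account"):
        problems.append("a read-only search account is required")
    return problems


def ldap_escape(value):
    """RFC 4515 escaping for an assertion value inside a search filter."""
    out = []
    for ch in value:
        if ch in "*()\\\x00":
            out.append("\\%02x" % ord(ch))   # e.g. '(' -> '\28', '*' -> '\2a'
        else:
            out.append(ch)
    return "".join(out)


def user_lookup_filter(user_id, uid_attr=SUN_EDIR_DEFAULTS["uid_attr"],
                       base_filter=SUN_EDIR_DEFAULTS["base_filter"]):
    """AND the slide's base filter with an exact match on the logon attribute."""
    return f"(&{base_filter}({uid_attr}={ldap_escape(user_id)}))"


if __name__ == "__main__":
    print(validate_native_ad({"server": "10.1.1.10", "port": 389, "search_account": "svc_ws"}))
    print(user_lookup_filter("jdoe"))
    print(user_lookup_filter("*)(uid=*"))   # injection attempt rendered harmless
```

The same escaping applies to any tool you use to replicate the settings while troubleshooting (slide 38 suggests an LDAP browser): a filter pasted with an unescaped user name will either fail or match more than the one account you meant.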

Page 33

Logon Directory Settings

Specify which directory service Websense should use to authenticate delegated administrator accounts.

Use the Get Settings button to copy the settings from the Directory Services page.

Configure these settings before trying to give network users delegated administrator access to Websense Manager.

Page 34

Troubleshooting DC Agent

Run ConsoleClient on diagnostic port 30601.

Get a printself output of the XID user map and check for user entries that do not have a corresponding IP address.

Ensure that DC Agent is running with an account that has access to poll domain controllers for user information.

Check the websense.log file and the Windows Event Viewer for errors.

If there is a problem identifying a particular user, open a command prompt on the client machine and run "set L" (which lists the environment variables beginning with L, including LOGONSERVER) to get the logon server name.

Check the dc_config.txt file and ensure that the relevant server is listed in the file and is set to on.

Check the XID map entries and ensure that computer polling is not returning blank user names.

Page 35

Troubleshooting Logon Agent

Run ConsoleClient on diagnostic port 30603 and get a printself output of the XID map.

Verify that the user's machine is connected to the shared drive on the domain controller where LogonApp.exe and the logon script are stored.

NetBIOS over TCP/IP must be enabled.
– If NetBIOS is disabled, LogonApp.exe may not be able to run, and Logon Agent may not be able to communicate with domain controllers.
– The TCP/IP NetBIOS Helper service must be running on each client machine. If this service is not running, LogonApp.exe cannot be properly deployed on client machines, and therefore cannot capture logon sessions.

Page 36

Troubleshooting Logon Agent

Make sure that the user profile stored on the client machine is not corrupt.

Run LogonApp.exe with the /Verbose switch to print out error messages that may occur during the user identification process.

Use the /d parameter to print messages to a file specified via the /filename switch.

Run a packet capture using Wireshark.

Page 37

Troubleshooting eDirectory Agent

To activate eDirectory Agent logging and debugging:

1. Stop the Websense eDirectory Agent service.

2. Navigate to the Websense bin directory.

3. Open the file wsedir.ini in a text editor and locate the [eDirAgent] section.

4. Modify the DebugMode entry to read: DebugMode=On

5. Modify the DebugLevel entry to read: DebugLevel=3
   • Level 3 provides the highest level of debugging detail.

6. Modify the LogFile entry to read: LogFile=eDirLog.txt
   • This causes log output to be sent to a file called eDirLog.txt. You can enter a different file name, or leave the entry blank to send debugging information to the console.

7. Start the Websense eDirectory Agent service.

Page 38

Troubleshooting User Service

Unable to add clients in Websense Manager:
– Verify your Directory Service settings.
– If you are using Active Directory (native mode), make sure that you can telnet to the global catalog server on the port specified.
– Use an LDAP browser such as Softerra to replicate the settings and check whether you can connect with that browser.

A delegated administrator cannot log on to Websense Manager:
– Verify your Logon Directory settings.
– Run a Wireshark trace, set a capture filter for the port number specified in the Logon Directory settings, and check for LDAP errors.

Page 39

Troubleshooting User Service

User- or group-based filtering is not working:

1. Stop all Websense services.

2. Navigate to the Websense bin directory and open the websense.ini file in a text editor.

3. Add the following lines:

[DirectoryService]
GroupLog=true
BindLog=true
UseDomainMap=true

4. Start the Websense services. A dstrace.txt file is created in the bin directory. Send this file to Technical Support for further investigation.
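Slides 37 and 39 both come down to the same hand edit: stop a service, set a few keys under one section of an .ini file in the Websense bin directory, and start the service again. The following helper is an added example written for this transcript, not a Websense tool: it applies such a change repeatably, writing a key in place when it exists, appending it to the section when it does not, creating the section when it is missing, and leaving every other line as it was. The value DebugMode=Off used to revert the eDirectory Agent change is an assumption (the slide only shows DebugMode=On), and the file contents used in the test are constructed.

```python
"""Set keys in a Websense-style .ini file without disturbing the rest of it.

Added example, not Websense code. The troubleshooting steps on slides 37
and 39 edit wsedir.ini ([eDirAgent] DebugMode, DebugLevel, LogFile) and
websense.ini ([DirectoryService] GroupLog, BindLog, UseDomainMap) by hand.
This helper makes those edits repeatable: it rewrites a key in place when
present, appends it to the section otherwise, creates the section when it
is missing, drops duplicate occurrences of the key, and leaves every other
line untouched. configparser is not used because it lower-cases keys and
rewrites the whole file. The "DebugMode=Off" value used to revert is an
assumption (the slide only shows DebugMode=On); sample contents used in
the test are constructed.
"""
import re

SECTION_RE = re.compile(r"^\[(?P<name>[^\]]+)\]$")

# Values taken from the slides.
WSEDIR_DEBUG_ON = {"DebugMode": "On", "DebugLevel": "3", "LogFile": "eDirLog.txt"}
WEBSENSE_DS_TRACE = {"GroupLog": "true", "BindLog": "true", "UseDomainMap": "true"}
# Assumed reverse setting: turn debugging back off once the logs are collected.
WSEDIR_DEBUG_OFF = {"DebugMode": "Off"}


def set_ini_keys(text, section, values):
    """Return `text` with every key in `values` set under [section]."""
    lookup = {k.lower(): k for k in values}   # case-insensitive key match
    out, done = [], set()
    current, start, end = None, None, None   # start/end bound the section in `out`
    for raw in text.splitlines():
        m = SECTION_RE.match(raw.strip())
        if m:
            if current == section:
                end = len(out)
            current = m.group("name")
            if current == section:
                start = len(out) + 1
            out.append(raw)
            continue
        if current == section and "=" in raw and not raw.lstrip().startswith((";", "#")):
            canon = lookup.get(raw.split("=", 1)[0].strip().lower())
            if canon is not None:
                if canon not in done:
                    out.append(f"{canon}={values[canon]}")
                    done.add(canon)
                continue                     # later duplicates are dropped
        out.append(raw)
    if current == section:
        end = len(out)
    missing = [f"{k}={v}" for k, v in values.items() if k not in done]
    if start is None:                        # section absent: create it at the end
        if out and out[-1].strip():
            out.append("")
        out.append(f"[{section}]")
        out.extend(missing)
    elif missing:                            # append before the section's trailing blanks
        pos = end
        while pos > start and not out[pos - 1].strip():
            pos -= 1
        out[pos:pos] = missing
    return "\n".join(out) + ("\n" if text.endswith("\n") else "")


if __name__ == "__main__":
    import sys
    # usage: python set_ini_keys.py wsedir.ini eDirAgent on|off
    path, section, mode = sys.argv[1:4]
    values = {"eDirAgent": {"on": WSEDIR_DEBUG_ON, "off": WSEDIR_DEBUG_OFF},
              "DirectoryService": {"on": WEBSENSE_DS_TRACE}}[section][mode]
    with open(path, encoding="ascii") as fh:
        original = fh.read()
    with open(path, "w", encoding="ascii") as fh:
        fh.write(set_ini_keys(original, section, values))
```

Run it with the relevant service stopped, as the slides say, and reverse the change once Technical Support has what it needs: DebugLevel=3 and BindLog=true record directory lookups and binds, so eDirLog.txt and dstrace.txt should be treated as sensitive, access-restricted, and deleted after they have been sent.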

Page 40

Support Online Resources

Tech Alerts
– Subscribe to receive product-specific alerts that automatically notify you anytime Websense issues new releases, critical hot-fixes, or other technical information.

Knowledge Base
– Search or browse the knowledge base for documentation, downloads, top knowledge base articles, and solutions specific to your product.

Support Forums
– Share questions, offer solutions and suggestions with experienced Websense customers regarding product Best Practices, Deployment, Installation, Configuration, and other product topics.

ask.websense.com
– Create and manage support service requests using our online portal.

Page 41

Webinar Announcement

Title: Installing and Configuring Websense Content Gateway

Date: September 16, 2009

Time: 8:30 AM Pacific Time

How to register: http://www.websense.com/content/SupportWebinars.aspx

Page 42

Customer Training Options

To find Websense classes offered by Authorized Training Partners in your area, visit: http://www.websense.com/findaclass

Websense Training Partners also offer classes online and onsite at your location.

For more information, please send email to: [email protected]

Page 43

Questions?