Not meaning to imply anything bad about older versions of WebSense. The catch is that anything older than v7 is fundamentally different than their new products because that is when they incorporated the abilities of SurfControl after that acquisition. The change from v6.x to v7.x was fairly substantial. TVK
-----Original Message----- From: Free, Bob [mailto:r...@pge.com] Sent: Thursday, July 16, 2009 2:06 PM To: NT System Admin Issues Subject: RE: Any WebSense Gurus? Yikes, I will go back to my pile of fossils ;-) -----Original Message----- From: Tim Vander Kooi [mailto:tvanderk...@expl.com] Sent: Thursday, July 16, 2009 11:39 AM To: NT System Admin Issues Subject: RE: Any WebSense Gurus? Those are some REALLY old versions being referenced in that manual Bob. We're running v7.1 now and while the DC Agent still exists, all that is required for it to work is a "service" account used by the agent on the WebSense server with read permissions to AD. TVK -----Original Message----- From: Free, Bob [mailto:r...@pge.com] Sent: Thursday, July 16, 2009 1:26 PM To: NT System Admin Issues Subject: RE: Any WebSense Gurus? As I recall at the time it was set up several years ago, there were different configurations, we (the AD team) refused the one that required an agent on each DC running with high level privileges so it was setup with the DC Agent service running on the WebSense side. The agent needed to query each DC for session state to generate the username/IP mapping for its own internal db it uses for what they call "Transparent Identification". If it couldn't obtain that information, you were popped for your credentials. So it needs a list of DCs in the domain for this session information. There is a service to get that information from the directory. I believe there are a number of different configurations for this product depending on its role and from glancing at a manual, the Transparent mode is an option. >From a WebSense manual: WebSense DC Agent queries each domain controller for user logon sessions every 10 seconds by default, obtaining the user name and workstation name for each logon session. For each logon session identified, DC Agent performs DNS lookup to resolve the workstation name to an IP address, and records the resulting user name/IP address pair. In Websense v4.4, DC Agent (Domain Controller Agent) was the backbone of transparent user identification. In Websense Enterprise v5.x, DC Agent still plays the central role, but also works together with User Service to provide user logon information to the Websense servers. The DC Agent program is installed on a Windows NT 4 or 2000/2003 Server machine, and runs as a Windows service. DC Agent can be installed on one machine, and can "discover" domains outside of its own domain. Multiple DC Agents can also be used; this may benefit larger networks. For details, see Deployment of DC Agent and Related Components on page 17. DC Agent identifies available domains and domain controllers in the network, and then monitors the domain controllers and associated client machines (workstations) for user logon sessions. Filtering Service uses the information provided by DC Agent to apply Internet filtering policies to users logged on to the network. NetBIOS and Domain Discovery In order for automatic domain detection to occur, NetBIOS must be enabled on firewalls or routers connecting virtually or physically separate subnets or domains. In particular, TCP port 139 (used by NetBIOS) must be enabled. If NetBIOS is not enabled between domains and/or subnets, then Filtering Service and DC Agent cannot communicate with those domains or subnets by default. This can occasionally be true even if those domains or subnets are trusted by the domain where Filtering Service resides. If NetBIOS port 139 is not enabled, you may want to deploy additional DC Agents in virtually or physically remote domains. There is an option to disable NetBIOS usage, if you do not want to enable port 139. See the UseNetBIOS description under Initialization Parameters on page 85 for details. A program called XidDcAgent.exe is installed by default on the DC Agent machine, to the directory \Websense\bin\. This program runs as a Windows service, and initiates the processes that enable DC Agent to identify domains and monitor logon sessions. DC Agent stores domain information to the hard disk of the server where it is installed, in a file called dc_config.txt. New domain information is recorded to dc_config.txt upon startup, and every 24 hours thereafter by default. All that's configurable so he could have just been mad at me for the 24 hr period after I promoted the new DC or whatever interval he had configured for DC discovery (this was the first additional DC in that domain in many years) It also was the 1st x64 DC in a very busy site on, comparatively, pretty high end HW so it grabbed much of the authentication traffic for that site. Potentially thousands of folks could have been getting popped for creds that 1st day and it would have been escalated to him, perhaps that's all it was. -----Original Message----- From: Christopher Bodnar [mailto:christopher_bod...@glic.com] Sent: Thursday, July 16, 2009 9:02 AM To: NT System Admin Issues Subject: RE: Any WebSense Gurus? Agreed with the others. You should not have to specify a DC in the config. Specifying the domain, it should be able to find a DC. Just a thought is the DC that is working a GC? Are the other ones on the list not GCs? Chris Bodnar, MCSE Sr. Systems Engineer Distributed Systems Service Delivery - Intel Services Guardian Life Insurance Company of America Email: christopher_bod...@glic.com Phone: 610-807-6459 Fax: 610-807-6003 -----Original Message----- From: tvanderk...@expl.com [mailto:tvanderk...@expl.com] Sent: Thursday, July 16, 2009 11:40 AM To: NT System Admin Issues Subject: RE: Any WebSense Gurus? I was going to say that we use WebSense here and I have never had to do anything other than give it the name of our domain. I have never given it a name or IP address of any DC. I did have to go in with one of their support person's help and add a number of service accounts to a list of names to not record. Other than that it just works. TVK -----Original Message----- From: John Hornbuckle [mailto:john.hornbuc...@taylor.k12.fl.us] Sent: Thursday, July 16, 2009 6:59 AM To: NT System Admin Issues Subject: RE: Any WebSense Gurus? The funny thing is, according to the WebSense docs you shouldn't have to point the agent to your DCs; it's supposed to automatically find them all. And I'm not sure exactly how DC Agent contacts the DCs. I read something in the documentation about TCP port 139. Would you be willing to put me in touch with your WebSense guy so I could pick his brain? -----Original Message----- From: Free, Bob [mailto:r...@pge.com] Sent: Wednesday, July 15, 2009 8:27 PM To: NT System Admin Issues Subject: RE: Any WebSense Gurus? We have the DC Agent setup and it needs to be able to contact each DC to determine logon status of the users. I believe it's in how you configure the agent, our setup requires that a user be authenticated within x period of time to be authorized to get through. Don't know what x is as I'm the AD guy not the websense guy...I do know he wasn't too happy when I added a new DC and neglected (well, actually, forgot) to tell him so he could update his websense config. -----Original Message----- From: Klint Price [mailto:kpr...@arizonaitpro.com] Sent: Wednesday, July 15, 2009 2:05 PM To: NT System Admin Issues Subject: RE: Any WebSense Gurus? Do you have users on multiple domains? In my websense, for 500 users, I have them going through a single DC. Klint -----Original Message----- From: John Hornbuckle [mailto:john.hornbuc...@taylor.k12.fl.us] Sent: Wednesday, July 15, 2009 12:49 PM To: NT System Admin Issues Subject: OT: Any WebSense Gurus? We had a vendor come in and install WebSense on a server for us. However, the vendor is stumped by a problem and I figured I'd see if any of the pros here had a solution. I'm brand new to WebSense myself, so I can't help much. The vendor has been working with WebSense tech support, but apparently they're stumped, too. The issue seems to be that the DC Agent utility isn't correctly getting users' usernames. Not 100% of the time, though--just most of the time. As best I can tell, the utility isn't correctly polling all of the DCs in the network. Here's some sample output from the TestLogServer utility: ===== time=Wed Jul 15 15:43:53 2009 version=3 server=10.0.0.1 source=150.176.37.70 dest=66.165.70.6 protocol= "http" url= "http://www.woot.com/salerss.aspx" port= "80" category= 17 (SHOPPING) disposition= 1026 (Category Not Blocked) app type= "" keyword= "" user= "" bytes sent=0 bytes received=0 duration=0 time=Wed Jul 15 15:43:53 2009 version=3 server=10.0.0.1 source=10.11.7.106 dest=150.176.95.205 protocol= "https" url= "https://150.176.95.205/" port= "443" category= 97 (EDUCATIONAL INSTITUTIONS) disposition= 1026 (Category Not Blocked) app type= "" keyword= "" user= "LDAP://10.11.1.2 OU=Users,OU=PPS,DC=taylor,DC=k12,DC=fl,DC=us/George Clayton" bytes sent=0 bytes received=0 duration=0 ===== Notice that in the first entry, there's no username. There is in the second entry, though. The common thread is that every time a user is correctly identified, it's from the same DC: 10.11.1.2. So it appears that DC Agent is correctly polling that DC, but none of my others. All of them are listed in the dc_config.txt file, though. Any ideas what might be keeping it from talking to the other DCs? John Hornbuckle MIS Department Taylor County School District 318 North Clark Street Perry, FL 32347 www.taylor.k12.fl.us NOTICE: Florida has a broad public records law. Most written communications to or from this entity are public records that will be disclosed to the public and the media upon request. E-mail communications may be subject to public disclosure. ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~ ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~ ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~ NOTICE: Florida has a broad public records law. Most written communications to or from this entity are public records that will be disclosed to the public and the media upon request. E-mail communications may be subject to public disclosure. ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~ ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~ ----------------------------------------- This message, and any attachments to it, may contain information that is privileged, confidential, and exempt from disclosure under applicable law. If the reader of this message is not the intended recipient, you are notified that any use, dissemination, distribution, copying, or communication of this message is strictly prohibited. If you have received this message in error, please notify the sender immediately by return e-mail and delete the message and any attachments. Thank you. ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~ ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~ ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~ ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~ ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~