User Service and Directory Agent: Configuration Best Practices and Troubleshooting



Similar documents
User and Group-Based Reporting in TRITON - Web Security: Best Practices and Troubleshooting

Websense Support Webinar: Questions and Answers

Filtering remote users with Websense remote filtering software v7.6

Delegated Administration Quick Start

Log Server Error Reference for Web Protection Solutions

Transparent Identification of Users

Installing and Configuring Websense Content Gateway

Web Security Log Server Error Reference

DC Agent Troubleshooting

Websense Web Security Gateway: What to do when a Web site does not load as expected

How To Upgrade A Websense Log Server On A Windows 7.6 On A Powerbook (Windows) On A Thumbdrive Or Ipad (Windows 7.5) On An Ubuntu (Windows 8) Or Windows

Upgrading to Websense Web Security v7.6

TRITON - Web Security Help

Webinar Information. Title: Websense Remote Filtering Audio information: Dial-in numbers:

Using RADIUS Agent for Transparent User Identification

V Series Rapid Deployment Version 7.5

Using Integrated Windows Authentication with Websense Content Gateway, v7.6

Installing Version 7.6 The Latest Tips

Upgrading User-ID. Tech Note PAN-OS , Palo Alto Networks, Inc.

v7.8.1 Release Notes for Websense Web Security

Migrating your custom settings to version 7.6

Using Logon Agent for Transparent User Identification

Remote Filtering Software

Using LDAP Authentication in a PowerCenter Domain

Upgrading Websense Web Security Software

Integrated Cisco Products

TRITON - Web Security Help

Security Provider Integration LDAP Server

Configuring User Identification via Active Directory

TRITON Unified Security Center Help

Integrating LANGuardian with Active Directory

Introducing ZENworks 11 SP4. Experience Added Value and Improved Capabilities. Article. Article Reprint. Endpoint Management

Using DC Agent for Transparent User Identification

Backup and Restore FAQ

Configuration Information

WebSpy Vantage Ultimate 2.2 Web Module Administrators Guide

Integrated Citrix Servers

Remote Filtering Software

PineApp Surf-SeCure Quick

Installation Guide. Websense TRITON Enterprise. v7.8.x

How To Configure A Bomgar.Com To Authenticate To A Rdius Server For Multi Factor Authentication

Migrating MSDE to Microsoft SQL 2008 R2 Express

Installation Guide. Novell Storage Manager for Active Directory. Novell Storage Manager for Active Directory Installation Guide

HP Device Manager 4.7

Only LDAP-synchronized users can access SAML SSO-enabled web applications. Local end users and applications users cannot access them.

OnCommand Performance Manager 1.1

Deployment Guide. Websense Web Security Solutions. v7.5

Introducing ZENworks 11 SP4

Click Studios. Passwordstate. Installation Instructions

Installation Guide. Websense TRITON APX. v8.1.x

Controlling Risk, Conserving Bandwidth, and Monitoring Productivity with Websense Web Security and Websense Content Gateway

Using LDAP for User Authentication

qliqdirect Active Directory Guide

RSA Authentication Manager 7.1 Microsoft Active Directory Integration Guide

Field Description Example. IP address of your DNS server. It is used to resolve fully qualified domain names

Dell SupportAssist Version 2.0 for Dell OpenManage Essentials Quick Start Guide

Security Provider Integration RADIUS Server

Quick Start 5: Introducing and configuring Websense Cloud Web Security solution

JAMF Software Server Installation Guide for Linux. Version 8.6

Synchronization Agent Configuration Guide

LDAP and Active Directory Guide

Installation Guide Supplement

EXPLORER AND REAL-TIME ANALYZER USER GUIDE

Configuration Guide. Websense Web Security Solutions Version 7.8.1

Websense Certified Engineer Web Security Professional Examination Specification

v Installation Guide for Websense Enterprise v Embedded on Cisco Content Engine with ACNS v.5.4

Remote Filtering. Websense Web Security Websense Web Filter. v7.1

NSi Mobile Installation Guide. Version 6.2

Clientless SSL VPN Users

IIS SECURE ACCESS FILTER 1.3

Is my site ready for upgrade to v7.6?

How To Manage Storage With Novell Storage Manager 3.X For Active Directory

Configuring MailArchiva with Insight Server

v6.1 Websense Enterprise Reporting Administrator s Guide

Using TestLogServer for Web Security Troubleshooting

Installation and Configuration Guide

Installing Management Applications on VNX for File

PATROL Console Server and RTserver Getting Started

VMware Identity Manager Administration

BlackBerry Enterprise Service 10. Version: Configuration Guide

Virtual Web Appliance Setup Guide

Configuration Information

Installation Guide. Websense Web Security Websense Web Filter. v7.5

Veritas Cluster Server

Contents. Platform Compatibility. Directory Connector SonicWALL Directory Services Connector 3.1.7

Installation Guide. Websense Web Security Websense Web Filter. v7.1

F-Secure Messaging Security Gateway. Deployment Guide

Configuration Guide. BES12 Cloud

Changing the C Interface IP Address: step-by-step

Getting Started Guide

CommandCenter Secure Gateway

Administering Cisco ISE

The SSL device also supports the 64-bit Internet Explorer with new ActiveX loaders for Assessment, Abolishment, and the Access Client.

Citrix EdgeSight Administrator s Guide. Citrix EdgeSight for Endpoints 5.3 Citrix EdgeSight for XenApp 5.3

Table of Contents WELCOME TO ADAUDIT PLUS Release Notes... 4 Contact ZOHO Corp... 5 ADAUDIT PLUS TERMINOLOGIES... 7 GETTING STARTED...

DNS: How it works. DNS: How it works (more or less ) DNS: How it Works. Technical Seminars Spring Paul Semple psemple@rm.

DameWare Server. Administrator Guide

Apache Server Implementation Guide

ZyWALL OTP Co works with Active Directory Not Only Enhances Password Security but Also Simplifies Account Management

Disaster Recovery. Websense Web Security Web Security Gateway. v7.6

Transcription:

User Service and Directory Agent: Configuration Best Practices and Troubleshooting Websense Support Webinar March 2011 web security data security email security Support Webinars 2009 Websense, Inc. All rights reserved.

Goals and Objectives Introduction to User Service and Directory Agent User Service configuration best practices Directory Agent deployment best practices Directory Agent configuration best practices Troubleshooting User Service issues Troubleshooting Directory Agent issues 2

Websense User Service Communicates with a supported LDAP- or WINS-based directory service Passes information from the directory service to Policy Server and Filtering Service for applying policies to users, groups, and organizational units (OUs). Allows directory users to be assigned as delegated administrators. Only one User Service per Policy Server Use the Directory Services and Logon Directory pages in TRITON - Web Security to configure User Service settings. Duplicate user names are not supported for LDAP-based directories. Ensure that the same user does not appear in multiple domains. 3

Directory Agent Directory Agent collects user and group information from an LDAP based directory service (Windows Active Directory or Novell edirectory) Windows NT or Sun Java System Directory not supported Sends directory data to the Sync Service in LDIF format Policy Server must be installed before installing Directory Agent User Service must be configured to communicate with the directory before configuring Directory Agent 4

Directory Agent Directory Agent configuration file is das.ini and is located in the Websense bin directory This file is used to configure additional parameters for Directory Agent Communicates to the Sync Service via port 55832 Sync Service sends user and group information to the hybrid service, compresses large LDIFs before sending them 5

User Service Configuration Best Practice Only one User Service per Policy Server The Settings > Directory Services page Configure settings for Windows NT Directory / Active Directory (mixed mode), Active Directory (native mode), Sun Java System Directory, or Novell edirectory. Only one type of directory service can be selected per Policy Server. Select the appropriate directory service from the list. Windows NT Directory/Active Directory (Mixed Mode) If this option is selected, no further configuration is necessary. Make sure that User Service runs with a service account that has enough rights to access the directory. You will need to configure additional settings if User Service resides on a Linux machine. Universal groups do not work with this option. 6

User Service Configuration Best Practice Windows Active Directory (Native Mode) In order for User Service to contact AD, you must provide information about the global catalog servers in your network. The best practice for this setting is to use the DNS domain name instead of the IP address Provides failover and can use DNS round robin functionality if configured on DNS server in case one domain controller fails to respond 7

User Service Configuration Best Practice Windows Active Directory (Native Mode) (continued) When using the full distinguished name option, ensure that the LDAP path for the user is correctly entered. Use the following command-line query on the domain controller to find the full LDAP path: dsquery user name UserName For example, to find the full LDAP path for user Administrator: dsquery user name Administrator This returns a result similar to the following: CN=Administrator,CN=Users,DC=testlab,DC=com 8

User Service Configuration Best Practice Identifying Nested Groups User Service does not recursively search for nested groups Users must be direct members of the group with Universal Scope to which a group-based filtering policy has to be applied Please refer to the following KB article for more information http://www.websense.com/support/article/kbarticle/active- Directory-group-based-policies-with-multiple-domains-and-ornested-groups Add the following entry to the [DirectoryService] section of the websense.ini file to ensure that User Service filters users added to updated nested groups: [DirectoryService] SearchADNestedGroups=True Restart Filtering Service and User service after making the change. 9

User Service Configuration Best Practice Novell edirectory and Sun Java System Directory Enter the IP address of the directory server machine. Enter Port used for directory communication (by default, 389). If your directory requires administrator privileges for readonly access, enter the Administrator distinguished name and Password. Optionally, enter the Root context to use when searching for user information. For example, o=domain.com. 10

Directory Agent Deployment Supported Operating Systems Windows Server 2008 SP2 Windows Server 2003 R2 SP2 Windows Server 2003 SP2 Red Hat Enterprise Linux 5,update 3 Red Hat Enterprise Linux 4, update 7 In most cases, you need only one instance of Directory Agent in the entire deployment. It is possible to install multiple instances of Directory Agent, but not recommended. 11

Directory Agent Deployment Policy Server must be installed before installing Directory Agent. If you have a V-Series appliance, Directory Agent is already installed on the appliance. Do not install it on a separate machine. Sync Service must be installed to send data collected by the Directory Agent to the hybrid service. Communicates with Sync Service on port 55832 12

Directory Agent Configuration Directory Agent configuration is done in TRITON - Web Security Navigate to the Settings > Hybrid Configuration > Shared User Data page User Service must be configured before configuring Directory Agent Select a global catalog server configured on the Directory Services page to configure Directory Agent communication with that server 13

Directory Agent Configuration Specify a root context to use when collecting user/group information Context should include only hybrid filtering users To increase Directory Agent speed and efficiency, narrow the context. Select the appropriate level to indicate whether search is performed just one level below the context or all levels. Use search filters to remove duplicate or unwanted mail entries while searching. 14

Directory Agent Configuration Use the Test Connection button to verify that Directory Agent can communicate with Sync Service. Schedule how often collected data is sent to the hybrid service on the Settings > Hybrid Configuration > Scheduling page. 15

Directory Service Configuration Additional configuration of Directory Agent can be done using the das.ini file. To change the path where Directory Agent stores LDIF files, use: DiffDir=./diffs/ To set the number of times Directory Agent retries after a failed attempt to connect to the directory service: DirServiceRetryCount=5 16

Troubleshooting User Service Unable to add clients in TRITON - Web Security: Verify your Directory Service settings. If you are using Active Directory (native mode), make sure that you can telnet to the global catalog server on the port specified. Ensure that the account details specified in the directory service settings are correct Use an LDAP browser such as Softerra to replicate settings and check whether you can connect with that browser. Use Wireshark to packet capture the communication 17

Troubleshooting User Service User or group-based filtering is not working: 1. Stop all Websense services 2. Navigate to the Websense bin directory and open the websense.ini file in a text editor. 3. Add the following lines: [DirectoryService] GroupLog=true BindLog=true CacheLog=true 4. Start the Websense services. A dstrace.txt file is created in the bin directory. Send this file to Technical Support for further investigation. 18

Troubleshooting Directory Agent Sync Service not receiving user/group information Ensure User Service is correctly configured and that Directory Agent is able to communicate with the global catalog to retrieve user/group information. Verify that the Directory Agent can communicate with Sync Service via the Test Connection button. If no connection can be made, verify the IP address or hostname of the Sync Service machine and ensure that Sync Service is running. Also check the firewall to ensure communication is allowed. Run the Sync Service viewer to see if it is receiving LDIFs from Directory Agent. 19

Troubleshooting Directory Agent Directory Agent debugging information can be generated using the diagnostic.cfg file located in the Websense bin directory: 1. Open the diagnostics.cfg file. 2. Look for the section: #log4j.threshold=off log4j.threshold=error #log4j.threshold=all 3. Change this to: #log4j.threshold=off #log4j.threshold=error log4j.threshold=all 4. Add the following line into the file: log4j.logger.das=all, GUI, CONSOLE, FILE 5. Save and close the file, then stop and start the Directory Agent service. 20

Troubleshooting Directory Agent When Directory Agent diagnostics are enabled, a detailed log file called WebsenseDAService.log is created in the Websense bin directory. After generating the necessary troubleshooting information, make sure to disable debugging in the diagnostic.cfg file, then restart Directory Agent. 21

Support Online Resources Knowledge Base Search or browse the knowledge base for documentation, downloads, top knowledge base articles, and solutions specific to your product. Support Forums Share questions, offer solutions and suggestions with experienced Websense Customers regarding product Best Practices, Deployment, Installation, Configuration, and other product topics. Tech Alerts Subscribe to receive product specific alerts that automatically notify you anytime Websense issues new releases, critical hot-fixes, or other technical information. ask.websense.com Create and manage support service requests using our online portal.

Webinar Announcement Title: Upgrading to Websense Web Security v7.6 Webinar Update Date: April 13, 2011 Time: 8:30 AM Pacific Time How to register: http://www.websense.com/content/supportwebin ars.aspx

Customer Training Options To find Websense classes offered by Authorized Training Partners in your area, visit: http://www.websense.com/findaclass Websense Training Partners also offer classes online and onsite at your location For more information, please send email to: readiness@websense.com

Questions? 25

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information