DC Agent and Transparent ID


Top 500 Contributor
8 Posts
swissalps posted on 24 Feb 2012 5:12 AM

We are running Websense Express. The goal is to make sure all users are logged to the domain prior to accessing the Internet. After enabling "Prompt user for directory authentication" (Server/Settings/User Identification), domain users can be asked to relog to the domain in less than 15 minutes. Not good! I did some troubleshooting using the ConsoleClient tool (consoleclient localhost 30601). The user map dump shows in all cases the Agent type as "WKSPOLLING". I expected to see the Agent type as "DC" in all cases, thus enabling transparent user identification. Can someone guide me in determining why I am NOT seeing this? I suspect the problem relates to permissions for the account used for the DC Agent service. Please note that it will NOT be possible to give this account Domain Admin rights. Lastly, I suspect that the Agent type "WKSPOLLING" seen in the user map dump file can result in frequent domain login requests by Websense due to the short timeout associated with each user account (typically less than one hour as per the user map dump file).

|

All Replies

Top 10 Contributor
986 Posts
Trusted Users (MVP)

Look at your User Identification settings in Triton... WKSPOLLING is the Logon Agent which is actually using the domain service account you gave it to log into workstations and determine the logged in user. It's there you can also change that 15 minute timeout, but really you should be relying on DC Agent primarily and Logon Agent as a backup.

From there you may also find either you have DC Agent turned off or not set correctly.

|
Top 500 Contributor
8 Posts

As indicated in the initial post, we are using Websense Express, not Triton. And, as far as I've been able to determine, Websense Express does not (obviously) support the Logon Agent, i.e. no LogonApp.exe in the Websense\Bin folder. Concerning the DC Agent itself, I have double- and triple-checked the settings in Websense Manager, i.e. "Enable domain polling" and "Enable computer polling", and both are checked. There's not much else to configure after taking the defaults for the TCP Port and Diagnostic Port.

As you've indicated, I would really like to rely on the DC Agent as the primary agent, but so far how to do so in our environment escapes me!

|
Top 10 Contributor
986 Posts
Trusted Users (MVP)

My mistake, when I said Logon Agent I was thinking of Workstation Polling.

Maybe it's coming up as Workstation Polling only because you're forcing everyone to do manual authentication and transparent is failing. Make sure DC Agent is running with a domain admin account.

|
Top 10 Contributor
2,443 Posts
Editor
Moderator

Workstation Polling is *part* of DC Agent. 

JACOB SLOAN, CCNA, WCSE

 

|
Top 500 Contributor
8 Posts

I have since "turned off" forcing everyone to log to the domain and the WKSPOLLING is still coming up. I think the problem may be that the domain account that I'm using for the DC Agent does NOT have domain admin rights as you've said it should. And, it's highly unlikely that I'll be able to get such an account. Is it possible to use a less privileged account? If yes, can you tell me what AD rights this account should have?

|
Top 10 Contributor
986 Posts
Trusted Users (MVP)

Others have tried and failed, unfortunately, Websense will only say that it requires domain admin rights.  You should be able to get a service account created, just for DC Agent, to do this.  Your AD admin can even lock it down so it can't be misused for interactive logons (RDP, console).

DC Agent uses that same service account to do the WKSPOLLING... normally it needs admin rights for that too (because otherwise it won't be able to log onto the desktop).  I'd also check for dc_config.txt and make sure that's configured to point to your correct Domain Controllers

|
Top 500 Contributor
8 Posts

OK. Thanks for the clarification on the DC Agent service account permissions. And, wish me luck in getting the domain service account created! 

|
Top 10 Contributor
446 Posts
Trusted Users (MVP)

As JSloan pointed out WKSPOLLING is part of DCAgent. If you have entries in your dcagent user dump that show a blank username for WKSPOLLING you should disable computer polling in the DCAgent config. Domain admin rights are primarily required for computer polling so if you have that disabled you are more likely to get the dcagent to work without domain admin rights.

|
Top 500 Contributor
8 Posts

I am now using my domain delegate account that has some elevated privileges as the logon account for the User Service and DC Agent services. This account also has workstation admin rights and can list domain users when using the net user /domain command. But, the ConsoleClient tool still does not list the Agent Type as "DC" but only "WKSPOLLING" (which also displays associated domain user names!). It seems that to get the "DC" agent type "active" it still requires a more privileged domain user account for the DC Agent service than my delegate account. Comments anyone?

|
Top 10 Contributor
446 Posts
Trusted Users (MVP)

If you don't want to see WKSPOLLING in your console client, switch off computer polling.

|
Top 500 Contributor
8 Posts

Switched off Computer Polling. Still seeing "WKSPOLLING" as Agent type:

========================================
XID User Map PrintSelf
Snapshot time: 02-26-2012 11:49:19.676985
Number of entries in map is : 19
IP : 10.33.57.33 User:  Timeout: 02-26-2012 12:20:13.0 Timestamp: 02-26-2012 11:13:52.0 Agent type: WKSPOLLING
IP : 10.209.73.22 User: EMEA\userfirstname.lastname Timeout: 02-26-2012 12:40:58.0 Timestamp: 02-26-2012 11:33:02.0 Agent type: WKSPOLLING
IP : 10.209.73.24 User: EMEA\checu.azqcx Timeout: 02-26-2012 12:25:00.0 Timestamp: 02-26-2012 11:16:32.0 Agent type: WKSPOLLING
IP : 10.209.73.49 User: EMEA\userfirstname.lastname Timeout: 02-26-2012 12:45:19.0 Timestamp: 02-26-2012 11:44:57.0 Agent type: WKSPOLLING
IP : 10.209.73.74 User: {local}CHECU-MKT-CSH\arlservice Timeout: 02-26-2012 12:47:24.0 Timestamp: 02-26-2012 11:44:07.0 Agent type: WKSPOLLING
IP : 10.209.73.103 User: EMEA\SMS1000 Timeout: 02-26-2012 12:26:07.0 Timestamp: 02-26-2012 11:25:06.0 Agent type: WKSPOLLING
IP : 10.209.74.96 User:  Timeout: 02-26-2012 12:11:22.0 Timestamp: 02-26-2012 11:02:03.0 Agent type: WKSPOLLING
IP : 10.209.74.126 User: {local}CHECU-N60BETA1B\qaarl Timeout: 02-26-2012 12:06:54.0 Timestamp: 02-26-2012 11:05:55.0 Agent type: WKSPOLLING
IP : 10.209.74.214 User: EMEA\SMS1000 Timeout: 02-26-2012 12:00:46.0 Timestamp: 02-26-2012 10:56:11.0 Agent type: WKSPOLLING
IP : 10.209.74.220 User:  Timeout: 02-26-2012 12:05:47.0 Timestamp: 02-26-2012 10:57:03.0 Agent type: WKSPOLLING
IP : 10.209.75.1 User: EMEA\userfirstname.lastname Timeout: 02-26-2012 12:40:27.0 Timestamp: 02-26-2012 11:39:45.0 Agent type: WKSPOLLING
IP : 10.209.75.15 User: EMEA\userfirstname.lastname Timeout: 02-26-2012 12:45:11.0 Timestamp: 02-26-2012 11:36:54.0 Agent type: WKSPOLLING
IP : 10.209.75.41 User: EMEA\checu.azqcx Timeout: 02-26-2012 11:49:43.0 Timestamp: 02-26-2012 10:47:03.0 Agent type: WKSPOLLING
IP : 10.209.75.49 User:  Timeout: 02-26-2012 12:45:01.0 Timestamp: 02-26-2012 11:33:39.0 Agent type: WKSPOLLING
IP : 10.209.75.92 User: EMEA\userfirstname.lastname Timeout: 02-26-2012 12:26:16.0 Timestamp: 02-26-2012 11:18:03.0 Agent type: WKSPOLLING
IP : 10.209.75.104 User: AUTORITE NT\service local Timeout: 02-26-2012 12:53:30.0 Timestamp: 02-26-2012 11:43:53.0 Agent type: WKSPOLLING
IP : 10.209.75.117 User: AUTORITE NT\service local Timeout: 02-26-2012 12:52:02.0 Timestamp: 02-26-2012 11:42:43.0 Agent type: WKSPOLLING
IP : 10.209.75.126 User:  Timeout: 02-26-2012 12:08:52.0 Timestamp: 02-26-2012 11:03:52.0 Agent type: WKSPOLLING
IP : 10.209.75.191 User: AUTORITE NT\service local Timeout: 02-26-2012 12:44:33.0 Timestamp: 02-26-2012 11:35:49.0 Agent type: WKSPOLLING
========================================
Please note that after disabling Computer Polling in the DC Agent configuration setup I stopped and restarted all Websense services.  Still no DC Agent type!!

|
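An added example, not part of the thread or of Websense's tooling: a small Python parser for the ConsoleClient user map dump format posted above. It tallies entries by agent type and lists the IPs whose mapping does not name a domain user (blank, `{local}` or built-in service identities); the sample lines, the classification buckets and the function names are constructed for illustration.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample in the dump format posted in the thread (not real data).
SAMPLE = r"""
XID User Map PrintSelf
Number of entries in map is : 5
IP : 192.0.2.10 User:  Timeout: 02-26-2012 12:20:13.0 Timestamp: 02-26-2012 11:13:52.0 Agent type: WKSPOLLING
IP : 192.0.2.11 User: EMEA\jane.doe Timeout: 02-26-2012 12:40:58.0 Timestamp: 02-26-2012 11:33:02.0 Agent type: WKSPOLLING
IP : 192.0.2.12 User: {local}HOST-01\svcacct Timeout: 02-26-2012 12:47:24.0 Timestamp: 02-26-2012 11:44:07.0 Agent type: WKSPOLLING
IP : 192.0.2.13 User: AUTORITE NT\service local Timeout: 02-26-2012 12:53:30.0 Timestamp: 02-26-2012 11:43:53.0 Agent type: WKSPOLLING
IP : 192.0.2.14 User: EMEA\john.roe Timeout: 02-26-2012 12:00:00.0 Timestamp: 02-26-2012 11:00:00.0 Agent type: DC
"""

ENTRY = re.compile(
    r"^IP : (?P<ip>\S+) User: (?P<user>.*?) Timeout: (?P<timeout>\S+ \S+) "
    r"Timestamp: (?P<stamp>\S+ \S+) Agent type: (?P<agent>\S+)$")
STAMP_FMT = "%m-%d-%Y %H:%M:%S.%f"
# Built-in authorities, including the French-localized name seen in the dump.
BUILTIN = {"NT AUTHORITY", "AUTORITE NT"}

def classify(user):
    """Bucket the mapped identity: blank, local, builtin or domain."""
    if not user.strip():
        return "blank"
    if user.startswith("{local}"):
        return "local"
    if user.split("\\")[0].upper() in BUILTIN:
        return "builtin"
    return "domain"

def parse_user_map(dump):
    """Return one dict per 'IP : ...' line; headers and separators are skipped."""
    entries = []
    for line in dump.splitlines():
        m = ENTRY.match(line.strip())
        if not m:
            continue
        life = (datetime.strptime(m["timeout"], STAMP_FMT)
                - datetime.strptime(m["stamp"], STAMP_FMT))
        entries.append({"ip": m["ip"], "user": m["user"], "agent": m["agent"],
                        "kind": classify(m["user"]),
                        "life_s": int(life.total_seconds())})
    return entries

def summarize(entries):
    """Counts per agent type and identity kind, plus IPs with no domain user."""
    return {"agents": dict(Counter(e["agent"] for e in entries)),
            "kinds": dict(Counter(e["kind"] for e in entries)),
            "no_domain_user": [e["ip"] for e in entries if e["kind"] != "domain"]}

if __name__ == "__main__":
    print(summarize(parse_user_map(SAMPLE)))
```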
Top 10 Contributor
446 Posts
Trusted Users (MVP)

I believe the usermap is maintained over DCAgent restarts, hence there are still old WKSPOLLING entries in your usermap.

Anyway your root problem as described in your first post is that users are not getting identified transparently. The WKSPOLLING in your consoleclient output would not cause this. You seem to have some other DC config misconfiguration.

You should read this

http://www.websense.com/support/article/t-kbarticle/v7-DC-Agent-does-not-see-some-or-all-users

and if your problem is still not resolved, phone your Websense partner for support, and if they can't help, raise a case with Websense technical support.

|
Top 500 Contributor
8 Posts

Evidently, this tech article has either been renamed or moved. When I click on the link I get the following:

File Not Found

We Are Unable to Locate the Page You Requested.
Do you have any updated information concerning this document?
Thanks in advance!
|
Top 10 Contributor
446 Posts
Trusted Users (MVP)

A quick Google search revealed the following link:

http://www.websense.com/support/article/t-kbarticle/v7-DC-Agent-does-not-see-some-or-all-users-1258048446442

|