NetSpective Logon Agent Guide for NetAuditor

The NetSpective Logon Agent
The NetSpective Logon Agent is a simple application that runs on client machines on your
network to inform NetSpective (and/or NetAuditor) which network user owns which IP
addresses. It normally does not need to be installed on Windows clients because it can be
launched as part of a domain logon script. However, the Mac version requires you to install it on
each client machine.
The Logon Agent supports various command-line arguments to allow it to run in different modes
of operation. For example, you can configure it to run in persistent mode (where it stays running
to report when a client’s IP address changes) or to shut down immediately after reporting the IP
addresses assigned to the current login (only reliable if your users log out each day and then log
in the next morning). You can configure it to create a system tray icon (for positive feedback
when it’s running) or to stay hidden. You can also enable/disable logging for trouble-shooting
purposes.
Before you get started, you must gather a list of IP addresses of all NetSpective and/or
NetAuditor machines you want the Logon Agents to communicate with. Next, you need to find
and open LogonAgent.zip (or LogonAgent.dmg for Mac OS X). If you’re using NetSpective, you
can find it on the Utilities page in its administrative interface. If you’re using NetAuditor, you can
find it in “<NetAuditor install folder>\Support”.
Note: NetSpective appliances are always listening for Logon Agent messages, but NetAuditor
must be configured to listen for them. If you plan to have Logon Agent communicate with
NetAuditor, you must create and enable a “Logon Agent” collection method on your NetAuditor
server before you start.
Logon Agent for Windows
Before you attempt to configure the Logon Agent to be launched automatically for all domain
users, we recommend that you test it manually on a client machine to get comfortable with it
and make sure everything works as expected. On Windows you start with LogonAgent.zip,
which contains two files:
• wflogon.exe – The logon agent executable
• wfcall.bat – An example logon script you may use as a base-line to help you get started with creating your own logon script.
Usage:
wflogon.exe [-v] [-p] [-s] [-dDOMAIN] [-uUSERNAME] IPADDRESS [IPADDRESS...]
wflogon.exe [-v] -q IPADDRESS [IPADDRESS...]
Options:
• -v The verbose option tells wflogon.exe to log additional information to the Windows Event Log while it is running.
• -p The persistent option tells wflogon.exe to remain running until logoff so it can detect and notify NetSpective/NetAuditor when local IP addresses change. If it’s not persistent, the Logon Agent can’t detect changes due to sleep, hibernate, or changing networks (e.g. switching between wi-fi and wired).
• -s The silent option is only used with the persistent option. It tells wflogon.exe not to create a Windows systray icon (so it stays hidden).
• -q The quit option tells NetSpective/NetAuditor to stop associating the current IP addresses with the current user. It should only be used from a logoff script, and only when the logon script does NOT use the persistent flag.
• -d The domain option is used to override the domain name. This option should not be used if wflogon.exe correctly detects the current domain name.
• -u The user name option is used to override the user name. This option should not be used if wflogon.exe correctly detects the current user name.
Note: The IP addresses must be specified at the end of the command-line (after any options).
Recommended Initial Test:
wflogon.exe -v -p <specify your own IP addresses here>
Verification in the Client
If you ran the recommended command above, you should have a blue NetSpective icon in your
system tray. When you let the mouse cursor hover over it, a tool tip will pop up to show the
domain name, user name, and all local IP addresses, like this:
If you ran it in silent mode, you should look for wflogon.exe in the Windows Task Manager. (It
will only be visible in the “Processes” tab.) You can also check the Windows Event Viewer for
messages logged by WFLogon:
Verification in NetSpective
To verify that NetSpective correctly received the Logon Agent messages generated by your test
run, log into its administrative web interface, select Users, and select the “[Current Logged On]”
group. It should list all user names it has recently received from any running Logon Agents.
Verification in NetAuditor
To verify that NetAuditor correctly received the Logon Agent messages generated by your test
run, you should open the NetAuditor administrative client and select the Logon Agent collection
method you configured. It should provide you with a list of logs collected by date, and that list
should include today’s date. If you click today’s date, it should open today’s log file in Wordpad.
You should be able to find your user name in today’s file:
Creating a Logon Script for Active Directory 2008
The easiest way to ensure that all of your Windows clients run the Logon Agent is to create an
Active Directory Group Policy Object to launch it from a logon script.
Note: Active Directory relies on the Domain Name Service (DNS) to provide Group Policy
access. This may require installing DNS on the domain controller and configuring the client
systems so that they use the controller as their DNS server. Consult the appropriate
documentation on Active Directory from Microsoft for more details.
Creating a Group Policy Object
1) Log into a domain controller (or another machine with access to the Group Policy
Management Tools) and select Start, Programs, Administration Tools, and then Group
Policy Management. Expand the forest and then the domain that contains the first set of
users you want to track.
2) Right click on the ‘Group Policy Objects’ (GPO) and select ‘New’
3) On the New GPO dialog enter a descriptive name like ‘NetSpective Logon Agent’. Leave
the ‘Source Starter GPO’ set to ‘(none)’.
4) Expand the Group Policy Objects entry in the tree, right-click the new GPO, and select
‘Edit’.
5) In the GPO Management Editor window that appears, expand ‘User Configuration’ and
‘Windows Settings’, and then select ‘Scripts (Logon/Logoff)’.
6) Right-click or double-click the Logon entry on the right to display the logon script
properties, and then select the Add button.
7) Select the ‘Browse’ button from the ‘Add a Script’ dialog. It should open the folder
created for this GPO on your domain’s NETLOGON share. To ensure that all of your
Windows clients can access the NetSpective Logon Agent files properly, we recommend
that you copy wflogon.exe to this folder. If you plan to use wfcall.bat, you should also
copy that file to this folder.
8) Select either wfcall.bat or wflogon.exe based on your requirements. If you select the exe,
you must specify its command-line parameters in the “Script Parameters” field for the
Logon Agent to function properly. If you select the bat, you must edit the batch file to
have it specify the appropriate command-line parameters for wflogon.exe. Read the
section below for a full explanation of the command-line parameters.
9) Once you have saved all settings and returned to the Group Policy Management
window, select the Detail tab and change the GPO status to ‘Enabled’.
Note: You may want to perform a limited test before enabling it for the entire domain. If
so, change the “Authenticated Users” group in the “Scope” tab to a specific test user or
group. When you have finished testing the GPO, change it back to include whatever
groups you feel need to run the Logon Agent.
10) Soon after it is enabled, the Logon Agent should be launched every time a user logs into
that domain. There are propagation delays between domain controllers as well as
between server and client.
Note: You can skip the delay on the client by running “gpupdate /force”, but that only
works if the GPO has already been propagated to the server it connects to.
Customizing a Logon Batch File
If you have an existing logon script that executes a batch file, you may also get that batch file to
launch the Logon Agent by adding a few lines to it. Please refer to the sample wfcall.bat
included in the LogonAgent.zip file. The important lines in it are here:
REM add a call to NetSpective logon agent, located in this share
REM use full UNC path
START \\PDC01\NETLOGON\wflogon.exe -p 10.0.30.1
Important: The START command is needed when using the persistent option to keep the
batch file from waiting for wflogon.exe to exit.
Note: You may use a different network share if you prefer, but it will be your responsibility to
ensure that your users have the necessary privileges to access it. Either way, we recommend
that you specify the full UNC path.
Creating a Logon Script for Novell
For Novell, the NetSpective Logon Agent executable should be placed in a specific shared
folder on the domain server or somewhere on the network. The application can then be called
from a logon script that can be set up on the Novell Server. The logon script must set the
environment variables WF_USERNAME and WF_USERDOMAIN then execute the logon agent
executable. Figure 8 contains a sample Novell logon script making the call to the Logon Agent.
There are multiple ways to set up logon scripts on a Novell Domain. The logon scripts can be
added per User, using a Profile or at the Organizational Unit (OU). For example, to set up a
logon script at the OU, open the Novell ConsoleOne application. Navigate the Novell directory
until you find the OU that the logon script will be added to. In order for the logon script to work it
must be added to the OU that contains the users that are to be affected. Once the OU has been
found, right click on the OU and select properties. From the properties window select the login
script tab and add the logon script. Figure 3 illustrates the basic steps in adding a logon script to
the Organizational Unit. Check your Novell documentation for more information on setting up
logon scripts.
Edit the Container
Add the Logon Script
Note: NetSpective does not support all of the characters that are usable in Novell usernames.
The characters <>;:" do not work in NetSpective.
Editing the Script
If all users share the same logon script (or a master script is available), edit the script so that it
contains the call to the Logon Agent as described in the previous sections. For multiple logon
scripts, edit all appropriate scripts. Refer to the following examples at the end of this document.
Novell Sample
Please refer to the following example of a short Novell logon script, which includes the setting of
the environment variables WF_USERNAME and WF_USERDOMAIN and the required call to
the NetSpective Logon Agent. Note that the path for the executable may vary between domains.
REM Sample Novell logon script
REM set environment variables
REM
DOS SET WF_USERNAME="%LOGIN_NAME.%LOGIN_CONTEXT"
REM Call netspective logon agent
REM
START @NOVELLSERVER/SYS:\PUBLIC\WFLOGON 192.168.10.227
Logon Agent for Mac OS X
The Logon Agent for Mac OS X must be installed on each client. To begin the install, mount and
open the LogonAgent.dmg disk image file. Inside that image is the install package
logonagent.mpkg. Select the logonagent.mpkg to start the installation process.
Note: The installation requires administrative credentials, and it will ask you to confirm the
install by entering your password.
The installation will install a LaunchDaemon property list file and the LogonAgent executable:
/Library/LaunchDaemons/com.telemate.logonagent.daemon.plist
/Library/Application\ Support/Telemate.Net/LogonAgent/LogonAgent
Both files require administrative privileges to be accessed or modified. The NetSpective
LogonAgent for Mac OS X will run as a daemon service through LaunchD. To start and stop
LogonAgent the ‘launchctl’ command can be used. The ‘launchctl’ command requires
administrative privileges, so you must run it with the ‘sudo’ command to request those privileges
(see example below).
Setting up the ‘Default Config’
The installation of LogonAgent does not create a default config. To set the configuration for
LogonAgent, a property list file must be created in the ‘/Library/Preferences/’ folder. This again
requires administrative privileges and can be performed from the terminal with the ‘defaults’
command.
Sample default configuration for installing LogonAgent onto multiple Macintosh systems:
sudo defaults write /Library/Preferences/com.telemate.logonagent "address" -array '192.168.101.27' '192.168.101.28'
(Note: The -array option lists the IP addresses of every NetSpective appliance that should receive the user ID to IP address associations; this example reports to two appliances.)
sudo defaults write /Library/Preferences/com.telemate.logonagent "address" -array '192.168.101.27'
(Note: In this example the default config reports to a single NetSpective appliance.)
A simple script can be created to execute all steps required to configure and install the LogonAgent from a central location. Below is an example:
sudo defaults write /Library/Preferences/com.telemate.logonagent "address" -array '192.168.101.27'
sudo /usr/sbin/installer -verbose -pkg logonagent.mpkg -target /
Modifications to the ‘Default Config’
You must restart the LogonAgent any time its configuration changes. This can be done with the ‘launchctl’ unload/load commands shown below or by restarting the machine. Use these commands when you need to manually stop/start the LogonAgent:
Stop LogonAgent:
sudo launchctl unload /Library/LaunchDaemons/com.telemate.logonagent.daemon.plist
Start LogonAgent:
sudo launchctl load /Library/LaunchDaemons/com.telemate.logonagent.daemon.plist
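A central deployment script for the Mac OS X steps above (write the address list, run the installer, then reload the daemon with the launchctl commands), as an added example that is not part of the guide; the script name, the location of logonagent.mpkg next to the script, and the launchctl job label it greps for are assumptions.

```shell
#!/bin/sh
# Added example, not from the NetSpective guide: push the config and install
# LogonAgent from one script. Assumes logonagent.mpkg sits next to this script
# and that the config/daemon paths below are the ones the guide lists.
# Usage: sudo ./deploy_logonagent.sh 192.168.101.27 [192.168.101.28 ...]
PLIST=/Library/Preferences/com.telemate.logonagent
DAEMON=/Library/LaunchDaemons/com.telemate.logonagent.daemon.plist
PKG="$(dirname "$0")/logonagent.mpkg"

# Accept only a dotted quad with four octets in 0-255; anything else is
# rejected before it can be written into the agent's address list.
valid_ipv4() {
  case "$1" in
    *[!0-9.]* | .* | *. | *..* | '') return 1 ;;
  esac
  count=0
  old_ifs=$IFS; IFS=.
  for octet in $1; do
    count=$((count + 1))
    if [ "$octet" -gt 255 ]; then IFS=$old_ifs; return 1; fi
  done
  IFS=$old_ifs
  [ "$count" -eq 4 ]
}

# Check every address given on the command line; reports the first bad one.
check_addresses() {
  for ip in "$@"; do
    valid_ipv4 "$ip" || { echo "rejected address: $ip" >&2; return 1; }
  done
}

main() {
  [ "$(id -u)" -eq 0 ] || { echo "run with sudo" >&2; exit 1; }
  if [ $# -lt 1 ]; then echo "usage: $0 IPADDRESS [IPADDRESS...]" >&2; exit 1; fi
  check_addresses "$@" || exit 1
  # 1. Write the address array (the guide's 'defaults write' step) before the package installs.
  defaults write "$PLIST" address -array "$@"
  # 2. Install the package from the mounted disk image (the guide's installer step).
  /usr/sbin/installer -verbose -pkg "$PKG" -target /
  # 3. Reload the daemon so it picks up the address list; unload first so a
  #    re-run on a machine that already runs the agent does not fail on 'load'.
  launchctl unload "$DAEMON" 2>/dev/null || true
  launchctl load "$DAEMON"
  # 4. Verify: echo back the stored addresses and confirm the job is loaded.
  #    The job label is assumed to contain the bundle id; adjust if yours differs.
  defaults read "$PLIST" address
  launchctl list | grep com.telemate.logonagent || echo "daemon not listed" >&2
}

# Only deploy when invoked with arguments, so the functions can also be sourced.
if [ $# -ge 1 ]; then main "$@"; fi
```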
The NetSpective Terminal Server Agent
The NetSpective Logon Agent will not work properly on Terminal/Citrix Servers because they
map each IP address to a single user name, and each Terminal Server hosts several users on a
single IP address at the same time. The NetSpective Terminal Server Agent addresses this by
extending the mapping down to the port level. As soon as any user-level application opens a
network socket and binds a port, the agent tells NetSpective (and/or NetAuditor) which user
locked that port. The agent sends an unlock message when the socket is closed (in case a
system service grabs that port next).
To get started, find and launch TerminalServerAgent.exe on one of your Terminal/Citrix Servers.
If you’re using NetSpective, you can find it on the Utilities page in its administrative interface. If
you’re using NetAuditor, you can find it in “<NetAuditor install folder>\Support”. Keep in mind
that it installs as a normal application and does not make any system changes until you enable
it in the configuration utility.
The Terminal Server Agent consists of a configuration utility and a Winsock Layered Service
Provider (LSP) module. LSPs are used by many anti-virus, anti-spam and anti-spyware
vendors to scan and shut down network connections in real-time. As most anti-virus software
blocks the installation of new LSPs, you may need to disable your anti-virus software to
configure the Terminal Server Agent. Depending on how strict the anti-virus software is, you
may even need to uninstall it, install and configure the Terminal Server Agent, and then reinstall
the anti-virus software.
The NetSpective LSP intercepts the initiation of TCP sessions to inform NetSpective about
connection ownership. This solution requires Windows Server 2003 and/or Citrix Presentation Server 4. Please
install NetSpective Logon Agent for Terminal Server on every Terminal Server in your network
to provide personalized filtering policies for all of your users.
The Configuration Utility
This utility shows you which LSPs you currently have registered and allows you to register or
unregister the NetSpective LSP. You must also enter the IP addresses of all NetSpective
devices monitoring the current server’s connection to the internet. If you add, remove, or change
the IP address of a NetSpective device on your network, you need to run this utility to update
the IP addresses. You are not required to reboot after making this change. However, if you
choose to register or unregister the NetSpective LSP, it is necessary to reboot the server.
If you do encounter conflicts with another Layered Service Provider, we provide a command-line utility for trouble-shooting, installing, and removing LSPs. By default, it is installed here:
• Utility: %ProgramFiles%\NetSpective Logon Agent\LSPInstall.exe
• Documentation: %ProgramFiles%\NetSpective Logon Agent\README.TXT
Windows Server 2003 / 2008 (x86-64)
The current release of the Terminal Server Agent has both 32-bit and 64-bit versions of the
LSP. This allows it to monitor both 32-bit and 64-bit WinSock applications. Depending on
whether your Terminal Server runs a 32-bit OS or a 64-bit OS, the configuration utility should
automatically detect and register/unregister the correct versions of the LSP.