NetSpective Logon Agent Guide for NetAuditor
The NetSpective Logon Agent

The NetSpective Logon Agent is a simple application that runs on client machines on your network to inform NetSpective (and/or NetAuditor) which network user owns which IP addresses. It normally does not need to be installed on Windows clients because it can be launched as part of a domain logon script. However, the Mac version requires you to install it on each client machine.

The Logon Agent supports various command-line arguments to allow it to run in different modes of operation. For example, you can configure it to run in persistent mode (where it stays running to report when a client’s IP address changes) or to shut down immediately after reporting the IP addresses assigned to the current login (only reliable if your users log out each day and then log in the next morning). You can configure it to create a system tray icon (for positive feedback when it’s running) or to stay hidden. You can also enable/disable logging for trouble-shooting purposes.

Before you get started, you must gather a list of IP addresses of all NetSpective and/or NetAuditor machines you want the Logon Agents to communicate with. Next, you need to find and open LogonAgent.zip (or LogonAgent.dmg for Mac OS X). If you’re using NetSpective, you can find it on the Utilities page in its administrative interface. If you’re using NetAuditor, you can find it in “<NetAuditor install folder>\Support”.

Note: NetSpective appliances are always listening for Logon Agent messages, but NetAuditor must be configured to listen for them. If you plan to have Logon Agent communicate with NetAuditor, you must create and enable a “Logon Agent” collection method on your NetAuditor server before you start.
Logon Agent for Windows

Before you attempt to configure the Logon Agent to be launched automatically for all domain users, we recommend that you test it manually on a client machine to get comfortable with it and make sure everything works as expected.

On Windows you start with LogonAgent.zip, which contains two files:
• wflogon.exe – The logon agent executable
• wfcall.bat – An example logon script you may use as a baseline to help you get started with creating your own logon script.

Usage:
wflogon.exe [-v] [-p] [-s] [-dDOMAIN] [-uUSERNAME] IPADDRESS [IPADDRESS...]
wflogon.exe [-v] -q IPADDRESS [IPADDRESS...]

Options:
• -v The verbose option tells wflogon.exe to log additional information to the Windows Event Log while it is running.
• -p The persistent option tells wflogon.exe to remain running until logoff so it can detect and notify NetSpective/NetAuditor when local IP addresses change. If it’s not persistent, the Logon Agent can’t detect changes due to sleep, hibernate, or changing networks (e.g. switching between wi-fi and wired).
• -s The silent option is only used with the persistent option. It tells wflogon.exe not to create a Windows systray icon (so it stays hidden).
• -q The quit option tells NetSpective/NetAuditor to stop associating the current IP addresses with the current user. It should only be used from a logoff script, and only when the logon script does NOT use the persistent flag.
• -d The domain option is used to override the domain name. This option should not be used if wflogon.exe correctly detects the current domain name.
• -u The user name option is used to override the user name. This option should not be used if wflogon.exe correctly detects the current user name.
Note: The IP addresses must be specified at the end of the command line (after any options).

Recommended Initial Test:
wflogon.exe -v -p <specify your own IP addresses here>

Verification in the Client

If you ran the recommended command above, you should have a blue NetSpective icon in your system tray. When you let the mouse cursor hover over it, a tool tip will pop up to show the domain name, user name, and all local IP addresses. If you ran it in silent mode, you should look for wflogon.exe in the Windows Task Manager. (It will only be visible in the “Processes” tab.) You can also check the Windows Event Viewer for messages logged by WFLogon.

Verification in NetSpective

To verify that NetSpective correctly received the Logon Agent messages generated by your test run, log into its administrative web interface, select Users, and select the “[Current Logged On]” group. It should list all user names it has recently received from any running Logon Agents.

Verification in NetAuditor

To verify that NetAuditor correctly received the Logon Agent messages generated by your test run, open the NetAuditor administrative client and select the Logon Agent collection method you configured. It should provide you with a list of logs collected by date, and that list should include today’s date. If you click today’s date, it should open today’s log file in Wordpad. You should be able to find your user name in today’s file.

Creating a Logon Script for Active Directory 2008

The easiest way to ensure that all of your Windows clients run the Logon Agent is to create an Active Directory Group Policy Object to launch it from a logon script.

Note: Active Directory relies on the Domain Name Service (DNS) to provide Group Policy access. This may require installing DNS on the domain controller and configuring the client systems so that they use the controller as their DNS server. Consult the appropriate documentation on Active Directory from Microsoft for more details.
Creating a Group Policy Object

1) Log into a domain controller (or another machine with access to the Group Policy Management Tools) and select Start, Programs, Administration Tools, and then Group Policy Management. Expand the forest and then the domain that contains the first set of users you want to track.
2) Right-click on ‘Group Policy Objects’ (GPO) and select ‘New’.
3) On the New GPO dialog enter a descriptive name like ‘NetSpective Logon Agent’. Leave the ‘Source Starter GPO’ set to ‘(none)’.
4) Expand the Group Policy Objects entry in the tree, right-click the new GPO, and select ‘Edit’.
5) In the GPO Management Editor window that appears, expand ‘User Configuration’ and ‘Windows Settings’, and then select ‘Scripts (Logon/Logoff)’.
6) Right-click or double-click the Logon entry on the right to display the logon script properties, and then select the Add button.
7) Select the ‘Browse’ button from the ‘Add a Script’ dialog. It should open the folder created for this GPO on your domain’s NETLOGON share. To ensure that all of your Windows clients can access the NetSpective Logon Agent files properly, we recommend that you copy wflogon.exe to this folder. If you plan to use wfcall.bat, you should also copy that file to this folder.
8) Select either wfcall.bat or wflogon.exe based on your requirements. If you select the exe, you must specify its command-line parameters in the “Script Parameters” field for the Logon Agent to function properly. If you select the bat, you must edit the batch file to have it specify the appropriate command-line parameters for wflogon.exe. Read the section below for a full explanation of the command-line parameters.
9) Once you have saved all settings and returned to the Group Policy Management window, select the Detail tab and change the GPO status to ‘Enabled’.

Note: You may want to perform a limited test before enabling it for the entire domain.
If so, change the “Authenticated Users” group in the “Scope” tab to a specific test user or group. When you have finished testing the GPO, change it back to include whatever groups you feel need to run the Logon Agent.

10) Soon after it is enabled, the Logon Agent should be launched every time a user logs into that domain. There are propagation delays between domain controllers as well as between server and client.

Note: You can skip the delay on the client by running “gpupdate /force”, but that only works if the GPO has already been propagated to the server it connects to.

Customizing a Logon Batch File

If you have an existing logon script that executes a batch file, you may also get that batch file to launch the Logon Agent by adding a few lines to it. Please refer to the sample wfcall.bat included in the LogonAgent.zip file. The important lines in it are:

    REM add a call to NetSpective logon agent, located in this share
    REM use full UNC path
    START \\PDC01\NETLOGON\wflogon.exe -p 10.0.30.1

Important: The START command is needed when using the persistent option to keep the batch file from waiting for wflogon.exe to exit.

Note: You may use a different network share if you prefer, but it will be your responsibility to ensure that your users have the necessary privileges to access it. Either way, we recommend that you specify the full UNC path.

Creating a Logon Script for Novell

For Novell, the NetSpective Logon Agent executable should be placed in a specific shared folder on the domain server or somewhere on the network. The application can then be called from a logon script that can be set up on the Novell Server. The logon script must set the environment variables WF_USERNAME and WF_USERDOMAIN and then execute the logon agent executable. Figure 8 contains a sample Novell logon script making the call to the Logon Agent. There are multiple ways to set up logon scripts on a Novell Domain.
The logon scripts can be added per User, using a Profile, or at the Organizational Unit (OU). For example, to set up a logon script at the OU, open the Novell ConsoleOne application. Navigate the Novell directory until you find the OU that the logon script will be added to. In order for the logon script to work it must be added to the OU that contains the users that are to be affected. Once the OU has been found, right-click on the OU and select Properties. From the Properties window select the Login Script tab and add the logon script. Figure 3 illustrates the basic steps in adding a logon script to the Organizational Unit. Check your Novell documentation for more information on setting up logon scripts.

[Figure 3 panels: Edit the Container; Add the Logon Script]

Note: NetSpective does not support all of the characters that are usable in Novell usernames. The characters <>;:" do not work in NetSpective.

Editing the Script

If all users share the same logon script (or a master script is available), edit the script so that it contains the call to the Logon Agent as described in the previous sections. For multiple logon scripts, edit all appropriate scripts. Refer to the following examples at the end of this document.

Novell Sample

Please refer to the following example of a short Novell logon script, which includes the setting of the environment variables WF_USERNAME and WF_USERDOMAIN and the required call to the NetSpective Logon Agent. Note that the path for the executable may vary between domains.

    REM Sample Novell logon script
    REM set environment variables
    REM DOS SET WF_USERNAME="%LOGIN_NAME.%LOGIN_CONTEXT"
    REM Call netspective logon agent
    REM START @NOVELLSERVER/SYS:\PUBLIC\WFLOGON 192.168.10.227

Logon Agent for Mac OS X

The Logon Agent for Mac OS X must be installed on each client. To begin the install, mount and open the LogonAgent.dmg disk image file. Inside that image is the install package logonagent.mpkg. Select logonagent.mpkg to start the installation process.
Note: The installation requires administrative credentials, and it will ask you to confirm the install by entering your password.

The installation will install a LaunchDaemon property list file and the LogonAgent executable:

    /Library/LaunchDaemons/com.telemate.logonagent.daemon.plist
    /Library/Application\ Support/Telemate.Net/LogonAgent/LogonAgent

Both files require administrative privileges to be accessed or modified. The NetSpective LogonAgent for Mac OS X will run as a daemon service through LaunchD. To start and stop LogonAgent the ‘launchctl’ command can be used. The ‘launchctl’ command requires administrative privileges, so you must run it with the ‘sudo’ command to request those privileges (see example below).

Setting up the ‘Default Config’

The installation of LogonAgent does not create a default config. To set the configuration for LogonAgent, a property list file must be created in the ‘/Library/Preferences/’ folder. This again requires administrative privileges and can be performed from the terminal with the ‘defaults’ command.

Sample default configuration for installing LogonAgent onto multiple Macintosh systems:

    sudo defaults write /Library/Preferences/com.telemate.logonagent "address" -array '192.168.101.27' '192.168.101.28'

(Note: The ‘-array’ lists the IP addresses for broadcasting logons, i.e. user ID and IP address associations, to more than one NetSpective appliance.)

    sudo defaults write /Library/Preferences/com.telemate.logonagent "address" -array '192.168.101.27'

(Note: In this example the default config is broadcasting to a single NetSpective appliance.)

A simple script can be created to execute all steps required to configure and install the LogonAgent from a central location.
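The three steps above (write the address array with ‘defaults’, run the installer, then reload the daemon with ‘launchctl’) are what such a central-rollout script has to do. The following is an added shell example, not the vendor’s own script and not something shipped in LogonAgent.dmg. It keeps the paths from this guide (/Library/Preferences/com.telemate.logonagent, the LaunchDaemon plist, /usr/sbin/installer) and adds two things an administrator wants before pushing this to many Macs: every address is checked to be a well-formed IPv4 address before it is written (a mistyped address means logon reports go to the wrong host or nowhere, and nothing on the client will complain), and no command is executed unless the environment variable LOGONAGENT_APPLY=1 is set, so the exact commands can be reviewed first on any machine. The function names, the LOGONAGENT_APPLY variable and the sample addresses are assumptions made for this example, not names from the guide. The guide’s own two-line version follows below.

```shell
#!/bin/sh
# Added example (not the vendor's script): configure and install LogonAgent
# on one Mac, with the appliance addresses checked before they are written.
# The real commands run only when LOGONAGENT_APPLY=1 (assumed name); otherwise
# each command is printed, so the script can be reviewed on a non-Mac machine.

# Return 0 if $1 is a dotted-quad IPv4 address with every octet in 0..255.
valid_ipv4() {
    ip=$1
    # Reject the empty string and anything other than digits and dots.
    case $ip in
        ""|*[!0-9.]*) return 1 ;;
    esac
    # Split on dots; an empty field (leading, trailing or double dot) fails below.
    old_ifs=$IFS
    IFS=.
    set -- $ip
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ -n "$octet" ] || return 1
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Run a command, or just print it when LOGONAGENT_APPLY is not 1.
run() {
    if [ "${LOGONAGENT_APPLY:-0}" = 1 ]; then
        "$@"
    else
        printf 'would run: %s\n' "$*"
    fi
}

# Usage: configure_logonagent PACKAGE ADDRESS [ADDRESS...]
# Writes the address array, runs the installer, then unloads/loads the daemon
# so the new configuration is picked up.  Refuses to touch the system if any
# address is malformed.
configure_logonagent() {
    pkg=$1
    shift
    [ $# -gt 0 ] || { echo "no NetSpective/NetAuditor address given" >&2; return 1; }
    for a in "$@"; do
        valid_ipv4 "$a" || { echo "bad address: $a" >&2; return 1; }
    done
    run sudo defaults write /Library/Preferences/com.telemate.logonagent address -array "$@" || return 1
    run sudo /usr/sbin/installer -verbose -pkg "$pkg" -target / || return 1
    # unload fails if the daemon was not loaded yet; that is not an error here
    run sudo launchctl unload /Library/LaunchDaemons/com.telemate.logonagent.daemon.plist || true
    run sudo launchctl load /Library/LaunchDaemons/com.telemate.logonagent.daemon.plist
}

# Dry run with constructed sample addresses (prints the four commands):
#   configure_logonagent logonagent.mpkg 192.168.101.27 192.168.101.28
```

Run it once without LOGONAGENT_APPLY to see the four commands it would issue, then with LOGONAGENT_APPLY=1 from a terminal that can sudo. Because the addresses are passed to ‘defaults’ as separate arguments rather than pasted into a command string, nothing in an address or package path can alter the command line.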
Below is an example:

    sudo defaults write /Library/Preferences/com.telemate.logonagent "address" -array '192.168.101.27'
    sudo /usr/sbin/installer -verbose -pkg logonagent.mpkg -target /

Modifications to the ‘Default Config’

You must restart the LogonAgent any time its configuration changes. This can be done by using the ‘launchctl’ load/unload commands below or by restarting the machine. Use these commands when you need to manually start/stop the LogonAgent:

Stop LogonAgent:
    sudo launchctl unload /Library/LaunchDaemons/com.telemate.logonagent.daemon.plist

Start LogonAgent:
    sudo launchctl load /Library/LaunchDaemons/com.telemate.logonagent.daemon.plist

The NetSpective Terminal Server Agent

The NetSpective Logon Agent will not work properly on Terminal/Citrix Servers because they map each IP address to a single user name, and each Terminal Server hosts several users on a single IP address at the same time. The NetSpective Terminal Server Agent addresses this by extending the mapping down to the port level. As soon as any user-level application opens a network socket and binds a port, the agent tells NetSpective (and/or NetAuditor) which user locked that port. The agent sends an unlock message when the socket is closed (in case a system service grabs that port next).

To get started, find and launch TerminalServerAgent.exe on one of your Terminal/Citrix Servers. If you’re using NetSpective, you can find it on the Utilities page in its administrative interface. If you’re using NetAuditor, you can find it in “<NetAuditor install folder>\Support”. Keep in mind that it installs as a normal application and does not make any system changes until you enable it in the configuration utility.

The Terminal Server Agent consists of a configuration utility and a Winsock Layered Service Provider (LSP) module. LSPs are used by many anti-virus, anti-spam and anti-spyware vendors to scan and shut down network connections in real time.
As most anti-virus software blocks the installation of new LSPs, you may need to disable your anti-virus software to configure the Terminal Server Agent. Depending on how strict the anti-virus software is, you may even need to uninstall it, install and configure the Terminal Server Agent, and then reinstall the anti-virus software.

The NetSpective LSP intercepts the initiation of TCP sessions to inform NetSpective about connection ownership. This solution requires 2003 and/or Citrix Presentation Server 4. Please install NetSpective Logon Agent for Terminal Server on every Terminal Server in your network to provide personalized filtering policies for all of your users.

The Configuration Utility

This utility shows you which LSPs you currently have registered and allows you to register or unregister the NetSpective LSP. You must also enter the IP addresses of all NetSpective devices monitoring the current server’s connection to the internet. If you add, remove, or change the IP address of a NetSpective device on your network, you need to run this utility to update the IP addresses. You are not required to reboot after making this change. However, if you choose to register or unregister the NetSpective LSP, it is necessary to reboot the server.

If you do encounter conflicts with another Layered Service Provider, we provide a command-line utility for trouble-shooting, installing, and removing LSPs. By default, it is installed here:
• Utility: %ProgramFiles%\NetSpective Logon Agent\LSPInstall.exe
• Documentation: %ProgramFiles%\NetSpective Logon Agent\README.TXT

Windows Server 2003 / 2008 (x86-64)

The current release of the Terminal Server Agent has both 32-bit and 64-bit versions of the LSP. This allows it to monitor both 32-bit and 64-bit WinSock applications. Depending on whether your Terminal Server runs a 32-bit OS or a 64-bit OS, the configuration utility should automatically detect and register/unregister the correct versions of the LSP.