Deploying transparent identification agents
Applies to:
- Forcepoint Web Security, v8.5.x
- Forcepoint URL Filtering, v8.5.x
- Forcepoint Web Security deployments, as an alternative or supplement to transparent or explicit proxy authentication
- Standalone Forcepoint URL Filtering deployments
- Integrated deployments in which the integration product does not send user information to Filtering Service
There are 4 transparent identification agents:
- DC Agent is used with a Windows Active Directory. The agent:
- Works by identifying domain controllers in the network, and then retrieving user logon session information from those domain controllers
- Can also be configured to poll client machines to verify logon status
- Runs on a Windows server and can be installed in any domain in the networkNote: Some DC Agent features require local and domain administrator privileges.
- May use NetBIOS port 139 for automatic domain detection. If NetBIOS port 139 is blocked in your network, deploy a DC Agent instance for each virtually or physically remote domain.
- Communicates with Filtering Service on port 30600
- Logon Agent identifies users as they log on to Windows domains. The agent:
- Runs on a Linux or Windows server
- Requires a Windows-only client application (the Logon Application, or LogonApp.exe) to be run on client machines
- Communicates with Filtering Service on port 30602
- eDirectory Agent is used with Novell eDirectory. The agent:
- Runs on a Linux or Windows server
- Uses Novell eDirectory authentication to map users to IP addresses
- Communicates with Filtering Service on port 30700
- RADIUS Agent can be used in conjunction with either Windows- or LDAP-based directory services. The agent:
- Runs on a Linux or Windows server
- Works with a RADIUS server and client to identify users logging on from remote locations
- Communicates with Filtering Service on port 30800Note: eDirectory Agent or RADIUS Agent can be installed on the same machine as Filtering Service, or on a separate machine in the same network, but not on the same machine as Log Server.
In deployments that cover multiple locations, you can install an agent instance in multiple domains.
For example:
- One DC Agent instance can handle multiple trusted domains. Add additional instances based on:
- The load placed on DC Agent
- Whether a DC Agent instance can see all the domains on the network, including remote offices
Load results from the number of user logon requests. With a large number of users (10,000+ users, 30+ domains), having multiple DC Agent instances allows for faster identification of users.
If multiple Filtering Services are installed, each Filtering Service instance must be able to communicate with all DC Agent instances.
- One Logon Agent is required for each Filtering Service instance.
- One eDirectory Agent is required for each eDirectory Server.
- One RADIUS Agent instance is required for each RADIUS server.
It is a best practice to install and run RADIUS Agent and the RADIUS server on separate machines. (The agent and server cannot have the same IP address, and must use different ports.)
In some environments, a combination of transparent identification agents may be appropriate within the same network, or on the same machine. See Combining transparent identification agents.
See Installing web protection components for transparent identification agent installation instructions. See the Administrator Help for configuration information.
Combining transparent identification agents
- eDirectory or RADIUS Agent can be installed on the same machine as Filtering Service, or on a separate server on the same network.
- Do not run eDirectory Agent and DC Agent in the same deployment.
| Combination | Same machine? | Same network? | Configuration required |
|---|---|---|---|
| Multiple DC Agents | No | Yes | Ensure that all instances of DC Agent can communicate with Filtering Service, and that the individual DC Agents are not monitoring the same domain controllers. |
| Multiple RADIUS Agents | No | Yes |
Configure each agent to communicate with Filtering Service. Multiple instances of the RADIUS Agent cannot be installed on the same machine. |
| Multiple eDirectory Agents | Configure each instance to communicate with Filtering Service. | ||
| Multiple Logon Agents | No | Yes | Configure each instance to communicate with Filtering Service. |
| DC Agent + RADIUS Agent | Yes | Yes | Each agent must use a unique port number to communicate with Filtering Service. By default, DC Agent uses port 30600; RADIUS Agent uses port 30800. |
| DC Agent + eDirectory Agent | No | No | Communication with both a Windows directory service and Novel eDirectory is not supported in the same deployment. However, both agents can be installed, with only one agent active. |
| DC Agent + Logon Agent | Yes | Yes | Configure each agent to use a unique port to communicate with Filtering Service. By default, DC Agent uses port 30600; Logon Agent uses port 30602. |
| RADIUS Agent + Logon Agent | Yes | Yes | Configure all agents to communicate with Filtering Service. |
| eDirectory Agent + Logon Agent | No | No | Communication with both Novell eDirectory and a Windows- or LDAP-based directory service in the same deployment is not supported. However, both agents can be installed, with only one agent active. |
| RADIUS Agent + eDirectory Agent | Yes | Yes |
Configure each agent to use a unique port to communicate with Filtering Service. By default, eDirectory Agent uses port 30700; RADIUS Agent uses port 30800. When adding agents to the Security Manager, use an IP address to identify one, and a machine name to identify the other. |
| DC Agent + Logon Agent + RADIUS Agent | Yes | Yes |
This combination is rarely required. Configure each agent to use a unique port to communicate with Filtering Service. By default, DC Agent uses port 30600; Logon Agent uses port 30602; RADIUS Agent uses port 30800. |