How DC Agent identifies users
- DC Agent detects domain controllers: At startup, and (by default) every 24 hours thereafter, DC Agent identifies available domains and domain controllers in the network and saves the information to its dc_config.txt file.
- DC Agent obtains logon session information: DC Agent obtains the user and computer name from each domain controller for user logon sessions.
By default, the query occurs every 10 seconds. This interval can be configured in the Forcepoint Security Manager (open the DC Agent instance in the Transparent Identification Agents list and edit its Query interval value).
Note: The Query interval value is not used when the Event Subscriber option is enabled.
Note: If DC Agent is not running when a user logs on to a domain controller (for example, because the DC Agent machine was restarted), the logon session is not recorded. In this case, the computer or network policy (if one exists), or otherwise the Default policy, is used to manage that user's requests.
- DC Agent records user name/IP address pairs: For each logon session, DC Agent performs a DNS lookup to resolve the computer name to an IP address, and then stores the user name/IP address pair in its user map in local memory. It periodically writes a copy of the user map to XidDcAgent.bak.
- DC Agent sends user information to Filtering Service: DC Agent provides user names and IP addresses to Filtering Service each time its user map is updated.
  - The agent sends only those new user name/IP address pairs recorded since the last query.
  - Filtering Service adds the new user name/IP address pairs to its own copy of the user map in local memory.
  No confidential information (such as user passwords) is transmitted.
- Filtering Service gets group information for logged-on users: Filtering Service queries User Service to get group information for users in its copy of the user map. User Service queries the directory service for this group information, and sends the information to Filtering Service.
- Policies are applied to logged-on users: Filtering Service uses the information from DC Agent and User Service to ensure that the correct policies are applied to directory clients (users, groups, and OUs).
Filtering Service does not check the policy every time an Internet request is made; policy data is cached for 3 hours by the server, unless the user cache is explicitly cleared in the Forcepoint Security Manager.
DC Agent can be used in conjunction with Logon Agent. In this configuration, user logon information provided by Logon Agent takes precedence over information from DC Agent. DC Agent communicates a logon session to Filtering Service only in the unlikely event that Logon Agent has missed one. For more information about Logon Agent, see Using Logon Agent for Transparent User Identification.
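The steps above (query the domain controllers, resolve each computer name, store the pair, send only the pairs recorded since the last send, and fall back to the computer/network or Default policy when a logon was never recorded), together with the Logon Agent precedence rule, as a Python simulation. This is an added example written for this page, not Forcepoint's code: the domain controller session lists and the DNS table are constructed in-memory stand-ins so it runs offline, and the class, function and policy names are illustrative assumptions.

```python
"""Simulation of the DC Agent user-map pipeline (added example, not Forcepoint code).

Domain controller queries and DNS are replaced by constructed in-memory
tables so that the script runs offline; all names below are illustrative.
"""
from typing import Dict, List, Optional, Tuple

# Constructed sample data: what each domain controller reports for its
# current logon sessions, as (user, computer) pairs.
DC_SESSIONS: Dict[str, List[Tuple[str, str]]] = {
    "dc01": [("CORP\\alice", "WS-ALICE"), ("CORP\\bob", "WS-BOB")],
    "dc02": [("CORP\\carol", "LAPTOP-CAROL")],
}

# Constructed stand-in for DNS: computer name -> IPv4 address.
# LAPTOP-CAROL is deliberately missing to exercise the unresolvable case.
DNS_TABLE: Dict[str, str] = {
    "WS-ALICE": "10.1.1.10",
    "WS-BOB": "10.1.1.11",
}


def resolve(computer: str) -> Optional[str]:
    """Stand-in for the per-session DNS lookup DC Agent performs."""
    return DNS_TABLE.get(computer.upper())


class UserMap:
    """User name/IP address pairs, keyed by IP so request lookups are direct,
    plus the subset recorded since the last send to Filtering Service."""

    def __init__(self) -> None:
        self.entries: Dict[str, str] = {}   # ip -> user name
        self.pending: Dict[str, str] = {}   # pairs not yet sent

    def record(self, user: str, computer: str) -> bool:
        """Resolve the computer and store the pair; False if no address."""
        ip = resolve(computer)
        if ip is None:
            return False
        if self.entries.get(ip) != user:   # new pair, or IP reassigned
            self.entries[ip] = user
            self.pending[ip] = user
        return True

    def poll(self, sessions: Dict[str, List[Tuple[str, str]]]) -> List[Tuple[str, str]]:
        """One query cycle over all domain controllers (every 10 s by default).
        Returns the sessions that could not be mapped to an address."""
        unmapped: List[Tuple[str, str]] = []
        for _dc, dc_sessions in sessions.items():
            for user, computer in dc_sessions:
                if not self.record(user, computer):
                    unmapped.append((user, computer))
        return unmapped

    def send_to_filtering_service(self) -> Dict[str, str]:
        """Return only the pairs recorded since the last send, then clear them."""
        delta, self.pending = self.pending, {}
        return delta


def merge_with_logon_agent(dc_map: Dict[str, str],
                           logon_agent_map: Dict[str, str]) -> Dict[str, str]:
    """Logon Agent pairs take precedence; DC Agent only fills IPs it missed."""
    merged = dict(dc_map)
    merged.update(logon_agent_map)
    return merged


def select_policy(ip: str, user_map: Dict[str, str], policies: Dict[str, str],
                  default: str = "Default") -> str:
    """Simplified policy choice: the identified user's policy if the IP was
    mapped, else the computer/network policy for the IP, else Default.
    (Group and OU policies obtained via User Service are omitted here.)"""
    user = user_map.get(ip)
    if user is not None and user in policies:
        return policies[user]
    return policies.get(ip, default)


if __name__ == "__main__":
    um = UserMap()
    print("unmapped:", um.poll(DC_SESSIONS))
    print("first send:", um.send_to_filtering_service())
    print("second send (no change):", um.send_to_filtering_service())
    um.poll({"dc01": [("CORP\\dave", "WS-BOB")]})       # IP reassigned
    print("after reassignment:", um.send_to_filtering_service())
    policies = {"CORP\\alice": "Engineering", "10.1.1.50": "Lab-Network"}
    print(select_policy("10.1.1.10", um.entries, policies))  # Engineering
    print(select_policy("10.1.1.50", um.entries, policies))  # Lab-Network
    print(select_policy("10.1.1.99", um.entries, policies))  # Default
```

Keying the map by IP makes the two behaviours the page describes visible: a session whose computer name does not resolve never produces a pair (carol's requests fall through to a computer/network policy or Default), and an address that is reassigned to a different user replaces the earlier pair and is sent to Filtering Service as a new one. In merge_with_logon_agent, a Logon Agent pair for the same IP overrides whatever DC Agent recorded.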