Prepare the Windows logon scripts

The default logon.bat file contains instructions for using the scripting parameters, and two sample scripts: a logon script that runs the logon application and a logout script. The logout script removes user information from the user map when the user logs out. Only Windows Active Directory can use both types of scripts.

Construct a logon or logout script using the samples provided and the parameters in the table below. When you have finished customizing the script, continue with Configure the Windows logon scripts to run.

The required portion of the logon script is:

LogonApp.exe http://<server>:<port>

Be sure to enter a hard return at the end of the line.

This command runs LogonApp.exe in persistent mode (the default).

Note: You can edit the sample, or create a new batch file containing a single command.

Parameter Description

<server>

IP address or name of the Logon Agent machine. This entry must match the machine address or name entered in the Forcepoint Security Manager.

<port>

The Logon Agent communication port (default 15880).

/NOPERSIST

Causes the logon application to send user information to the Logon Agent at logon only. The user name and IP address are communicated to the server at logon and remain in the user map until the user’s data is automatically cleared at a predefined time interval. The default user entry expiration is 24 hours, and can be changed in the Forcepoint Security Manager.

If the NOPERSIST parameter is omitted, LogonApp.exe operates in persistent mode, residing in memory on the domain server and updating the Logon Agent with the user names and IP addresses at predefined intervals. The default interval is 15 minutes, and can be changed in the Security Manager.

/COPY

Copies the logon application to the %USERPROFILE%\Local Settings\Temp directory on users’ machines, where it is run by the logon script from local memory. This optional parameter helps to prevent your logon script from hanging.

COPY can be used only in persistent mode.

/D

Debugging parameter that causes messages to be sent to a debugging file (Ws_LogonAppLog.txt). Use at the direction of Forcepoint Technical Support. The file is placed in the default temp directory for the current user (C:\Documents and Settings\<user_account>\Local Settings\Temp).

/DHCP

Designed to accommodate mobile users.

Forces LogonApp.exe to send updates to the Logon Agent when an IP address change is detected. By default, LogonApp.exe does not detect IP address changes.

/filename

Overrides the default name of the debugging file. Use the format:

/filename <debug_filename>

/IPV6

Causes LogonApp.exe to record IPv6 addresses in its user map. By default, only IPv4 addresses are recorded.

/VERBOSE

Debugging parameter that must be used only at the direction of Technical Support.

/LOGOUT

Used only in an optional logout script, this parameter removes the user’s logon information from the user map when the user logs off. If you use Active Directory, this parameter can clear the logon information from the user map before the interval defined for Logon Agent has elapsed.

Use this optional parameter in a logout script in a different batch file than the one containing the logon script.
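
A customized script can be checked against the rules on this page before it is deployed. The following is an added example, not part of the Forcepoint documentation or product: the function name lint_logon_script is hypothetical, parameters are matched case-insensitively as an assumption, and the sample scripts and address are constructed.

```python
import re

# Parameters listed in the table on this page (compared case-insensitively: an assumption).
KNOWN = {"/NOPERSIST", "/COPY", "/D", "/DHCP", "/FILENAME", "/IPV6", "/VERBOSE", "/LOGOUT"}
CMD = re.compile(r"^\s*(?:\S*\\)?LogonApp\.exe\s+(\S+)(.*)$", re.I)
URL = re.compile(r"^http://(\[[^\]\s]+\]|[^\s:/]+):(\d+)/?$", re.I)


def lint_logon_script(text):
    """Return a list of findings for one logon or logout batch file."""
    findings, kinds = [], set()
    for n, raw in enumerate(text.splitlines(keepends=True), 1):
        m = CMD.match(raw.rstrip("\r\n"))
        if not m:
            continue  # echo, rem and other commands are ignored
        if not raw.endswith("\n"):
            findings.append(f"line {n}: no hard return after the command")
        u = URL.match(m.group(1))
        if not u or not 0 < int(u.group(2)) < 65536:
            findings.append(f"line {n}: expected http://<server>:<port>")
        tokens = m.group(2).split()
        flags = set()
        for i, tok in enumerate(tokens):
            if not tok.startswith("/"):
                continue  # e.g. the <debug_filename> value
            flag = tok.upper()
            flags.add(flag)
            if flag not in KNOWN:
                findings.append(f"line {n}: unknown parameter {tok}")
            nxt = tokens[i + 1] if i + 1 < len(tokens) else "/"
            if flag == "/FILENAME" and nxt.startswith("/"):
                findings.append(f"line {n}: /filename needs <debug_filename>")
        if {"/COPY", "/NOPERSIST"} <= flags:
            findings.append(f"line {n}: /COPY can be used only in persistent mode")
        kinds.add("logout" if "/LOGOUT" in flags else "logon")
    if not kinds:
        findings.append("no LogonApp.exe command found")
    if len(kinds) == 2:
        findings.append("put the /LOGOUT command in a separate batch file")
    return findings


# Constructed samples; 192.0.2.10 is a documentation placeholder address.
GOOD = "@echo off\r\nLogonApp.exe http://192.0.2.10:15880 /COPY /DHCP\r\n"
BAD = ("LogonApp.exe http://192.0.2.10:15880 /NOPERSIST /COPY\r\n"
       "LogonApp.exe http://192.0.2.10:15880 /LOGOUT")
```

Calling lint_logon_script(GOOD) returns an empty list, while BAD is reported for combining /COPY with /NOPERSIST, for the missing hard return, and for mixing logon and logout commands in one file.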