
BLOCK WEB THREATS BOOST PRODUCTIVITY REDUCE LIABILITIES


WEBTITAN CLOUD

User Identification Guide

This guide explains how to install and configure the WebTitan Cloud Active Directory components required to report on users, groups and internal networks.

www.webtitan.com

info@webtitan.com


Overview

The Active Directory user identification integration consists of two components that must be installed on your network:

  1. The WebTitan DNS Proxy, which is responsible for:

    • Securely uploading user and computer group info to the WebTitan Cloud service.

    • Redirecting all local DNS queries to your existing internal DNS servers.

    • Redirecting all external DNS queries, along with metadata, to WebTitan Cloud.

  2. The WebTitan Active Directory Agent (WADA), which is responsible for:

    • Maintaining a list of active logon sessions, mapping an IP to a username.

    • Securely transferring this information to the WebTitan DNS Proxy.

    • The information is gathered from 3 different sources (LDAP, Event Logger and Network sessions):

      a) The LDAP mechanism gathers a list of computers in the domain and, based on the lastLogon attribute, contacts each computer over WMI to check for an active logon session and obtain the username. Not all computers are checked, only those whose lastLogon value falls within the range defined in the configuration (1 year by default).

      b) The Event Logger mechanism “listens” for a special event that contains information about the username and IP.

      c) Additionally, network sessions are enumerated (by default every 10 seconds) to discover active sessions. This method is especially important when there are users on the network who don’t turn off their computers for a very long time and whose computers are, for some reason, not reachable with WMI.


    Workflow

    1. Install WebTitan DNS Proxy on either a hypervisor or on “bare-metal”. The WebTitan DNS Proxy will import all users and groups (currently only users are imported) from Active Directory.

    2. These will then be securely transmitted to WebTitan Cloud. In return, the DNS Proxy will receive a unique user id for each user.

    3. Install WebTitan Active Directory Agent (WADA) on the Active Directory Server (or on another server in the domain). WADA will use several techniques to discover who is logged on where.

    4. The discovered user-IP mappings will be continuously transmitted to the WebTitan DNS Proxy.

    5. All internal computers must route their DNS traffic via the WebTitan DNS Proxy. Upon receipt of a DNS query, the WebTitan DNS Proxy will check to see if it has a user associated with the source IP address of the query. The WTC user id for that user (if found) will be appended to the query as metadata along with the internal source IP address.

    6. The request containing the metadata will then be forwarded on to the WebTitan Cloud server, where each request can be successfully logged with user identification.


    WebTitan DNS Proxy

    Once configured, WebTitan DNS Proxy collects user and group data from your directory service and at scheduled intervals securely sends it to WebTitan Cloud. It will receive a unique user id for each user which will be used to form the metadata that will be attached to all DNS queries that are routed through the WebTitan DNS Proxy.

    If a query is for a local domain, then the request will be forwarded to the appropriate internal DNS server.

    Prerequisites

    Before you install the WebTitan Cloud AD components, you will need to meet the following requirements:

    • VMware ESXi 4.1 or newer (alternatively, the appliance may be installed on bare metal).

    • Minimum requirements for the DNS Proxy appliance are 1 CPU core, 512MB RAM, 6GB disk space.

    Install DNS Proxy Appliance

    The following outlines the steps for installing WebTitan DNS Proxy from a CD image (ISO).

    1. After deploying the ISO or OVA image, you will be prompted to configure the appliance.


    2. Keyboard Layout

    The Keymap Selection screen will be displayed, allowing you to select the keyboard layout that most closely represents the mapping of the keyboard attached to the system. If unsure, use the default keymap or choose United States of America ISO-8859-1.

    3. Setting the hostname

    The installer will prompt for the hostname to be given to the newly installed appliance. The hostname should be a fully-qualified hostname.


    4. Confirmation to proceed

    Choose <Yes> to proceed.

    5. Partitioning

    WebTitan DNS Proxy will automatically partition the disk. Choose <Commit> to proceed and partition the disk. This is the last chance to abort the installation before changes are made to the hard drive.

    After verifying the integrity of the distribution files to ensure that they have not been misread from the installation media, the installer will extract the distributed files to disk.

    6. Configuring the Network Interface

    A list of all network interfaces found on the computer is shown next. Select one to be configured.


    The application must be configured with a static IP address and does not provide the option to configure the interface using DHCP. Static configuration of the network interface requires some IPv4 information:

    • IP Address: The manually assigned IPv4 address to be assigned to this computer. This address must be unique and not already in use elsewhere on the local network.

    • Subnet Mask: The subnet mask used for the local network. Typically, this is 255.255.255.0.

    • Default Router: The IP address of the default router/gateway on this network.

    7. Configuring DNS

    The Domain Name System (DNS) resolver converts hostnames to and from network addresses. Enter the local network’s domain name in the Search field, and the addresses of the local DNS servers in the DNS #1 and DNS #2 fields. At least one DNS server is required.


    8. Setting the Time Zone

    Setting the time zone for your application will allow it to automatically correct for any regional time changes and perform other time zone related functions properly. Select <Yes> or <No> according to how the machine’s clock is configured. If you don’t know whether the system uses UTC or local time, select <No> to choose the local region and country.

    9. Install Packages

    The installer will then proceed with installation of packages and perform some further installation tasks.


    After everything has been installed and configured, the installer will prompt to reboot into the new appliance. Select <Reboot> to reboot the computer and start the new WebTitan DNS Proxy application. Don’t forget to remove the installation media, or the computer may boot from it again.

    10. Completing the installation

    After the application has rebooted, use the displayed URL to connect your browser to the WebTitan DNS Proxy web-based user interface. The user interface will allow you to complete the configuration of your WebTitan DNS Proxy application setup.

    Log in with the following credentials:

    Administrator: admin

    Password: hiadmin

    Note: If your internet browser does not connect to the application, it is likely because the network settings are misconfigured. You can fix the configuration by logging into the console.


    Configuring the WebTitan DNS Proxy

    Once logged in to the user interface, navigate to the Configuration tab to complete the configuration of the DNS Proxy appliance.

    Under the Network -> DNS Settings tab, you must configure the appliance to route local DNS queries to your existing DNS servers. The DNS Settings table lists those queries that should be redirected to local DNS servers for resolution. It is also possible to specify queries that should always be dropped. The table should list all internal zones (e.g. mydomain.com) and any reverse zones. For instance, if your network is 192.168.1.0/24, then the domain to add would be 1.168.192.in-addr.arpa.

    All other requests will be forwarded to WebTitan Cloud for resolution.
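Because anything not listed in the DNS Settings table is forwarded to WebTitan Cloud, a missing reverse zone sends lookups for internal addresses off the network. The following added example (not part of the WebTitan guide or product) generalizes the /24 case above to any IPv4 prefix and reports the reverse zones still missing from a table; the sample networks and table entries are constructed, and treating a listed parent zone as covering its children is an assumption about how entries are matched.

```python
import ipaddress

def reverse_zones(cidr):
    """Return the in-addr.arpa zones that together cover an IPv4 network."""
    net = ipaddress.ip_network(cidr, strict=False)
    if net.version != 4:
        raise ValueError("this example handles IPv4 only")
    # Reverse zones sit on octet boundaries: round the prefix up to /8, /16 or /24.
    boundary = min(24, max(8, -(-net.prefixlen // 8) * 8))
    if net.prefixlen > boundary:
        blocks = [net.supernet(new_prefix=boundary)]  # a /25 lives inside its /24
    else:
        blocks = net.subnets(new_prefix=boundary)     # a /22 spans four /24 zones
    zones = []
    for block in blocks:
        octets = str(block.network_address).split(".")[: boundary // 8]
        zones.append(".".join(reversed(octets)) + ".in-addr.arpa")
    return zones

def missing_reverse_zones(internal_networks, dns_settings):
    """List reverse zones for the internal networks that the table does not cover."""
    listed = [z.lower().rstrip(".") for z in dns_settings]
    missing = []
    for cidr in internal_networks:
        for zone in reverse_zones(cidr):
            # Assumption: a listed parent zone also covers its child zones.
            covered = any(zone == z or zone.endswith("." + z) for z in listed)
            if not covered and zone not in missing:
                missing.append(zone)
    return missing

# Constructed sample: two internal networks and a partly filled DNS Settings table.
INTERNAL = ["192.168.1.0/24", "10.1.4.0/22"]
TABLE = ["mydomain.com", "1.168.192.in-addr.arpa", "4.1.10.in-addr.arpa"]

if __name__ == "__main__":
    for zone in missing_reverse_zones(INTERNAL, TABLE):
        print("add to DNS Settings:", zone)
```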

    Active Directory

    In order for WebTitan Cloud to report on users, you must first import all your users from your Active Directory server. These are then securely uploaded to WebTitan Cloud, and in return a unique identifier is returned for each user. Subsequently, when the DNS Proxy receives a DNS request, if it has a username -> IP mapping (from WebTitan Active Directory Agent) for the source address of the request, the unique identifier is used to form the metadata that is attached to the query forwarded to WebTitan Cloud.

    Navigate to the Active Directory tab under the Configuration section to add an Active Directory Domain. Click “Add” and input your Active Directory Server details and save.


    In order to be able to synchronize users with WebTitan Cloud, you must specify your WebTitan Cloud Credentials.


    WebTitan Active Directory Agent (WADA)

    The WebTitan Active Directory Agent (WADA) is responsible for discovering who is logged into what machines on your Active Directory network.

    WADA must be installed on the domain controller or on a machine from which it can communicate with:

    • Windows Active Directory

    • WebTitan DNS Proxy

    WADA Installation

    As Admin, launch an elevated command prompt, run WADA.msi with administrator privileges and follow the steps in the installation wizard.


    You will be prompted to provide your WebTitan DNS Proxy hostname or IP address and port number.


    Next you will be prompted to enter the username and password for the WebTitan AD Agent. This user must be a member of the Event Log Readers group and the Distributed COM Users group.


    The WADA.ini configuration file can be located at C:\ProgramData\WebtitanADAgent. The file contains the WebTitan DNS Proxy IP and looks like this:


    WebTitanServers is the only required parameter and may contain a comma-separated list of URLs that will receive the IP/user list in HTTP POST requests.


    Other parameters are optional but may be useful for debugging or for customizing to specific needs:

    • DiscoveryThreads (default 10) - number of child threads used in the WMI discovery process. Each thread connects to a computer using WMI, and the checks run in parallel to speed up the initial discovery process.

    • DiscoveryIntMin (30) - number of minutes between discoveries (LDAP queries that read the list of available computers, followed by WMI checks).

    • LastLogonDays (365) - maximum number of days since the last logon to a machine for it to be checked for existing sessions with WMI. It is based on the lastLogon LDAP attribute; computers with a higher number of ‘idle’ days are omitted.

    • TTLMin (60) - number of minutes after which an IP/user pair is removed from the map if no active logon session was found on the given IP during this period (whether by WMI checks, events from Event Logger or the Network sessions enumerator).

    • EnumSessIntS (10) - number of seconds between enumerations of Network Sessions. Note that Windows XP sessions show for only about 15 seconds, so don’t change this setting to a higher value or you may lose some information about active logon sessions.

    • WMICheckIntS (60) - number of seconds between WMI checks on a specific computer. This avoids flooding Windows computers by not querying them too often.

    • WMIMaxCheckRetry (10) - number of retries when a WMI query to a specific computer is failing. If it is still failing after this number of retries, an error is logged to the file waderror.log and the computer is not checked for active sessions with WMI unless there is some activity from other sources (Event Logger or Network Sessions).

    • DC - name of the remote domain controller. May be used to run WADA on a computer on the network other than the Domain Controller itself.

    • LogMinLevel - debug level. 0 = Full debugging.
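A pre-deployment check of WADA.ini against the parameter descriptions above, as an added example that is not WebTitan's code. It assumes the file holds plain key=value lines (the guide does not show the layout) and that key names are case-sensitive; the sample contents, host names and port are constructed.

```python
from urllib.parse import urlsplit

# Integer parameters and their defaults, as listed in the guide.
DEFAULTS = {"DiscoveryThreads": 10, "DiscoveryIntMin": 30, "LastLogonDays": 365,
            "TTLMin": 60, "EnumSessIntS": 10, "WMICheckIntS": 60,
            "WMIMaxCheckRetry": 10}
OTHER_KEYS = {"WebTitanServers", "DC", "LogMinLevel"}

# Constructed sample. The key=value layout, host names and port are assumptions.
SAMPLE = """\
WebTitanServers = http://dnsproxy.example.internal:8080/, dnsproxy2
EnumSessIntS = 30
TTLmin = 60
LogMinLevel = 0
"""

def parse(text):
    """Read key=value lines; skip blanks, comments and [section] headers."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#;[" or "=" not in line:
            continue
        key, value = line.split("=", 1)
        settings[key.strip()] = value.strip()
    return settings

def lint(settings):
    """Return findings for settings that contradict the guide's descriptions."""
    findings = []
    urls = [u.strip() for u in settings.get("WebTitanServers", "").split(",")]
    urls = [u for u in urls if u]
    if not urls:
        findings.append("WebTitanServers: required, but missing or empty")
    for url in urls:
        parts = urlsplit(url)
        if parts.scheme not in ("http", "https") or not parts.hostname:
            findings.append(f"WebTitanServers: not a URL: {url}")
    for key, value in settings.items():
        if key not in DEFAULTS and key not in OTHER_KEYS:
            findings.append(f"{key}: not a parameter listed in the guide")
        elif key in DEFAULTS and not (value.isdigit() and int(value) > 0):
            findings.append(f"{key}: expected a positive integer, got {value!r}")
    enum_s = settings.get("EnumSessIntS", "")
    if enum_s.isdigit() and int(enum_s) > DEFAULTS["EnumSessIntS"]:
        findings.append("EnumSessIntS: above 10 s, short-lived sessions may be missed")
    if settings.get("LogMinLevel") == "0":
        findings.append("LogMinLevel: 0 enables full debugging")
    return findings
```

Running `lint(parse(SAMPLE))` flags the bare host name, the misspelled `TTLmin`, the raised enumeration interval and the debug level.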

    Route all DNS traffic via the WebTitan DNS Proxy

    In order to report and enforce policies on user activity, all DNS traffic from all clients on the network must be routed through the WebTitan DNS Proxy. If using DHCP, then this can be easily accomplished by changing the DNS settings for DHCP. You will have to wait until client computers renew their lease before the new settings are applied, or until a user logs in.


    If you have any questions or would like some assistance with set up, one of our engineers will be happy to help.

    Please contact us by email at helpdesk@webtitan.com or Tel: +1 813 501 3610 (US), +44 2037341040 (UK) or +353 91 545555 (IRL).
