KB Article | Forcepoint Support

Problem Description

I am having identification issues, but I'm not sure how the Forcepoint software is getting the user names.

Resolution

Several types of user identification can coexist in an environment. When more than one is present, one is always the primary method and the others act as secondary or failover methods for Active Directory users. Knowing how users are being filtered helps locate which identification method is actually in use.


Hybrid (Cloud Web)

If Web Hybrid is in use so that users can be filtered while outside the office, identification issues may arise in different places depending on where the user is currently located.
  1. Are users at a filtered location? If so, the issue is not related to the Web Hybrid endpoint but to the on-premises solution, as described below (Windows Server Only, Windows Server + Content Gateway).
  2. Are users away from any filtered location where an on-premises solution such as Content Gateway or Windows Standalone exists? If so, the issue is the user sync coming from the Directory Agent service. Please see Hybrid error message 3002: "Duplicate email address" and Hybrid error message 3004: "Not Found For Modification or Deletion".


Windows Server Only (Standalone)

This applies when only Windows server(s) are in use, running Network Agent and/or a Filtering Service that is integrated with another product such as Microsoft TMG or a Citrix virtual desktop solution.

Check the Triton Manager user interface for Windows server identification by clicking Settings > General > User Identification.

Options that might be present: 
  • DC Agent (Windows-based, with Active Directory)
  • Logon Agent (Windows-based, with Active Directory)
  • Radius (Windows-based, with a Radius server)
  • Novell eDirectory (Windows-based, with a Novell eDirectory server)

Note: Logon Agent requires an exe and bat file(s) to have been deployed via GPO to the computers in the deployment. If this step was not done and DC Agent is the other identification method present, then DC Agent is the one in use. This can be checked by looking for LogonApp.exe installed on the user's computer. Both identification types may be present, as DC Agent takes over for any computer that does not have the exe and bat file present.
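As an added example (not from the Forcepoint article), the PowerShell helper below performs the LogonApp.exe check described above on one or more workstations and reports which identification method is likely serving each one. The function name, the candidate install folders, and the use of WinRM (Invoke-Command) for remote machines are assumptions; adjust the search roots to match where your GPO deploys the files.

```powershell
# Added example, not Forcepoint code: check whether the Logon Agent client
# (LogonApp.exe) is present on workstations. Per the article, a computer without
# the GPO-deployed exe/bat files falls back to DC Agent when both are configured.
#
# Assumptions not stated in the article: the install location of LogonApp.exe
# varies by deployment, so $SearchRoots is a list of candidate folders you supply;
# remote checks use WinRM and require administrative rights on the target.

function Test-LogonAgentPresence {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [string[]]$ComputerName,

        # Placeholder defaults; replace with the folder(s) your GPO script uses.
        [string[]]$SearchRoots = @("$env:ProgramFiles", "${env:ProgramFiles(x86)}", "$env:SystemRoot")
    )

    $scriptBlock = {
        param($roots)

        # 1. Is the client running right now? A running LogonApp process is the
        #    strongest sign that Logon Agent is identifying this session.
        $proc = Get-Process -Name 'LogonApp' -ErrorAction SilentlyContinue

        # 2. Is the binary on disk (deployed, even if not running at this moment)?
        $found = foreach ($root in $roots) {
            if (Test-Path -LiteralPath $root) {
                Get-ChildItem -LiteralPath $root -Filter 'LogonApp.exe' -Recurse -File -ErrorAction SilentlyContinue |
                    Select-Object -First 1
            }
        }
        $file = $found | Select-Object -First 1

        [pscustomobject]@{
            ComputerName      = $env:COMPUTERNAME
            LogonAppRunning   = [bool]$proc
            LogonAppPath      = if ($file) { $file.FullName } else { $null }
            # Interpretation mirrors the article: no exe means DC Agent (if configured) is in use.
            LikelyIdentMethod = if ($proc -or $file) { 'Logon Agent' } else { 'DC Agent (fallback) or none' }
        }
    }

    foreach ($computer in $ComputerName) {
        try {
            if ($computer -eq $env:COMPUTERNAME -or $computer -eq 'localhost') {
                & $scriptBlock $SearchRoots
            } else {
                Invoke-Command -ComputerName $computer -ScriptBlock $scriptBlock -ArgumentList (,$SearchRoots) -ErrorAction Stop
            }
        } catch {
            # Unreachable hosts are reported rather than silently skipped.
            [pscustomobject]@{
                ComputerName      = $computer
                LogonAppRunning   = $null
                LogonAppPath      = $null
                LikelyIdentMethod = "Unknown (unreachable: $($_.Exception.Message))"
            }
        }
    }
}

# Usage: check the local machine plus the workstations named in the ticket
# (placeholder names; substitute the real hostnames).
Test-LogonAgentPresence -ComputerName 'localhost', 'WS-PLACEHOLDER-01', 'WS-PLACEHOLDER-02' |
    Format-Table -AutoSize
```

A recursive search of the whole Program Files tree can take a while on a large workstation; once you know the deployment folder, pass it as the only search root to keep the check fast.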


Windows Server + Content Gateway (Proxy)

When a Content Gateway is present, either the proxy or the Windows server can be handling identification.
  1. Check the Content Gateway for Authentication by clicking Configure > My Proxy > Basic.
  2. Check what option is selected as on.
Options that might be present:
  • Integrated Windows Authentication (IWA)
  • LDAP
  • Radius
  • Legacy NTLM
  • Rule-Based Authentication
If IWA or Rule-Based Authentication is present:
  1. In the Content Gateway click Configure > Security > Access Control.
  2. Make sure the IP and/or subnets for the users in question are not present on this page. If so, they are being bypassed and are not using this method of identification.
If the users are bypassed, or the Content Gateway authentication options are not in use:

Check the Triton Manager user interface for Windows server identification by clicking Settings > General > User Identification.

Options that might be present: 
  • DC Agent (Windows-based, with Active Directory)
  • Logon Agent (Windows-based, with Active Directory)
  • Radius (Windows-based, with a Radius server)
  • Novell eDirectory (Windows-based, with a Novell eDirectory server)
