• Troubleshoot the User Agent
  • Replace the Version 2.4 or Later User Agent with Version 2.3
  • The User Agent Configuration Process

    To use Version 2.5 of the user agent to collect user login data from up to five Microsoft Active Directory servers and send it to Management Centers, you must install it, connect it to each Management Center and Microsoft Active Directory server, and configure general settings. For more information, see the following sections:

    Set Up a User Agent

    Setting up a user agent is a multi-step configuration.

    To set up a user agent:


    Step 1blank.gif Configure each Management Center to do the following:

    Step 2blank.gif Configure the Active Directory server to log events for the user agent to communicate to the Management Center. For more information, see Configure the Active Directory Server.

    Step 3blank.gif Configure each computer on the domain to allow Windows Management Instrumentation (WMI) through the firewall for the domain. For more information, see Configure Domain Computers.

    Step 4blank.gif Install the prerequisite programs on the computer where you will install the agent. Set up the computer’s TCP/IP access to the Active Directory server. For more information, see Prepare the Computer for User Agent Installation.

    Step 5blank.gif If you have a previous user agent installation, optionally back up the agent database to retain configuration settings. For more information, see Back Up User Agent Configurations.

    Step 6blank.gif Configure permissions necessary to allow the agent to connect to an Active Directory server. For more information, see:

    Step 7blank.gif Install the agent on the computer.

    Step 8blank.gif Configure connections to one or more Microsoft Active Directory servers.

    Step 9blank.gif (Optional.) Configure a polling interval and maximum poll length for the agent. For more information, see Configure User Agent Active Directory Server Connections.

    Step 10blank.gif Make sure you have an available DNS server to resolve the user agent’s host before you set up the user agent identity source on the FMC.

    Failure to set up DNS properly prevents the FMC from connecting to a user agent using its host name.

    Step 11blank.gif Configure connections to up to five Management Centers. For more information, see Configure User Agent Management Center Connections.

    Step 12blank.gif (Optional.) Configure a list of user names and IP addresses to exclude from polling for login and logoff data. For more information, see:

    Step 13blank.gif (Optional.) Configure the agent logging settings. For more information, see Configure User Agent Logging Settings.

    Step 14blank.gif (Optional.) Configure the agent name, start and stop the service, and view the service’s current status. For more information, see Configure General User Agent Settings.

    Step 15blank.gif Click Save to save the user agent configuration.

    caut.gif

    Caution blank.gif Do not modify the user agent maintenance settings unless Cisco TAC directs you to do so.


     

    Management Center Configurations

    This section discusses how to prepare the Management Center to receive user data from the user agent.

    note.gif

    Noteblank.gif Version 2.4 of the user agent works only with the Firepower Management Center version 6.2.3 or later. If you have issues with the user agent and your version of the Firepower Management Center, you can replace the version 2.4 user agent with the version 2.3 user agent as discussed in Troubleshoot the User Agent.


    Configure a Version 6.2.3 or Later Management Center to Connect to User Agents

    To use Version 2.5 of the user agent to send login data to your Version 6.2.3 or later Management Centers, you must configure all of the following:

    • Configure each Management Center to allow connections from the agents you plan to connect to your servers. That connection allows the agent to establish a secure connection with the Management Center, over which it can send data.

    For more information about establishing this connection, see Configuring a User Agent Connection in the Version 6.x Firepower Management Center Configuration Guide.

    • To implement user access control, you must configure and enable a connection between the Management Center and at least one of your organization’s Microsoft Active Directory servers. In Version 6.x, this is called a realm.

    Realms contain connection settings and authentication filter settings for servers. The connection’s user download settings specify the users and groups you can use in access control rules. For more information about this configuration, see Creating a Realm in the Version 6.x Firepower Management Center Configuration Guide.

    Configure the Active Directory Server

    This section discusses how to verify that the Active Directory security logs are enabled so the Active Directory server can record login data to these logs.

    Configure the Active Directory Server for Logging

    To verify the Active Directory server is logging login data:


    Step 1blank.gif On the Active Directory server, click Start > [All Programs] > Administrative Tools > Event Viewer.

    Step 2blank.gif Click Windows Logs > Security.

    If logging is enabled, the Security log is displayed. If logging is disabled, see How to configure Active Directory and LDS diagnostic event logging on MSDN for information on enabling security logging.

    Step 3blank.gif Allow WMI through the firewall on the Active Directory server. If the Active Directory server is running Windows Server 2008 or Windows Server 2012, see Setting up a Remote WMI Connection on MSDN or more information.


     

    To enable auditing of logon/logoff events on Windows 2012 Server:


    Step 1blank.gif Click Start > Administrative Tools > Group Policy Management.

    Step 2blank.gif In the navigation pane, expand Forest: YourForestName, expand Domains > YourDomainName > Group Policy Objects.

    Step 3blank.gif Right-click Default Domain Policy and click Edit.

    Step 4blank.gif Browse to Computer Configuration > Policies > Windows Settings > Security Settings > Advanced Audit Policy Configuration > Audit Policies > Logon/Logoff.

    Step 5blank.gif In the right pane, double-click Audit Logoff.

    Step 6blank.gif In the Edit Logoff Properties dialog box, check Configure the following audit events and Success.

    Step 7blank.gif Click OK.

    Step 8blank.gif Repeat the same task for Audit Logon.


     

    note.gif

    Noteblank.gif The user agent does not report logoff events identified by Windows Security Log event 4634. The user agent uses a remote Windows Management Instrumentation (WMI) call to query domain computers for logoffs.


    Enable Idle Session Timeouts

    This section discusses how to optionally enable idle session timeouts in group policy. This helps prevent the agent from detecting and reporting extraneous logins due to multiple sessions on a host.

    Terminal Services (Windows Server versions up to 2008) allows multiple users to log into a server at the same time. Enabling idle session timeouts helps reduce the instances of multiple sessions logged into a server.

    Remote Desktop Services (Windows Server versions 2012 and later) allows one user at a time to remotely log into a workstation. However, if the user disconnects from the Remote Desktop session instead of logging out, the session remains active. Without user input, the active session eventually idles.

    If another user logs into the workstation using Remote Desktop Services while one session is idle, it’s possible that two logins are reported to the Management Center. Enabling idle session timeouts causes those sessions to terminate after the defined idle timeout period, which helps prevent multiple remote sessions on a host.

    Citrix sessions function similarly to Remote Desktop Services sessions. Multiple Citrix user sessions can be running on a computer at once. Enabling idle session timeouts helps prevent multiple Citrix sessions on a host, reducing extraneous login reporting.

    Note that depending on the configured session timeout, there might still be situations where multiple sessions are logged into a computer.

    Enable Terminal Services Session Timeout

    This section applies to Windows Server versions up to 2008.

    To enable Terminal Services session timeout, update the group policy settings for idle Terminal Services session timeout and disconnected Terminal Services session timeout for Windows Server 2008 or Windows Server 2012, as discussed in Configure Timeout and Reconnection Settings for Terminal Services Sessions on Microsoft TechNet.

    The paths in the Group Policy Object manager are:

    Computer Configuration\Administrative Templates\Windows Components\Terminal Services\Terminal Server\Session Time Limits
    User Configuration\Administrative Templates\Windows Components\Terminal Services\Terminal Server\Session Time Limits

    Set session timeouts shorter than the user agent’s logoff check frequency so idle and disconnected sessions have a chance to time out before the next logoff check. If you have a mandatory idle session or disconnected session timeout, set the user agent’s logoff check frequency longer than the session timeout. For more information on configuring the logoff check frequency, see Configure General User Agent Settings.

    When you’re done, continue with Configure the User Agent Computers.

    Enable Remote Desktop Session Timeout

    This section applies to Windows Server versions 2012 and later.

    To enable Remote Desktop session timeout, update the group policy settings for idle remote session timeout and disconnected session timeout. See Session Time Limits on Microsoft TechNet for more information on enabling the session timeouts.

    Set Remote Desktop timeouts shorter than the user agent’s logoff check frequency so idle and disconnected sessions have a chance to time out before the next logoff check. If you have a mandatory idle session or disconnected session timeout, set the user agent’s logoff check frequency longer than the Remote Desktop timeout. For more information on configuring the logoff check frequency, see Configure General User Agent Settings.

    The path in the Group Policy Object editor is:

    User Configuration\Policies\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Session Time Limits

    When you’re done, continue with Configure the User Agent Computers.

    Enable Citrix Session Timeout

    To enable Citrix session timeout, consult Citrix’s documentation at http://support.citrix.com/

    Configure Domain Computers

    To enable the user agent to send logoff events to the Management Center, you must allow WMI traffic through the firewall on every computer that connects to the domain.

    You have the following options:

    Configure the User Agent Computers

    After you have prepared the Management Center and the Active Directory server, prepare the computers on which you will install and configure the agent.

    note.gif

    Noteblank.gif For the user agent to provide visibility for logins and logoffs for all computers in your Active Directory domain, you must configure the user agent on every domain controller. For example, if your Active Directory domain has five domain controllers—each installed on a different host—you must install and configure the user agent software five times, one on each domain controller.


    Prepare the Computer for User Agent Installation

    You can install the user agent on a Windows computer that meets the requirements discussed in this section.

    Computer Configurations

    The computer can be any of the following:

    • (Recommended.) A computer on a trusted network that can access the Active Directory server. This computer should be available only to network administrators.

    We recommend this installation method because it’s the most secure.

    • The Active Directory server.

    Prerequisites for Installing the User Agent

    The Windows computer must meet the following prerequisites:

    • The computer is running Windows Vista, Windows 7, Windows 8, Windows Server 2008, or Windows Server 2012. For security reasons, we recommend you install the user agent on a domain computer and not on the Active Directory server computer.
    • The computer has Microsoft.NET Framework Version 4.0 Client Profile and Microsoft SQL Server Compact (SQL CE) Version 4.0 installed.

    blank.gif The Microsoft.NET Framework Version 4.0 Client Profile redistributable package is available from the Microsoft download site ( dotNetFx40_Client_x86_x64.exe).

    blank.gif SQL Server Compact 4 is available from the Microsoft download site

    note.gif

    Noteblank.gif If you do not have the.NET Framework, when you start the agent executable file (setup.exe), it prompts you to download it. See Install the User Agent for more information.


    • Create a user to run the user agent as discussed in Create a User for the User Agent.
    • The computer has TCP/IP access to the Active Directory servers you want to monitor, and uses the same version of the Internet Protocol as the Active Directory servers. If the agent is monitoring the Active Directory servers real time, the computer’s TCP/IP access must be on at all times to retrieve login data.
    note.gif

    Noteblank.gif If you install the user agent on Windows Server 2003 or an older operating system, the user agent cannot collect real time statistics from an Active Directory computer.


    • The computer has TCP/IP access to the Management Centers where you want to report data and an IPv4 address.
    • The computer has an IPv6 address, to detect logoffs from hosts with IPv6 addresses, or an IPv4 address, to detect logoffs from hosts with IPv4 addresses.
    • The computer does not have a legacy agent or Version 2.x agent already installed. Because these agents do not automatically uninstall, to uninstall an existing agent, use Add/Remove Programs in the Windows Control Panel.
    caut.gif

    Caution blank.gif If you have a previous version of the user agent installed, you must back up the database to retain configuration settings.

    Continue with Create a User for the User Agent.

    Create a User for the User Agent

    To be able to run the user agent with the minimum necessary permissions, you must create a user account for the user agent:

    • If you’re upgrading an older version of the user agent, this step isn’t necessary.

    In that case, see Back Up User Agent Configurations.

    • To run the user agent on a computer separate from the Active Directory server, the user must be a domain user.
    • To run the user agent on the Active Directory server, the user should be a local account.

    To create a user:


    Step 1blank.gif Log in to the Active Directory server as a member of the Domain Admins group.

    Step 2blank.gif To run the user agent on the Active Directory server, create a local user account. (This account must be in the Domain Admins group but the user does not need to be in the Administrators group.)

    Skip the remaining steps in this section and continue with Give the User Privileges.

    Step 3blank.gif To create a domain user so you can run the user agent on a separate computer, click Start > Active Directory Users and Computers.

    Step 4blank.gif In the left pane, expand the domain and folder in which to add the user.

    Step 5blank.gif Right-click the folder in which to add the user.

    Step 6blank.gif From the pop-up menu, click New > User.

    Step 7blank.gif Follow the prompts on your screen to create the domain user and to give the user a strong password.

    caut.gif

    Caution blank.gif For security reasons, make sure this user account is known only to network administrators.


     

    Give the User Privileges

    This section discusses the following possibilities:

    • Adding a local user to the Domain Admins group on the Active Directory server.

    This method is easy but it’s not recommended because it’s less secure. See Give Privileges to a Local User.

    Give Privileges to a Local User

    To run the user agent on the Active Directory server, you must add the user to the Domain Admins group. To make the user agent easier to install, you can optionally add it to the Administrators group as well.

    Give Limited Privileges to a Domain User (Summary)

    This section provides a summary of the tasks required to give a domain user minimal privileges to run the user agent. For an example, see Give Limited Privileges to a Domain User (Step-by-Step Example).

    To give a domain user limited privileges:


    Step 1blank.gif Log in to the Active Directory server as a member of the Domain Admins group.

    Step 2blank.gif Add the user agent user to the following groups:

    • Distributed COM Users
    • Event Log Readers

    Step 3blank.gif Use the Windows Management Instrumentation (WMI) Control console to give the user the following permissions to the Root\CIMV2 node as discussed on Microsoft TechNet :

    • Execute Methods
    • Enable Account
    • Remote Enable
    • Read Security

    Step 4blank.gif Enable the user agent to use real time processing of the Active Directory server.

      • Create a Group Policy Object (GPO) security policy for the Windows firewall rule to allow inbound network traffic to Remote Procedure Call (RPC) Endpoint Mapper service as discussed on Microsoft TechNet.
      • Create a GPO security policy for the Windows firewall rule to allow inbound traffic on random RPC ports as discussed on Microsoft TechNet.

    For more information about real time processing, see Configure User Agent Active Directory Server Connections.

    Step 5blank.gif Update your Group Policy Object (GPO) policies using the gupdate /force command or an equivalent method.


     

    Give Limited Privileges to a Domain User (Step-by-Step Example)

    This section provides a step-by-step example of giving a domain user minimal privileges to run the user agent.

    To follow the procedure in this section, we assume your system uses:

    • Windows Server 2012
    • User agent user name is limited.ua
    • Domain name is sesame.example.com
    • User agent connects to one Active Directory server and one Firepower Management Center
    • User agent processes events from the Active Directory server in real time

    Give the User Windows Management Instrumentation (WMI) Permissions

    This section discusses how to give the domain user WMI privileges to the Root > CIMV2 node on the Active Directory server so the user can retrieve logoff events from domain computers.

    To give a domain user WMI permissions:


    Step 1blank.gif Log in to the Active Directory server as a member of the Domain Admins group.

    Step 2blank.gif Add the user agent user to the following groups:

    • Distributed COM Users
    • Event Log Readers

    Step 3blank.gif Click Start and enter wmimgmt.msc.

    Step 4blank.gif Right-click Console Root > WMI Control (Local) and click Properties.

    Step 5blank.gif In the WMI Control (Local) Properties dialog box, click the Security tab.

    Step 6blank.gif Click Root > CIMV2.

    Step 7blank.gif Click Security.

    Step 8blank.gif In the Security for ROOT\CIMV2 dialog box, click Add.

    Step 9blank.gif In the Enter object names to select field, enter limited.ua and click Check Names.

    Windows locates the user name and displays it in the field.

    Step 10blank.gif Click OK.

    Step 11blank.gif Give the user the following permissions:

    • Execute Methods
    • Enable Account
    • Remote Enable
    • Read Security

    Step 12blank.gif In the Security for Root\CIMV2 dialog box, click OK.

    Step 13blank.gif In the WMI Control Properties dialog box, click OK.


     

    Test WMI Permissions

    After giving the user agent user WMI permissions on the Active Directory server, you should test the permissions from the computer on which you will install the user agent.

    To test WMI permissions:


    Step 1blank.gif Log in to the domain computer on which you’ll install the user agent.

    Step 2blank.gif In the search field, enter wbemtest. (In some versions of Windows, you must click Start first.)

    Step 3blank.gif In the Windows Management Instrumentation Tester dialog box, click Connect.

    Step 4blank.gif In the Connect dialog box, enter the following information:

      • Namespace field: Enter the name of the Active Directory server and path using the format: \\ namespace \root\cimv2. In this example, enter \\sesame.example.com\root\cimv2
      • Credentials field: Enter the user name in the format domain \ username in the User field and the user’s password in the Password field. In this example, the user name is sesame\limited.ua
      • There is typically no need to change the other options in this dialog box.

    Step 5blank.gif Click Connect.

    If the connection is successful, the Windows Management Instrumentation Tester dialog box is displayed as follows.

     

    421703.jpg

    If errors are displayed, try the following:

    • The RPC server is unavailable indicates either a bad namespace or the Active Directory server is inaccessible (network problems, server is down, and so on).
    • Access is denied indicates a bad user name or password.

    Step 6blank.gif If the test is successful, click Query.

    Step 7blank.gif In the Query dialog box, enter the following:

    select * from Win32_NTLogEvent where Logfile = 'Security' and (EventCode=672 or EventCode=4768 or EventCode=538 or EventCode=4364 or EventCode=528 or EventCode=4624 or EventCode=4634) and TimeGenerated > "date-code"

    date-code is a Microsoft time and date code in the format YYYYMMDDHHMMSS. fractionalSecond-utc_timezone_offset

    For example, to query from May 1, 2017 at midnight in the US Central time zone (UTC - 6 hours), enter the following:

    select * from Win32_NTLogEvent where Logfile = 'Security' and (EventCode=672 or EventCode=4768 or EventCode=538 or EventCode=4364 or EventCode=528 or EventCode=4624 or EventCode=4634) and TimeGenerated > " 20170501000000.000000-600 "

    Step 8blank.gif From the Query Type list, click WQL.

    Step 9blank.gif Click Apply.

    The query is displayed in a new dialog box.

    If the errors Invalid class or Invalid query are displayed, check the command syntax and try again. If no results are displayed, check your date code.

    Step 10blank.gif When you’re finished viewing the logs, click Close.

    Step 11blank.gif In the Windows Management Instrumentation Tester dialog box, click Exit.


     

    Allow the User Agent to Access Distributed Component Object Management (DCOM)

    This section discusses how to allow DCOM access so the user agent can remotely access objects on the Active Directory server.

    To give the user DCOM access:


    Step 1blank.gif Log in to the Active Directory server as member of the Domain Admins group.

    Step 2blank.gif Click Start > [ Run ], and enter dcomcnfg, then press Enter.

    Step 3blank.gif In the Component Services window, click Component Services > Computers.

    Step 4blank.gif Right-click My Computer and click Properties.

    Step 5blank.gif In the My Computer Properties dialog box, click the COM Security tab.

    Step 6blank.gif Under Launch and Activation Permissions, click Edit Limits.

    Step 7blank.gif In the Launch and Activation Permissions dialog box, click Add.

    Step 8blank.gif In the Enter the object names to select field, enter limited.ua and click Check Names.

    Step 9blank.gif If the name matches, click OK.

    Step 10blank.gif Grant the user the Remote Launch and Remote Activation permissions.

    Step 11blank.gif In the Launch and Activation Permissions dialog box, click OK.

    Step 12blank.gif In the My Computer Properties dialog box, click OK.


     

    To update Group Object Policy to allow access to the Active Directory security log:


    Step 1blank.gif Click Start > [All Programs] > Administrative Tools > Group Policy Management.

    Step 2blank.gif In the navigation pane, expand Forest: YourForestName, expand Domains > YourDomainName > Group Policy Objects.

    Step 3blank.gif Right-click Default Domain Policy and click Edit.

    Step 4blank.gif Browse to Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > User Rights Assignment.

    Step 5blank.gif In the right pane, double-click Manage auditing and security log.

    The following figure shows an example.

     

    421704.jpg

    Step 6blank.gif Check Define these policy settings.

    Step 7blank.gif Click Add User or Group.

    Step 8blank.gif In the User and group names field, either enter the user agent user name or click Browse to locate it.

    Step 9blank.gif In the Manage auditing and security log Properties dialog box, click OK.


     

    Create Group Policy Object Rules for the Windows Firewall

    This section is required for the user agent to use real time event processing for the Active Directory server. For more information about real time event processing, see Configure User Agent Active Directory Server Connections.

    To allow inbound remote procedure call (RPC) network traffic, use the Windows Firewall with Advanced Security node in Group Policy Management to create two firewall rules:

    • The first rule allows incoming traffic to the RPC Endpoint Mapper service, which responds with a dynamically assigned port number that the client must use to communicate with the service.
    • The second rule allows network traffic that is sent to the dynamically assigned port number.

    Using the two rules helps to protect your computer by allowing network traffic only from computers that have received RPC dynamic port redirection and to only those port numbers assigned by the RPC Endpoint Mapper.

    Perform the tasks discussed in the following procedures on every Active Directory server to which the user agent requires access.

    To create a GPO firewall rule to allow RPC traffic:


    Step 1blank.gif If you haven’t done so already, log in to your Active Directory server as a member of the Domain Admins group.

    Step 2blank.gif Choose Start > Administrative Tools.

    Step 3blank.gif In the Administrative Tools window, double-click Group Policy Management.

    Step 4blank.gif In the navigation pane, expand Forest: YourForestName, expand Domains, > YourDomainName > Group Policy Objects, right-click the GPO you want to modify, and then click Edit.

    Typically, you should edit the Default Domain Policy.

    Step 5blank.gif In the left pane, expand Computer Configuration > Policies > Windows Settings > Security Settings > Windows Firewall with Advanced Security > Windows Firewall with Advanced Security.

    The following figure shows an example.

     

    421705.jpg

    Step 6blank.gif Right-click Inbound Rules and click New Rule.

    Step 7blank.gif In the New Inbound Rule Wizard dialog box, click Custom and click Next.

    Step 8blank.gif Click This program path, and then enter %systemroot%\system32blank.gif\svchost.exe

    Step 9blank.gif Next to Services, click Customize.

    The following figure shows an example.

     

    421706.jpg

    Step 10blank.gif In the Customize Service Settings dialog box, click Apply to this service, select Remote Procedure Call (RPC) with a short name of RpcSs, and click OK.

    Step 11blank.gif Click Next. You are required to confirm the action.

    Step 12blank.gif On the Protocol and Ports dialog box, for Protocol type, click TCP.

    Step 13blank.gif For Local port, choose RPC Endpoint Mapper, and then click Next.

    Step 14blank.gif On the Scope page, in the Which remote IP addresses does this rule apply to? section, choose These IP addresses, click Add, and enter the user agent computer’s IP address.

    Step 15blank.gif Click Next.

    Step 16blank.gif On the Action page, select Allow the connection, and then click Next.

    Step 17blank.gif On the Profiles page, check only Domain and click Next.

    Step 18blank.gif On the Name page, enter a name to identify this rule and click Finish.


     

    To create a GPO rule to allow dynamically-mapped ports:


    Step 1blank.gif Complete steps 1 through 4 in Create Group Policy Object Rules for the Windows Firewall.

    Step 2blank.gif In the New Inbound Rule Wizard dialog box, click Custom and click Next.

    Step 3blank.gif Click This program path, and then enter %systemroot%\system32blank.gif\svchost.exe

    Step 4blank.gif Next to Services, click Customize.

    Step 5blank.gif In the Customize Service Settings dialog box, click Apply to this service, select Windows Event Log with a short name of EventLog, and click OK.

    Step 6blank.gif Click Next. You are required to confirm the action.

    Step 7blank.gif On the Protocol and Ports dialog box, for Protocol type, click TCP.

    Step 8blank.gif For Local port, click RPC Dynamic Ports, and then click Next.

    Step 9blank.gif On the Scope page, click These IP addresses, click Add, and enter the user agent computer’s IP address.

    Step 10blank.gif Click Next.

    Step 11blank.gif On the Action page, click Allow the connection and click Next.

    Step 12blank.gif On the Profiles page, check only Domain and click Next.

    Step 13blank.gif On the Name page, enter a name to identify this rule and click Finish.


     

    To apply the GPO policies:


    Step 1blank.gif Apply the new GPO policies using the command gpupdate /force or an equivalent method.

    For more information about applying GPO policies, see the following references:

    note.gif

    Noteblank.gif You must run the gpupdate /force command using elevated permissions. Either log in to the Active Directory server as Administrator or run the command prompt as administrator. (Right-click the command prompt shortcut and click Run as Administrator.)



     

    Back Up User Agent Configurations

    If you have an earlier version of the user agent installed, installing a newer version of the user agent removes your existing configuration. To preserve these configuration settings, back up the database before installing the newer version of the user agent.

    note.gif

    Noteblank.gif If you have Version 2.2 or later of the user agent installed, you do not need to back up the database. Configuration settings are automatically imported when you install a newer version of the user agent. Continue with Install the User Agent.


    To retain your configuration settings:


    Step 1blank.gif On the computer where you installed the agent, click Start > Programs > Cisco > Configure Cisco Firepower User Agent for Active Directory.

    Step 2blank.gif Click the stop button (373715.tif) to stop the agent service.

    Step 3blank.gif Locate CiscoUserAgent.sdf on the computer where the agent is installed, and copy the file locally.

    note.gif

    Noteblank.gif If you are updating from Version 2.2 or before, locate and copy SourcefireUserAgent.sdf. Make copy of the file and rename the copy to CiscoUserAgent.sdf.


    Step 4blank.gif Uninstall the Cisco User Agent using the Control Panel’s Add/Remove Programs option. Remove the agent.

    Step 5blank.gif Install the latest version of the user agent. See Install the User Agent for more information.

    Step 6blank.gif On the computer where the agent is installed, select Start > Programs > Cisco > Configure Cisco Firepower User Agent for Active Directory.

    Step 7blank.gif Click the stop button (373715.tif) to stop the agent service.

    Step 8blank.gif Locate CiscoUserAgent.sdf on the computer where the latest version of the agent is installed. Replace the current file with the local backup made from the previous version of the agent.

    Step 9blank.gif On the computer where the latest version of the agent is installed, select Start > Programs > Cisco > Configure Cisco Firepower User Agent for Active Directory.

    Step 10blank.gif Click 373714.tif to start the service.

    Continue with Install the User Agent.


     

    Install the User Agent

    After you configure permissions to connect to the Active Directory server, and after you configure idle remote session timeouts, install the agent.

    caut.gif

    Caution blank.gif If you have a previous version of the user agent installed, to retain configuration settings, you must complete a backup of the database before installation. For more information, see Back Up User Agent Configurations.

    By default, the agent runs as a service using the Local System account. If the Windows computer where the agent is running is connected to the network, the service continues to poll and send user data even if a user is not actively logged in to the computer.

    For each agent, you can configure connections to one or more Active Directory servers and up to five Management Centers. Before you add a Management Center connection, make sure you add the agent to the Management Center configuration. For more information, see:

    For more information about deploying more than one user agent, see Deploy Multiple User Agents.

    In a high availability configuration, add both Management Centers to the agent to enable update of user login data to both the primary and the secondary so the data remains current on both.

    To install the user agent:


    Step 1blank.gif Log in as the user you created in Create a User for the User Agent to the Windows computer on which to install the user agent:

    • If you are upgrading an older version of the user agent, log in to the same computer.
    • (Recommended.) To install the user agent on a computer separate from the Active Directory server, log in to that computer.
    • To install the user agent on the Active Directory server, log in to the Active directory server as a member of the Domain Admins group, and, optionally the Administrators group.

    Step 2blank.gif Download the User Agent setup file ( Cisco_Firepower_User_Agent_for_Active_Directory_2.5-148.zip) from the Support Site.

    note.gif

    Noteblank.gif Download the compressed archive containing the user agent setup files directly from the Support Site. Do not transfer the file over email because it might become corrupted.


    Step 3blank.gif Right-click the .zip file and choose Extract All.

    Step 4blank.gif Choose a folder in which to extract the files.

    The agent requires 3 MB free on the hard drive for installation. We recommend you allocate 4 GB on the hard drive for the agent local database.

    Step 5blank.gif In the folder to which you extracted the files, double-click setup.exe.

    note.gif

    Noteblank.gif Double-click setup.exe and not setup.msi. setup.msi does not check for prerequisite software before installing the user agent, which could result in errors installing or running the agent.


    tip.gif

    Tip If you are using an account that is not a member of the Administrators group and do not have permissions to install new applications on the Windows computer, you must elevate to a user that does belong to the Administrators group to have the appropriate permissions to start the installation. To access the escalation option, right click the setup.exe file and click Run As. Select an appropriate user and supply the password for that user.


    Step 6blank.gif You must accept the license agreements to continue the installation.

    Step 7blank.gif If you do not have the Microsoft.NET Framework Version 4.0 Client Profile and SQL Server Compact 4.0 on the Windows computer where you install the agent, you are prompted to download the appropriate files. Download and install the files.

    Step 8blank.gif Follow the prompts in the wizard to install the agent.

    If User Account Control is enabled on the computer, you must answer Yes to every prompt requesting permission to make changes.

    Step 9blank.gif To begin configuring the agent, see Configure the User Agent.


     

    Configure the User Agent

    After the agent is installed, you can configure it to receive data from Active Directory servers, report the information to Management Centers, exclude specific user names and IP addresses from the reporting, and log status messages to a local event log or the Windows application log.

    To configure the agent:

    Access: Any


    Step 1blank.gif On the computer where you installed the agent, select Start > All Programs > Cisco > Configure Cisco Firepower User Agent for Active Directory.

    The following table describes the actions you can take when configuring the agent and where to configure them.

     

    Table 2-1 User Agent Configuration Actions

    To...
    You can...

    Change the agent name, change the logoff check frequency, start and stop the service, and set a scheduling priority

    Click the General tab. See Configure General User Agent Settings for more information.

    Add, modify, or remove Active Directory servers, enable real time Active Directory server data retrieval, and modify the Active Directory server polling interval and maximum poll length

    Click the Active Directory Servers tab. See Configure User Agent Active Directory Server Connections for more information.

    Add or remove Management Centers or change the Management Center password

    Click the Firepower Management Centers tab. See Configure User Agent Management Center Connections for more information.

    Add, modify, or remove user names excluded from reporting

    Click the Excluded Usernames tab. See Configure User Agent Excluded Username Settings for more information.

    Add, modify, or remove IP addresses excluded from reporting

    Click the Excluded Addresses tab. See Configure User Agent Excluded Addresses Settings for more information.

    View, export, and clear the event log, log to Windows application logs, and modify how long messages should be kept

    Click the Logs tab. See Configure User Agent Logging Settings for more information.

    Perform troubleshooting and maintenance tasks, as directed by Cisco TAC

    Click the Logs tab, enable Show Debug Messages in Log, then select the Maintenance tab. See Configure User Agent Maintenance Settings for more information.

    Save changes to the agent settings

    Click Save. A message is displayed informing you when you have unsaved changes.

    Close the agent without saving changes to the agent settings

    Click Cancel.

    Configure User Agent Active Directory Server Connections

    You can add connections to one or more Active Directory servers from a user agent, and configure the following:

    • Whether the agent retrieves login and logoff data real time or polls the Active Directory servers at regular intervals for data.
    • How often the agent polls for user activity data, or attempts to establish or re-establish a real time connection with an Active Directory server if the connection is lost.
    • What IP address the agent reports for logins to the Active Directory server itself.
    • How much login and logoff data the agent retrieves when it establishes or re-establishes a connection with an Active Directory server.

    When a user agent is configured to retrieve data real time and real time monitoring is unavailable, the agent instead attempts to poll the Active Directory servers for data until real time monitoring is again available.

    tip.gif

    Tipblank.gif If your user agent retrieves significant amounts of user activity, We recommend configuring polling instead of real time data retrieval. In a high-activity environment, configure a 1 minute polling interval and no more than a 10 minute maximum polling length.


    Note that real time monitoring requires an Active Directory server running Windows Server 2008 or later.

    note.gif

    Noteblank.gif If you install the user agent on Windows Server 2003 or an older operating system, the user agent cannot collect real time statistics from an Active Directory computer.


    From the user agent, you can view the current Active Directory server polling status at the time the tab is selected, the last login reported to the agent, and the last time the agent polled an Active Directory server.

    You can also view whether the agent is polling an Active Directory server in real time, and the real time data retrieval status at the time the tab is selected. See the following table for more information on server statuses.

     

    Table 2-2 Active Directory Server Statuses

    Active Directory Server Status
    Polling Availability
    Real Time Availability
    available

    The server is available for polling.

    The server is available for real time data retrieval.

    unavailable

    The server is not available for polling.

    The server is not available for real time data retrieval, or the server is configured for polling.

    pending

    The server configuration is added, but communication hasn’t started yet.

    It takes some time after you add and save a server configuration for it to start communicating with the user agent. If the pending status persists, check communication between the user agent and the server.

    unknown

    The agent has started and a status is not yet available, or the agent has not yet checked the Active Directory server.

    The agent has started and a status is not yet available, or the agent has not yet checked the Active Directory server.

    note.gif

    Noteblank.gif You should not connect more than one user agent to the same Active Directory domain controller because the user agent reports extraneous logins as each detects the other's connections. If you do, configure each user agent to exclude the IP address of every other host running an agent that is polling the same Active Directory server and the user name the agent uses to log in. For more information, see Configure User Agent Excluded Addresses Settings.


    To configure Active Directory server connections:


    Step 1blank.gif If necessary, log in to the computer on which the user agent is installed.

    Step 2blank.gif Click Start > [ All ] Programs > Cisco > Configure Cisco Firepower Agent for Active Directory.

    Step 3blank.gif Click the Active Directory Servers tab.

    Step 4blank.gif You have the following options:

    • To add a new connection to a server, click Add.
    • To modify an existing connection, double-click the server name.
    • To remove an existing connection, click the server name and click Remove.

    Step 5blank.gif In the Server Name/IP Address field, enter the Active Directory server or domain controller’s fully qualified server name or IP address. To detect logins to the Active Directory server, enter the IP address.

    If the agent is installed on an Active Directory server, to add the server where you installed the agent, enter localhost as the server name. You have the option to add a user name and password. If you omit that information, you cannot detect logoffs for users authenticating to the Active Directory server. You can poll the server regardless of whether you enter a user name and password.

    note.gif

    Noteblank.gif If your Active Directory system has multiple domain controllers, enter the host name or IP address of the domain controller with which you want the user agent to communicate. (Active Directory domain controllers don’t share their security logs so you must have a separate user agent connection to each controller.) In a distributed or heavily trafficked system, you can optionally install more than one user agent as discussed in Deploy Multiple User Agents.


    Step 6blank.gif In the Authorized User and Password fields, enter a user name and password with rights to query for user login and logoff data on the Active Directory server.

    To authenticate using a proxy, enter a fully qualified user name.

    By default, the domain for the account you used to log into the computer where you installed the agent auto populates the Domain field.

    note.gif

    Noteblank.gif If your user password contains 65 or more characters, you cannot configure new server connections. To regain this functionality, shorten your password.


    Step 7blank.gif In the Domain field, enter the name of the Active Directory domain.

    Step 8blank.gif To detect logins to the Active Directory server, select an IP address from the Local Login IP Address field. The agent automatically populates this field with all IP addresses associated with the server specified in the Server Name/IP Address field.

    If the Server Name/IP Address field is blank or contains localhost, this field is populated with all IP addresses associated with the local host.

    Step 9blank.gif Check Process real time events to enable the user agent to retrieve login events from this Active Directory server real time.

    Step 10blank.gif Click Add to add a new server or click Save to save changes to an existing server.

    The server connection definition is displayed in the list of Active Directory servers. If you have more than one server connection configured, you can sort on Host, Last Reported, Polling Status, Last Polled, Real Time Status, or Real Time by clicking the respective column headers.

    note.gif

    Noteblank.gif If the user agent cannot connect to the Active Directory server at configuration time, you cannot add the server. Check that the agent has TCP/IP access to the server, that the credentials you used can connect, and that you correctly configured the connection to the Active Directory server. See Configure the Active Directory Server for more information.


    Step 11blank.gif (Optional.) Change the interval at which the agent automatically polls the Active Directory server for user login data, select a time from the Active Directory Server Polling Interval list.

    After you save the settings, the next poll occurs after the selected number of minutes elapse, and recurs at that interval. If a poll takes longer than the selected interval, the next poll starts in the next interval after the poll ends.

    If real time event processing is enabled for an Active Directory server, and the user agent loses connectivity with the server, the agent keeps attempting polls until it receives a response and real time data retrieval is available. After the connection is established, real time data retrieval resumes.

    Step 12blank.gif (Optional.) Change the maximum time span polled when the agent first establishes or reestablishes a connection to poll an Active Directory server for user login data, select a time from the Active Directory Server Max Poll Length list.

    note.gif

    Noteblank.gif The user agent does not allow saving a configuration that would skip user activity data in each poll. Therefore, you cannot save a value in the Active Directory Server Max Poll Length list less than the value selected from the Active Directory Server Polling Interval list.


    Step 13blank.gif To save and apply configuration changes to the agent, click Save.

    Step 14blank.gif You have the following options:

    You must add at least one Management Center to the agent to report user login and logoff data.

    • To configure the agent, you can take any of the actions described in Table 2-1.


     

    Configure User Agent Management Center Connections

    You can send Active Directory user data to up to five Management Centers from a user agent. From the agent, you can also view the Management Center status at the time the tab is selected ( available, unavailable, or unknown when the agent first starts) and the last login reported by the agent.

    Before you add a connection, make sure you add the user agent to the Management Center configuration. For more information, see Configure a Version 6.2.3 or Later Management Center to Connect to User Agents.

    In a high availability configuration, add both Management Centers to the agent to enable update of user login and logoff data to both the primary and the secondary so the data remains current on both.

    To configure Management Center connections:

    Access: Any


    Step 1blank.gif If necessary, log in to the computer on which the user agent is installed.

    Step 2blank.gif Click Start > [ All ] Programs > Cisco > Configure Cisco Firepower Agent for Active Directory.

    Step 3blank.gif Click the Firepower Management Centers tab.

    Step 4blank.gif In the Server Name/IP Address field, enter the hostname or IP address of the Management Center you want to add.

    Step 5blank.gif In the Password field, enter the password you configured for the user agent to log in to the Firepower Management Center. If you did not configure a password, leave the field blank. For more information about configuring a password, see the chapter on the Firepower Management Center CLI Reference in the Firepower Management Center Configuration Guide.

    To change the user agent password, see Change the User Agent Password.

    Step 6blank.gif Click Add.

    The Management Center connection configuration is added. You cannot add a hostname or IP address more than once. You should not add a Management Center by both hostname and IP address. If the Management Center has more than one network adapter, you should not add it multiple times using different IP addresses.

    If you have more than one Management Center connection configured, you can sort on Host, Status, or Last Reported by clicking the respective column headers.

    note.gif

    Noteblank.gif If the user agent cannot connect to a Management Center at configuration time, it cannot add that Management Center. Check that the agent has TCP/IP access to the Management Center.


    Step 7blank.gif To save and apply configuration changes to the agent, click Save. The updated settings are applied to the agent.

    Step 8blank.gif You have the following options:

    Change the User Agent Password

    You can change the user agent password using user agent 2.5 or later and Firepower Management Center 6.5 or later.

    If you changed the user agent password, either from the default or from another password, you must do the following:


    Step 1blank.gif If necessary, log in to the computer on which the user agent is installed.

    Step 2blank.gif Click Start > [ All ] Programs > Cisco > Configure Cisco Firepower Agent for Active Directory.

    Step 3blank.gif Click the Firepower Management Centers tab.

    Step 4blank.gif Remove the Firepower Management Center from the user agent.

    Step 5blank.gif Add the Firepower Management Center with the password you set on the FMC. See the preceding section for more information.

    Step 6blank.gif Restart the user agent service. See Configure General User Agent Settings.

    Configure User Agent Excluded Username Settings

    You can define up to 500 user names to be excluded when polling for login or logoff events. If the agent retrieves a login or logoff event by an excluded user name, the agent does not report the event to the Management Center.

    Login and logoff events for a user name that are reported before the exclusion are not affected. If you remove a user name from the excluded user name list, future login and logoff events for that user name are reported to the Management Center.

    You can choose whether to exclude all logins and logoffs by a user from all domains, or from specific domains. You can also export and import lists of user names and domains, stored in comma-separated value files. Note that if you exclude a user already reported to the Management Center, the user is never unmapped from the host unless the host is purged from the database.

    For example, if you installed the user agent on a computer separate from the Active Directory server, you can use this option to exclude the user agent user from logging to the Management Center.

    To configure excluded user names:


    Step 1blank.gif If necessary, log in to the computer on which the user agent is installed.

    Step 2blank.gif Click Start > [ All ] Programs > Cisco > Configure Cisco Firepower Agent for Active Directory.Select the Excluded Usernames tab.

    Step 3blank.gif In the next available row, enter a user name you want to exclude in the Username column.

    Excluded user names cannot include the dollar sign character ( $) or the quotation mark character ( ").

    Step 4blank.gif Enter the domain associated with the user name in the Domain column.

    You can define only one domain per row. If you do not specify a domain, the user name in every domain is excluded.

    Step 5blank.gif Repeat steps 3 and 4 to add additional user names. If you have more than one excluded user name configured, you can sort on Username or Domain by clicking the respective column headers.

    Step 6blank.gif To remove a row, you have the following options:

    • Highlight the row and press the Delete key.
    • Place your pointer at the end of the user name and press the Backspace key until it is deleted.

    The row is removed.

    To remove multiple rows, press Control+click to select multiple rows and press Delete.

    Step 7blank.gif To export the list of user names and domains to a comma-separated value file, click Export List. Select a file path to save the file.

    The file is saved. By default, the file is named Cisco_user_agent_excluded_users.csv.

    Step 8blank.gif To import a list of user names and domains from a comma-separated value file, click Import List. Select a file to upload.

    The existing user names are cleared, and the user names in the file are loaded. You cannot upload a file that contains duplicate user names. If there are any syntax errors in the file, you cannot upload the file.

    Entries in the comma-separated value file must be in the following format:

    "username","domain"

    A domain value is optional, but quotes are required as a placeholder.

    Step 9blank.gif Click Save to save and apply configuration changes to the agent.

    Step 10blank.gif You have the following options:


     

    Configure User Agent Excluded Addresses Settings

    You can configure up to 100 IPv4 and IPv6 addresses to be excluded when polling for login events. If the user agent retrieves a login or logoff event that contains an excluded IP address, the agent does not report the event to the Management Center.

    Login and logoff events from an IP address that are reported before the exclusion are not affected. If you remove an IP address from the excluded address list, future login and logoff events for that address are reported to the Management Center.

    For example, if you installed the user agent on a computer separate from the Active Directory server, you can use this option to exclude the user agent user from logging to the Management Center.

    note.gif

    Noteblank.gif If you use both the user agent and TS Agent in the same network, you should exclude the TS Agent’s IP address to prevent non-critical errors from being logged to the Firepower Management Center. When both the TS Agent and user agent detect the same user logging in, non-critical errors are written to the logs.


    To configure excluded IP addresses:


    Step 1blank.gif If necessary, log in to the computer on which the user agent is installed.

    Step 2blank.gif Click Start > [ All ] Programs > Cisco > Configure Cisco Firepower Agent for Active Directory.Select the Excluded Addresses tab.

    Step 3blank.gif In the next available row, enter an IP address you want to exclude in the Address column. Repeat this to add additional IP addresses.

    If you have more than one excluded IP address configured, you can sort on Address by clicking the respective column headers.

    If you enter an invalid IP address, an exclamation mark icon (373713.tif) is displayed in the row header. You cannot enter another address without fixing the invalid address.

    Step 4blank.gif To remove an IP address, highlight the row and press the Delete key.

    The IP address is removed. To remove multiple rows, Control+click to select multiple rows and press the Delete key.

    Step 5blank.gif To export the list of IP addresses to a comma-separated value file, click Export List. Select a file path to save the file.

    The file is saved. By default, the file is named Cisco_user_agent_excluded_addresses.csv.

    Step 6blank.gif To import a list of IP addresses from a comma-separated value file, click Import List. Select a file to upload.

    The existing IP addresses are cleared, and the IP addresses in the file are loaded. You cannot upload a file that contains duplicate IP addresses. If there are any syntax errors in the file, you cannot upload the file.

    Step 7blank.gif Click Save to save and apply configuration changes to the agent.

    Step 8blank.gif You have the following options:


     

    Configure User Agent Logging Settings

    You can view up to 250 status messages logged by the agent in the Logs tab. The agent logs status messages to the local event log for the following events when they occur:

    • The agent successfully polls data from an Active Directory server
    • The agent fails to connect to an Active Directory server
    • The agent fails to retrieve data from the Active Directory server
    • The agent successfully connects to a Management Center
    • The agent fails to connect to a Management Center

    The agent logs each status message with a timestamp and the severity level. The following table describes the possible severity levels by increasing severity.

     

    Table 2-3 User Agent Logging Severity Levels

    Level
    Color
    Description

    Debug

    gray

    The event is logged for debugging purposes.

    These messages are not displayed by default.

    Information

    green

    The event is consistent with normal agent operation.

    Warning

    yellow

    The event is unexpected, but does not necessarily disrupt normal agent operation.

    Error

    red

    The event is unexpected, and normal agent operation is disrupted.

    The agent can log status messages to Windows application logs in addition to the local event log. The agent can also export the local event log contents to a comma-separated value file.

    You can configure whether status messages are stored, how long they are stored, and you can clear the event log of all status messages. You can also configure maintenance options, such as viewing debug status messages and accessing the Maintenance tab.

    note.gif

    Noteblank.gif Debug status messages are stored for seven days before being removed from the event log. Configuring how long status messages are stored and clearing the event log does not affect debug status message storage.


    To configure user agent logging settings:


    Step 1blank.gif If necessary, log in to the computer on which the user agent is installed.

    Step 2blank.gif Click Start > [ All ] Programs > Cisco > Configure Cisco Firepower Agent for Active Directory.

    Step 3blank.gif Click the Logs tab.

    Step 4blank.gif If directed to do so by Cisco TAC, select Show Debug Messages in Log to view debug status messages in the event log and enable the Maintenance tab page.

    note.gif

    Noteblank.gif Select this option only if Cisco TAC directs you to do so.


    Step 5blank.gif Select Log Messages to Windows Application Log to log non debug status messages to both the Windows application logs and to the local event logs.

    To view the Windows application logs, open the Windows Event Viewer.

    Step 6blank.gif Select a time period from the Message Cache Size drop-down list to configure how long status messages are saved before they are automatically deleted from the local event log.

    Status messages, once logged to the local event log, are saved for the time period selected in the Message Cache Size drop-down list, then deleted.

    note.gif

    Noteblank.gif The Message Cache Size setting affects only the local event log, not the Windows application logs, even if you select Log Messages to Windows Application Log.


    Step 7blank.gif Click Refresh to view new status messages logged since the last refresh.

    If new status messages have been logged since the last refresh, a message is displayed stating there are new status messages available. If the refresh results in more than 250 messages, the oldest status messages are removed from the Logs tab page. To view more than 250 messages, export the logs. See step 8 for more information.

    Step 8blank.gif Click Export Logs to export the local event log contents to a comma-separated value file.

    The comma-separated value file contains all event log status messages and debug messages.

    Step 9blank.gif Click Clear Event Log to remove all non-debug status messages from the local event log.

    The local event is cleared, except for a status message stating the agent removed the messages.

    Step 10blank.gif To save and apply configuration changes to the agent, click Save.

    Step 11blank.gif You have the following options:


     

    Configure General User Agent Settings

    The General tab contains basic user agent configuration. You can change the agent name reported to the Management Center when the agent reports login data. You can also start and stop the agent service, change the logoff check frequency, and view the current service status.

    To configure general User Agent settings:


    Step 1blank.gif On the computer where you installed the agent, select Start > Programs > Cisco > Configure Cisco Firepower User Agent for Active Directory.

    Step 2blank.gif Click start (373714.tif) to start the agent service.

    Step 3blank.gif Click stop (373715.tif) to stop the agent service.

    Step 4blank.gif (Optional.) Modify the Agent Name for the agent, which defaults to Cisco FUAfAD. You can enter letters, numbers, underscores ( _), and dashes ( -).

    Step 5blank.gif (Optional.) Change the frequency the agent checks for logoff data, select a time period from the Logout Check Frequency list. Select 0 to disable checking for logoff data.

    Step 6blank.gif (Optional.) Change the agent scheduling priority, choose a level from the Priority list. Choose High only if your agent monitors and retrieves significant amounts of user activity and it is affecting performance.

    Step 7blank.gif To save settings, click Save.

    Step 8blank.gif To configure the agent, you can take any of the actions described in Table 2-1.


     

    Configure User Agent Maintenance Settings

    In addition to configuration settings, the agent stores user-to-IP-address mapping information, the local event log, and reporting state information in the SQL CE database. The agent Maintenance tab allows you to clear portions of the database for maintenance purposes. You can clear cached user-to-IP-address mapping information and local event log information. You can also clear the reporting state cache, which forces a manual polling of the configured Active Directory servers.

    caut.gif

    Caution blank.gif Do not change any settings on the Maintenance tab page unless Support directs you to do so.

    To configure user agent maintenance settings:


    Step 1blank.gif On the computer where you installed the agent, select Start > Programs > Cisco > Configure Cisco Firepower User Agent for Active Directory.

    Step 2blank.gif Click the Logs tab.

    Step 3blank.gif Click Show Debug Messages in Log to enable the Maintenance tab.

    Step 4blank.gif Click the Maintenance tab.

    Step 5blank.gif Click Clear user mapping data cache to clear all stored user-to-IP-address mapping data.

    The agent deletes all stored user-to-IP-address mapping data from the local agent database. Stored user-to-IP-address mapping data in the Management Center database is not affected by clearing the local agent database.

    Step 6blank.gif Click Clear logon event log cache to clear all stored login event data.

    Step 7blank.gif Click Clear reporting state cache to clear data related to the last time the agent reported login and logoff information to the configured Management Centers.

    The agent deletes all information related to the last time it reported login and logoff information to the configured Management Centers. At the start of the next polling interval, the agent manually polls all configured Active Directory Servers, retrieving information within the time span defined in the Active Directory Server Max Poll Length field. See Configure User Agent Active Directory Server Connections for more information.

    Step 8blank.gif Select a level of logging granularity from the Debug Log Level list to configure how detailed the logged debug messages are.

    Step 9blank.gif To configure the agent, you can take any of the actions described in Table 2-1.


     

    Troubleshoot the User Agent

    The following sections discuss solutions to issues you might encounter using the user agent:

    Can’t Install the User Agent

    When you install the user agent, an error related to Microsoft SQL Server Compact Edition might be displayed:

    446370.jpg

    The text of the error is similar to the following:

    SSCERuntime_x64-ENU,exe has changed since it was initially published. Click OK to retry the download, or click Cancel to exit setup

     

    To resolve the issue:


    Step 1blank.gif Click Cancel to exit setup.

    Step 2blank.gif Download and install Microsoft SQL Server Compact Edition 4.0 (SP1 x64 bit) from the Microsoft site.

    Step 3blank.gif Run setup again as discussed in Install the User Agent, making sure to run setup.msi and not setup.exe.

    Can’t Connect to a Management Center

    This section discusses the following issues that might prevent the user agent from connecting to the Firepower Management Center:

    User Agent not an Identity Source

    In the user agent’s Firepower Management Centers tab page, if the status of a Management Center is unavailable, make sure you added the user agent as an identity source in the Management Center. For more information about user agent configuration, see the Configuration Guide.

    To verify the user agent identity source in a version 6.X Management Center:


    Step 1blank.gif Log in to the Management Center as an administrator.

    Step 2blank.gif Click System > Integration.

    Step 3blank.gif Click the Identity Sources tab.

    Step 4blank.gif Click User Agent.

    Step 5blank.gif Verify a user agent is defined and verify its IP address. If you make any changes, click Save.

    Step 6blank.gif Check the status of the Management Center again in the user agent’s Firepower Management Centers tab page.


     

    If the Management Center is configured properly and you still can’t connect, try the following:

    • Double-check the Management Center’s hostname or IP address you’ve configured in the user agent.
    • If you’re accessing the Management Center by hostname, use the nslookup hostname command to verify the hostname resolves to an IP address.
    • If you’re accessing the Management Center by IP address, use the ping ip-address command to verify it is reachable by the user agent computer.

    Incorrect Windows Ciphers

    If the Windows machine on which the user agent is installed does not have the appropriate ciphers installed, you observe the following symptoms:

    • The user agent shows the Firepower Management Center as unavailable in the user agent’s Firepower Management Centers tab page.
    • The Firepower Management Center can download users and groups from the Active Directory domain controller.

    This situation applies to you only if you restricted the ciphers on the Windows machine, which is relatively uncommon.

    To view the list of available ciphers:


    Step 1blank.gif Log in to the user agent machine.

    Step 2blank.gif At a command prompt, enter gpedit.msc, and then press Enter.

    Step 3blank.gif Click Computer Configuration > Administrative Templates > Network > SSL Configuration Settings.

    Step 4blank.gif Under SSL Configuration Settings, select SSL Cipher Suite Order.

    Step 5blank.gif Set the cipher list to include one or more of the ciphers shown in the following section.


     

    Ciphers Supported by the Firepower Management Center

    The Firepower Management Center supports the following ciphers for connecting with the user agent. The ciphers are shown in OpenSSL format. Windows ciphers are usually listed in RFC format. To translate the cipher names, see the RFC mapping list on the https://testssl.sh site.

    caut.gif

    Caution blank.gif Use caution when deciding which ciphers to select because not all ciphers are secure. For information about secure ciphers, consult a resource such as the Open Web Application Security Project (OWASP). For example, you can refer to their TLS Cipher String Cheat Sheet.

    Supported ciphers:

    AES256-GCM-SHA384

    AES256-SHA

    AES256-SHA256

    CAMELLIA256-SHA

    DES-CBC3-SHA

    ECDH-ECDSA-AES256-GCM-SHA384

    ECDH-ECDSA-AES256-SHA

    ECDH-ECDSA-AES256-SHA384

    ECDH-ECDSA-DES-CBC3-SHA

    ECDH-RSA-AES256-GCM-SHA384

    ECDH-RSA-AES256-SHA

    ECDH-RSA-AES256-SHA384

    ECDH-RSA-DES-CBC3-SHA

    ECDHE-ECDSA-AES128-GCM-SHA256

    ECDHE-ECDSA-AES128-SHA

    ECDHE-ECDSA-AES128-SHA256

    ECDHE-ECDSA-AES256-GCM-SHA384

    ECDHE-ECDSA-AES256-SHA

    ECDHE-ECDSA-AES256-SHA384

    ECDHE-ECDSA-DES-CBC3-SHA

    ECDHE-RSA-AES128-GCM-SHA256

    ECDHE-RSA-AES128-SHA

    ECDHE-RSA-AES128-SHA256

    ECDHE-RSA-AES256-GCM-SHA384

    ECDHE-RSA-AES256-SHA

    ECDHE-RSA-AES256-SHA384

    ECDHE-RSA-DES-CBC3-SHA

    EDH-DSS-DES-CBC3-SHA

    EDH-RSA-DES-CBC3-SHA

    PSK-3DES-EDE-CBC-SHA

    PSK-AES256-CBC-SHA

    SRP-DSS-3DES-EDE-CBC-SHA

    SRP-DSS-AES-128-CBC-SHA

    SRP-DSS-AES-256-CBC-SHA

    SRP-RSA-3DES-EDE-CBC-SHA

    SRP-RSA-AES-128-CBC-SHA

    SRP-RSA-AES-256-CBC-SHA

    DNS Server Not Available

    If you configured the user agent identity source with a host name, there must be an available DNS server to resolve that host name for the FMC to connect to it. Check the host name and check whether or not the FMC can resolve the host name and try again.

    User Agent Unresponsive

    If you suspect you aren’t getting data from the user agent, you can do any of the following:

    • Log in to the user agent computer and check its status; for more information, see Configure General User Agent Settings.
    • Set up a user agent health policy to monitor its status on the Management Center as discussed in the procedure that follows.

    A user agent health policy informs you when the Management Center doesn’t receive a heartbeat from the user agent. For more information, see the configuration guide.

    To set up a user agent health policy in a 6.X Management Center:


    Step 1blank.gif Log in to the Management Center as a user with Administrator or Maintenance User privileges.

    Step 2blank.gif Click System > Health > Policy.

    Step 3blank.gif Click Create Policy.

    Step 4blank.gif On the Create Policy page, enter the following information:

    • Copy Policy list: Choose any policy, such as Default Health Policy.
    • New Policy Name field: Enter a name to identify this policy.
    • New Policy Description field: Enter an optional policy description.

    The new policy is displayed.

    Step 5blank.gif Click 422253.jpg (edit).

    Step 6blank.gif In the left column, click User Agent Status Monitor.

    Step 7blank.gif In the right column, click On.

    Step 8blank.gif At the bottom of the page, click Save Policy and Exit.

    Step 9blank.gif Click 422254.jpg (apply) next to the name of the policy.

    Step 10blank.gif Follow the prompts on your screen to apply the policy to managed devices.

    Step 11blank.gif To monitor user agents at any time, click Health > Monitor or watch the Management Center’s 422255.jpg (monitor) icon for messages.

    A message similar to the following is displayed if the user agent heartbeat isn’t detected by a managed device:

    Some user agents are not up-to-date


     

    User Agent Doesn’t Show Every Login

    The user agent tracks user names per IP address. If the same user logs in to the same IP address multiple times, you’ll see only one User Login event in the Management Center for that user.

    In the following scenario, you’ll see multiple User Login events for a user:

    • The user logs in from different IP addresses (for example, desktop and phone).
    • User patricia.nolan logs in from the following IP addresses in this sequence:

    blank.gif 192.0.2.102

    blank.gif 192.0.2.210

    blank.gif 192.0.2.102

    It doesn’t matter if patricia.nolan logs out from any of the IP addresses; the Management Center reports at least two User Login events, one for each unique IP address. (In other words, the Management Center doesn’t report the last login because it’s from the same IP address as the first.)

    User Agent Silently Fails to Connect to Active Directory

    If you enter the wrong user name or password for an Active Directory server, or if the user agent software doesn’t have sufficient privileges to the Active Directory server, the connection silently fails. The only way to verify this is the case is to look at user agent logs ( Logs tab page).

    For more information, see:

    User Agent Isn’t Processing Real Time Events

    To be able to process real time events from the Active Directory server, the user agent requires Remote Procedure Call (RPC) access to the Active Directory server. If the status of real time processing is displayed as unknown or unavailable in the user agent’s Active Directory Servers tab page for an extended period of time, look for errors in the user agent log and try the other suggestions discussed in this section.

    To troubleshoot real time processing issues:


    Step 1blank.gif If necessary, log in to the computer where the user agent is installed.

    Step 2blank.gif Click Start > Programs > Cisco > Configure Cisco Firepower User Agent for Active Directory

    Step 3blank.gif Click the Logs tab.

    Step 4blank.gif Check Show debug messages in log.

    Step 5blank.gif Observe the log messages or click Export logs to export log messages to a file.

    Step 6blank.gif Look for messages like the following:

    “error”,”[2317] - Unable to attach event listener to host or IP address. Check firewall settings on AD server. RPC server is unavailable

    The preceding message indicates a configuration issue with the Active Directory Server’s firewall. Review the instructions in Allow the User Agent to Access Distributed Component Object Management (DCOM) and try again.

    To isolate the firewall as the issue, optionally disable the Active Directory Server’s firewall for a few minutes and see if the user agent can process real time events.

    Step 7blank.gif Try deleting the Active Directory Server configuration in the user agent and adding it back.


     

    User Agent Doesn’t Show User Logoff Events

    If you don’t see any User Logoff events in the Management Center, make sure you allowed WMI through the firewall on all domain computers. For more information, see Configure Domain Computers.

    User Agent and TS Agent in Same Network

    If you use both the Terminal Services (TS) Agent and the user agent, you can avoid non-critical errors in the logs by excluding the TS Agent IP address from the user agent. If the same user is detected by both the TS Agent and the user agent, non-critical errors are written to logs.

    For more information, see Configure User Agent Excluded Addresses Settings.

    Error 1001: Cannot start service AgentService

    This error is displayed if you try to use the version 2.3 user agent after installing the version 2.4 user agent. The error means that the version 2.4 user agent database cannot be accessed by the version 2.3 user agent.

    To resolve the issue, see Troubleshoot the User Agent.

    The following figure shows the error.

    435046.jpg

    Install Error System.IO.FileNotFoundException

    If you install the user agent with setup.msi instead of setup.exe, user agent will not start because not all dependencies are installed. You can observe the error in any of the following ways:

    • When the application fails to start, if you expand the error message, System.IO.FileNotFoundException is displayed
    • The Windows Event Viewer, Application log, displays errors related to the user agent

    To resolve the errors:


    Step 1blank.gif Use the Windows Control Panel to uninstall the user agent.

    Step 2blank.gif Install the user agent again using setup.exe.

    Replace the Version 2.4 or Later User Agent with Version 2.3

    If issues prevent you from using user agent version 2.4 or later, you can revert to version 2.3 using a manual replacement method discussed in this section.

    note.gif

    Noteblank.gif This procedure removes the user agent configuration. After installing the version 2.3 user agent, you must configure the user agent again.


    To replace version 2.4 with version 2.3:


    Step 1blank.gif Use the Programs and Features application in the Windows Control Panel to uninstall the user agent.

    Step 2blank.gif Manually delete the following files from C:\ :

      • CiscoUserAgent.sdf
      • UserAgentEncryptionBytes.bin

    Step 3blank.gif Install the User Agent version 2.3 ( Cisco_Firepower_User_Agent_for_Active_Directory_2.3-10.zip).