BLOCK WEB THREATS

BOOST PRODUCTIVITY
REDUCE LIABILITIES

WEBTITAN CLOUD
User Identification Guide

This guide explains how to install and configure the WebTitan Cloud Active Directory
components required to report on users, groups and internal networks.

www.webtitan.com info@webtitan.com

Overview
The Active Directory user identification integration consists of two components that
must be installed on your network:

1. The WebTitan DNS Proxy, which is responsible for:
   - Securely uploading user and computer group information to the WebTitan Cloud service.
   - Redirecting all local DNS queries to your existing internal DNS servers.
   - Redirecting all external DNS queries, along with metadata, to WebTitan Cloud.

2. The WebTitan Active Directory Agent (WADA), which is responsible for:
   - Maintaining a list of active logon sessions, mapping an IP to a username.
   - Securely transferring this information to the WebTitan DNS Proxy.

   The information is gathered from 3 different sources (LDAP, Event Logger and
   Network sessions):
   a) The LDAP mechanism gathers a list of computers in the domain and, based on
      the lastLogon parameter, contacts each computer using the WMI protocol to
      check for an active logon session and then get the username. Not all
      computers are checked, only those with a lastLogon field within the range
      defined in the configuration (1 year by default).
   b) The Event Logger mechanism listens for a special event that contains
      information about the username and IP.
   c) Additionally, network sessions are enumerated (by default every 10 seconds)
      to discover active sessions. This method is especially important when there
      are users on the network who don't turn off their computers for a very long
      time and whose computers are, for some reason, not reachable with WMI.

Workflow

1. Install WebTitan DNS Proxy on either a hypervisor or on bare metal. The WebTitan
DNS Proxy will import all users and groups (currently we're only importing the users)
from Active Directory.
2. These will then be securely transmitted to WebTitan Cloud. In return, the DNS Proxy
will receive a unique user id for each user.
3. Install WebTitan Active Directory Agent (WADA) on the Active Directory Server
(or on another server in the domain). WADA will use several techniques to discover
who is logged on where.
4. The discovered user-IP mappings will be continuously transmitted to the WebTitan
DNS Proxy.
5. All internal computers must route their DNS traffic via the WebTitan DNS Proxy.
Upon receipt of a DNS query, the WebTitan DNS Proxy will check to see if it has a
user associated with the source IP address of the query. The WTC user id for that user
(if found) will be appended to the query as metadata along with the internal source
IP address.
6. The request containing the metadata will then be forwarded on to the WebTitan
Cloud server, where each request can be successfully logged with user identification.

WebTitan DNS Proxy


Once configured, WebTitan DNS Proxy collects user and group data from your directory
service and at scheduled intervals securely sends it to WebTitan Cloud. It will receive
a unique user id for each user which will be used to form the metadata that will be
attached to all DNS queries that are routed through the WebTitan DNS Proxy.
If a query is for a local domain, then the request will be forwarded to the appropriate
internal DNS server.

Prerequisites
Before you install the WebTitan Cloud AD components, you will need to meet the
following requirements:
- VMware ESXi 4.1 or newer (alternatively, the appliance may be installed on bare metal).
- Minimum requirements for the DNS Proxy appliance are 1 CPU core, 512MB RAM,
  6GB disk space.

Install DNS Proxy Appliance


The following steps outline installing WebTitan DNS Proxy from a CD image (ISO).
1. After deploying the ISO or OVA image, you will be prompted to configure the
appliance.

2. Keyboard Layout

The Keymap Selection screen will be displayed, allowing you to select the keyboard
layout that most closely represents the mapping of the keyboard attached to the
system. If unsure, then use the default keymap or choose United States of America
ISO-8859-1.
3. Setting the hostname

The installer will prompt for the hostname to be given to the newly installed
appliance. The hostname should be a fully-qualified hostname.

4. Confirmation to proceed

Choose <Yes> to proceed.


5. Partitioning

WebTitan DNS Proxy will automatically partition the disk. Choose <Commit> to
proceed and partition the disk. This is the last chance to abort the installation
before changes are made to the hard drive.
After verifying the integrity of the distribution files to ensure that they have not been
misread from the installation media, the installer will extract the distributed files to disk.
6. Configuring the Network Interface

A list of all network interfaces found on the computer is shown next. Select one to be
configured.

The application must be configured with a static IP address and does not provide
the option to configure the interface using DHCP. Static configuration of the network
interface requires some IPv4 information:
IP Address: The manually assigned IPv4 address to be assigned to this computer.
This address must be unique and not already in use elsewhere on the local network.
Subnet Mask: The subnet mask used for the local network. Typically, this is
255.255.255.0.
Default Router: The IP address of the default router/gateway on this network.
7. Configuring DNS

The Domain Name System (DNS) resolver converts hostnames to and from network
addresses. Enter the local network's domain name in the Search field, and enter the
addresses of the local DNS servers in DNS #1 and DNS #2. At least one DNS server is
required.

8. Setting the Time Zone

Setting the time zone for your application will allow it to automatically correct for
any regional time changes and perform other time zone related functions properly.
Select <Yes> or <No> according to how the machine's clock is configured. If you
don't know whether the system uses UTC or local time, select <No> to choose the
local region and country.
9. Install Packages

The installer will then proceed with installation of packages and perform some
further installation tasks.

After everything has been installed and configured, the installer will prompt to
reboot into the new appliance. Select <Reboot> to reboot the computer and start
the new WebTitan DNS Proxy application. Don't forget to remove the installation
media, or the computer may boot from it again.
10. Completing the installation
After the application has rebooted, use the displayed URL to connect your browser
to the WebTitan DNS Proxy web-based user interface. The user interface will allow
you to complete the configuration of your WebTitan DNS Proxy application setup.

Log in with the following credentials:

Administrator: admin

Password: hiadmin


Note: If your internet browser does not connect to the application, it is likely
because the network settings are misconfigured. You can fix the configuration by
logging into the console.


Configuring the WebTitan DNS Proxy


Once logged in to the user interface, navigate to the Configuration tab to complete
the configuration of the DNS Proxy appliance.
Under the Network -> DNS Settings tab, you must configure the appliance to route
local DNS queries to your existing DNS servers. The DNS Settings table lists those
queries that should be redirected to local DNS servers for resolution. It is also possible
to specify queries that should always be dropped. The table should list all internal
zones (e.g. mydomain.com) and any reverse zones. For instance, if your network is
192.168.1/24, then the domain to add would be 1.168.192.in-addr.arpa.
All other requests will be forwarded to WebTitan cloud for resolution.
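
The reverse-zone rule above, worked through for prefixes that are not exactly /24. This is an added example, not WebTitan code: the function names are assumptions, the sample networks are constructed, and the suffix match in is_local is only a way to check your own list for coverage, not a statement of how the appliance matches queries.

```python
import ipaddress

def reverse_zones(cidr):
    """Return the in-addr.arpa zone names that cover an IPv4 network.

    Reverse zones sit on octet boundaries, so a prefix that is not /8, /16
    or /24 is split into the next-longer octet-aligned zones (a /22 becomes
    four /24 zones); a prefix longer than /24 maps to its enclosing /24.
    """
    net = ipaddress.ip_network(cidr, strict=False)
    if net.version != 4:
        raise ValueError("only IPv4 networks are handled here")
    if net.prefixlen > 24:
        net = net.supernet(new_prefix=24)
    # Round the prefix length up to the next octet boundary (8, 16 or 24).
    aligned = max(8, -(-net.prefixlen // 8) * 8)
    zones = []
    for sub in net.subnets(new_prefix=aligned):
        octets = str(sub.network_address).split(".")[: aligned // 8]
        zones.append(".".join(reversed(octets)) + ".in-addr.arpa")
    return zones

def dns_settings_entries(forward_zones, cidrs):
    """Forward zones plus every reverse zone for the internal networks."""
    entries = [z.rstrip(".").lower() for z in forward_zones]
    for cidr in cidrs:
        entries += [z for z in reverse_zones(cidr) if z not in entries]
    return entries

def is_local(qname, entries):
    """True if qname is a listed zone or a subdomain of one (label boundary)."""
    q = qname.rstrip(".").lower()
    return any(q == z or q.endswith("." + z) for z in entries)

if __name__ == "__main__":
    # Constructed sample: one internal zone and two internal networks.
    for e in dns_settings_entries(["mydomain.com"], ["192.168.1.0/24", "10.20.0.0/22"]):
        print(e)
```

Any internal network whose reverse zone is missing from the table would have its PTR lookups, and with them internal addresses, forwarded to the cloud service instead of the local DNS servers.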

Active Directory
In order for WebTitan Cloud to report on users, you must first import all your users
from your Active Directory server. These are then securely uploaded to WebTitan Cloud,
and in return unique identifiers will be returned for each user. Subsequently, when the
DNS proxy receives DNS requests, if it has a username -> IP mapping (from WebTitan
Active Directory Agent) for the source address of the DNS request, then these unique
identifiers will be used to form the metadata which is attached to the query that is
forwarded to WebTitan Cloud.
Navigate to the Active Directory tab under the Configuration section to add an
Active Directory Domain. Click Add and input your Active Directory Server
details and save.

In order to be able to synchronize users with WebTitan Cloud, you must specify your
WebTitan Cloud Credentials.


WebTitan Active Directory Agent (WADA)


The WebTitan Active Directory Agent (WADA) is responsible for discovering who is
logged into which machines on your Active Directory network.
WADA must be installed on the domain controller or on a machine from which it can
communicate with:
Windows Active Directory
WebTitan DNS Proxy

WADA Installation
As Admin, launch an elevated command prompt, run WADA.msi with administrator
privileges and follow the steps in the installation wizard.

You will be prompted to provide your WebTitan DNS Proxy hostname or IP address and
port number.

Next you will be prompted to enter a username and password for the WebTitan AD Agent.
This user must be a member of the Event Log Readers group and the Distributed COM
Users group.

The WADA.ini configuration file can be located at C:\ProgramData\WebtitanADAgent.


The file contains the WebTitan DNS Proxy IP and looks like this:

WebTitanServers is the only required parameter and may contain a list of URLs,
separated with ",", that will receive the IP/users list in HTTP POST requests.

Other parameters are optional but may be useful for debugging or for customizing
specific needs:

DiscoveryThreads (default 10) - number of child threads used in the WMI discovery
process. Each thread connects to a computer using WMI, and the checks run in parallel
to speed up the initial discovery process.

DiscoveryIntMin (30) - number of minutes between discoveries (LDAP queries that
read the list of available computers, followed by WMI checks).

LastLogonDays (365) - maximum number of days since the last logon to a machine for it
to be checked for existing sessions with WMI. It is based on the lastLogon LDAP
attribute; computers with a higher number of idle days will be omitted.

TTLMin (60) - number of minutes after which an IP/user pair is removed from the
map if the active login session wasn't found on the given IP during this period (either
using WMI checks, events from Event Logger or the Network sessions enumerator).

EnumSessIntS (10) - number of seconds between enumerations of Network Sessions.
Note that Windows XP sessions show for only about 15 seconds, so don't change this
setting to a higher value or you may lose some information about active logon
sessions.

WMICheckIntS (60) - number of seconds between single WMI checks on a specific
computer. This is to avoid flooding Windows computers, so we don't hit them too
often.

WMIMaxCheckRetry (10) - number of retries when a WMI query to a specific
computer is failing. If it is still failing after this number of retries, an error is
logged to the file waderror.log and the computer is not checked for active sessions
with WMI unless there is some activity from other sources (Event Logger or Network
Sessions).

DC - name of the remote domain controller. May be used to run WADA on a different
computer on the network than the Domain Controller itself.

LogMinLevel - Debug level. 0 = Full debugging.
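
A simplified model of the IP/user map and the TTLMin expiry described above, added here as an illustration and not taken from WADA itself. The class and method names, the source labels and the user ids are assumptions; only the 60-minute default comes from the parameter list.

```python
from dataclasses import dataclass

TTL_MIN = 60  # TTLMin default quoted in the parameter list above

@dataclass
class Session:
    user_id: str      # user id for the logged-on user (constructed values here)
    last_seen: float  # epoch seconds of the most recent observation
    source: str       # "wmi", "eventlog" or "netsession"

class SessionMap:
    """Simplified model of an IP -> user map with TTL-based expiry."""

    def __init__(self, ttl_min=TTL_MIN):
        self.ttl_s = ttl_min * 60
        self.by_ip = {}

    def observe(self, ip, user_id, source, now):
        # Any source refreshes the pair; a different user on the same IP replaces it.
        self.by_ip[ip] = Session(user_id, now, source)

    def expire(self, now):
        stale = [ip for ip, s in self.by_ip.items() if now - s.last_seen > self.ttl_s]
        for ip in stale:
            del self.by_ip[ip]
        return stale

    def attribute(self, src_ip, now):
        """Return (user_id, age_seconds) for a query's source IP, or (None, None)."""
        self.expire(now)
        s = self.by_ip.get(src_ip)
        return (s.user_id, now - s.last_seen) if s else (None, None)

def demo():
    m = SessionMap()
    m.observe("10.0.0.5", "uid-alice", "eventlog", now=0)
    results = [m.attribute("10.0.0.5", now=30 * 60)]        # inside the TTL window
    m.observe("10.0.0.5", "uid-bob", "netsession", now=40 * 60)
    results.append(m.attribute("10.0.0.5", now=45 * 60))    # newer observation wins
    results.append(m.attribute("10.0.0.5", now=101 * 60))   # 61 min since last seen
    return results

if __name__ == "__main__":
    for r in demo():
        print(r)
```

The age returned with each attribution shows how old the supporting observation is: within the TTL window, a query is tied to whoever was last seen on that IP, so a longer TTLMin widens the period in which an address that has changed hands is still reported under the previous user.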

Route all DNS traffic via the WebTitan DNS Proxy


In order to report and enforce policies on user activity, all DNS traffic from all clients
on the network must be routed through the WebTitan DNS Proxy. If using DHCP, then
this can be easily accomplished by changing the DNS settings for DHCP. You will have
to wait until client computers renew their lease before the new settings are applied, or
until a user logs in.


If you have any questions or would like some assistance with set up,
one of our engineers will be happy to help.
Please contact us by email at helpdesk@webtitan.com or
Tel : +1 813 501 3610 (US) , +44 2037341040 (UK) or
+353 91 545555 (IRL).
