cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
5665
Views
5
Helpful
6
Replies

Sourcefire AD user agent

rich-nelson
Level 1
Level 1

We're seeing this error in the user agent:

Unable to attach event listener to adserver.domain.com. Check firewall settings on AD Server. Operation is not supported on this platform.

 

The agent is installed on a member server and the connection to the AD server is successful. 

6 Replies 6

tue_noergaard
Level 1
Level 1

Any hints to resolve this ?

 

best regards

Tue

After playing with this and trying to get the permissions correct for remote access I ended up just installing this on a domain controller. One of the demos I watched had installed it on a DC and that appears to resolve all issues.

Hi..

Normally there is not problem on a separate server - I have done this in the past. 

But this time it does not work.

If I assign domain admin rights to the user it works. 

We have double-checked the DCOM and WMI settings without luck..

Waiting for TAC to respond.

Best regards

 

Tue

Any update on this?  I have it installed on a 2012 DC using a domain admin account and still receive this error message.

Mark

Give this a shot (running on a member server with real-time reporting):

1. Create a user in AD for use with the agent

 

On ALL DC's:

2. Give that user rights to the things outlined in this guide (http://www.cisco.com/c/en/us/support/docs/security/firesight-management-center/118637-configure-firesight-00.html)

3. Open the GPO editor:

a) To open this navigate to Administrative Tools and click ‘Group Policy Management’

b) Expand the forest,  domains, select your domain, and right click the ‘Default Domain Policy’ and click Edit.  If they have a different domain policy applied to their DC’s you will have to edit that policy instead of this default. 

c) Navigate to Default Domain Policy> Computer Configuration> Policies> Windows Settings> Advanced Audit Policy Configuration

d) Enable Audit Logoff.  Enable Audit Logon.  Enable for both Success and failure.

e) Navigate to Windows Settings > Security Settings > Local Policies> User Rights Assignment > Manage Audit and Security Logs and make sure the Sourcefire Agent user/group is added here.

 

After all of these changes are made you may need to issue a ‘GPUPDATE’ on the domain controllers to push these settings.

 

If windows firewall enabled on the User Agent machine.  The following ports need to be opened:
a. TCP 135 to all domain controllers
b. TCP 3306 to the FireSIGHT management console.

 

 

To determine that everything is working, make sure that users populate in the Firesight console under Analysis > Users>Users

 

 

Hope this helps...

Opened a ticket and found I needed a new license file.  The issue was that my license file allowed for 2,500,000,000 users which is way more than it can handle.  Changed it to 50,000 and I'm good to go.  Had nothing to do with the agent.

Mark
Review Cisco Networking for a $25 gift card