04-28-2010 06:24 AM - edited 03-11-2019 10:38 AM
Hi, I've just upgraded a Trend Micro CSC-SSM module on an ASA 5510 8.0(4) to version 6.3.1172.2. I configured URL filtering policies for users and groups in my Windows 2003 domain, I installed 2 Domain Controller Agents, respectively on the PDC and BDC servers, and under User Identification settings in the Trend Micro console I can see both servers correctly recognized with no errors. My problem is that the URL-filtering policies I created are randomly applied to the users: some allowed sites are suddenly blocked, and vice versa. Looking at the logs, it seems to be a userid verification issue: some userids can't be resolved and others are resolved discontinuously.
I need some help to solve this issue. Thank you very much in advance.
Best Regards
09-23-2010 07:08 PM
Peter,
I have seen a ton of problems with User ID detection on Windows 7 and i machines. The reason for this is that the Agent cannot resolve who is logged in on that machine. The way it all works is: first the Agent latches on to the Security event log in the Domain Controller (like an RSS feed) and looks for certain events indicating that a user has logged into a machine (make sure your DCs are logging Event IDs 672 and 673). When the Agent sees a logon event, it then proceeds to connect to the workstation that just logged in on TCP/445 in order to connect to the Remote Registry service. Once connected, it uses the credentials programmed in the User Identification settings page of the CSC GUI to pull information about which user is truly logged into the machine. If this fails, then we do not classify that machine as being logged in with a user; we can only classify by IP. Things that could break this would be:
- Firewall in the path between the ID Agent machine and the user's desktop PC
- Firewall running on the desktop PC that does not allow connectivity from the ID Agent machine to the Remote Registry service (Windows Firewall tends to block this)
- Remote Registry service being turned OFF on the desktop PC (seems to be the default in Vista/7 from what I have seen)
- RPC Service turned OFF on the desktop PC.
Can you check those different things and fix whatever is not right?
A quick/dirty test would be to log in via RDP to the machine that is running the ID Agent process. Log in using the Domain Admin credential you fed it in the CSC module settings page. Go to Start -> Run -> regedit. After Registry Editor loads, click on File -> Connect Network Registry and then enter the IP of the workstation causing you grief. If you can load the remote computer's registry, then the ID Agent should be able to classify it just fine. If you cannot, it will tell you timeout (firewall issue on the desktop PC) or some other error.
- Magnus
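The checks Magnus lists (TCP/445 reachable, Remote Registry and RPC services running, the remote registry actually openable with the configured account, and the DC emitting Kerberos logon events) can be scripted so they are repeatable across many workstations. The script below is an added example and not part of the original thread, Trend Micro's or Cisco's code; it is meant to be run from the ID Agent host under the same domain account configured in the CSC User Identification page. The hostnames `ws-problem-01`, `ws-problem-02` and `pdc01` are placeholders, and the assumption that a loaded HKEY_USERS hive means a logged-on user is this example's, not something the post states. `Get-Service -ComputerName` and `Get-EventLog` are Windows PowerShell cmdlets and are not available in PowerShell 7.

```powershell
# Added example (not from the original thread): verify the ID Agent prerequisites.
# Run on the ID Agent machine, logged in with the account fed to the CSC module.
param(
    [string[]]$Workstations = @('ws-problem-01', 'ws-problem-02'),  # placeholders
    [string]$DomainController = 'pdc01',                            # placeholder
    [int]$TimeoutMs = 3000
)

function Test-TcpPort {
    # Portable TCP reachability check (works on PowerShell 2.0, unlike Test-NetConnection).
    param([string]$ComputerName, [int]$Port, [int]$TimeoutMs)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($ComputerName, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }  # filtered/timeout
        $client.EndConnect($async)   # throws on RST (connection refused)
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

function Get-RemoteLoggedOnUsers {
    # Does what "File -> Connect Network Registry" does in regedit, then lists the
    # loaded user hives. Assumption (mine, not the post's): every HKEY_USERS subkey
    # that is a domain SID and not a *_Classes hive is a currently loaded user profile.
    param([string]$ComputerName)
    $hive = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey(
        [Microsoft.Win32.RegistryHive]::Users, $ComputerName)
    try {
        foreach ($name in $hive.GetSubKeyNames()) {
            if ($name -notmatch '^S-1-5-21-' -or $name -match '_Classes$') { continue }
            $sid = New-Object System.Security.Principal.SecurityIdentifier($name)
            try {
                $sid.Translate([System.Security.Principal.NTAccount]).Value
            } catch {
                $name   # SID could not be resolved; report the raw SID instead
            }
        }
    } finally {
        $hive.Close()
    }
}

foreach ($ws in $Workstations) {
    Write-Host "== $ws =="

    if (-not (Test-TcpPort -ComputerName $ws -Port 445 -TimeoutMs $TimeoutMs)) {
        Write-Host '  TCP/445 unreachable: firewall in the path or Windows Firewall on the desktop'
        continue
    }
    Write-Host '  TCP/445 reachable'

    # Service state as seen over RPC. Remote Registry is usually Manual/Stopped on Vista/7.
    foreach ($svc in 'RemoteRegistry', 'RpcSs') {
        $s = Get-Service -ComputerName $ws -Name $svc -ErrorAction SilentlyContinue
        if ($null -eq $s) { Write-Host "  $svc : could not query (RPC blocked or access denied)" }
        else { Write-Host "  $svc : $($s.Status)" }
    }

    # The real test: can this account open the remote registry and see who is logged on?
    try {
        $users = @(Get-RemoteLoggedOnUsers -ComputerName $ws)
        if ($users.Count -eq 0) { Write-Host '  remote registry opened, but no domain user hive is loaded' }
        else { Write-Host "  logged-on user(s): $($users -join ', ')" }
    } catch {
        Write-Host "  remote registry FAILED: $($_.Exception.Message)"
    }
}

# Confirm the DC is producing the logon events the Agent watches for (672/673 on Windows 2003).
Write-Host "== $DomainController : latest Kerberos logon events =="
try {
    Get-EventLog -LogName Security -ComputerName $DomainController -InstanceId 672, 673 -Newest 5 |
        Format-Table TimeGenerated, InstanceId, Message -AutoSize -Wrap
} catch {
    Write-Host "  could not read the Security log: $($_.Exception.Message)"
}
```

A workstation that passes the TCP/445 test but fails at `Get-RemoteLoggedOnUsers` with an access-denied error points at the credentials or at Remote Registry being stopped rather than at a firewall; a timeout on 445 points at a firewall in the path or on the desktop, which is the same distinction Magnus draws for the manual regedit test.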