I added our IT group e-mail to the IronPort S160 to be alerted when product keys are about to expire. Our IronPort C160 e-mail filter does this, but the S160 did not.
We periodically get this email:
Subject: Critical <System> webfilter.domain.com: TUI-AD: All AD agents are down for realm Windows
The Critical message is:
TUI-AD: All AD agents are down for realm Windows
Product: Cisco IronPort S160 Web Security Appliance
Serial Number: (removed for public posting)
Timestamp: 24 Mar 2014 07:20:27 -0400
Any idea what this means? Everything is working normally. How can I stop this message?
Check Network/Authentication and see if you configured the AD Realm with Transparent User Identification. If you did and are not using CDA (Context Directory Agent), then remove just the TUI configuration and leave your AD configuration.
Yes, that is checked off. It is pointing to one of our servers that is running our certificate services and antivirus console. Would there be something installed on that server I should be looking for? Nothing Cisco or IronPort is listed in the start menu.
It should only be pointing to a Cisco CDA server. If you are not running Cisco CDA, then uncheck use TUI and the messages will stop. CDA is not a Windows program; it is a standalone VM server running a Linux kernel and our CDA processes.
Upon further investigation in services.msc on that server, I see a Cisco AD Agent. I did some digging on this service and it's located in C:\IBF.
First, why is it called IBF?
Second, what's in here is this:
The emails came in at these times
3/24 11:59 PM
3/24 7:20 AM
3/23 12:59 AM
3/23 12:06 AM
3/22 10:56 PM
3/22 1:20 AM
3/21 12:52 PM
3/20 10:51 PM
Ah, the often-forgotten AD Agent was the predecessor of the CDA. It is a command-line utility that collects login data and feeds it to ASA, and WSA can query it also. I suggest you check with whoever installed it and/or your partner. If necessary, contact Cisco TAC for assistance.
I guess maybe we are using this because I found in C:\IBF\adObserver I changed logconfig.cfg to log_verbose. I restarted the service, and that generated an email. But now I have a log called ADObserverLog, and in there I can see what looks like timestamps, Windows user names, and entityID, which is the IP address of the workstation that user is signed into (I know because I searched myself).
So maybe we would either add another one for high availability or just turn off email alerts and use Outlook calendar reminders to remember when to renew our keys.