NetSpective® Logon Agent

General Information

The NetSpective Logon Agent is a command-line utility that provides user name information to the NetSpective appliance in Microsoft networks. The user names can be subsequently combined into groups within the NetSpective appliance to create group-based filtering policies. The required networking environment for the deployment of the Logon Agent is a domain-based network in which domain client stations execute a set of predefined environment configuration scripts during user logon. This scenario is illustrated in Figure 1.

Figure 1: NetSpective Logon Agent Process

The deployment of the Logon Agent requires:

  1. copying the Logon Agent executable to the appropriate network logon shares, and
  2. the modification (or creation) of logon scripts to include a call to the Logon Agent executable.

Note: Although you may install this software on any Windows-based computer, you must copy the executable file to the Domain Controller (as explained below) and make the appropriate logon script modifications on that server.

Important: Before installing the NetSpective Logon Agent, verify that all target client systems are correctly filtered by the NetSpective Appliance using the Public Group policy. This ensures that your client systems can communicate with the NetSpective Appliance. Consult the Getting Started guide included with your Appliance and the NetSpective Online Help.

The Logon Agent sends packets over UDP to a corresponding processing application on the NetSpective appliance. Since NetSpective processes the information with minimal overhead, the network will not be burdened with the traffic generated by the application.

Syntax

The NetSpective Logon Agent is invoked as "wflogon webfilter_ip", where webfilter_ip is the IP address of the NetSpective appliance (required).

Installation Notes

Basic Logon Scripts in Windows NT 4.0 and Windows 2000 Domains

The NetSpective Logon Agent executable should be placed in specific shared folders on the domain controller. The application can then be called from a default logon script (.bat or .cmd) file. In the basic NT 4.0/Windows 2000 Net Logon service, the NETLOGON share on the domain controller contains the script files that configure the initial user environment. The physical default locations of the NETLOGON share on NT 4.0 and 2000 servers are as follows:

Server          NETLOGON default location
Windows NT      %SYSTEMROOT%\system32\Repl\Import\Scripts
Windows 2000    %SYSTEMROOT%\SYSVOL\sysvol\%USERDNSDOMAIN%\Scripts

Logon scripts placed in the NETLOGON share can be assigned to individual users by modifying the User Properties. Figure 2 illustrates the manual configuration on both Windows NT and Windows 2000 servers. On the User Manager for Domains in NT 4.0, the profile settings can be configured by clicking on the Profile button under the User Properties page.

Figure 2a: Manual Configuration of Logon Script (Windows NT 4.0)
Figure 2b: Manual Configuration of Logon Script (Windows 2000)

On Windows 2000 servers, user properties can be modified from the Profile tab on the properties page in the Active Directory Users and Computers snap-in. The logon script (or logon script name in Windows NT) field points to the name of the script file relative to the root of the NETLOGON share on the domain controller.

Editing the Script

If all users share the same logon script (or a master script is available), edit the script so that it contains the call to the Logon Agent as described in the previous section. For multiple logon scripts, edit all appropriate script files. Refer to the example at the end of this document.

Windows 2000 Active Directory Group Policy Objects

Active Directory allows the creation of specific Group Policies to handle various aspects of user profiles, including computer startup/shutdown and user logon/logoff scripting. This is an effective way to implement logon scripts that apply to all users on a particular domain without editing individual user property pages.

This discussion assumes that you are somewhat familiar with the configuration of Group Policy Objects (GPOs) in Active Directory. Launch the Active Directory Users and Computers MMC Snap-In on the domain controller and select Properties from the context menu for the domain. Then, click on the Group Policy tab.

Figure 3: Accessing Users/Computers Properties and Adding/Editing GPO

If there are no Group Policies defined except the Default Domain Policy, click New to define a new GPO (a new policy, renamed as DomainGPO, is used in the example in Figure 3). Use the Up/Down buttons so that the GPO is processed in the required order (in the example, DomainGPO is placed so that it is processed first). Select the GPO and click Edit (if there is an existing GPO defined, select it and click Edit).

On the Group Policy Snap-In, expand the Windows Settings folder under User Configuration (Figure 4). Select Scripts (Logon/Logoff) and double-click on Logon on the View.

Figure 4: Accessing User Logon Properties

On Logon Properties, you can specify the scripts that you want to run and the order of execution (Figure 5). If you have a written script, use Windows Explorer to copy it from its current location and then select the Show Files button to paste the script into the Logon script folder.

Figure 5: Logon Properties

The Logon script share folder is managed by Active Directory and contains all of the Logon scripts pertinent to the GPO in question. You will also place the Logon Agent executable in this folder. The default absolute path to this policy-based share is %SYSTEMROOT%\SYSVOL\sysvol\%USERDNSDOMAIN%\Policies\{GPO_Key}\User\Scripts\Logon, where GPO_Key is a key created and maintained by Active Directory during GPO setup. All displayed script names are relative to the root of the Logon share. Since the path is GPO-dependent, it is best to use the Show Files button and paste the selected script set and the Logon Agent executable into the folder.

Note: Active Directory relies on the Domain Name Service (DNS) to provide Group Policy access. This may require installing DNS on the domain controller and configuring the client systems so that they use the controller as their DNS server. Consult the appropriate documentation on Active Directory from Microsoft for more details. Active Directory Group Policies are not supported by the Active Directory Client Extensions for Windows 9x/Windows NT 4.0 Workstation.

Example - Basic Logon Script

Please refer to the following example of a short logon script, which includes the required call to the NetSpective Logon Agent (Figure 6). Note that some clients (e.g. Windows 9x) may require you to specify the full UNC path of scripts and executables in the NETLOGON share.

rem Sample net logon script
rem SMS calls for net boot, etc...
call \\PDC01\NETLOGON\smsls.bat
rem Add some basic network shares
net use H: \\Server1\UserFiles
net use K: \\Server2\Utilities
rem Sync time with server
net time \\PDC01 /set /y
rem add a call to NetSpective logon agent, located in this share
rem use full unc path for 9x clients
\\PDC01\NETLOGON\wflogon 10.0.30.1
Figure 6: Sample Logon Script
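
The following check is an added example, not part of the NetSpective documentation or software: it audits logon script text for an active call to wflogon, as required under Syntax and Editing the Script, so that scripts missing the call (or calling it without webfilter_ip) are caught before users log on unidentified. It assumes webfilter_ip is an IPv4 address as in Figure 6; audit_script and the sample scripts are constructed for illustration.

```python
import ipaddress
import re

# Command word is wflogon or wflogon.exe, optionally behind "call" and a path.
AGENT_RE = re.compile(
    r'^(?:call\s+)?"?(?P<path>(?:[^\s"]*[\\/])?wflogon(?:\.exe)?)"?'
    r'(?:\s+(?P<arg>\S+))?(?:\s.*)?$',
    re.IGNORECASE,
)

def audit_script(text):
    """Return findings for one logon script; an empty list means it passes."""
    findings, calls = [], 0
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip().lstrip("@").strip()
        low = line.lower()
        if not line or low == "rem" or low.startswith(("rem ", "::")):
            continue  # blank line or batch comment: not an active call
        m = AGENT_RE.match(line)
        if m is None:
            continue
        calls += 1
        try:
            # Assumption: webfilter_ip is a dotted-quad IPv4 address, as in Figure 6.
            ipaddress.IPv4Address(m.group("arg") or "")
        except ValueError:
            findings.append(f"line {lineno}: webfilter_ip missing or not an IPv4 address")
        # Some clients (e.g. Windows 9x) need the full UNC path to the executable.
        if not m.group("path").startswith("\\\\"):
            findings.append(f"line {lineno}: agent not called by full UNC path")
    if calls == 0:
        findings.append("no active call to wflogon found")
    return findings

# Constructed sample scripts (the first mirrors Figure 6).
SAMPLES = {
    "figure6.bat": r"""rem Sample net logon script
call \\PDC01\NETLOGON\smsls.bat
net use H: \\Server1\UserFiles
\\PDC01\NETLOGON\wflogon 10.0.30.1
""",
    "disabled.cmd": r"""@echo off
rem \\PDC01\NETLOGON\wflogon 10.0.30.1
""",
    "no_ip.bat": "@echo off\r\nwflogon\r\n",
}

if __name__ == "__main__":
    for name, body in SAMPLES.items():
        print(name, audit_script(body) or "OK")
```

To audit a real deployment, read each .bat and .cmd file from the NETLOGON share (or the GPO Logon folder) and pass its text to audit_script.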