the User-ID Agent
The following procedure shows how to install the User-ID agent on a member server in the domain and set up the service account with the required permissions. If you are upgrading, the installer automatically removes the older version; even so, back up the config.xml file before running the installer.
For information about the system requirements for installing the Windows-based User-ID agent and for information on supported server OS versions, refer to “Operating System (OS) Compatibility User-ID Agent” in the User-ID Agent Release Notes.
- Create a dedicated Active Directory service account for the User-ID agent to access the services and hosts it will monitor to collect user mappings.
- Add the service account to the Event Log Readers builtin group so that it can read Security log events.
- Run the MMC and launch the Active Directory Users and Computers snap-in.
- Navigate to the Builtin folder for the domain, right-click the Event Log Readers group and select Add to Group to open the properties dialog.
- Click Add and enter the name of the service account that you configured the User-ID service to use, then click Check Names to validate that you have the proper object name.
- Click OK twice to save the settings.
- Enable the service account to log on as a service.
- Select Group Policy Management > Default Domain Controllers Policy > Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > User Rights Assignment.
- Right-click Log on as a service, then select Properties.
- Add the service account user name or a builtin group that contains it (Administrators have this right by default). Log on as a service is a local user right evaluated on the host where the service starts, and the Default Domain Controllers Policy applies only to domain controllers; if the agent runs on a member server, grant the right there instead, either in Local Security Policy (secpol.msc) or through a GPO linked to that server's OU.
- Decide where to install the User-ID agent. The User-ID agent queries the Domain Controller and Exchange server logs using Microsoft Remote Procedure Calls (MSRPCs), which require a complete transfer of the entire log at each query. Therefore, always install one or more User-ID agents at each site that has servers to be monitored.
- You must install the User-ID agent on a system running one of the supported OS versions: see “Operating System (OS) Compatibility User-ID Agent” in the User-ID Agent Release Notes.
- Make sure the system that will host the User-ID agent is a member of the same domain as the servers it will monitor.
- As a best practice, install the User-ID agent close to the servers it will be monitoring (there is more traffic between the User-ID agent and the monitored servers than there is between the User-ID agent and the firewall, so locating the agent close to the monitored servers optimizes bandwidth usage).
- To ensure the most comprehensive mapping of users, you must monitor all domain controllers that process authentication for users you want to map. You might need to install multiple User-ID agents to efficiently monitor all of your resources.
- Download the User-ID agent installer. Install the User-ID agent version that is the same as the PAN-OS version running on the firewalls. If there is not a User-ID agent version that matches the PAN-OS version, install the latest version that is closest to the PAN-OS version. For example, if you are running PAN-OS 7.1 on your firewalls, install User-ID agent version 7.0.
- Log in to the Palo Alto Networks Customer Support web site.
- Select Software Updates from the Manage Devices section.
- Scroll to the User Identification Agent section of the screen and Download the version of the User-ID agent you want to install.
- Save the UaInstall-x.x.x-xx.msi file on the system(s) where you plan to install the agent.
- Run the installer as an administrator.
- Open the Windows Start menu, right-click the Command Prompt program, and select Run as administrator.
- From the command line, run the .msi file you downloaded. For example, if you saved the .msi file to the Desktop you would enter the following:
  C:\Users\administrator.acme>cd Desktop
  C:\Users\administrator.acme\Desktop>UaInstall-6.0.0-1.msi
- Follow the setup prompts to install the agent using the default settings. By default, the agent is installed to the C:\Program Files (x86)\Palo Alto Networks\User-ID Agent folder, but you can Browse to a different location.
- When the installation completes, Close the setup window.
- Launch the User-ID Agent application. Open the Windows Start menu and select User-ID Agent.
- (Optional) Change the service account that the User-ID agent uses to log in. By default, the agent uses the administrator account that was used to install the .msi file. Running the service as a dedicated, restricted account is the least-privilege choice; switch to it as follows:
- Select User Identification > Setup and click Edit.
- Select the Authentication tab and enter the service account name that you want the User-ID agent to use in the User name for Active Directory field.
- Enter the Password for the specified account.
- Commit the changes to the User-ID agent configuration to restart the service using the service account credentials.
- (Optional) Assign account permissions to the installation folder. You only need to perform this step if the service account you configured for the User-ID agent is neither a domain administrator nor a local administrator on the User-ID agent host.
- Give the service account permissions to the installation folder:
- From Windows Explorer, navigate to the Palo Alto Networks installation folder (C:\Program Files\Palo Alto Networks, or C:\Program Files (x86)\Palo Alto Networks if the agent was installed to the default location shown above), right-click the folder and select Properties.
- On the Security tab, click Edit, then Add the User-ID agent service account and assign it the Modify, Read & execute, List folder contents, Read, and Write permissions, then click OK to save the account settings.
- Give the service account permissions to the User-ID Agent registry sub-tree:
- Run regedit and navigate to the Palo Alto Networks sub-tree in one of the following locations:
- 32-bit systems: HKEY_LOCAL_MACHINE\Software\Palo Alto Networks
- 64-bit systems: HKEY_LOCAL_MACHINE\Software\WOW6432Node\Palo Alto Networks
- Right-click the Palo Alto Networks node and select Permissions.
- Assign the User-ID service account Full Control and then click OK to save the setting.
- On the domain controller, add the service account to the builtin groups that grant the rights it needs: Event Log Readers to read Security log events, and Server Operators to open sessions. Server Operators is a highly privileged builtin group on domain controllers (its members can log on to DCs and manage services and shares), so add the service account to it only if your monitoring configuration actually requires it, and protect the account's credentials accordingly:
- Run the MMC and launch the Active Directory Users and Computers snap-in.
- Navigate to the Builtin folder for the domain and then right-click each group you need to edit (Event Log Readers and Server Operators) and select Add to Group to open the properties dialog.
- Click Add and enter the name of the service account that you configured the User-ID service to use and then click Check Names to validate that you have the proper object name.
- Click OK twice to save the settings.
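The following PowerShell script is an added example, not Palo Alto Networks code or part of the original page. It performs the account, group membership, Log on as a service, folder ACL and registry ACL steps of this procedure in one pass and then checks the result by reading one Security event from each domain controller as the service account, which is the same remote Event Log access the agent depends on. The account name svc-userid, its OU, the acme.local domain and the domain controller names are assumptions; the install path and registry key are the 64-bit defaults quoted above. Run it once, as an administrator, on the host where the User-ID agent is installed, with the RSAT ActiveDirectory module available.

```powershell
#Requires -RunAsAdministrator
# Added example (not Palo Alto Networks code). Run on the User-ID agent host with
# the RSAT ActiveDirectory module installed. Every name below is an assumption
# standing in for your own environment.
Import-Module ActiveDirectory

$Account    = 'svc-userid'                                    # assumed service account
$AccountOU  = 'OU=Service Accounts,DC=acme,DC=local'          # assumed OU
$DomainDns  = 'acme.local'                                    # assumed domain
$DcHosts    = @('dc01.acme.local', 'dc02.acme.local')         # assumed DCs to be monitored
$InstallDir = 'C:\Program Files (x86)\Palo Alto Networks'     # default agent location
$RegKey     = 'HKLM:\SOFTWARE\WOW6432Node\Palo Alto Networks' # 64-bit host sub-tree
$GrantServerOperators = $false   # privileged group; enable only if the optional step applies

$Netbios = (Get-ADDomain).NetBIOSName
$Pw = Read-Host -AsSecureString "Password for $Account"

# 1. Dedicated service account. It is deliberately kept out of admin groups and
#    marked "sensitive, cannot be delegated" so a compromised server cannot
#    impersonate it onward.
if (-not (Get-ADUser -Filter "SamAccountName -eq '$Account'")) {
    New-ADUser -Name $Account -SamAccountName $Account -Path $AccountOU `
        -UserPrincipalName "$Account@$DomainDns" -AccountPassword $Pw -Enabled $true `
        -Description 'Palo Alto Networks User-ID agent service account'
}
Set-ADAccountControl -Identity $Account -AccountNotDelegated $true
$Sid = (Get-ADUser -Identity $Account).SID.Value

# 2. Builtin group memberships called for by the procedure.
Add-ADGroupMember -Identity 'Event Log Readers' -Members $Account
if ($GrantServerOperators) { Add-ADGroupMember -Identity 'Server Operators' -Members $Account }

# 3. "Log on as a service" is a local right on THIS host, so it is granted here
#    with secedit rather than through a policy that applies only to DCs.
$Inf = Join-Path $env:TEMP 'userid-rights.inf'
secedit /export /cfg $Inf /areas USER_RIGHTS | Out-Null
$Cfg = Get-Content $Inf
if ($Cfg -match '^SeServiceLogonRight') {
    if (-not ($Cfg -match [regex]::Escape("*$Sid"))) {
        $Cfg = $Cfg -replace '^(SeServiceLogonRight\s*=.*)$', "`$1,*$Sid"
    }
} else {
    $i = [Array]::IndexOf($Cfg, '[Privilege Rights]')
    $Cfg = $Cfg[0..$i] + "SeServiceLogonRight = *$Sid" + $Cfg[($i + 1)..($Cfg.Count - 1)]
}
Set-Content -Path $Inf -Value $Cfg -Encoding Unicode
secedit /configure /db (Join-Path $env:TEMP 'userid-rights.sdb') /cfg $Inf /areas USER_RIGHTS | Out-Null

# 4. Folder ACL. The Modify right already includes Read & execute, List folder
#    contents, Read and Write, so one inherited rule covers the five rights above.
$Acl  = Get-Acl -Path $InstallDir
$Rule = [System.Security.AccessControl.FileSystemAccessRule]::new(
    "$Netbios\$Account", 'Modify', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
$Acl.AddAccessRule($Rule)
Set-Acl -Path $InstallDir -AclObject $Acl

# 5. Registry sub-tree: Full Control, inherited by the agent's sub-keys.
$Acl  = Get-Acl -Path $RegKey
$Rule = [System.Security.AccessControl.RegistryAccessRule]::new(
    "$Netbios\$Account", 'FullControl', 'ContainerInherit', 'None', 'Allow')
$Acl.AddAccessRule($Rule)
Set-Acl -Path $RegKey -AclObject $Acl

# 6. Check: as the service account, read one Security event from each monitored
#    DC over the remote Event Log interface. A failure here is what the agent
#    would hit too (group membership not yet effective, or the Remote Event Log
#    Management firewall rules closed on the DC).
$Cred = [System.Management.Automation.PSCredential]::new("$Netbios\$Account", $Pw)
foreach ($Dc in $DcHosts) {
    try {
        $Ev = Get-WinEvent -ComputerName $Dc -Credential $Cred -LogName Security -MaxEvents 1 -ErrorAction Stop
        '{0}: OK, latest Security event {1} at {2}' -f $Dc, $Ev.Id, $Ev.TimeCreated
    } catch {
        '{0}: FAILED: {1}' -f $Dc, $_.Exception.Message
    }
}
```

Group membership is carried in the account's logon token, so the verification in step 6 only succeeds once a fresh logon picks up the Event Log Readers membership; the PSCredential logon in the script does that. If the check fails on every DC with an RPC error rather than an access-denied error, the Remote Event Log Management inbound rules are not enabled on the DCs, which would also block the agent.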