Install the Windows-Based User-ID Agent
The following procedure shows how to install the User-ID agent on a member server in the domain and set up the service account with the required permissions. If you are upgrading, the installer will automatically remove the older version, however, it is a good idea to back up the config.xml file before running the installer.
- Create a dedicated Active Directory service account for the User-ID agent to access the services and hosts it will monitor to collect user mappings.
- Enable the service account to log on as a service by configuring either local or group policy.
The permission to log on as a service is only needed locally on the Windows server that is the agent host. If you are using only one User-ID agent, you can grant the permissions locally on the agent host using the following instructions.
- To configure the group policy if you are installing Windows-based User-ID agents on multiple servers, selectfor the Windows server that is the agent host.Group Policy ManagementDefault Domain PolicyComputer ConfigurationPoliciesWindows SettingsSecurity SettingsLocal PoliciesUser Rights Assignment
- Right-clickLog on as a service, then selectProperties.
- Add the service account username or builtin group (Administrators have this privilege by default).
- To assign permissions locally, select.Control PanelAdministrative ToolsLocal Security Policy
- Select.Local PoliciesUser Rights AssignmentLog on as a service
- Add User or Group...to add the service account.
- Enter the service account name indomain\usernameformat in theEnter the object names to selectentry field and clickOK.
- If you want to use server monitoring to identify users, add the service account to the Event Log Reader builtin group to enable privileges for reading the security log events.
- On the domain controller or Exchange server that contains the logs you want the User-ID agent to read, or on the member server that receives events from Windows log forwarding, run the MMC and launch the Active Directory Users and Computers snap-in.
- Navigate to the Builtin folder for the domain, right-click theEvent Log Readergroup and selectAdd to Groupto open the properties dialog.
- ClickAddand enter the name of the service account that you configured the User-ID service to use and then clickCheck Namesto validate that you have the proper object name.
- ClickOKtwice to save the settings.
- Confirm that the builtin Event Log Reader group lists the service account as a member.
- Assign account permissions to the installation folder to allow the service account to access the agent’s installation folder to read the configuration and write logs.You only need to perform this step if the service account you configured for the User-ID agent is not either a domain administrator or a local administrator on the User-ID agent server host.
If you want to allow the service account to access the User-ID agent’s registry keys,AllowtheFull Controlpermission.
- From the Windows Explorer, navigate toC:\Program Files(x86)\Palo Alto Networksfor 32-bit systems, right-click the folder, and selectProperties.
- On theSecuritytab, clickEdit.
- Addthe User-ID agent service account and assign it permissions toModify,Read & execute,List folder contents,Read, andWrite, and then clickOKto save the account settings.
- Give the service account permissions to the User-ID Agent registry sub-tree:
- Runregedt32and navigate to the Palo Alto Networks sub-tree in one of the following locations:
- 32-bit systems—HKEY_LOCAL_MACHINE\Software\Palo Alto Networks
- 64-bit systems—HKEY_LOCAL_MACHINE\Software\WOW6432Node\Palo Alto Networks
- Right-click the Palo Alto Networks node and selectPermissions.
- Assign the User-ID service accountFull Controland then clickOKto save the setting.
- Decide where to install the User-ID agent.The User-ID agent queries the Domain Controller and Exchange server logs using Microsoft Remote Procedure Calls (MSRPCs). During the initial connection, the agent transfers the most recent 50,000 events from the log to map users. On each subsequent connection, the agent transfers events with a timestamp later than the last communication with the domain controller. Therefore, always install one or more User-ID agents at each site that has servers to be monitored.
- You must install the User-ID agent on a system running one of the supported OS versions: see “Operating System (OS) Compatibility User-ID Agent” in the Compatibility Matrix.
- Make sure the system that will host the User-ID agent is a member of the same domain as the servers it will monitor.
- As a best practice, install the User-ID agent close to the servers it will be monitoring (there is more traffic between the User-ID agent and the monitored servers than there is between the User-ID agent and the firewall, so locating the agent close to the monitored servers optimizes bandwidth usage).
- To ensure the most comprehensive mapping of users, you must monitor all domain controllers that process authentication for users you want to map. You might need to install multiple User-ID agents to efficiently monitor all of your resources.
- If you are using the User-ID agent for credential detection, you must install it on the read-only domain controller (RODC). As a best practice deploy a separate agent for this purpose. Do not use the User-ID agent installed on the RODC to map IP addresses to users. The User-ID agent installer for credential detection is named UaCredInstall64-x.x.x.msi.
- Download the User-ID agent installer.Install the User-ID agent version that is the same as the PAN-OS version running on the firewalls. If there is not a User-ID agent version that matches the PAN-OS version, install the latest version that is closest to the PAN-OS version.
- Log in to the Palo Alto Networks Customer Support Portal.
- Select.UpdatesSoftware Updates
- SetFilter BytoUser Identification Agentand select the version of the User-ID agent you want to install from the corresponding Download column. For example, to download the 8.0.9 version of the User-ID agent, selectUaInstall-8.0.9.msi.If you are using the User-ID agent for credential detection, make sure you download theUaCredInstall64-x.x.x.msifile instead of the regular User-ID installation file, which is namedUaInstall-x.x.x.msi.
- Save theUaCredInstall64-x.x.x-xx.msiorUaInstall-x.x.x-xx.msifile (be sure to select the appropriate version based on whether the Windows system is running a 32-bit OS or a 64-bit OS) on the systems where you plan to install the agent.
- Run the installer as an administrator.
- Open the WindowsStartmenu, right-click theCommand Promptprogram, and selectRun as administrator.
- From the command line, run the .msi file you downloaded. For example, if you saved the .msi file to the Desktop, enter the following:C:\Users\administrator.acme>cd DesktopC:\Users\administrator.acme\Desktop>UaInstall-8.0.9.msi
- Follow the setup prompts to install the agent using the default settings. By default, the agent gets installed toC:\Program Files(x86)\Palo Alto Networksfor 32-bit systems orC:\Program Files\Palo Alto Networksfor 64-bit systems, but you canBrowseto a different location.
- When the installation completes,Closethe setup window.
- Launch the User-ID Agent application as an administrator.Open the WindowsStartmenu, right-click theUser-ID Agentprogram, and selectRun as administrator.You must run the User-ID Agent application as an administrator to install the application, commit configuration changes, or uninstall the application.
- (Optional) Change the service account that the User-ID agent uses to log in.By default, the agent uses the administrator account used to install the .msi file. To change the account to a restricted account:
- Selectand clickUser IdentificationSetupEdit.
- Select theAuthenticationtab and enter the service account name that you want the User-ID agent to use in theUser name for Active Directoryfield.
- Enter thePasswordfor the specified account.
- Committhe changes to the User-ID agent configuration to restart the service using the service account credentials.
- (Optional) Assign your own certificates for mutual authentication between the Windows User-ID agent and the firewall.
- Obtain your certificate for the Windows User-ID agent using one of the following methods. Upload the server certificate in Privacy Enhanced Mail (PEM) format and the server certificate’s encrypted key.
- Add a server certificate to Windows User-ID agent.
- On the Windows User-ID agent, selectServer Certificateand clickAdd.
- Enter the path and name of the certificate file received from the CA or browse to the certificate file.
- Enter the private key passphrase.
- ClickOKand thenCommit.
- Upload a certificate to the firewall to validate the Windows User-ID agent’s identity.
- Configure the certificate profile for the client device (firewall or Panorama).
- Select.DeviceCertificate ManagementCertificate Profile
- You can only assign one certificate profile for Windows User-ID agents and Terminal Services (TS) agents. Therefore, your certificate profile must include all certificate authorities that issued certificates uploaded to connected User-ID and TS agents.
- Assign the certificate profile on the firewall.
- Selectand click the edit button.DeviceUser IdentificationConnection Security
- Select theUser-ID Certificate Profileyou configured in the previous step.
- Commityour changes.
- To use the Windows-based User-ID agent to detect credential submissions and Prevent Credential Phishing, you must install the User-ID credential service on the Windows-based User-ID agent. You can only install this add-on on a read-only domain controller (RODC).
Recommended For You
Recommended videos not found.