Scribd Logo
Carica

Benvenuto in Scribd!

  • User-ID-Agent - Setup-4 1 PDF

    Caricato da

    brabusbl
    121 visualizzazioni11 pagine
    This document outlines the steps to install the 4.1.x version of the User Identification agent. The agent will be configured to use the service account "agent_user", which is not an administrative account. The account to be used must be provisioned.

    Descrizione originale:

    Titolo originale

    User-ID-Agent_Setup-4 1.pdf

    Copyright

    © © All Rights Reserved

    Formati disponibili

    PDF, TXT o leggi online da Scribd

    Hai trovato utile questo documento?

    Questo contenuto è inappropriato?

    Segnala questo documento
    This document outlines the steps to install the 4.1.x version of the User Identification agent. The agent will be configured to use the service account "agent_user", which is not an administrative account. The account to be used must be provisioned.

    Copyright:

    © All Rights Reserved
    Scarica in formato PDF, TXT o leggi online su Scribd
    Segnala contenuti inappropriati
    121 visualizzazioni11 pagine

    User-ID-Agent - Setup-4 1 PDF

    Caricato da

    brabusbl
    This document outlines the steps to install the 4.1.x version of the User Identification agent. The agent will be configured to use the service account "agent_user", which is not an administrative account. The account to be used must be provisioned.

    Copyright:

    © All Rights Reserved
    Scarica in formato PDF, TXT o leggi online su Scribd
    Segnala contenuti inappropriati
    di 11

    User-ID Agent Initial Installation and Setup

    Tech Note
    PAN-OS 4.1

    Revision A

    2011, Palo Alto Networks, Inc. www.paloaltonetworks.com

    Contents
    Overview ......................................................................................................................... 3
    Installation ...................................................................................................................... 3
    Provisioning the Agent Account ...................................................................................... 5
    Revision History ............................................................................................................ 11

    2011 Palo Alto Networks

    Page 2

    Overview
    This document will outline the steps to install the 4.1.x version of the Palo Alto Networks User
    Identification (User-ID) Agent on a member server in a domain. It assumes that no prior version of the User
    Identification agent has been installed.

    Installation
    This example will describe the steps needed to install the User-ID Agent on a Windows 2008 member server
    that is part of the domain corp.local. The agent will be configured to use the service account
    agent_user, which is not an administrative account on the member server or in the domain.
    1.

    Download the installation .msi file from support.paloaltonetworks.com.

    2. On the member server, launch a command prompt as an administrator. This is done by right
    clicking on the command prompt icon on the Start menu and choosing the Run as administrator
    option.

    2011 Palo Alto Networks

    Page 3

    3. In the command prompt, navigate to the installation .msi file and run it.

    4. Install the agent with the default settings. When the installation has finished, run the Agent GUI by
    selecting it from the Windows Programs menu.

    5. By default, the agent will be configured to log in as the user who installed the .msi file. In the screen
    shot that follows, you will see that the administrator account that installed the agent is now the
    agent service account. Use the Edit button on the configuration window to change the service
    account to a restricted user account if desired.
    Before

    2011 Palo Alto Networks

    Page 4

    After

    Provisioning the Agent Account


    Once the agent service is installed, the account to be used must be provisioned. These steps include adding
    the agent to Active Directory Groups, setting file permissions, setting local security policy on the agent
    server and setting registry permissions. If the agent account is a member of the administrators group in the
    domain, then all of these steps except the first step are no longer required.
    1.

    Allow the Agent account to log on the member server as a service. On the member server open the
    Local Security Policy mmc.

    Under the Local Policies > User Rights Assignments add the service account to the Log in as a

    2011 Palo Alto Networks

    Page 5

    Service option.

    2. Refresh Group Policy on the server. In a command prompt, run the gpupdate command. If this
    step is skipped then it may take up to 30 minutes for the change made in step 1 to take effect.

    3. Assign the account permissions to the installation directory on the server. By default, the account
    used to install the service has full access to the installation path. Using Windows Explorer, select the
    Palo Alto Networks folder in Program Files and open its properties. On the security tab, edit
    the existing rights assignments and add the service account with Modify privileges.

    2011 Palo Alto Networks

    Page 6

    Before

    After

    2011 Palo Alto Networks

    Page 7

    4. Assign the service account rights to the User-ID Agent registry sub-tree. In the Run box type
    regedt32 to launch the registry editing tool. Navigate to the
    Computer\HKEY_LOCAL_MACHINE\Software\Palo Alto Networks sub-tree. On 64 bit
    systems the key is located at
    Computer\HKEY_LOCAL_MACHINE\Software\WOW6432Node\Palo Alto Networks

    2011 Palo Alto Networks

    Page 8

    Right click on the Palo Alto Networks node and choose the permissions option. Assign the service
    account the Full Control permission for this sub tree.

    2011 Palo Alto Networks

    Page 9

    5. Add the service account user to the Event Log Reader and Server Operator built in local
    security groups in the domain.

    That concludes the steps needed to install, enable, and grant the necessary permissions for the User-ID
    Agent.

    2011 Palo Alto Networks

    Page 10

    Revision History
    Date
    October 8, 2012

    2011 Palo Alto Networks

    Revision
    A

    Comment
    Fixed a page break issue at page 7 that was causing
    readers to miss the registry path in step 4. Not changing
    the rev number since this was just a cosmetic change.

    Page 11

    Potrebbero piacerti anche