Configuring Windows Hosts
Once an API profile endpoint is created, windows hosts need to be configured to use this API key. This is done by downloading an “agent” which runs as a Windows Service and intercepts outbound DNS requests, filtering them appropriately.
To seamlessly configure Windows hosts to use the API key for your profile, follow this straightforward procedure:
-
Download the Agent:
-
Head to the "Agent Downloads" tab in the UI.
-
Download the installer provided.
-
-
Installation:
-
Double-click on the downloaded executable file and go through the installation process.
-
-
Enable DNS Proxy Agent Service:
-
During installation, ensure to enable the option to "install CyberSift DNS Proxy Agent Service" unless instructed otherwise by CyberSift support.
-
-
Configuration File:
-
Open the configuration file located at C:\Program Files (x86)\CyberSift DNS Proxy\config.json using a text editor.
-
Copy and paste the JSON code generated via the UI during the profile setup. The code typically resembles the one provided in the UI.
-
-
Service Configuration:
-
Verify that the CyberSift DNS Proxy service is set to "Automatic" and is currently running. This step is a one-time configuration.
-
-
Completion:
-
With these steps completed, your Windows host is now configured to utilize the specified API key for DNS requests.
-
By following this procedure, you ensure that the CyberSift DNS Proxy Agent Service is seamlessly integrated into your Windows environment, allowing for effective filtering of outbound DNS requests. If you have any questions or require further assistance, feel free to reach out to our support team. You're all set! 🌐🔒
Why use an agent?
The accompanying diagram provides a succinct overview of the use case scenarios.
When to Use the Agent:
-
Divergent Filtering Policies for Shared IPs:
-
The agent becomes indispensable when different filtering policies are required for hosts sharing the same IP. This situation arises, for example, when all users share a common IP (e.g., office or HQ public IP), but distinct profiles are desired for specific groups (e.g., HR and Marketing allowed access to Social Media while others are restricted).
-
-
Home-Based User Privacy:
-
For remote workers, especially when multiple individuals share the same home network, the agent ensures that filtering policies are personalized, addressing the need for user privacy within a shared environment.
-
-
Dynamic User Roaming:
-
In scenarios where users frequently change locations, and consistent filtering is essential regardless of the public IP they use, the agent proves invaluable.
-
Do I Have to Install Another Agent?
It's a valid concern not to want to manage additional agents. In essence, the use of an agent is not mandatory, especially if your users are utilizing DNS over HTTPS (DoH). However, for users within an on-prem Active Directory domain, an agent is essential due to Microsoft AD architecture, which heavily relies on internal DNS records. Microsoft does not currently support DNS over HTTPS in domain environments, making the DNS Agent necessary. This is particularly relevant for sysadmins working with on-prem Active Directory setups.
In summary, while using an agent may seem like Yet Another Agent™️ to administer, its deployment brings crucial benefits, especially in scenarios outlined above. For Active Directory sysadmins, the agent is a pivotal component for ensuring seamless DNS functionality within the Microsoft AD environment. If you have further questions or require detailed guidance, feel free to refer to our support resources. You're now equipped to make informed decisions regarding the use of the CS-DNS agent. 🌐🛡️
