Introduction
The Virtual Appliance caches AD users and computer names against their unique source IP addresses. To get the most consistent experience, the following settings can be tuned to best suit your environment.
These changes require version 2.4.6+ of the Virtual Appliance.
AD Cache TTL
This setting determines how long (in seconds) to keep an AD user/computer mapped to an IP address when there is no DNS traffic being generated from that IP address. The default is 43200 seconds (12 hours).
By default, an AD user will be cached until one of the following happens:
- A new user logs on to an IP address. New user logons override old users.
- There has been no traffic from the source IP for the specified period of time. This indicates that the IP address has likely been re-assigned to another computer by the DHCP server.
For the best experience, we recommend tuning the AD Cache TTL (the cache expiry) to match your DHCP lease time. This means that the Virtual Appliance will always expire the user mapping before the DHCP server can re-assign the IP address.
- Access the Virtual Appliance restricted shell feature by pressing CTRL+B on its console
- To view the current settings run: config admap show-timeout
- To create a new timeout, run: config admap set-user-timeout <time>
- Repeat these steps on each Virtual Appliance
Warning:
This setting should be changed with caution. Setting a short cache time will lead to inconsistent results. This option should generally be the same as your DHCP lease time.
AD Host GUID Timeout
This setting determines how long to retain knowledge of an AD computer when a new AD user logs on to an IP address. The default is 0 seconds; AD computers are immediately cleared when new users log on. The default behaviour is desirable in environments where users are NOT sharing workstations. A new user usually indicates that the IP address has been re-assigned and the cached computer name is incorrect. Computer information will be re-populated when there is another AD Computer logon event.
This setting should be tweaked in the following scenarios:
- When users are frequently sharing computers, and you need to make policies based on AD Computer Name.
- When you are using a Terminal Server and you need to create a policy based on its AD Computer Name.
In these scenarios the setting can be given a value (in seconds) so that the AD computer is retained for longer. We recommend 600 seconds:
- Access the Virtual Appliance restricted shell feature by pressing CTRL+B on its console
- To view the current settings run: config admap show-timeout
- To create a new timeout, run: config admap set-host-timeout <time>
- Repeat these steps on each Virtual Appliance
Warning:
This setting should be changed with caution and should be left as default in most scenarios. Please contact Umbrella support for further information.
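The following is an added example, not code from the Virtual Appliance or from Umbrella: a small Python model of the AD-to-IP cache as the two sections above describe it, so that the effect of both timeouts can be seen before changing them on an appliance. The class, method and scenario names (AdMapCache, user_logon, expiry_scenario, and so on), the IP addresses, user and computer names, and the assumption that logon events also count as activity for the TTL are all constructed for the example; the default values (43200 and 0 seconds) and the recommended 600 seconds come from the page.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed model of the Virtual Appliance AD cache described above.
# Timeouts are in seconds, like `config admap set-user-timeout` and
# `config admap set-host-timeout`.


@dataclass
class Entry:
    user: Optional[str] = None
    host: Optional[str] = None
    last_traffic: float = 0.0                 # last DNS traffic (or logon) seen from this IP
    host_cleared_at: Optional[float] = None   # when a user logon scheduled removal of the host


class AdMapCache:
    def __init__(self, user_timeout: int = 43200, host_timeout: int = 0):
        self.user_timeout = user_timeout      # AD Cache TTL, default 12 hours
        self.host_timeout = host_timeout      # AD Host GUID Timeout, default 0
        self.entries: dict[str, Entry] = {}

    def _get(self, ip: str, now: float) -> Entry:
        """Return the entry for an IP, applying both expiry rules first."""
        e = self.entries.get(ip)
        if e is not None and now - e.last_traffic > self.user_timeout:
            del self.entries[ip]              # no traffic for the TTL: IP likely re-assigned by DHCP
            e = None
        if e is None:
            e = Entry(last_traffic=now)
            self.entries[ip] = e
        if e.host_cleared_at is not None and now >= e.host_cleared_at:
            e.host = None                     # host GUID timeout elapsed after a user logon
            e.host_cleared_at = None
        return e

    def user_logon(self, ip: str, user: str, now: float) -> None:
        e = self._get(ip, now)
        e.user = user                         # a new user logon overrides the old user
        e.last_traffic = now                  # assumption: a logon counts as activity
        if self.host_timeout == 0:
            e.host = None                     # default: the computer is cleared immediately
            e.host_cleared_at = None
        elif e.host is not None:
            e.host_cleared_at = now + self.host_timeout   # keep the computer a while longer

    def host_logon(self, ip: str, host: str, now: float) -> None:
        e = self._get(ip, now)
        e.host = host                         # computer info re-populates on a computer logon
        e.host_cleared_at = None
        e.last_traffic = now

    def dns_traffic(self, ip: str, now: float) -> None:
        self._get(ip, now).last_traffic = now

    def lookup(self, ip: str, now: float) -> tuple[Optional[str], Optional[str]]:
        """What the appliance would attribute traffic from `ip` to at time `now`."""
        if ip not in self.entries:
            return (None, None)
        e = self._get(ip, now)
        return (e.user, e.host)


def expiry_scenario(user_timeout: int, dhcp_lease: int = 3600) -> Optional[str]:
    """User attributed to traffic from an IP that DHCP re-assigned after the lease ran out."""
    cache = AdMapCache(user_timeout=user_timeout)
    cache.user_logon("10.0.0.5", "alice", now=0)
    # The lease expires and the address goes to a device that never logs on to AD.
    t = dhcp_lease + 1
    cache.dns_traffic("10.0.0.5", now=t)
    return cache.lookup("10.0.0.5", now=t)[0]


def shared_workstation_scenario(host_timeout: int, check_after: int):
    """(user, host) seen `check_after` seconds after a user logs on to a known computer."""
    cache = AdMapCache(host_timeout=host_timeout)
    cache.host_logon("10.0.0.9", "WS-01", now=0)      # computer logon at boot
    cache.user_logon("10.0.0.9", "alice", now=10)     # user logs on to that computer
    return cache.lookup("10.0.0.9", now=10 + check_after)


if __name__ == "__main__":
    print("TTL = lease  :", expiry_scenario(user_timeout=3600))    # None: stale user expired
    print("TTL = default:", expiry_scenario(user_timeout=43200))   # alice: misattributed
    print("host timeout 0  :", shared_workstation_scenario(0, 5))
    print("host timeout 600:", shared_workstation_scenario(600, 5))
    print("after 600s      :", shared_workstation_scenario(600, 700))
```

The first scenario shows why the page ties the TTL to the DHCP lease: with a TTL longer than the lease, DNS traffic from a device that inherited the address is still attributed to the previous user. The second shows the host GUID timeout: at the default of 0 the computer name is dropped as soon as a user logs on, while at 600 seconds it survives for the next ten minutes and is then cleared until the next computer logon event.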