Tuning the NTLM Authentication TTL (Time-to-live) setting on the Symantec Web Gateway.

Article ID: 156228

Products

Web Gateway

Issue/Introduction

You wish to understand and optimize the NTLM TTL (Time-to-live) setting for Authentication operations on the Symantec Web Gateway.

Resolution

Recommended settings:

  1. For most networks, the default setting of 15 minutes is appropriate. It should nevertheless be increased if the SWG is very busy and has to process a very large number of authentication requests.
  2. For networks where users never share systems, the TTL can be set as high as 480 minutes (8 hours). In this way, after their initial log in, they will use cached credentials for their working day.
  3. For networks containing a high number of kiosk-type systems where users change regularly, a TTL of 2-3 minutes is recommended to ensure that the session information is constantly updated.
  4. For networks that contain a mixture of these types of systems, the traffic can be segregated and passed through different proxies, or an optimum intermediate setting can be decided.

Note that setting the TTL to "0" is not recommended except for testing purposes, as it risks overloading the SWG authentication sub-system with request traffic.

Applies To

The TTL setting (Configuration > Authentication > NTLM > TTL) controls the frequency of authentication requests being sent to the Active Directory controller. The default setting is 15 minutes, but the correct level depends on the type of system that is using the Web Gateway.

A setting of "0" will send every single authentication request to Active Directory. As each browsing session can generate multiple requests for each site and each component of a site, this can result in a very large number of requests. This can potentially degrade the performance of both the Web Gateway itself and the Active Directory server.

Any other setting will cache the initial authentication session for the period of time specified (assuming that the session was allowed by the domain controller), thus increasing processing speed and reducing overhead significantly. Note that this means the initial user's details will be displayed until the TTL expires, even if another user logs on to the same system.

If for some reason the initial authentication request was refused by the DC, a new request will be sent each time the user refreshes the page.
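To make the three behaviours above concrete (TTL 0 sends every request to the DC, an allowed session is cached per system until the TTL expires even if another user takes over that system, and a refusal is never cached), here is an added Python model written for this article. It is not Symantec code; the cache structure, the `dc_allows` callback standing in for the Active Directory decision, and the sample user and system names are all assumptions.

```python
from dataclasses import dataclass, field

# Constructed model of the SWG NTLM TTL cache (assumption, not Symantec code):
# keyed by client system, holds only *allowed* sessions, expires after ttl_min.
@dataclass
class NtlmTtlCache:
    ttl_min: int                      # Configuration > Authentication > NTLM > TTL
    dc_requests: int = 0              # lookups that actually reached the domain controller
    _cache: dict = field(default_factory=dict)   # system -> (user, expiry_minute)

    def authenticate(self, system, user, now_min, dc_allows):
        """Return the user name the gateway attributes this request to.

        dc_allows(user) stands in for the Active Directory decision (assumption)."""
        entry = self._cache.get(system)
        if self.ttl_min > 0 and entry and now_min < entry[1]:
            return entry[0]           # served from cache: no DC round trip, identity may be stale
        self.dc_requests += 1
        if not dc_allows(user):
            self._cache.pop(system, None)   # refusals are never cached: next refresh asks the DC again
            return None
        if self.ttl_min > 0:
            self._cache[system] = (user, now_min + self.ttl_min)
        return user

def browse(cache, system, user, start_min, requests, allow):
    """One browsing burst: `requests` page-component fetches within the same minute."""
    return [cache.authenticate(system, user, start_min, allow) for _ in range(requests)]

def compare_dc_load(requests_per_session=40):
    """DC round trips for one allowed session at TTL 0 versus the 15-minute default."""
    always = lambda u: True
    zero, default = NtlmTtlCache(0), NtlmTtlCache(15)
    browse(zero, "pc1", "alice", 0, requests_per_session, always)
    browse(default, "pc1", "alice", 0, requests_per_session, always)
    return zero.dc_requests, default.dc_requests

def kiosk_handover(ttl_min, handover_min):
    """Who the gateway attributes bob's first request to after he takes over alice's kiosk."""
    cache = NtlmTtlCache(ttl_min)
    cache.authenticate("kiosk", "alice", 0, lambda u: True)
    return cache.authenticate("kiosk", "bob", handover_min, lambda u: True)

def refused_then_refresh(refreshes=3):
    """A refused user refreshing the page: every refresh goes back to the DC."""
    cache = NtlmTtlCache(15)
    browse(cache, "pc2", "mallory", 0, refreshes, lambda u: u != "mallory")
    return cache.dc_requests
```

With the 15-minute default, bob's traffic on the shared kiosk is logged as alice's for up to 15 minutes, which is the trade-off the kiosk recommendation of 2-3 minutes is addressing.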