VPM policy with numerous IWA Direct groups takes a long time to install

Article ID: 169021

Products

Management Center
Advanced Secure Gateway Software - ASG
ProxySG Software - SGOS

Issue/Introduction

Installing Visual Policy Manager (VPM) policy takes a long time, whether it is installed from the ProxySG / Advanced Secure Gateway (ASG) appliance or from Symantec Management Center (SMC).

Cause

Because the policy engine typically must connect to the domain controller (DC) to perform group verification during policy installation, the presence of numerous groups in policy causes installation to take longer depending on network latency between the ProxySG/ASG appliance and the DC.

Resolution

Workaround

Enable group caching so that the appliance does not have to check with the DC each time you install policy.

Connect to the appliance via SSH or serial console and issue the CLI commands as follows:

>en
#conf t
#(config)security windows-domains
#(config windows-domains)group-cache enable
  ok


Note: The group-cache command is disabled by default on versions prior to 6.5.9.2. Upgrading SGOS from a previous version to 6.5.9.2 with an IWA Direct realm joined to a domain does NOT enable group-cache by default.

To disable group caching, enter the following commands:

>en
#conf t
#(config)security windows-domains
#(config windows-domains)group-cache disable
  ok