VPM policy with numerous IWA Direct groups takes a long time to install


Article ID: 169021


Management Center, Advanced Secure Gateway Software - ASG, ProxySG Software - SGOS


Installing Visual Policy Manager (VPM) policy takes a long time, whether it is installed from ProxySG / Advanced Secure Gateway (ASG) or from Symantec Management Center (SMC).


During policy installation, the policy engine typically must connect to the domain controller (DC) to verify each group. When policy contains numerous groups, installation therefore takes longer, depending on the network latency between the ProxySG/ASG appliance and the DC.



Enable group caching so that the appliance does not have to check with the DC each time you install policy.

Connect to the appliance via SSH or serial console and issue the CLI commands as follows:

#conf t
#(config)security windows-domains
#(config windows-domains)group-cache enable

Note: The group-cache command is disabled by default on versions prior to Upgrading SGOS from a previous version to to with an IWA-direct realm joined to a domain does NOT enable group-cache by default.

To disable group caching, enter the following commands:

#conf t
#(config)security windows-domains
#(config windows-domains)group-cache disable