Auth Connector and domain controller connections

Article ID: 165557

Products

Web Security Service - WSS

Issue/Introduction

  • Why does the Symantec Web Security Service (WSS) Auth Connector (BCCA) have a connection to all my domain controllers in my Active Directory (AD) forest?
  • How do I limit the scope of the Auth Connector connections to my domain controllers?
  • Does the Auth Connector need to connect to my domain controllers if I only use Unified Agent?

Resolution

The WSS Auth Connector has three main components:

  1. Active Directory component
    1. Obtain users and groups from Active Directory (AD)
    2. Identify login and logout events
  2. Portal
    1. Send AD users and groups into your portal to be used in policy creation
  3. IPsec
    1. If IPsec is used, a connection is made to the data pod where your tunnel terminates. This IPsec tunnel is used to map IP addresses to users for use in policy execution and reporting.

Q1: Why does the WSS Auth Connector (BCCA) have a connection to all my domain controllers in my AD forest?
A1: The Auth Connector service must connect to each domain controller to get all the login and logout events that occurred on that domain controller. By default, Auth Connector polls each domain controller every 15 seconds or so. This polling is done so a timely accounting can be made of user login and logout events. As a result, you may see the server that runs the Auth Connector connected to all of your domain controllers. This behavior is expected and normal.

Q2: How do I limit the scope of the Auth Connector's connections to my domain controllers?
A2: In the SSO.INI file (found in the C:\Program Files\Blue Coat Systems\BCCA\ directory) you can limit which domain controllers BCCA contacts. This change is made in the [DCQDomainControllers] section. By default, BCCA contacts all domain controllers. To limit contact to specific domain controllers, list those domain controllers in this section.

IMPORTANT NOTE: If a user logs in to the domain through a domain controller that is not in the list, the login event is not picked up by the Auth Connector's periodic polling. As a result, the user shows up as an "unauthenticated user" and policy specific to that user is not applied. If you make this change and then start to see unauthenticated users and policy issues, back out the change and restart the Auth Connector (BCCA).

Q3: Does the Auth Connector need to connect to my domain controllers if I only use Unified Agent?
A3: No. If you only use the Unified Agent access method and not IPsec, you can turn off the domain controller polling described in A1.

  1. Stop the Auth Connector service.
  2. Go to C:\Program Files\Blue Coat Systems\BCCA\ and edit the SSO.INI file.
  3. Change DCQEnabled=1 to DCQEnabled=0.
  4. Restart the Auth Connector service.

NOTE: If you use IPsec in addition to the client connector, then Symantec recommends that you do not change the DCQEnabled setting.
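The following is an added example covering both A2 and A3; it is not Symantec's or the Auth Connector's own code. It reads SSO.INI to report whether polling is on and which domain controllers are listed under [DCQDomainControllers], and rewrites only the DCQEnabled line so the rest of the file is left untouched. The file path, section name and key name come from this article; the sample file contents, the assumption that bare hostnames are listed one per line under [DCQDomainControllers], the section that holds DCQEnabled (the script searches every section rather than assuming one) and the UTF-8 encoding are assumptions. Stop the Auth Connector service before writing the file and restart it afterwards, as the steps above require.

```python
"""Inspect and toggle Auth Connector domain-controller polling in SSO.INI."""
import configparser
import re
import shutil
from pathlib import Path

# Path, section and key names are taken from the article.
SSO_INI_PATH = Path(r"C:\Program Files\Blue Coat Systems\BCCA\SSO.INI")
DC_SECTION = "DCQDomainControllers"
POLL_KEY = "DCQEnabled"

# Constructed sample, not a real SSO.INI. The [DCQ] section name and the
# one-hostname-per-line layout under [DCQDomainControllers] are assumptions.
SAMPLE_SSO_INI = """\
; constructed sample for demonstration only
[DCQ]
DCQEnabled=1

[DCQDomainControllers]
dc01.corp.example
dc02.corp.example
"""


def parse_sso_ini(text: str) -> configparser.ConfigParser:
    """Parse SSO.INI text. Bare hostnames are accepted as keys without a
    value, and key case is preserved so DCQEnabled is not lower-cased."""
    cfg = configparser.ConfigParser(allow_no_value=True, interpolation=None)
    cfg.optionxform = str
    cfg.read_string(text)
    return cfg


def polling_enabled(cfg: configparser.ConfigParser) -> bool:
    """True unless some section sets DCQEnabled to a value other than 1.
    The article does not name the section, so every section is searched."""
    for section in cfg.sections():
        if cfg.has_option(section, POLL_KEY):
            value = cfg.get(section, POLL_KEY) or "1"
            return value.strip() == "1"
    return True  # article: polling is on by default


def listed_domain_controllers(cfg: configparser.ConfigParser) -> list:
    """Domain controllers explicitly listed; an empty list means BCCA
    contacts every domain controller in the forest (the default)."""
    if not cfg.has_section(DC_SECTION):
        return []
    return [key.strip() for key, _ in cfg.items(DC_SECTION) if key.strip()]


def set_polling(text: str, enabled: bool) -> str:
    """Return the INI text with DCQEnabled set to 1 or 0, editing only that
    line so comments and other settings stay byte-for-byte intact."""
    new_value = "1" if enabled else "0"
    # [ \t]* rather than \s* so the pattern never swallows a newline.
    pattern = re.compile(
        rf"^([ \t]*{POLL_KEY}[ \t]*=[ \t]*)[01][ \t]*$",
        re.IGNORECASE | re.MULTILINE,
    )
    if not pattern.search(text):
        raise ValueError(f"{POLL_KEY} not found; refusing to guess where to add it")
    return pattern.sub(rf"\g<1>{new_value}", text)


def disable_polling_on_disk(path: Path = SSO_INI_PATH) -> Path:
    """Back up SSO.INI beside itself, then write DCQEnabled=0.
    Run with the Auth Connector service stopped. Returns the backup path."""
    backup = path.with_suffix(path.suffix + ".bak")
    shutil.copy2(path, backup)
    original = path.read_text(encoding="utf-8")  # encoding is an assumption
    path.write_text(set_polling(original, False), encoding="utf-8")
    return backup


if __name__ == "__main__":
    cfg = parse_sso_ini(SAMPLE_SSO_INI)
    print("polling enabled:", polling_enabled(cfg))
    print("listed DCs:", listed_domain_controllers(cfg) or "all (default)")
    print(set_polling(SAMPLE_SSO_INI, enabled=False))
```

configparser is used only for reading; the write path is a single-line regular-expression edit, because configparser would drop comments and could change spacing around "=" when writing the file back, and the article does not say how tolerant BCCA is of such changes.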