Q1: Why does the WSS Auth Connector (BCCA) have a connection to all my domain controllers in my AD forest?
A1: The Auth Connector service must connect to each domain controller to get all the login and logout events that occurred on that domain controller. By default, Auth Connector polls each domain controller every 15 seconds or so. This polling is done so a timely accounting can be made of user login and logout events. As a result, you may see the server that runs the Auth Connector connected to all of your domain controllers. This behavior is expected and normal.
Q2: How do I limit the scope of the Auth Connector's connections to my domain controllers?
A2: In the SSO.INI file (found in the C:\Program Files\Blue Coat Systems\BCCA\ directory) you can limit which domain controllers BCCA contacts. This change is done in the [DCQDomainControllers] section. By default, BCCA contacts all domain controllers. To limit contact to specific domain controllers, then add the specific domain controllers here.
IMPORTANT NOTE: If the user logs in to the domain using a domain controller not in the list, then the login event is not picked up by the Auth Connector's periodic polling. This event results in the user showing up as an "unauthenticated user" and specific policy for that user being missed. If you make this change and you start to have issues with unauthenticated users and policy issues, then you should back out this change and restart the Auth Connector (BCCA).
Q3: Does the Auth Connector need to connect to my domain controllers if I only use Unified Agent?
A3: No. If you only use the Unified Agent access method and not IPsec, then you can turn off the polling that happens as described above.
NOTE: If you use IPsec in addition to the client connector, then Symantec recommends that you do not change the DCQEnabled setting.