Dor_Marcovitch
Advisor

Identity Sharing - updates from multiple sources

Hey,

I am writing a document regarding the IA blade.

Currently we have about 8 clusters which are connected to all of the DCs in the environment, which is OK from my point of view because the environment is not that large, and mandatory because of the network topology.

On some computers the "switch user" function of the Windows OS is used, so we need to start using the IA Agent on those computers. That brings up the need to use identity sharing between the security GWs.

From what I read there are 2 methods, "smart-pull" and "push". In the first one the PEP only asks the PDP for the identity if it is unknown to the GW, but because the computer is connected to the DC it might get the identity from it and not ask the PDP for the identity even if a switch user was performed and the identity was updated on the PDP.

Regarding the "push" method, won't it create a sort of "loop" of notifications, because all FWs connect to all DCs and an update from a DC will also update all the FWs using the Identity Sharing feature?

Am I right or am I missing anything?

Thanks

Dor

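To make the difference between the two sharing modes in the question above concrete, here is an added, constructed Python model of gateways that both learn identities (PDP role) and enforce them (PEP role). It is not Check Point's implementation and not code from this thread; the de-duplication by event id, the rule that a gateway never re-shares an identity it received from a peer, the agent being registered with a single PDP, and the absence of a DC logon event on "switch user" are all assumptions of the model. It plays out the scenario from the post: every gateway sees the same DC logon, then a switch-user event reaches only one gateway via the agent.

```python
"""Toy model of identity sharing between gateways in "push" and "smart-pull" modes.

Added, constructed example. NOT Check Point's PDP/PEP implementation: the event-id
de-duplication rule and the "never re-share a shared identity" rule are assumptions
of this model, chosen to show why the two modes differ after a "switch user" event.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Identity:
    ip: str
    user: str
    source: str    # e.g. "DC:dc1" or "Agent"
    event_id: int  # id of the logon/switch event that produced this mapping (assumption)


class Gateway:
    """A gateway that is both a PDP (learns identities) and a PEP (enforces them)."""

    def __init__(self, name: str, mode: str) -> None:
        assert mode in ("push", "smart-pull")
        self.name = name
        self.mode = mode
        self.peers: List["Gateway"] = []
        self.table: Dict[str, Identity] = {}
        self.shares_sent = 0
        self.queries_sent = 0

    def _store(self, ident: Identity) -> bool:
        """Keep the mapping if it is new or newer than what we hold. Returns True if stored."""
        cur = self.table.get(ident.ip)
        if cur is None or ident.event_id > cur.event_id:
            self.table[ident.ip] = ident
            return True
        return False

    def learn(self, ident: Identity) -> None:
        """Identity learned from a source this gateway talks to directly (a DC or an agent)."""
        if self._store(ident) and self.mode == "push":
            for peer in self.peers:
                self.shares_sent += 1
                peer.receive_share(ident)

    def receive_share(self, ident: Identity) -> None:
        """Identity pushed by a peer: stored if newer, never re-shared (model assumption)."""
        self._store(ident)

    def query(self, ip: str) -> Optional[Identity]:
        return self.table.get(ip)

    def resolve(self, ip: str) -> Optional[str]:
        """PEP lookup. In smart-pull mode peers are asked only when the IP is unknown locally."""
        if ip not in self.table and self.mode == "smart-pull":
            for peer in self.peers:
                self.queries_sent += 1
                ident = peer.query(ip)
                if ident is not None:
                    self._store(ident)
                    break
        ident = self.table.get(ip)
        return ident.user if ident else None


def build_mesh(names: List[str], mode: str) -> List[Gateway]:
    gws = [Gateway(n, mode) for n in names]
    for g in gws:
        g.peers = [p for p in gws if p is not g]
    return gws


def scenario(mode: str) -> dict:
    """Constructed scenario: every gateway sees the same DC; the agent talks to gw1 only."""
    gw1, gw2, gw3 = build_mesh(["gw1", "gw2", "gw3"], mode)

    # Event 1: DC logon alice@10.0.0.5. All gateways query the same DC, so each learns it
    # directly; in push mode the first one to learn it also shares it, later copies are dropped.
    for g in (gw1, gw2, gw3):
        g.learn(Identity("10.0.0.5", "alice", "DC:dc1", event_id=1))

    # Event 2: "switch user" on 10.0.0.5. Only the Identity Agent reports it, to gw1 only.
    gw1.learn(Identity("10.0.0.5", "bob", "Agent", event_id=2))

    # Event 3: agent on a host the other gateways have never seen reports carol@10.0.0.9 to gw1.
    gw1.learn(Identity("10.0.0.9", "carol", "Agent", event_id=3))

    return {
        "gw1_user": gw1.resolve("10.0.0.5"),
        "gw2_user": gw2.resolve("10.0.0.5"),
        "gw3_user": gw3.resolve("10.0.0.5"),
        "gw2_new_host_user": gw2.resolve("10.0.0.9"),
        "shares_sent": sum(g.shares_sent for g in (gw1, gw2, gw3)),
        "queries_sent": sum(g.queries_sent for g in (gw1, gw2, gw3)),
    }


if __name__ == "__main__":
    for mode in ("push", "smart-pull"):
        print(mode, scenario(mode))
```

In the model, smart-pull leaves gw2 and gw3 with the stale "alice" mapping after the switch-user event, because they already hold an entry for that IP from their own DC connection and therefore never ask gw1; for a genuinely unknown IP they do query. Push delivers the agent's update to every peer, and the duplicate DC-sourced copies are dropped by the receiver rather than re-forwarded, so the fan-out is bounded per event rather than looping. Whether the real product de-duplicates and suppresses re-sharing in exactly this way is not established by this thread; the model only shows what each mode must do for the post's concern to hold or not.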
PhoneBoy
Admin

What precise methods are you using to acquire identities here?
You mention agents, what else?

In general gateways should acquire identities from sources as close to the user as possible and share identities between other gateways.
However, multiple gateway clusters should not be acquiring identities from the same AD servers.

Dor_Marcovitch
Advisor

All GWs are connected to all of our domain controllers to get identities; we have about 10 DCs spread over the network.

I didn't split the DCs between the GWs.

Another source is for some users that use the Identity Agent because of the need to use the switch user function of the OS.
