Introduction
This document describes how to tune the user cache settings on the Virtual Appliance to suit your environment and give the most consistent identity results. The Virtual Appliance caches AD user and computer names against the source IP address each was seen from, and policy is applied according to that mapping.
These changes require version 2.4.6+ of the Virtual Appliance.
AD Cache TTL
This setting determines how long (in seconds) an AD user or computer stays mapped to an IP address when no DNS traffic is seen from that IP address. The default is 43200 seconds (12 hours).
By default an AD user is cached until:
- A new user logs on to an IP address. New user logons override old users.
- There has been no traffic from the source IP for the specified period of time. This indicates that the IP address has likely been re-assigned to another computer by the DHCP server.
For the best experience, we recommend setting the AD Cache TTL to match your DHCP lease time. The Virtual Appliance then expires the user no later than the DHCP server can re-assign the IP address. If the TTL is longer than the lease, a machine that receives the re-assigned address can inherit the previous user's identity, and therefore the previous user's policy, until that user's entry expires.
- To access the Virtual Appliance restricted shell, press CTRL+B on its console.
- To view the current settings, run:
    config admap show-timeout
- To set a new user timeout (in seconds), run:
    config admap set-user-timeout <time>
- Repeat these steps on each Virtual Appliance.
Note: Change this setting with caution. A short cache time causes users to drop out of the cache while they are still active, giving inconsistent results. In most environments this value should match your DHCP lease time.
AD Host GUID Timeout
This setting determines how long (in seconds) to retain knowledge of an AD computer after a new AD user logs on to its IP address. The default is 0 seconds: the cached AD computer is cleared immediately when a new user logs on. The default behaviour is desirable in environments where users do NOT share workstations, because a new user usually indicates that the IP address has been re-assigned and the cached computer name is no longer correct. Computer information is re-populated at the next AD computer logon event.
This setting can be tweaked in these scenarios:
- When users frequently share computers and you need to make policies based on AD Computer Name.
- When you are using a Terminal Server and you need to create a policy based on its AD Computer Name.
In these scenarios, give the setting a value in seconds so that the AD computer is retained for that long after a new user logs on. We recommend 600 seconds:
- To access the Virtual Appliance restricted shell, press CTRL+B on its console.
- To view the current settings, run:
    config admap show-timeout
- To set a new host timeout (in seconds), run:
    config admap set-host-timeout <time>
- Repeat these steps on each Virtual Appliance.
Note: Change this setting with caution and leave it at the default in most scenarios. Contact Umbrella support for further information.
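To make the two timeouts concrete, the following is an added Python model of the cache rules documented on this page; it is example code, not code from the Virtual Appliance. It assumes the class and method names AdMap, dns_traffic, user_logon, host_logon and lookup, treats a logon by a user different from the cached one as a "new user" logon, and uses constructed IP addresses, account names and timestamps. The two scenario functions reproduce the shared-workstation case from the AD Host GUID Timeout section and the DHCP lease mismatch described under AD Cache TTL.

```python
"""Simulation of the AD cache rules documented on this page.

Added example, not Virtual Appliance code: it models the user timeout
(default 43200 s) and the host timeout (default 0 s) so that their
interaction can be observed. Names and events below are constructed.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass
class Entry:
    user: Optional[str] = None
    host: Optional[str] = None
    last_seen: float = 0.0                 # last traffic or logon event from this IP
    host_expires: Optional[float] = None   # set on new-user logon when host_timeout > 0


class AdMap:
    """IP -> (AD user, AD computer) cache with the documented expiry rules."""

    def __init__(self, user_timeout: int = 43200, host_timeout: int = 0) -> None:
        self.user_timeout = user_timeout   # config admap set-user-timeout
        self.host_timeout = host_timeout   # config admap set-host-timeout
        self._map: Dict[str, Entry] = {}

    def _live(self, ip: str, now: float) -> Optional[Entry]:
        """Return the entry for ip, dropping it if the IP has been idle for
        user_timeout seconds or more (it was probably re-leased by DHCP)."""
        e = self._map.get(ip)
        if e is None:
            return None
        if now - e.last_seen >= self.user_timeout:
            del self._map[ip]
            return None
        return e

    def dns_traffic(self, ip: str, now: float) -> None:
        """Any DNS traffic from the IP keeps its current mapping alive."""
        e = self._live(ip, now)
        if e is not None:
            e.last_seen = now

    def host_logon(self, ip: str, host: str, now: float) -> None:
        """AD computer logon event: (re)populates the computer name."""
        e = self._live(ip, now) or self._map.setdefault(ip, Entry())
        e.host, e.host_expires, e.last_seen = host, None, now

    def user_logon(self, ip: str, user: str, now: float) -> None:
        """AD user logon event. A different user overrides the cached user and,
        with host_timeout == 0, clears the cached computer at once; otherwise
        the computer is retained for host_timeout seconds. Assumption: a
        re-logon of the same user is not a new-user event."""
        e = self._live(ip, now) or self._map.setdefault(ip, Entry())
        e.last_seen = now
        if e.user == user:
            return
        e.user = user
        if e.host is None:
            return
        if self.host_timeout == 0:
            e.host = None
        else:
            e.host_expires = now + self.host_timeout

    def lookup(self, ip: str, now: float) -> Tuple[Optional[str], Optional[str]]:
        """Identity currently attributed to ip as (user, computer)."""
        e = self._live(ip, now)
        if e is None:
            return (None, None)
        if e.host_expires is not None and now > e.host_expires:
            e.host, e.host_expires = None, None
        return (e.user, e.host)


def shared_workstation(host_timeout: int):
    """Constructed scenario: alice and bob share WS01 at 10.0.0.5. Returns the
    lookup immediately after bob logs on, 300 s later and 900 s later."""
    m = AdMap(host_timeout=host_timeout)
    m.user_logon("10.0.0.5", "alice", now=10)
    m.host_logon("10.0.0.5", "WS01$", now=20)
    m.user_logon("10.0.0.5", "bob", now=3600)
    return (m.lookup("10.0.0.5", 3600),
            m.lookup("10.0.0.5", 3900),
            m.lookup("10.0.0.5", 4500))


def dhcp_reassignment(lease_seconds: int, user_timeout: int):
    """Constructed scenario: alice's machine at 10.0.0.9 goes quiet at t=0 and
    DHCP re-leases the address at lease expiry to a machine the VA has no
    logon event for. Returns the user attributed to the IP just before the
    lease ends and the user attributed to the new machine's first query."""
    m = AdMap(user_timeout=user_timeout)
    m.user_logon("10.0.0.9", "alice", now=0)
    before = m.lookup("10.0.0.9", lease_seconds - 1)[0]
    m.dns_traffic("10.0.0.9", lease_seconds)   # first query from the new machine
    after = m.lookup("10.0.0.9", lease_seconds)[0]
    return (before, after)
```

With the default host timeout, bob's logon drops WS01$ from the mapping, so a policy keyed on the computer name stops matching until the next computer logon event; with 600 seconds the computer survives bob's logon for ten minutes. In the DHCP scenario, a 12-hour user timeout against an 8-hour lease leaves the new lease holder attributed to alice; a timeout equal to the lease expires alice before the new machine's first query.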