What is the maximum number of Domain controller allowed to bind with PaloAlto Firewall


Hi Folks,

I have this customer who doesn't have a centralised AD and has 40 domain controllers sitting across the network. To provide the Zscaler solution, the customer wants user-based traffic forwarding, but unfortunately he has pretty much close to 40 domain controllers, he says, which I came to know after adding his two domain controllers from his head office. I am wondering if the firewall has any limitation on the number of domain controllers I can add, and also if it will create some load issue on the management plane or data plane.

Another solution I am looking into is Kerberos SSO with Captive Portal. The firewall's average CPU usage on the data plane is above 50%; will this have any impact on that as well?


Cheers,

Zakir.

Re: What is the maximum number of Domain controller allowed to bind with PaloAlto Firewall

@vmtechzakirhussain,

Do you have all of the traffic tunneling back to the head office, or does the traffic stay local for the most part? Essentially, do you actually need the firewalls to know about everyone? What you wouldn't want to do is allow a single firewall to query all 40 sites.

What I would personally do, depending on how this infra is actually set up, is have the local firewalls query the local domain controllers for any of the sites. What you can do, if needed, is then configure redistribution within User-ID to feed this information back to the head office as needed.

When you start talking about this many directories, we generally want to have a much more informed conversation about what the actual deployment is going to look like. Each platform has its own limits on the number of user groups and agents that can be active at any time, and you'll want to ensure that the devices being selected can handle the number of groups you'll actually be throwing at them; but again, this depends heavily on a lot of factors.
