UseridID-Agent best practices - where to install ?

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

UseridID-Agent best practices - where to install ?

L3 Networker

I'm new to this world and am looking for some advice of where to install the  UserID Agent.

I'm thinking one of the most efficient places to put it would be a domain controller.

User identification is very important to us and we want to be able to id and many users as possible. Anyone else put this on a domain domain controller ? Should I install multiple agents per domain ?

Any advice would be helpful, Thanks,


Justin

12 REPLIES 12

L4 Transporter

I'm sure there will be other responses here, but typically the best place to install is either on or near the domain controller.  The reason being is that the User ID Agent will constantly read the security logs of the Domain Controller in order to identify users, and will parse your AD tree for new groups being added and other AD information.  These logs can get fairly lengthy and as a consequence there could be a lot of data that goes across the network if you put the agent far away.  Because of this, it might be a bad idea to put it on the other side of a WAN from your DC for example.

As far as multiple agents go, you should be aware that your security appliance will select one as the "primary" agent to look at for group membership updates.  Nothing to configure here, the primary is automatically selected for you, and you can tell which one the "primary" is by typing "show user pan-agent statistics" in the CLI.  The one with the "*" is the primary.

Also, I've attached an older tech note on User ID.  While it's a bit dated and we are working on a new one, the concepts and "how-it-works" aspects are the same!  I hope this helps!

L2 Linker

We have around 45,000 users. We are using two PAN agents. One on a virutal server and one on a desktop server. Both are located in the core of our network. This seems to work fine for us.

Cyber Elite
Cyber Elite

also important to consider is to which servers your clients authenticate to log on every logon event is registered in the security log of the AD and it are these events the pan-agent picks up for user identification, but these logs are not synchronised across AD servers. if multiple servers authenticate users to spread the load, you will want to poll all of these to collect all the logon events

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization

L3 Networker

Thanks for all the great replies. 

We got bitten by this as we have DC's scattered throughout our network.  We have three Internet gateway points with PA's installed and three UIA's, one local to each gateway.  Each then queries the DC's for it's respective zone (Americas, EMEA, AsiaPac) to get a polling of user-to-IP mappings for each respective region.

We needed to tweak the timers on the UIA to stop hammering our WAN links as a result of this design.  We get a bit of lag in our mapping results (we only poll the DC's every two minutes), but that was acceptable to us so as to reduce the bandwidth utilization on the network.

Tariq

BWilliams could you provide more details about your environment? How many locations and DC's are you talking about roughly? Are you polling over WAN links?

Thanks

Something I wanted to clarify / confirm: it seems the agent needs to read the security logs from the domain controller which handles desktop (or console) logins, not from domain controllers which process authentication requests for access to resources (e.g. data or email servers)

Can someone confirm / deny this?

It would be ideal if we could just read the auth requests from (or near) our email server, since we have just a few centralized email servers but dozens and dozens of domain controllers.

Hi,

This is derived from the UID Guide:

Active Directory Integration – Use of pan-agents to retrieve user/group membership from Active Directory and user/IP mapping via security logs from Windows Domain Controllers (DC).

So it will need access and read from DCs that processes logon events.

Thanks, that's what we are finding as well.

It's been over a year since this post. has an Updated AD Agent design/best practices doc been completed for v3.1?  I could use it in discussions with my AD group (we have 114 DC's to integrate with in a single Domain)

+1 for jechaff's question: where is the updated UID agent best practice / design document? Our WAN links are suffering hard from the traffic to/from our PAN UID agent servers in our data centers and the remote domain controllers. It seems obvious after reading through these posts that the recommendation is to have a PAN UID agent server at each local site but I'd like to see some official documentation on the subject before we begin to deploy new vm servers everywhere.


As mentioned in my earlier post, you can try to tweak the timer values to lessen the impact on your WAN links.  What we saw was a huge burst of activity when a DC is first integrated with the UIA.  Once the initial burst is complete (depending on how large your DC logs are), then the queries pared down to a steady background chatter.  We found the two minute interval to be acceptable but YMMV.

Tariq

  • 10303 Views
  • 12 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!