Bad IP Address Handling By Scanner; Priority Queues In The Scanner - Dell SonicWALL Administration Manual

Directory services connector 3.7

Depending on the firmware version running on the appliance, the SSO Agent does one of the following when the
entry is not present in its cache:
• Replies back to the appliance with an In_Progress status
• Does not send a reply back to the appliance
The SSO Agent initially starts a configurable number of threads (scanner thread count). These threads
periodically query the IP addresses that are present in the scanner queue. After completing each query, the
agent adds or updates the user or error information in its cache.
Upon identifying the user through either NETAPI or WMI, the agent sends a login notification with the user name
if an In_Progress status was previously sent for the same IP address. If no reply was previously sent, the user
information is simply cached.
When the scanner is enabled and the SSO Agent detects a user change on a client machine, it sends the logoff or
update notification to the firewall.

Bad IP address handling by scanner

If the query returns an error for any IP address and the SSO Agent is not able to identify the user information,
the agent treats the IP address as a "Bad IP." This can occur for network devices such as printers, non-Windows
computers or other workstations that do not understand the query options. While processing requests in the
scanner queue, the agent skips any bad IP addresses and adds the IP address to the back of the queue for the
next fetch.

Priority queues in the scanner

With Agent-to-Agent communication, smart NETAPI/WMI scanners allow the transfer of polling requests
between SSO Agents. When one agent is overloaded with requests, a comparatively free agent can handle the
requests.
The scanner differentiates IP addresses into three queues, each with a specified priority:
• New IP request (High Priority)
• Succeeded IP (Mid Priority)
• Bad IP (Low Priority)
Any IP address for which the agent already sent an In_Progress status is treated as High Priority.
For any IP address present in either the Mid Priority queue or Bad IP queue, if the difference between the
current time and the time of the last request is greater than the session time, the agent drops that IP address and
moves on to process another address in the queue.
The number of processing threads allocated for the scanner is divided into three categories:
• High — 70 percent of threads
• Mid — 20 percent of threads
• Low — 10 percent of threads
This thread allocation is dynamic and depends on the frequency of requests for identifying new IP addresses
from the appliance. This dynamic thread allocation ensures that no thread is idle or wasted in any scenario.
To ensure that the agent does not process any IP addresses that have not been polled from the appliance for a
considerable amount of time, the agent maintains the session time and the time of the last request from the
appliance for each IP address. This allows the agent to minimize the queue size, ensures that threads are not
wasted, and prevents unnecessary traffic from the agent for IP addresses that are not polled from the
appliance. The session time can be modified from Windows registry settings using the registry value
"SESIONTIME."
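
A small Python model of the queue discipline described in the two sections above, added here as an illustration; it is not SonicWALL's code. The names ScannerModel, request and step, the rounding rule in allocate_threads, and the sample addresses are assumptions, and the dynamic reallocation of threads is not modelled.

```python
from collections import deque

SHARES = {"high": 70, "mid": 20, "low": 10}  # percent of scanner threads per queue

def allocate_threads(total):
    """Static 70/20/10 split; leftover threads go to the largest remainders (assumed rounding)."""
    alloc = {q: total * pct // 100 for q, pct in SHARES.items()}
    by_remainder = sorted(SHARES, key=lambda q: total * SHARES[q] % 100, reverse=True)
    for q in by_remainder[: total - sum(alloc.values())]:
        alloc[q] += 1
    return alloc

class ScannerModel:
    def __init__(self, session_time):
        self.session_time = session_time
        self.queues = {q: deque() for q in SHARES}
        self.last_request = {}  # ip -> time of the appliance's last request
        self.cache = {}         # ip -> user name, or None for a bad IP

    def request(self, ip, now):
        """Appliance asks about ip; an IP not yet in the cache is queued as high priority."""
        self.last_request[ip] = now
        if ip not in self.cache and ip not in self.queues["high"]:
            self.queues["high"].append(ip)

    def step(self, name, now, query):
        """Process the head of one queue; query(ip) returns a user name, or None on error."""
        if not self.queues[name]:
            return None
        ip = self.queues[name].popleft()
        if name != "high" and now - self.last_request[ip] > self.session_time:
            del self.cache[ip]  # not polled within the session time: drop it
            return ("dropped", ip)
        user = query(ip)  # None models a NETAPI/WMI query error
        self.cache[ip] = user
        # identified users are rescanned at mid priority; bad IPs go to the back of low
        self.queues["mid" if user else "low"].append(ip)
        return ("ok" if user else "bad", ip)

def demo():
    users = {"192.0.2.10": "alice"}  # constructed data; 192.0.2.20 plays a printer
    s = ScannerModel(session_time=300)
    s.request("192.0.2.10", 0)
    s.request("192.0.2.20", 0)
    events = [s.step("high", 1, users.get), s.step("high", 2, users.get),
              s.step("low", 100, users.get)]
    s.request("192.0.2.10", 250)  # only the workstation is polled again
    return events + [s.step("low", 400, users.get), s.step("mid", 400, users.get)]
```

In demo(), the printer address is retried from the low queue while it is still within the session time, then dropped once the appliance has stopped polling it, while the workstation keeps being rescanned.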
Dell SonicWALL Directory Services Connector 3.7 Administration Guide