Because each User-ID agent can monitor up to 100 servers,
the firewall needs multiple User-ID agents to monitor a network
with hundreds of AD domain controllers or Exchange servers. Creating
and managing numerous User-ID agents involves considerable administrative
overhead, especially in expanding networks where tracking new domain
controllers is difficult. Windows Log Forwarding enables you to
minimize the administrative overhead by reducing the number of servers
to monitor and thereby reducing the number of User-ID agents to
manage. When you configure Windows Log Forwarding, multiple domain
controllers export their login events to a single domain member
from which a User-ID agent collects the user mapping information.
You can configure Windows Log Forwarding for Windows Server
versions 2012 and 2012 R2. Windows Log Forwarding is not available
for non-Microsoft servers.
To collect group mapping information in a large-scale network,
you can configure the firewall to query a Global Catalog server
that receives account information from the domain controllers.
The following figure illustrates user mapping and group mapping
for a large-scale network in which the firewall uses a Windows-based
User-ID agent. See Plan a Large-Scale User-ID Deployment to
determine if this deployment suits your network.