Because each User-ID agent can monitor up to 100 servers,
the firewall needs multiple User-ID agents to monitor a network
with hundreds of AD domain controllers or Exchange servers. Creating
and managing numerous User-ID agents involves considerable administrative
overhead, especially in expanding networks where tracking new domain
controllers is difficult. Windows Log Forwarding enables you to minimize
the administrative overhead by reducing the number of servers to
monitor and thereby reducing the number of User-ID agents to manage.
When you configure Windows Log Forwarding, multiple domain controllers
export their login events to a single domain member from which a
User-ID agent collects the user mapping information.

You can configure Windows Log Forwarding for Windows Server
versions 2003, 2008, 2008 R2, 2012, and 2012 R2. Windows Log Forwarding
is not available for non-Microsoft servers.
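
With several domain controllers forwarding to one collector, a controller that stops forwarding no longer contributes login events for the User-ID agent to read. The following check is an added example, not code from this documentation or from the product. The host names, the event IDs (4624 and 4768), the 30-minute window and the log name are all assumptions.

```powershell
# Added example. Host names, event IDs and the 30-minute window are assumptions.
function Get-SilentForwarder {
    param(
        [Parameter(Mandatory)] [string[]] $ExpectedSource,  # DCs that should be forwarding
        [Parameter(Mandatory)] [object[]] $Record,          # needs MachineName and TimeCreated
        [Parameter(Mandatory)] [datetime] $Now,
        [int] $MaxAgeMinutes = 30
    )
    # Newest event per originating computer; @{} compares string keys case-insensitively.
    $lastSeen = @{}
    foreach ($r in $Record) {
        $name = $r.MachineName
        if (-not $lastSeen.ContainsKey($name) -or $r.TimeCreated -gt $lastSeen[$name]) {
            $lastSeen[$name] = $r.TimeCreated
        }
    }
    # Report every expected source that is missing or older than the window.
    foreach ($src in $ExpectedSource) {
        if (-not $lastSeen.ContainsKey($src)) {
            [pscustomobject]@{ Source = $src; Status = 'NoEvents'; LastSeen = $null }
        }
        elseif (($Now - $lastSeen[$src]).TotalMinutes -gt $MaxAgeMinutes) {
            [pscustomobject]@{ Source = $src; Status = 'Stale'; LastSeen = $lastSeen[$src] }
        }
    }
}

# Constructed sample records standing in for events read on the collector.
$now = [datetime]'2024-05-01T12:00:00'
$sample = @(
    [pscustomobject]@{ MachineName = 'dc01.corp.example'; Id = 4624; TimeCreated = $now.AddMinutes(-2) }
    [pscustomobject]@{ MachineName = 'DC01.corp.example'; Id = 4768; TimeCreated = $now.AddMinutes(-1) }
    [pscustomobject]@{ MachineName = 'dc02.corp.example'; Id = 4768; TimeCreated = $now.AddMinutes(-95) }
)
$expected = 'dc01.corp.example', 'dc02.corp.example', 'dc03.corp.example'
Get-SilentForwarder -ExpectedSource $expected -Record $sample -Now $now

# Live input on the collector (log name is an assumption; use the log your
# subscription delivers to):
# $live = Get-WinEvent -FilterHashtable @{ LogName = 'ForwardedEvents'; Id = 4624, 4768; StartTime = (Get-Date).AddHours(-2) }
# Get-SilentForwarder -ExpectedSource $expected -Record $live -Now (Get-Date)
```
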

To collect group mapping information in a large-scale network,
you can configure the firewall to query a Global Catalog server
that receives account information from the domain controllers.

The following figure illustrates user mapping and group mapping
for a large-scale network in which the firewall uses a Windows-based
User-ID agent. See Plan a Large-Scale User-ID Deployment to
determine if this deployment suits your network.