A large-scale network can have hundreds of information
sources that firewalls query to map IP addresses to usernames and
to map usernames to user groups. You can simplify User-ID administration
for such a network by aggregating the user mapping and group mapping
information before the User-ID agents collect it, thereby reducing
the number of required agents.
A large-scale network can also have numerous firewalls that use
the mapping information to enforce policies. You can reduce the
resources that the firewalls and information sources use in the
querying process by configuring some firewalls to acquire mapping
information through redistribution instead of direct querying. Redistribution
also enables the firewalls to enforce user-based policies when users
rely on local sources for authentication (such as regional directory
services) but need access to remote services and applications (such
as global data center applications).
If you Configure Authentication Policy, your firewalls
must also redistribute the Authentication Timestamps associated
with user responses to authentication challenges. Firewalls use
the timestamps to evaluate the timeouts for Authentication policy
rules. The timeouts allow a user who successfully authenticates
to later request services and applications without authenticating
again within the timeout periods. Redistributing timestamps enables
you to enforce consistent timeouts for each user even if the firewall
that initially grants a user access is not the same firewall that
later controls access for that user.
If you have configured multiple virtual systems, you can share
IP address-to-username mapping information across virtual systems
by selecting a virtual system as a User-ID hub.