Passive Identity: supported #DC - clarification needed

jdal
Cisco Employee

Hi,

My customer has slightly more than 200 domain controllers to monitor via WMI for Passive Identity.

From https://community.cisco.com/t5/security-documents/ise-performance-amp-scale/ta-p/3642148#toc-hId-1418220509:

Max AD Domain Controllers supported via WMI or ISE AD Agent: 100

It is not clear, however, if this limit is per PSN or per cluster. Could someone confirm?

If this is per PSN, does this mean the maximum number of DCs we can monitor per ISE cluster is limited to 200:

Recommended # PSNs enabled for WMI (Passive ID service): 2

Is this a hard limit, or does it just mean we haven't tested a higher number? With the use of "recommended", it sounds like we could try to go higher...

 

Any chance to increase these numbers in the future (v2.5?)

TIA,

JF

3 Replies

Timothy Abbott
Cisco Employee
JF,

The deployment limit is 100 controllers and a single PSN can monitor up to 100 controllers, if that makes sense. 100 controllers is what we tested; however, we can scale beyond that using security event forwarding using GPO. I can't talk about roadmap in this forum, unfortunately.

Regards,
-Tim

Thanks Tim, I'll follow up internally for the roadmap.

Timothy,

Can you provide more information or at least point me in the right direction for setting up event forwarding to support passive ID for a domain with more than 100 DCs? I have information on event subscription, however it seems I can't specify the security event log as the destination. Can the AD connector read from "forwarded events" on the subscriber? If so, do I need to specify this somewhere in the configuration?

Thanks

Greg
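The Windows side of the "security event forwarding using GPO" approach Tim mentions, as an added example that is not part of this thread or of any Cisco documentation: a source-initiated Windows Event Forwarding (WEF) subscription on a collector host that pulls Security log events from every domain controller into the collector's ForwardedEvents log, plus a check that a DC has received the GPO value pointing it at the collector. The collector name (wec01.corp.example), the subscription name and the choice of logon-related event IDs are assumptions made for the example. Whether the ISE AD connector can then consume the ForwardedEvents log, which is Greg's actual question, is not answered anywhere in the thread, so this block deliberately stops at the Windows collector.

```powershell
# Added example, not from the thread. Run on the Windows Event Collector host.
# Assumed names: collector wec01.corp.example, subscription "DC-Security-Logons".
# Event IDs 4624 (logon), 4768 (Kerberos TGT issued) and 4770 (TGT renewed) are
# one reasonable selection for user-to-IP mapping; adjust to what the consumer needs.

# 1. Enable and start the Windows Event Collector service (quiet mode, no prompts).
wecutil qc /q

# 2. Source-initiated subscription: the DCs push, the collector only listens.
#    AllowedSourceDomainComputers grants only the Domain Controllers group (SDDL
#    alias DD) the right to register, so a member server cannot inject events here.
$SubscriptionXml = @"
<Subscription xmlns="http://schemas.microsoft.com/2006/03/windows/events/subscription">
  <SubscriptionId>DC-Security-Logons</SubscriptionId>
  <SubscriptionType>SourceInitiated</SubscriptionType>
  <Description>Security log logon events from all domain controllers</Description>
  <Enabled>true</Enabled>
  <ConfigurationMode>MinLatency</ConfigurationMode>
  <Query>
    <![CDATA[
      <QueryList>
        <Query Id="0" Path="Security">
          <Select Path="Security">*[System[(EventID=4624 or EventID=4768 or EventID=4770)]]</Select>
        </Query>
      </QueryList>
    ]]>
  </Query>
  <ReadExistingEvents>false</ReadExistingEvents>
  <TransportName>HTTP</TransportName>
  <ContentFormat>RenderedText</ContentFormat>
  <Locale Language="en-US"/>
  <LogFile>ForwardedEvents</LogFile>
  <AllowedSourceNonDomainComputers/>
  <AllowedSourceDomainComputers>O:NSG:BAD:P(A;;GA;;;DD)</AllowedSourceDomainComputers>
</Subscription>
"@

$XmlPath = Join-Path $env:TEMP 'dc-security-logons.xml'
Set-Content -Path $XmlPath -Value $SubscriptionXml -Encoding Unicode
wecutil cs $XmlPath                       # create the subscription from the XML

# 3. The DCs learn about the collector through the GPO setting
#    "Configure target Subscription Manager" (Computer Configuration > Policies >
#    Administrative Templates > Windows Components > Event Forwarding), whose value
#    is of the form below. The same GPO normally also enables WinRM on the DCs and
#    puts NETWORK SERVICE in the "Event Log Readers" group so the forwarder may
#    read the Security log. This helper, run on a DC, confirms the policy landed.
function Test-SubscriptionManagerPolicy {
    param([string]$ExpectedCollector = 'wec01.corp.example')   # assumed collector name
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\EventLog\EventForwarding\SubscriptionManager'
    if (-not (Test-Path $key)) { return $false }
    # The policy stores one numbered value ("1", "2", ...) per collector entry.
    $entries = (Get-ItemProperty -Path $key).PSObject.Properties |
        Where-Object { $_.Name -match '^\d+$' } |
        ForEach-Object { $_.Value }
    return [bool]($entries | Where-Object {
        $_ -like "Server=http*://$ExpectedCollector*/wsman/SubscriptionManager/WEC*"
    })
}
# Example of the expected value, for comparison when troubleshooting a DC:
#   Server=http://wec01.corp.example:5985/wsman/SubscriptionManager/WEC,Refresh=60

# 4. Verify on the collector: which DCs have registered, and what has arrived.
wecutil gr DC-Security-Logons             # per-source runtime status (active / error)
Get-WinEvent -LogName ForwardedEvents -MaxEvents 5 |
    Select-Object TimeCreated, MachineName, Id
```

The subscription is source-initiated on purpose: with 200 DCs, a collector-initiated subscription would need the collector to hold credentials for and open sessions to every DC, whereas here each DC authenticates itself over WinRM with its machine account and the SDDL on the subscription decides who may register. The `Refresh=60` part of the GPO value controls how often a DC re-reads the subscription list from the collector, which is also how a DC picks up a query change without a GPO refresh.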
