Best practices to set Timers in CDA + WSA

I'm deploying WSA in transparent mode with WCCP redirection from ASA.
Everything is OK, but I would like to know the best practices to set up the correct Time to avoid mismatch of IP mapping.


In WSA the possible parameters are:


Credential Cache Options:

a) Surrogate Timeout: value to set up
b) Client IP Idle Timeout: value to set up

On CDA the possible parameters are:

c) dcStatusTime
d) dcHistoryTime
e) userLogonTTL


Can you suggest?
Further, what happens if I set this value higher or lower? What is the risk?

Thanks for the support.

 

 

1 Reply

- On CDA, we changed the History timer to 60 mins so that after every 60 mins, the CDA clears out the User-to-IP mapping cache and checks with the AD to get the new mapping. This setting would lower the false positives on the WSA, as CDA would have more updated mapping.
However, we should not lower this value too much, otherwise CDA would requery the AD more frequently and thus would increase the load on the CDA as well as on the Active Directory, and might also result in performance issues on the CDA.

- As per the customer request, we have configured the re-authentication timer to 20 mins on the WSA (tuiconfig command). This would enable the WSA to clear out the user's session every 20 mins and would ask the end user to reauthenticate.
Please note, most of the web browsers cache the user credentials and thus reply to the WSA's re-authentication request with the cached credentials. This enables the user to have a seamless working environment without being prompted to re-authenticate again and again, without being aware that re-authentication has already happened in the background.