Umbrella Windows Connector Scalability

paul
Level 10

As I am deploying Umbrella into larger enterprises, the one red flag I am coming across is the Windows Connector piece. I haven't found an exact hard number on how many domain controllers the Windows Connector service can handle, but I have been told 25-30. The issue with that is there is no way other than Site definitions to control what Connector servers poll what domain controllers. As soon as you assign a domain controller to a Site, the connector services will start polling it. I typically set up two dedicated Windows Connector servers at the customer.

Breaking up a large customer into Sites in Umbrella doesn't often work since the layout of the customer's network won't allow it. Consider a large U.S. customer with 100 remote sites and two datacenters. Each remote site has a local domain controller (DC) and local DNS server. They also have DCs back in the datacenters to authenticate users whose local site DC has failed or to service very small remote offices that don't have DCs.

For the sake of this post, let's say there are 3 DCs in each datacenter, bringing the total to 106 DCs. There is no way to carve this setup into more than one Umbrella Site.

I am guessing the long term answer is pxGrid or something, but is there anything that can be done in the short term?

The lack of multiple AD domains being supported under a single Org is also an issue, but that is for a different time. 

Thanks

2 Replies

The recommendation is one connector per site (or really two, because 2=1). 

That begs the question of "what is a site" in Umbrella terms.

Have you checked out Appendix B – Multiple Active Directory and Umbrella Sites?

It is an entire documentation section regarding your exact use case.

Yep, I understand what Umbrella sites are, and my question laid out the exact issue with Umbrella’s site design. AD authentication information is local to a domain controller only, so you have to make sure your Umbrella Site includes all the domain controllers a user can authenticate against (just as the appendix says). In my scenario of a large U.S. customer with 100 remote offices, each with a DC, and two datacenters, each with 3 DCs, tell me how you can break that up into more than one Umbrella site?

It is a simple Venn Diagram when you look at AD authentication. Sites and Services define your DCs into logical sets. In this case I have 100 logical sets (each remote site) with a common intersection point of the datacenters that are allowed to authenticate all users in the event the user's local domain controller fails. The Umbrella site must cover the entire Venn Diagram to ensure accurate user to IP mapping retrieval. Or at least that is how I read it and the reason for my question.

Thanks for the response.

Paul Haferman

Office- 920.996.3011

Cell- 920.284.9250
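
The Venn-diagram argument in the thread can be checked mechanically. The following is an added example, not part of the original posts and not Cisco code: it merges every set of DCs a user population can authenticate against and counts how many independent groups (candidate Umbrella Sites) remain. All host names are constructed, and the default of 30 is only the per-connector figure the original poster says he was told.

```python
from collections import defaultdict


def umbrella_site_groups(auth_sets):
    """Return sets of DCs that must share one Umbrella Site.

    auth_sets maps an AD site name to the DCs its users can authenticate
    against. Sites whose DC sets overlap merge, transitively (union-find).
    """
    parent = {}

    def find(dc):
        parent.setdefault(dc, dc)
        while parent[dc] != dc:
            parent[dc] = parent[parent[dc]]  # path halving
            dc = parent[dc]
        return dc

    for dcs in auth_sets.values():
        ordered = sorted(dcs)
        for dc in ordered:
            parent[find(dc)] = find(ordered[0])

    groups = defaultdict(set)
    for dc in list(parent):
        groups[find(dc)].add(dc)
    return sorted(groups.values(), key=len, reverse=True)


def thread_scenario(remote_sites=100, datacenters=2, dcs_per_datacenter=3):
    """Constructed topology from the thread; all host names are made up."""
    fallback = {f"dctr{d}-dc{n}" for d in range(1, datacenters + 1)
                for n in range(1, dcs_per_datacenter + 1)}
    return {f"site{i:03d}": {f"site{i:03d}-dc1"} | fallback
            for i in range(1, remote_sites + 1)}


def oversized(groups, told_limit=30):
    """Groups above the figure the poster was told (not a documented limit)."""
    return [g for g in groups if len(g) > told_limit]


if __name__ == "__main__":
    groups = umbrella_site_groups(thread_scenario())
    print(len(groups), "group(s); largest has", len(groups[0]), "DCs")
    print(len(oversized(groups)), "group(s) exceed 30 DCs")
```

Feeding it a real export of AD Sites and Services (site name to reachable DCs) instead of `thread_scenario()` shows whether any split into multiple Umbrella Sites is possible at all.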