An overload of Identity Awareness (IA) queries can bring your firewall to its knees. I've seen it many times. Think about what else in your environment has to authenticate against your domain controllers (EMR/EHR systems, mail, etc.). Take an environment with Exchange servers inside it: those Exchange servers authenticate against the DCs constantly. Every one of those logons writes a security event on the DC, and AD Query picks it up and hands it to the gateway. The pdpd daemon (the Policy Decision Point) is what turns those events into identities on the gateway; its child process, adlog, is what actually queries the DCs for the events. If far more events come in than pdpd can process, it gets overworked and pegs the CPU. Once pdpd is pegged, adlog cannot function either, so anything that relies on IA stops working properly, for example Access Roles used in Application Control/URL Filtering rules.
To resolve this you need to EXCLUDE all Exchange servers in the environment from AD Query, so that the security events generated by their logons are never passed on to the gateway(s):
- Go to: Gateway Cluster Properties
- Select Identity Awareness
- Click Settings next to Active Directory Query (which should already be checked)
- Select the Advanced button on the Active Directory Query Dialog
- In the excluded networks list, add a network object covering each Exchange server. If no such object exists, create one for the server's IP address with a 255.255.255.255 (/32) subnet mask so that only that single address is excluded. Note that any logon whose only source address is an Exchange server (mailbox authentication proxied by Exchange) will no longer produce an identity; that is the intended outcome, since those addresses are not user endpoints.
- Install policy (the fix can take around 5 minutes to take effect; you should then see pdpd CPU usage on the gateway drop)
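Before excluding anything, it is worth confirming that the Exchange servers really are the source of the flood. The script below is an added example, not code from the original post or from Check Point: it ranks logon-event sources by events per minute over a window of records shaped like the fields AD Query reads from the DC Security log (event ID, source IP, account, timestamp) and lists the hosts that belong in the exclusion list as /32 objects. The sample records, the 10-events-per-minute threshold and the object naming are assumptions; in practice you would feed it events exported from the DC (for example with Get-WinEvent).

```python
"""Rank the sources of DC logon events that AD Query would consume.

Added example (not Check Point's code). Records are constructed below to look
like the DC Security log fields AD Query reads; thresholds are assumptions.
"""
from collections import Counter
from datetime import datetime, timedelta
from ipaddress import ip_address

# Event IDs AD Query uses for IP-to-user mapping (4624 logon, 4768/4769 Kerberos)
LOGON_EVENT_IDS = {4624, 4768, 4769}


def make_sample_events():
    """Constructed 10-minute window: two Exchange servers authenticating
    constantly, a few workstations logging on once or twice, and local DC
    events that carry no usable source address ("-")."""
    base = datetime(2024, 1, 1, 9, 0, 0)
    spec = [  # (source ip, account, number of events in the window) - all constructed
        ("10.0.1.10", "svc_exchange", 600),  # EXCH01
        ("10.0.1.11", "svc_exchange", 420),  # EXCH02
        ("10.0.5.21", "alice", 2),
        ("10.0.5.22", "bob", 3),
        ("10.0.5.23", "carol", 1),
        ("-", "DC01$", 50),                  # local events, no remote address
    ]
    events = []
    for ip, account, n in spec:
        for i in range(n):
            events.append({
                "time": base + timedelta(seconds=i * 600 / n),
                "event_id": 4624 if i % 2 == 0 else 4769,
                "ip": ip,
                "account": account,
            })
    # An event ID AD Query does not consume; must be ignored by the ranking.
    events.append({"time": base, "event_id": 4776, "ip": "10.0.5.21", "account": "alice"})
    return events


def usable_source(ip):
    """AD Query can only map an event that carries a real, non-loopback address."""
    try:
        addr = ip_address(ip)
    except ValueError:
        return False  # "-", empty, or malformed IpAddress field
    return not addr.is_loopback


def rate_by_source(events):
    """Logon events per minute per source IP over the span the records cover."""
    relevant = [e for e in events
                if e["event_id"] in LOGON_EVENT_IDS and usable_source(e["ip"])]
    if not relevant:
        return {}
    span = max(e["time"] for e in relevant) - min(e["time"] for e in relevant)
    minutes = max(span.total_seconds() / 60, 1.0)  # guard a single-event window
    counts = Counter(e["ip"] for e in relevant)
    return {ip: n / minutes for ip, n in counts.items()}


def exclusion_candidates(events, per_minute=10.0):
    """Sources at or above the (assumed) rate threshold, busiest first."""
    rates = rate_by_source(events)
    return sorted((ip for ip, r in rates.items() if r >= per_minute),
                  key=lambda ip: rates[ip], reverse=True)


def host_objects(ips):
    """One single-address object per excluded server, the way the Advanced
    dialog wants them: (object name, address, 255.255.255.255 mask)."""
    return [(f"excl_{ip.replace('.', '_')}", ip, "255.255.255.255") for ip in ips]


if __name__ == "__main__":
    sample = make_sample_events()
    for ip, rate in sorted(rate_by_source(sample).items(), key=lambda kv: -kv[1]):
        print(f"{ip:>15}  {rate:6.1f} events/min")
    for name, addr, mask in host_objects(exclusion_candidates(sample)):
        print(f"exclude: {name} = {addr}/{mask}")
```

The threshold is deliberately crude; the point is the ratio. In the constructed data the two Exchange servers each generate hundreds of times the event rate of any workstation, which is exactly the pattern that pegs pdpd. Local events with "-" in the address field are dropped because AD Query cannot map them to a host anyway, so they do not belong in the comparison.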