Installation guide

Tuning and Troubleshooting
User group membership cache: This cache can store group membership
information. By default, entries in this cache will be valid for two hours, or until the
cache fills (at which point the entries are replaced, starting with the oldest).
The time to live (TTL) for entries in this cache can be configured in the Web
console: Administrator > IWSVA Configuration > User Identification.
Client IP to User ID cache: This cache associates a client IP address with a user who
recently authenticated from that same IP address. Any request originating from the
same IP address as a previously authenticated request will be attributed to that user,
provided the new request is issued within a configurable window of time (15
minutes by default for HTTP, 90 minutes for ICAP) from that authentication. The
caveat is that client IP addresses seen by IWSVA must be unique to a user within
that time period; this cache is therefore not useful in environments where there is a proxy
server or source NAT between the clients and IWSVA, or where DHCP frequently
reassigns client IPs.
To enable or disable this cache, change the enable_ip_user_cache setting in
the [user-identification] section of the intscan.ini file. To change the TTL of
this cache, change the ip_user_central_cache_interval (unit is hours). For
example, to create a TTL of 30 minutes, enter 0.5.
User authentication cache: This avoids re-authenticating multiple HTTP requests
passed over a persistent connection. When users pass the credential validation over
a persistent connection, IWSVA adds an entry (two important keys in one cache
entry are the client’s IP address and the client’s username) in the user authentication
cache so the subsequent requests over a keep-alive connection will not authenticate
again. The client IP address and client’s username serve as two forward references,
or links, to the “client IP to user ID cache” and “user group membership cache,”
respectively. IWSVA will thus still be able to retrieve the user’s connection
information from both the IP-user and user-group caches.
When deploying IWSVA with LDAP integration, it is important to consider the
additional load that authenticating HTTP requests will place on the LDAP directory
server. In an environment that cannot effectively use the client IP to user ID cache, the
directory server will need to be able to handle queries at the same rate as IWSVA
receives HTTP requests.
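
The following Python sketch is an added example, not IWSVA code: it models the client IP to user ID cache as a simple TTL map to show both the caveat described above (requests arriving through a source NAT are attributed to the wrong user) and the directory load that results when the cache is turned off. The class, function names and sample traffic are constructed for illustration, and each cache miss stands in for one authentication against the directory server.

```python
# Added illustration: a toy model of a client-IP-to-user cache, not IWSVA code.
from dataclasses import dataclass, field

@dataclass
class IpUserCache:
    ttl_seconds: float          # window after an authentication in which the IP is trusted
    enabled: bool = True
    entries: dict = field(default_factory=dict)   # ip -> (user, time of authentication)
    directory_auths: int = 0    # how many times the directory had to be queried

    def attribute(self, ip, real_user, now):
        """Return the user a request from `ip` at time `now` is attributed to."""
        hit = self.entries.get(ip) if self.enabled else None
        if hit and now - hit[1] < self.ttl_seconds:
            return hit[0]                      # attributed without re-authenticating
        self.directory_auths += 1              # miss: authenticate against the directory
        self.entries[ip] = (real_user, now)
        return real_user

def replay(cache, requests):
    """Replay (time, source_ip, real_user) tuples; return the misattributed requests."""
    wrong = []
    for now, ip, user in requests:
        seen_as = cache.attribute(ip, user, now)
        if seen_as != user:
            wrong.append((now, ip, user, seen_as))
    return wrong

# Constructed sample traffic: times in seconds, users and addresses are made up.
DIRECT = [(0, "10.0.0.5", "alice"), (60, "10.0.0.6", "bob"),
          (120, "10.0.0.5", "alice"), (1000, "10.0.0.5", "alice")]
# The same requests, but a source NAT presents both clients as one address.
NATTED = [(t, "192.0.2.1", u) for t, _, u in DIRECT]

def run(requests, enabled, ttl_minutes=15):
    """Return (misattributed request count, directory authentication count)."""
    cache = IpUserCache(ttl_seconds=ttl_minutes * 60, enabled=enabled)
    wrong = replay(cache, requests)
    return len(wrong), cache.directory_auths

if __name__ == "__main__":
    for name, reqs in (("direct", DIRECT), ("behind NAT", NATTED)):
        for enabled in (True, False):
            print(name, "cache on" if enabled else "cache off", run(reqs, enabled))
```

With unique client addresses the cache removes authentications without any misattribution; behind the NAT it removes more of them only because the second user's request is logged under the first user's name.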