Trend Micro™ InterScan™ Web Security Virtual Appliance 6.5 Installation Guide
Disable Verbose Logging When LDAP is Enabled
Trend Micro recommends turning off verbose logging in the intscan.ini file (under
the [http] section, “verbose” parameter) when LDAP is enabled, for server performance
reasons. Verbose logging is primarily used by software developers to identify abnormal
application behavior and for troubleshooting. In a production deployment, verbose logging
is usually unnecessary.
If verbose logging is enabled and LDAP is also enabled, IWSVA will log user
authentication information and group membership information in the HTTP log in the
\Log folder. Logs might contain hundreds of lines per user and can therefore consume
significant disk space, depending on the amount of internal traffic and the number of
groups with which a user is associated. Verbose logging also keeps the service busy
issuing I/O operations to the operating system. This might prevent the service from
responding to HTTP requests in a timely fashion, and latency might occur. In an
environment with extreme bursts of HTTP traffic, it’s possible to observe significant
delays when IWSVA starts up in verbose mode.
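The following check is an added example, not part of the Trend Micro guide or product. It scans the text of an intscan.ini for the [http] "verbose" parameter and warns when it is on while LDAP is enabled. It assumes verbose=0 means off and any other value means on; the caller supplies the LDAP state because the guide does not name the setting that records it, and the sample file content is constructed.

```python
# Added example: audit intscan.ini text for the [http] "verbose" parameter.
# Assumption (not stated in the guide): verbose=0 is off, any other value is on.
import re

# Constructed sample content, not taken from a real appliance.
SAMPLE_INI = """\
[main]
verbose=1

[http]
; comment line
example_key = value
Verbose = 1

[ftp]
verbose=0
"""

SECTION_RE = re.compile(r"^\[([^\]]+)\]\s*$")

def find_http_verbose(ini_text):
    """Return [(line_number, value)] for every 'verbose' key inside [http]."""
    hits, section = [], None
    for lineno, raw in enumerate(ini_text.splitlines(), start=1):
        line = raw.strip()
        if not line or line[0] in "#;":      # skip blanks and comment lines
            continue
        m = SECTION_RE.match(line)
        if m:                                 # entering a new section
            section = m.group(1).strip().lower()
            continue
        if section == "http" and "=" in line:
            key, _, value = line.partition("=")
            # Key matched case-insensitively so odd capitalisation is not missed.
            if key.strip().lower() == "verbose":
                hits.append((lineno, value.strip()))
    return hits

def audit(ini_text, ldap_enabled):
    """Return warnings; an empty list means the setting matches the guide's advice."""
    if not ldap_enabled:
        return []
    return [f"line {n}: [http] verbose={v} while LDAP is enabled"
            for n, v in find_http_verbose(ini_text) if v != "0"]

if __name__ == "__main__":
    for warning in audit(SAMPLE_INI, ldap_enabled=True):
        print(warning)
```

Only the verbose key inside [http] is reported; the same key name in other sections of the sample is ignored.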
LDAP Authentication in Transparent Mode
Before configuring LDAP authentication on IWSVA deployed in transparent mode,
review the following criteria to ensure each item is fully met.
• IWSVA must have a valid hostname assigned (click Administration >
Deployment Wizard, then update the host name on the Network Interface page). Make
sure the hostname is also entered in the corporate DNS server.
• Ensure that the user ID cache is enabled. By default, this is enabled. If it has been
disabled for any reason, it must be re-enabled before enabling transparent mode
authentication. You can enable the user ID cache using the
configure module ldap ipuser_cache enable
command in the CLI.
• By default, IWSVA keeps user ID cache information for up to two hours. If you
need to lower the cache time-out value, use the
configure module ldap ipuser_cache interval
command in the CLI to set a shorter cache interval.
• If authentication is enabled, IWSVA will block all non-browser applications trying to
access the Internet. For example, the MSN application might try to access the
Internet before the user has had a chance to log in to the IWSVA server. If this
happens, the application will be blocked because the user has not successfully
authenticated to IWSVA. You can perform one of the following: