In a VSX environment, where multiple Virtual Systems require Identity Awareness, there are two recommended distributed deployment options:
- For small/medium scale environments:
  It is recommended to have a single Virtual System acquire all identities and share them with the other Virtual Systems.
  In this case, one Virtual System is the PDP, and all other Virtual Systems are only PEPs.
- For large scale environments (many users and/or many domain controllers and/or many RADIUS Accounting clients):
  It is recommended that each Virtual System be configured as a PDP and share the identities with the other Virtual Systems.
  - For AD Query: Each domain controller should be queried by only one Virtual System.
  - For RADIUS Accounting: This could mean listening to different RADIUS Accounting clients.
  - See sk88520 for other recommendations for Identity Awareness in large scale environments.
Note: Every Virtual System that acquires identities (PDP) must have valid LDAP connectivity to the LDAP/AD servers. The default VSX settings route all LDAP traffic through the context of VS0 (the VSX Gateway itself). When this is not applicable, these settings must be changed as described in sk44726.
This solution has been verified for the specific scenario, described by the combination of Product, Version and Symptoms. It may not work in other scenarios.