14.2 WAN Traffic Manager Policy Groups

WAN Traffic Manager comes with the following predefined policy groups.

For more information on applying policy groups, see Applying WAN Policies.

14.2.1 1-3am.wmg

The policies in this group limit the time traffic can be sent to between 1 a.m. and 3 a.m. There are two policies:

  • 1 - 3 am, NA

    Limits the checking of backlinks, external references, and login restrictions, the running of Janitor or Limber, and schema synchronization to these hours.

  • 1 - 3 am

    Limits all other traffic to these hours.

To restrict all traffic to these hours, both policies must be applied.

14.2.2 7am-6pm.wmg

The policies in this group limit the time traffic can be sent to between 7 a.m. and 6 p.m. There are two policies:

  • 7 am - 6 pm, NA

    Limits the checking of backlinks, external references, and login restrictions, the running of Janitor or Limber, and schema synchronization to these hours.

  • 7 am - 6 pm

    Limits all other traffic to these hours.

To restrict all traffic to these hours, both policies must be applied.

14.2.3 Costlt20.wmg

The policies in this group allow only traffic that has a cost factor below 20 to be sent. There are two policies:

  • Cost < 20, NA

    Prevents the checking of backlinks, external references, and login restrictions, the running of Janitor or Limber, and schema synchronization unless the cost factor is less than 20.

  • Cost < 20

    Prevents all other traffic unless the cost factor is less than 20.

To prevent all traffic with a cost factor of 20 or greater, both policies must be applied.

14.2.4 Ipx.wmg

The policies in this group allow only IPX traffic. There are two policies:

  • IPX, NA

    Prevents the checking of backlinks, external references, and login restrictions, the running of Janitor or Limber, and schema synchronization unless the traffic that is generated is IPX.

  • IPX

    Prevents all other traffic unless the traffic is IPX.

To prevent all non-IPX traffic, both policies must be applied.

14.2.5 Ndsttyps.wmg

The policies in this group are sample policies for various eDirectory traffic types. They contain the variables eDirectory passes in a request of this type.

Sample Catch All with Addresses

A sample policy for traffic types with addresses.

Sample Catch All without Addresses

A sample policy for traffic types without addresses.

Sample NDS_BACKLINK_OPEN

NDS_BACKLINK_OPEN is a traffic type that is used if either CheckEachNewOpenConnection or CheckEachAlreadyOpenConnection was set to 1 during the corresponding NDS_BACKLINKS query.

This query is generated whenever CheckEachNewOpenConnection is 1 and eDirectory needs to open a new connection for backlinking or when CheckEachAlreadyOpenConnection is 1 and eDirectory needs to reuse an already existing connection.

  • Version (Input Only, Type INTEGER)

    The version of eDirectory.

  • ExpirationInterval (Input and Output, Type INTEGER)

    If ConnectionIsAlreadyOpen is TRUE, ExpirationInterval is set to the expiration interval already set on the existing connection. Otherwise, it is set to the ExpirationInterval assigned in the NDS_BACKLINKS query. A 0 value indicates that the default (2 hours) should be used. On exit, the value of this variable is assigned as the expiration interval for the connection.

    Value    Description
    <0, 0    Use the default expiration interval (default).
    >0       Expiration interval to be assigned to this connection.

  • ConnectionIsAlreadyOpen (Input Only, Type BOOLEAN)

    This variable is TRUE if eDirectory can reuse an existing connection and FALSE if it needs to create a new connection.

    Value    Description
    TRUE     eDirectory determines that it already has a connection to this address and can reuse that connection.
    FALSE    eDirectory does not have a connection to this address and must create one.

  • ConnectionLastUsed (Input Only, Type TIME)

    If ConnectionIsAlreadyOpen is TRUE, then ConnectionLastUsed is the last time that a packet was sent from eDirectory using this connection. Otherwise, it is 0.

    Value    Description
    TRUE     ConnectionLastUsed is the time that eDirectory last sent a packet on this connection.
    FALSE    ConnectionLastUsed will be 0.

Sample NDS_BACKLINKS

Before eDirectory checks any backlinks or external references, it queries WAN Traffic Manager to see if this is an acceptable time for this activity. NDS_BACKLINKS does not have a destination address and requires a NO_ADDRESSES policy. If WAN Traffic Manager returns DONT_SEND, backlink checking will be put off and rescheduled. The following variables are supplied:

  • Last (Input Only, Type TIME)

    The time of the last round of backlink checking since eDirectory started. When eDirectory starts, Last is initialized to 0. If NDS_BACKLINKS returns SEND, Last is set to the current time after eDirectory finishes backlinking.

  • Version (Input Only, Type INTEGER)

    The version of eDirectory.

  • ExpirationInterval (Output Only, Type INTEGER)

    The expiration interval for all connections created while backlinking.

    Value    Description
    <0, 0    Use the default expiration interval (default).
    >0       Expiration interval to be assigned to this connection.

  • Next (Output Only, Type TIME)

    Tells eDirectory when to schedule the next round of backlink checking.

    Value             Description
    In the past, 0    Use the default scheduling.
    In the future     Time when backlinking should be scheduled.

  • CheckEachNewOpenConnection (Output Only, Type INTEGER)

    Tells eDirectory what to do if it needs to create a new connection while doing backlinking.

    CheckEachNewOpenConnection is initialized to 0.

    Value    Description
    0        Return Success without calling WAN Traffic Manager, allowing the connection to proceed normally (default).
    1        Call WAN Traffic Manager and let the policies decide whether to allow the connection.
    2        Return ERR_CONNECTION_DENIED without calling WAN Traffic Manager, causing the connection to fail.

  • CheckEachAlreadyOpenConnection (Output Only, Type INTEGER)

    This variable tells eDirectory what to do if it needs to reuse a connection it believes is already open while doing backlinking. CheckEachAlreadyOpenConnection is initialized to 0.

    Value    Description
    0        Return Success without calling WAN Traffic Manager, allowing the connection to proceed normally (default).
    1        Call WAN Traffic Manager and let the policies decide whether to allow the connection.
    2        Return ERR_CONNECTION_DENIED without calling WAN Traffic Manager, causing the connection to fail.
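The 0/1/2 handling of CheckEachNewOpenConnection and CheckEachAlreadyOpenConnection can be modeled as follows. This is an added example, not eDirectory or WAN Traffic Manager code, and it applies equally to the other start/*_OPEN query pairs in this section. The names gate_connection, StartOutputs, OpenQuery, existing_connections_only, and the DENIED_BY_POLICY label are assumptions made for the illustration.

```python
from dataclasses import dataclass

SEND, DONT_SEND = "SEND", "DONT_SEND"
SUCCESS = "Success"
ERR_CONNECTION_DENIED = "ERR_CONNECTION_DENIED"
DENIED_BY_POLICY = "denied by *_OPEN policy"  # label made up for this example
DEFAULT_INTERVAL = "default"                  # stands for the product default


@dataclass
class StartOutputs:
    """Output variables a NO_ADDRESSES policy sets for NDS_BACKLINKS and similar queries."""
    expiration_interval: int = 0
    check_each_new_open_connection: int = 0
    check_each_already_open_connection: int = 0


@dataclass
class OpenQuery:
    """Variables passed with the matching *_OPEN query."""
    connection_is_already_open: bool
    connection_last_used: int   # 0 when there is no existing connection
    expiration_interval: int    # input and output


def gate_connection(start, already_open, open_policy, last_used=0, existing_interval=0):
    """Return (status, expiration interval, whether the *_OPEN policy was consulted)."""
    mode = (start.check_each_already_open_connection if already_open
            else start.check_each_new_open_connection)
    if mode == 2:
        # Fail the connection without asking WAN Traffic Manager.
        return ERR_CONNECTION_DENIED, None, False
    if mode not in (0, 1):
        raise ValueError(f"unexpected CheckEach* value: {mode}")
    # Input value: the existing connection's interval, else the one from the start query.
    interval = existing_interval if already_open else start.expiration_interval
    if mode == 1:
        query = OpenQuery(already_open, last_used if already_open else 0, interval)
        if open_policy(query) == DONT_SEND:
            return DENIED_BY_POLICY, None, True
        interval = query.expiration_interval  # value on exit from the policy
    # Values <= 0 mean "use the default expiration interval".
    return SUCCESS, (interval if interval > 0 else DEFAULT_INTERVAL), mode == 1


def existing_connections_only(query):
    """Hypothetical *_OPEN policy: reuse open connections, never open a new one."""
    if not query.connection_is_already_open:
        return DONT_SEND
    query.expiration_interval = 300  # constructed value
    return SEND


if __name__ == "__main__":
    start = StartOutputs(check_each_new_open_connection=1)
    print(gate_connection(start, False, existing_connections_only))
    print(gate_connection(start, True, existing_connections_only,
                          last_used=1000, existing_interval=600))
```

With the default of 0 for both variables, no *_OPEN policy is ever consulted, so a restriction written only as an *_OPEN policy has no effect until the start policy sets the corresponding variable to 1.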

Sample NDS_CHECK_LOGIN_RESTRICTION

Before eDirectory checks a login restriction, it queries WAN Traffic Manager to see if this is an acceptable time for this activity. The traffic type NDS_CHECK_LOGIN_RESTRICTIONS does not have a destination address and requires a NO_ADDRESSES policy. If WAN Traffic Manager returns DONT_SEND, the check errors out.

The following variables are provided:

  • Version (Input Only, Type INTEGER)

    The version of eDirectory.

  • Result (Output Only, Type INTEGER)

    If the result of NDS_CHECK_LOGIN_RESTRICTIONS is DONT_SEND, then the following values are returned to the operating system.

    Value    Description
    0        Login is allowed.
    1        Login is not allowed during the current time block.
    2        Account is disabled or expired.
    3        Account has been deleted.

  • ExpirationInterval (Output Only, Type INTEGER)

    The expiration interval that should be assigned to this connection.

    Value    Description
    <0, 0    Use the default expiration interval (default).
    >0       Expiration interval to be assigned to this connection.

  • CheckEachNewOpenConnection (Output Only, Type INTEGER)

    Value    Description
    0        Return Success without calling WAN Traffic Manager, allowing the connection to proceed normally (default).
    1        Call WAN Traffic Manager and let the policies decide whether to allow the connection.
    2        Return ERR_CONNECTION_DENIED without calling WAN Traffic Manager, causing the connection to fail.

  • CheckEachAlreadyOpenConnection (Output Only, Type INTEGER)

    Value    Description
    0        Return Success without calling WAN Traffic Manager, allowing the connection to proceed normally (default).
    1        Call WAN Traffic Manager and let the policies decide whether to allow the connection.
    2        Return ERR_CONNECTION_DENIED without calling WAN Traffic Manager, causing the connection to fail.

Sample NDS_CHECK_LOGIN_RESTRICTION_OPEN

NDS_CHECK_LOGIN_RESTRICTION_OPEN is only used if either CheckEachNewOpenConnection or CheckEachAlreadyOpenConnection was set to 1 during the corresponding NDS_CHECK_LOGIN_RESTRICTIONS query. This query is generated whenever CheckEachNewOpenConnection is 1 and eDirectory needs to:

  • Open a new connection before running Limber.

  • Open a new connection before checking the login restriction.

  • Reuse an already existing connection.

The following variables are provided:

  • Version (Input Only, Type INTEGER)

    The version of eDirectory.

  • ExpirationInterval (Input and Output, Type INTEGER)

    Value    Description
    <0, 0    Use the default expiration interval (default).
    >0       Expiration interval to be assigned to this connection.

  • ConnectionIsAlreadyOpen (Input Only, Type BOOLEAN)

    Value    Description
    TRUE     eDirectory determines that it already has a connection to this address and can reuse that connection.
    FALSE    eDirectory does not have a connection to this address and must create one.

  • ConnectionLastUsed (Input Only, Type TIME)

    If ConnectionIsAlreadyOpen is TRUE, then ConnectionLastUsed is the last time that a packet was sent from eDirectory using this connection. Otherwise, it will be 0.

    Value    Description
    TRUE     ConnectionLastUsed is the time that eDirectory last sent a packet on this connection.
    FALSE    ConnectionLastUsed will be 0.

Sample NDS_JANITOR

Before eDirectory runs the janitor, it queries WAN Traffic Manager to see if this is an acceptable time for this activity. The NDS_JANITOR does not have a destination address and requires a NO_ADDRESSES policy. If WAN Traffic Manager returns DONT_SEND, janitor work is put off and rescheduled.

The following variables are provided:

  • Last (Input Only, Type TIME)

    The time of the last round of janitor work since eDirectory started. When eDirectory starts, Last is initialized to 0. If NDS_JANITOR returns SEND, Last is set to the current time after eDirectory finishes the janitor.

  • Version (Input Only, Type INTEGER)

    The version of eDirectory.

  • ExpirationInterval (Output Only, Type INTEGER)

    The expiration interval for all connections created while running the Janitor.

    Value    Description
    <0, 0    Use the default expiration interval (default).
    >0       Expiration interval to be assigned to this connection.

  • Next (Output Only, Type TIME)

    Tells eDirectory when to schedule the next round of Janitor work.

    Value             Description
    In the past, 0    Use the default scheduling.
    In the future     Time when the janitor should be scheduled.

  • CheckEachNewOpenConnection (Output Only, Type INTEGER)

    Tells eDirectory what to do if it needs to create a new connection while running the janitor.

    CheckEachNewOpenConnection is initialized to 0.

    Value    Description
    0        Return Success without calling WAN Traffic Manager, allowing the connection to proceed normally (default).
    1        Call WAN Traffic Manager and let the policies decide whether to allow the connection.
    2        Return ERR_CONNECTION_DENIED without calling WAN Traffic Manager, causing the connection to fail.

  • CheckEachAlreadyOpenConnection (Output Only, Type INTEGER)

    Tells eDirectory what to do if it needs to reuse a connection it determines is already open while running the Janitor.

    CheckEachAlreadyOpenConnection is initialized to 0.

    Value    Description
    0        Return Success without calling WAN Traffic Manager, allowing the connection to proceed normally (default).
    1        Call WAN Traffic Manager and let the policies decide whether to allow the connection.
    2        Return ERR_CONNECTION_DENIED without calling WAN Traffic Manager, causing the connection to fail.

Sample NDS_JANITOR_OPEN

NDS_JANITOR_OPEN is used only if either CheckEachNewOpenConnection or CheckEachAlreadyOpenConnection was set to 1 during the corresponding NDS_JANITOR query. This query is generated whenever CheckEachNewOpenConnection is 1 and eDirectory needs to open a new connection before doing backlinking, or when CheckEachAlreadyOpenConnection is 1 and eDirectory needs to reuse an already existing connection.

The following variables are provided:

  • Version (Input Only, Type INTEGER)

    The version of eDirectory.

  • ExpirationInterval (Input and Output, Type INTEGER)

    If ConnectionIsAlreadyOpen is TRUE, ExpirationInterval is set to the expiration interval already set on the existing connection. Otherwise, it is set to the ExpirationInterval assigned in the NDS_JANITOR query. A 0 value indicates that the default (2 hours, 10 seconds) should be used. On exit, the value of this variable is assigned as the expiration interval for the connection.

    Value    Description
    <0, 0    Use the default expiration interval (default).
    >0       Expiration interval to be assigned to this connection.

  • ConnectionIsAlreadyOpen (Input Only, Type BOOLEAN)

    This variable is TRUE if eDirectory needs to reuse an existing connection and FALSE if it needs to create a new connection.

    Value    Description
    TRUE     eDirectory determines that it already has a connection to this address and can reuse that connection.
    FALSE    eDirectory does not have a connection to this address and must create one.

  • ConnectionLastUsed (Input Only, Type TIME)

    If ConnectionIsAlreadyOpen is TRUE, then ConnectionLastUsed is the last time that a packet was sent from eDirectory using this connection. Otherwise, it will be 0.

    Value    Description
    TRUE     ConnectionLastUsed is the time that eDirectory last sent a packet on this connection.
    FALSE    ConnectionLastUsed will be 0.

Sample NDS_LIMBER

Before eDirectory runs limber, it queries WAN Traffic Manager to see if this is an acceptable time for this activity. The traffic type NDS_LIMBER does not have a destination address and requires a NO_ADDRESSES policy. If WAN Traffic Manager returns DONT_SEND, limber is put off and rescheduled.

The following variables are provided:

  • Last (Input Only, Type TIME)

    The time of last limber since eDirectory started.

  • Version (Input Only, Type INTEGER)

    The version of eDirectory.

  • ExpirationInterval (Output Only, Type INTEGER)

    The expiration interval for all connections created while running limber checks.

    Value    Description
    <0, 0    Use the default expiration interval (default).
    >0       Expiration interval to be assigned to this connection.

  • CheckEachNewOpenConnection (Output Only, Type INTEGER)

    Value    Description
    0        Return Success without calling WAN Traffic Manager, allowing the connection to proceed normally (default).
    1        Call WAN Traffic Manager and let the policies decide whether to allow the connection.
    2        Return ERR_CONNECTION_DENIED without calling WAN Traffic Manager, causing the connection to fail.

  • CheckEachAlreadyOpenConnection (Output Only, Type INTEGER)

    Value    Description
    0        Return Success without calling WAN Traffic Manager, allowing the connection to proceed normally (default).
    1        Call WAN Traffic Manager and let the policies decide whether to allow the connection.
    2        Return ERR_CONNECTION_DENIED without calling WAN Traffic Manager, causing the connection to fail.

  • Next (Output Only, Type TIME)

    Time for the next round of limber checking. If this is not set, NDS_LIMBER will use the default.

Sample NDS_LIMBER_OPEN

NDS_LIMBER_OPEN is used only if either CheckEachNewOpenConnection or CheckEachAlreadyOpenConnection was set to 1 during the corresponding NDS_LIMBER query. This query is generated whenever CheckEachNewOpenConnection is 1 and eDirectory needs to open a new connection before running limber or doing schema synchronization, or when CheckEachAlreadyOpenConnection is 1 and eDirectory needs to reuse an already existing connection.

  • Version (Input Only, Type INTEGER)

    The version of eDirectory.

  • ExpirationInterval (Input and Output, Type INTEGER)

    The expiration interval that should be assigned to this connection.

    Value    Description
    <0, 0    Use the default expiration interval (default).
    >0       Expiration interval to be assigned to this connection.

  • ConnectionIsAlreadyOpen (Input Only, Type BOOLEAN)

    Value    Description
    TRUE     eDirectory determines that it already has a connection to this address and can reuse that connection.
    FALSE    eDirectory does not have a connection to this address and must create one.

  • ConnectionLastUsed (Input Only, Type TIME)

    If ConnectionIsAlreadyOpen is TRUE, then ConnectionLastUsed is the last time that a packet was sent from eDirectory using this connection. Otherwise, it is 0.

    Value    Description
    TRUE     ConnectionLastUsed is the time that eDirectory last sent a packet on this connection.
    FALSE    ConnectionLastUsed will be 0.

Sample NDS_SCHEMA_SYNC

Before eDirectory synchronizes the schema, it queries WAN Traffic Manager to see if this is an acceptable time for this activity. The traffic type NDS_SCHEMA_SYNC does not have a destination address and requires a NO_ADDRESSES policy. If WAN Traffic Manager returns DONT_SEND, schema synchronization is put off and rescheduled.

The following variables are provided:

  • Last (Input Only, Type TIME)

    The time of the last successful schema synchronization to all servers.

  • Version (Input Only, Type INTEGER)

    The version of eDirectory.

  • ExpirationInterval (Output Only, Type INTEGER)

    The expiration interval for all connections created while synchronizing the schema.

    Value    Description
    <0, 0    Use the default expiration interval (default).
    >0       Expiration interval to be assigned to this connection.

  • CheckEachNewOpenConnection (Output Only, Type INTEGER)

    Value    Description
    0        Return Success without calling WAN Traffic Manager, allowing the connection to proceed normally (default).
    1        Call WAN Traffic Manager and let the policies decide whether to allow the connection.
    2        Return ERR_CONNECTION_DENIED without calling WAN Traffic Manager, causing the connection to fail.

  • CheckEachAlreadyOpenConnection (Output Only, Type INTEGER)

    Value    Description
    0        Return Success without calling WAN Traffic Manager, allowing the connection to proceed normally (default).
    1        Call WAN Traffic Manager and let the policies decide whether to allow the connection.
    2        Return ERR_CONNECTION_DENIED without calling WAN Traffic Manager, causing the connection to fail.

Sample NDS_SCHEMA_SYNC_OPEN

NDS_SCHEMA_SYNC_OPEN is used only if either CheckEachNewOpenConnection or CheckEachAlreadyOpenConnection was set to 1 during the corresponding NDS_SCHEMA_SYNC query. This query is generated whenever CheckEachNewOpenConnection is 1 and eDirectory needs to open a new connection before doing schema synchronization or when CheckEachAlreadyOpenConnection is 1 and eDirectory needs to reuse an already existing connection.

  • Version (Input Only, Type INTEGER)

    The version of eDirectory.

  • ExpirationInterval (Input and Output, Type INTEGER)

    The expiration interval that should be assigned to this connection.

    Value    Description
    <0, 0    Use the default expiration interval (default).
    >0       Expiration interval to be assigned to this connection.

  • ConnectionIsAlreadyOpen (Input Only, Type BOOLEAN)

    Value    Description
    TRUE     eDirectory determines that it already has a connection to this address and can reuse that connection.
    FALSE    eDirectory does not have a connection to this address and must create one.

  • ConnectionLastUsed (Input Only, Type TIME)

    If ConnectionIsAlreadyOpen is TRUE, then ConnectionLastUsed is the last time that a packet was sent from eDirectory using this connection. Otherwise, it is 0.

    Value    Description
    TRUE     ConnectionLastUsed is the time that eDirectory last sent a packet on this connection.
    FALSE    ConnectionLastUsed will be 0.

Sample NDS_SYNC

Whenever eDirectory needs to synchronize a replica, it makes a query to WAN Traffic Manager using the traffic type NDS_SYNC. The following variables are provided by eDirectory for use in WAN policies:

  • Last (Input Only, Type TIME)

    Time of the last successful synchronization to this replica.

  • Version (Input Only, Type INTEGER)

    The version of eDirectory.

  • ExpirationInterval (Output Only, Type INTEGER)

    The expiration interval for the connection to the server holding the updated replica.

    Value    Description
    <0, 0    Use the default expiration interval (default).
    >0       Expiration interval to be assigned to this connection.

14.2.6 Onospoof.wmg

The policies in this group allow only existing WAN connections to be used. There are two policies:

  • Already Open, No Spoofing, NA

    Prevents the checking of backlinks, external references, and login restrictions, the running of Janitor or Limber, and schema synchronization except on existing WAN connections.

  • Already Open, No Spoofing

    Prevents all other traffic to existing WAN connections.

To prevent all traffic to existing connections, both policies must be applied.

14.2.7 Opnspoof.wmg

The policies in this group allow only existing WAN connections to be used but assume that a connection that hasn’t been used for 15 minutes is being spoofed and should not be used. There are two policies:

  • Already Open, Spoofing, NA

    This policy prevents the checking of backlinks, external references, and login restrictions, the running of Janitor or Limber, and schema synchronization except on existing WAN connections that have been open less than 15 minutes.

  • Already Open, Spoofing

    This policy prevents other traffic to existing WAN connections that have been open less than 15 minutes.

To prevent all traffic to existing connections open less than 15 minutes, both policies must be applied.

14.2.8 Samearea.wmg

The policies in this group allow traffic only in the same network area. A network area is determined by the network section of an address. In a TCP/IP address, WAN Traffic Manager assumes a class C address (addresses whose first three sections are in the same network area). In an IPX address, all addresses with the same network portion are considered to be in the same network area. There are three policies:

  • Same Network Area, NA

    Prevents the checking of backlinks, external references, and login restrictions, the running of Janitor or Limber, and schema synchronization unless the traffic that would be generated is in the same network area.

  • Same Network Area, TCPIP

    Restricts TCP/IP traffic unless the traffic that would be generated is in the same TCP/IP network area.

  • Same Network Area, IPX

    Restricts IPX traffic unless the traffic that would be generated is in the same IPX network area.

14.2.9 Tcpip.wmg

The policies in this group allow only TCP/IP traffic. There are two policies:

  • TCPIP, NA

    Prevents the checking of backlinks, external references, and login restrictions, the running of Janitor or Limber, and schema synchronization unless the traffic that would be generated is TCP/IP.

  • TCPIP

    Prevents all other traffic unless the traffic is TCP/IP.

To prevent all non-TCP/IP traffic, both policies must be applied.

14.2.10 Timecost.wmg

The policies in this group restrict all traffic to between 1 a.m. and 1:30 a.m. but allow servers in the same location to talk continuously. This group uses the following policies, all of which must be applied:

  • COSTLT20

    Has a priority of 40 for NA and address traffic.

  • Disallow Everything

    Allows no traffic to be sent. If WAN Traffic Manager finds no (0) policies where the selector returned greater than 0, it defaults to SEND. This policy prevents this case.

  • NDS Synchronization

    Restricts NDS_SYNC traffic to between 1 a.m. and 1:30 a.m.

  • Start Rest. Procs, NA

    Allows all processes to start at any time, but WAN Traffic Manager must be consulted for each *_OPEN call. It schedules the process to run four times a day at 1:00, 7:00, 13:00, and 19:00.

  • Start Unrest. Procs 1-1:30, NA

    Allows all processes to start between 1:00 a.m. and 1:30 a.m. and run to completion without further queries to WAN Traffic Manager. The processes run four times a day, every six hours. The 1:00 process is handled by this policy. The other processes are handled by the Start Rest. Procs, NA.
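
The default-to-SEND behavior noted under Disallow Everything is the reason this group needs a catch-all policy. The following added example (a model, not WAN Traffic Manager code or policy syntax) shows the difference. It assumes that the applicable policy with the highest selector value decides the query; the weights 30 and 1, the query field names, and the decide function are constructed for the illustration.

```python
from typing import Callable, NamedTuple

SEND, DONT_SEND = "SEND", "DONT_SEND"


class Policy(NamedTuple):
    name: str
    selector: Callable[[dict], int]  # weight; 0 means "does not apply"
    provider: Callable[[dict], str]  # SEND or DONT_SEND


def decide(policies, query):
    """Return (verdict, deciding policy name, or None for the built-in default)."""
    weighted = [(p.selector(query), p) for p in policies]
    applicable = [(w, p) for w, p in weighted if w > 0]
    if not applicable:
        # No selector returned a value greater than 0: the manager defaults to SEND.
        return SEND, None
    _, winner = max(applicable, key=lambda wp: wp[0])  # assumed: highest weight wins
    return winner.provider(query), winner.name


def in_window(query):
    """True between 1:00 a.m. and 1:30 a.m. (minutes since midnight)."""
    return 60 <= query["minute_of_day"] < 90


# Priority 40 comes from the text above; the other weights are constructed.
COSTLT20 = Policy("COSTLT20",
                  lambda q: 40 if q["cost"] < 20 else 0,
                  lambda q: SEND)
NDS_SYNCHRONIZATION = Policy("NDS Synchronization",
                             lambda q: 30 if q["type"] == "NDS_SYNC" else 0,
                             lambda q: SEND if in_window(q) else DONT_SEND)
DISALLOW_EVERYTHING = Policy("Disallow Everything",
                             lambda q: 1,
                             lambda q: DONT_SEND)

WITHOUT_CATCH_ALL = [COSTLT20, NDS_SYNCHRONIZATION]
FULL_GROUP = WITHOUT_CATCH_ALL + [DISALLOW_EVERYTHING]

# Constructed sample queries: a costly (remote) link at 14:00 and at 01:05.
REMOTE_OTHER_DAY = {"type": "NDS_JANITOR_OPEN", "cost": 50, "minute_of_day": 840}
REMOTE_SYNC_DAY = {"type": "NDS_SYNC", "cost": 50, "minute_of_day": 840}
REMOTE_SYNC_NIGHT = {"type": "NDS_SYNC", "cost": 50, "minute_of_day": 65}
LOCAL_OTHER_DAY = {"type": "NDS_JANITOR_OPEN", "cost": 10, "minute_of_day": 840}

if __name__ == "__main__":
    for label, group in (("without catch-all", WITHOUT_CATCH_ALL),
                         ("full group", FULL_GROUP)):
        print(label, decide(group, REMOTE_OTHER_DAY))
```

Without the catch-all, the remote daytime query matches no policy and is sent by default; with it, the same query is refused while low-cost local traffic and in-window synchronization still pass.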