What is the best practice for setting up policy servers over two locations connected over a WAN?
1. Policy servers can only serve one policy group.
2. Sudo plugins connect to their primary policy server in order to retrieve updated policies for offline policy evaluation.
Because of this, it probably makes the most sense to have distinct policy groups for each geographic location, with each location having its own primary and secondary policy servers, and possibly managing both groups under one MCU.
This would be the best setup for minimizing the WAN traffic. A slight drawback here is that in order to keep the same policy in both groups, the policy would have to be manually kept in sync. I can't see any benefit from having secondary servers in a different geographic location than their primaries.
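Since the answer above leaves the two policy groups to be synchronised by hand, the practical risk is silent drift between the sites. The following POSIX shell script is an added example, not part of the original post and not a tool from any sudo policy server product: it compares two exported policy trees (one per policy group) and reports files that differ or exist on only one side. The directory layout, file names and sudoers rules are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: detect drift between the policy files of two independently
# managed policy groups (e.g. site A and site B). Directory layout and rules
# below are hypothetical; point policy_drift at wherever each group's policy
# is checked out or exported.

# policy_drift DIR_A DIR_B
# Prints one line per file that differs between the trees or is missing on
# one side. Returns 0 when the trees are identical, 1 when drift was found.
# (Uses word splitting on file names, so paths with spaces are not supported.)
policy_drift() {
    a="$1"; b="$2"; drift=0
    # Union of relative file paths present in either tree.
    for f in $( { (cd "$a" && find . -type f); (cd "$b" && find . -type f); } | sort -u ); do
        if [ ! -f "$a/$f" ]; then
            echo "only in $b: $f"; drift=1
        elif [ ! -f "$b/$f" ]; then
            echo "only in $a: $f"; drift=1
        elif ! cmp -s "$a/$f" "$b/$f"; then
            echo "differs: $f"; drift=1
        fi
    done
    return $drift
}

# make_demo: build two constructed policy trees in a temp directory and print
# its path. site_a and site_b share a base sudoers but site_a carries an extra
# sudoers.d fragment and a different base rule, so drift is expected.
make_demo() {
    d=$(mktemp -d)
    mkdir -p "$d/site_a/sudoers.d" "$d/site_b/sudoers.d"
    printf 'root ALL=(ALL) ALL\n%%admins ALL=(ALL) ALL\n' > "$d/site_a/sudoers"
    printf 'root ALL=(ALL) ALL\n' > "$d/site_b/sudoers"
    printf '%%dba ALL=(oracle) /usr/bin/sqlplus\n' > "$d/site_a/sudoers.d/dba"
    echo "$d"
}

# Stand-alone run: report drift between the constructed trees.
demo_dir=$(make_demo)
policy_drift "$demo_dir/site_a" "$demo_dir/site_b" || echo "policy groups have drifted; sync before the next offline policy refresh"
```

Run it from whichever host can reach both groups' policy exports (or from a job on the MCU host, if both groups are managed there); a non-zero exit from `policy_drift` is a convenient signal to block a deployment or page an operator until the two groups are reconciled.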