Integrated Windows Authentication (IWA) Direct lets you configure an IWA realm on the Edge SWG (Formerly ProxySG) or Advanced Secure Gateway (ASG) that connects directly to your Windows Active Directory. Previously, to use IWA you had to install and configure BCAAA on a server in your Windows domain. With this feature, you join the Edge SWG (Formerly ProxySG) or ASG appliance to the Windows domain and then configure the IWA realm to communicate directly with the Domain Controller to process authentication requests.
You cannot create an IWA Direct realm until you have joined the appliance to the Windows domain. See How to join a Windows Domain.
NOTE: For information on the directory service operating systems that IWA Direct supports, refer to the BCAAA Readme, which is posted with the BCAAA version on the Symantec download portal.
In an IWA Direct realm, Kerberos configuration is minimal because the appliance has its own computer account in Active Directory and uses that account's password to decrypt the service tickets that clients present. Therefore, there is no need to create a privileged Active Directory account or to generate a service principal name (SPN) for the appliance, as is required with an IWA BCAAA realm. To ensure that IWA uses the Kerberos protocol rather than downgrading to NTLM, make sure that authentication requests are directed to the DNS name of the appliance's Active Directory computer account. The client builds the Kerberos service principal name from the host name it connects to, so a name that does not correspond to the computer account (for example, a CNAME alias or a load-balancer name) causes the client to fall back to NTLM. Register the name as a host (A) record, as follows:
ProxySG1.blue9.example.com Host (A) x.x.x.x
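The following PowerShell script is an added example, not part of the Symantec/Broadcom documentation, that checks the two conditions this section depends on before you create the realm: that the name clients use for the proxy is a host (A) record rather than a CNAME, and that it matches the dNSHostName of the appliance's computer account in Active Directory. It then requests a Kerberos service ticket for the proxy from the client side so you can see whether Kerberos or an NTLM fallback is in play. The computer account name PROXYSG1, the FQDN proxysg1.blue9.example.com, and the use of a domain-joined Windows host with the ActiveDirectory RSAT module installed are assumptions for the example.

```powershell
# Added example (not from the product documentation). Assumes a domain-joined
# Windows host with the ActiveDirectory module (RSAT) installed, an appliance
# computer account named PROXYSG1, and the FQDN proxysg1.blue9.example.com.
param(
    [string]$ProxyFqdn    = 'proxysg1.blue9.example.com',
    [string]$ComputerName = 'PROXYSG1'
)

Import-Module ActiveDirectory -ErrorAction Stop

# 1. The name clients connect to must resolve as a host (A) record. If it is a
#    CNAME, the SPN the browser asks the KDC for may not match any account and
#    the client silently negotiates NTLM instead of Kerberos.
$records = Resolve-DnsName -Name $ProxyFqdn -ErrorAction Stop
if ($records | Where-Object Type -eq 'CNAME') {
    Write-Warning "$ProxyFqdn is a CNAME alias; point clients at the A record name instead."
}
$aRecords = $records | Where-Object Type -eq 'A'
if (-not $aRecords) { throw "No A record found for $ProxyFqdn" }
$aRecords | ForEach-Object { "A record: $($_.Name) -> $($_.IPAddress)" }

# 2. The appliance's computer account must carry the same FQDN in dNSHostName;
#    that is what lets the KDC issue tickets for HOST/<fqdn> without an explicit
#    SPN being registered by hand.
$acct = Get-ADComputer -Identity $ComputerName -Properties dNSHostName, servicePrincipalName
if ($acct.DNSHostName -ine $ProxyFqdn) {
    Write-Warning "Computer account dNSHostName '$($acct.DNSHostName)' does not match '$ProxyFqdn'."
}

# 3. Show the SPNs Active Directory registered for the computer account. HTTP
#    requests are satisfied by the HOST/ SPNs through the domain's SPN mappings,
#    so an HTTP/<fqdn> entry is not required here.
"Registered SPNs for ${ComputerName}:"
$acct.ServicePrincipalName | Sort-Object | ForEach-Object { "  $_" }

# 4. From a client, ask the KDC for a service ticket to the proxy. A ticket
#    listed for HTTP/<fqdn> means Kerberos will be used; an error means browsers
#    will downgrade to NTLM against this name.
klist get "HTTP/$ProxyFqdn"
```

Run the script from a workstation that authenticates through the proxy; the final klist output is the quickest confirmation that the name and account line up, and a CNAME warning or a dNSHostName mismatch in steps 1 and 2 is the usual cause when the realm works but only ever shows NTLM.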
The IWA realm contains the configuration settings that the Edge SWG (Formerly ProxySG) appliance needs to perform IWA authentication, including how to connect to Active Directory, which authentication protocols to support, how long to wait before timing out, and where to redirect transparent requests, if applicable.
After you create the IWA Direct realm, you can verify that the Edge SWG (Formerly ProxySG) appliance can successfully connect to the Domain Controller and authenticate a user as follows: