Should a BCAAA server be located closer to the proxy or the Domain Controller?

Article ID: 166913

Products

ProxySG Software - SGOS

Issue/Introduction

In large proxy deployments, the proxy may be located in a different building to the Domain Controller (DC) infrastructure. In such environments, it is advisable to install a BCAAA server as close to the DCs as possible, for a number of reasons.

  • The network communication between the BCAAA and the DCs is more susceptible to latency issues than the communication between the proxy and the BCAAA.
  • BCAAA uses multiple network protocols (SMB, DNS, Kerberos, LDAP) to talk to the DCs. It would be difficult to allow all of these through any firewall that exists between the BCAAA and the DCs.
  • The proxy and BCAAA communicate over TCP port 16101 only, which is easier to add to a firewall. Additionally, it is easier to assign a higher bandwidth to this communication stream.

To further help reduce latency issues, it is recommended that the BCAAA server be located within the same subnet as the DCs and, preferably, on the same switch.

Note: Even if the BCAAA server is located next to multiple DCs, it may still be necessary to configure BCAAA to communicate with one specific DC (see 000009829).
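To check a candidate BCAAA placement, the following added example (not part of the original article and not vendor tooling) measures TCP connect latency from the BCAAA host to each DC for the protocols listed above and ranks the DCs. The port numbers are the standard defaults for those protocols and the host names are placeholders; both are assumptions, not values from the article.

```python
import socket
import statistics
import time

# Assumed standard TCP ports for the protocols the article lists.
# DNS and Kerberos also use UDP, which this check does not probe.
DC_PORTS = {"DNS": 53, "Kerberos": 88, "LDAP": 389, "SMB": 445}


def connect_ms(host, port, timeout=2.0):
    """Return the TCP connect time in milliseconds, or None if unreachable."""
    start = time.perf_counter()
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return (time.perf_counter() - start) * 1000.0
    except OSError:  # refused, timed out, filtered, or name not resolvable
        return None


def probe_dc(host, ports=DC_PORTS, samples=5):
    """Median connect time per protocol; None marks a blocked or closed port."""
    result = {}
    for name, port in ports.items():
        times = [connect_ms(host, port) for _ in range(samples)]
        ok = [t for t in times if t is not None]
        # Any failed sample counts as unreachable: intermittent drops
        # between BCAAA and a DC disrupt authentication as well.
        result[name] = statistics.median(ok) if len(ok) == samples else None
    return result


def rank_dcs(hosts, ports=DC_PORTS, samples=5):
    """Sort DCs by worst per-protocol median; DCs with a blocked port go last."""
    scored = []
    for host in hosts:
        medians = probe_dc(host, ports, samples)
        blocked = sorted(n for n, v in medians.items() if v is None)
        reachable = [v for v in medians.values() if v is not None]
        worst = max(reachable, default=float("inf"))
        scored.append((bool(blocked), worst, host, blocked))
    return [(host, worst, blocked) for _, worst, host, blocked in sorted(scored)]


if __name__ == "__main__":
    # Placeholder host names; replace with the DCs near the BCAAA server.
    dcs = ["dc1.example.internal", "dc2.example.internal"]
    for host, worst, blocked in rank_dcs(dcs):
        print(f"{host}: worst median {worst:.1f} ms, unreachable: {blocked or 'none'}")
```

Run it on the BCAAA server itself. A DC that reports an unreachable protocol points to a firewall between the two hosts, which is the situation the placement advice above is meant to avoid.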