Domain Controller preference based on performance or errors in an IWA-Direct deployment


Article ID: 168315

Products

ProxySG Software - SGOS

Issue/Introduction

Sometimes a Domain Controller may be on-line and sending SYN ACKs to a ProxySG in response to the ProxySG's SYNs, yet be in a state where it is not actually functional or is overloaded and therefore not responding to requests in a timely manner. This can be seen in the advanced URL https://<ProxyIP>:8082/lsa/stats under Schannel Server -> Number of Errors.

These errors can cause users to be unable to access the internet or to experience slow browsing. Under these circumstances it is irrelevant how the ProxySG chose the DC (the choice could have been based on the Preferred or Alternate setting or on the default LDAP pings). The main point is that the ProxySG has already chosen a DC and is communicating with it. The DC is sending back SYN ACKs, but it has other issues which are impacting users.

Can the ProxySG automatically detect these errors and switch to another DC within the same Domain?

Cause

Customers may be faced with a situation where users cannot access the internet because of the Domain Controller, and may wish that the ProxySG automatically detected such higher-level errors and switched to a better DC.

Resolution

According to article 000011260:

"From SGOS 6.5.2.x onwards, IWA-Direct supports the option of providing a “Preferred” and an “Alternate” Domain Controller to which the proxy will open Schannel Connections for NTLM Credential Validation. Whenever the Preferred DC is on-line, the ProxySG will use it to process the NTLM requests. If it is not on-line, then the ProxySG will use the alternate DC. When the Preferred DC comes back on-line, the Proxy will switch back to it. If both Preferred and Alternate DCs are not on-line, the Proxy will fall back to the normal DC selection method based on the LDAP Ping response."

After a ProxySG determines which domain controller to use based on the above, it continues to use that domain controller as long as the DC is still on-line, meaning that when the ProxySG sends it a SYN, the DC responds with a SYN ACK. This connectivity check alone determines whether the ProxySG stays with that DC or tries to switch elsewhere.

If the DC is still on-line and sending SYN ACKs back to the proxy but is having higher-level errors, i.e. performance-related errors as seen under /lsa/stats, then the ProxySG does NOT switch and keeps using this DC. This behaviour is consistent with how Windows currently behaves.

So the trigger for the proxy to switch from one DC to another is that the DC is no longer on-line (meaning it is not acknowledging the SYNs the ProxySG sends it), not any higher-level errors the DC may be having.

Workaround

  • As of 6.5.2.x, customers can manually set up Preferred and Alternate Domain Controllers, thus avoiding problematic Domain Controllers. See 000011260; and/or
  • Remove the problematic Domain Controller from Windows Active Directory so that the ProxySG does not choose it based on LDAP pings.