ProxySG unable to join the Windows domain if Active Directory (AD) local site has only Read-Only Domain Controllers (RODCs)

book

Article ID: 170483

calendar_today

Updated On:

Products

Advanced Secure Gateway Software - ASG SG-300 SG-600 SG-510 SG-810 SG-9000 SG-900 SG-S500 SG-S400 Secure Web Gateway Virtual Appliance SG-S200 ProxySG Software - SGOS SWG VA-100

Issue/Introduction

ProxySG is not able to join AD domain on SGOS versions 6.5.10.6, 6.6.5.8, 6.7.2.1 or higher.

You have only RODCs in your local site defined by AD in which the ProxySG belongs.

Cause

A change in SGOS was made where ProxySG will only contact Domain Controllers (DCs) in its local Active Directory (AD) site where SG belongs.  This change was introduced to address latency and firewall related issues on ProxySG when it contacts DCs in remote geographical locations.  With this change, ProxySG will not be able to join the AD domain if its local AD site includes only Read-Only Domain Controllers (RODC).  Read-Write Domain Controllers (RWDC) are required for ProxySG to join a domain. This worked in prior versions since the SG could contact other RWDCs in remote locations.

 

Resolution

This issue will be fixed in a patch release for SGOS 6.5 targeted for January 2018, SGOS 6.6 patch targeted for February 2018, and in SGOS 6.7.4.1.    

There will be a new CLI configuration setting for Active Directory Site Awareness under "security windows-domains" called "site-aware" which will have the options (enable|disable).

By default it is enabled.  If disabled, we simply don't return a site name for the domain even if one exists. So, disabling site-aware should fix this issue.

Workaround :  Configure at least one RWDC in the local AD site where SG belongs.