Edge SWG (formerly ProxySG) Domain Controller Selection in IWA Authentication

Article ID: 236856


Products

ProxySG Software - SGOS

Issue/Introduction

You are configuring IWA Authentication (IWA-BCAAA or IWA-Direct) on your Edge SWG (formerly ProxySG) appliance and want to determine which Domain Controller (DC) the proxy will connect to when more than one is available.

Resolution

The Edge SWG (formerly ProxySG) appliance (IWA-Direct) or the BCAAA server (IWA-BCAAA) queries an SRV record in DNS and sends an "LDAP ping" packet to the DCs that it finds. The LDAP ping is a small LDAP-over-UDP packet. The server that responds fastest will be the DC in use until either:

  1. the server in question becomes unresponsive, or
  2. the S-Channels of the server currently in use become maxed out.

In SGOS 6.5.2.x and later, customers can optionally specify a preferred and an alternate DC, and the Edge SWG (formerly ProxySG) appliance will always use those. If neither is available, it falls back to using an LDAP ping.

Note: The Edge SWG (formerly ProxySG) connects to only one DC at a time, per realm.
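To check from an admin workstation which DC is likely to win, the following added example (not Broadcom or appliance code) builds a standard Active Directory LDAP ping, times it against each DC, and applies the selection order described above. Assumptions: the SRV name is the standard AD DC-locator name, the NtVer value and filter follow the common AD form, "available" is approximated as "answered the ping", and the host names and timings in `SAMPLE` are constructed.

```python
import socket, time

def srv_name(domain):
    # Standard AD DC-locator SRV record (assumed to be the one queried).
    return f"_ldap._tcp.dc._msdcs.{domain}"

def tlv(tag, value):
    """BER-encode one tag/length/value element (short or long length form)."""
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    size = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(size)]) + size + value

def build_ldap_ping(domain, msg_id=1):
    """rootDSE search for the Netlogon attribute: (&(DnsDomain=...)(NtVer=...))."""
    eq = lambda attr, val: tlv(0xA3, tlv(0x04, attr) + tlv(0x04, val))
    flt = tlv(0xA0, eq(b"DnsDomain", domain.encode())
                    + eq(b"NtVer", b"\x06\x00\x00\x00"))  # assumed NtVer flags
    search = tlv(0x63,
                 tlv(0x04, b"")          # baseObject: rootDSE
                 + tlv(0x0A, b"\x00")    # scope: base
                 + tlv(0x0A, b"\x00")    # derefAliases: never
                 + tlv(0x02, b"\x00")    # sizeLimit: none
                 + tlv(0x02, b"\x00")    # timeLimit: none
                 + tlv(0x01, b"\x00")    # typesOnly: false
                 + flt
                 + tlv(0x30, tlv(0x04, b"Netlogon")))
    return tlv(0x30, tlv(0x02, bytes([msg_id])) + search)

def ldap_ping(host, domain, timeout=1.0):
    """Send the ping over UDP/389; return round-trip seconds, or None."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        start = time.monotonic()
        try:
            s.sendto(build_ldap_ping(domain), (host, 389))
            s.recvfrom(4096)
        except OSError:              # timeout, unreachable, or name failure
            return None
        return time.monotonic() - start

def pick_dc(rtts, preferred=None, alternate=None):
    """rtts maps DC -> seconds or None. Preferred, then alternate, then fastest."""
    for dc in (preferred, alternate):
        if dc and rtts.get(dc) is not None:
            return dc
    alive = {dc: t for dc, t in rtts.items() if t is not None}
    return min(alive, key=alive.get) if alive else None

# Constructed sample timings; in practice fill this from ldap_ping() per DC.
SAMPLE = {"dc1.example.com": 0.012, "dc2.example.com": 0.004, "dc3.example.com": None}
```

Resolve `srv_name("your.domain")` with your usual DNS tool to get the candidate DC list, then feed each host to `ldap_ping()` and the results to `pick_dc()`.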