How does the ProxySG select a Domain Controller in IWA Authentication?

Article ID: 236856

Products

ProxySG Software - SGOS

Issue/Introduction

You are configuring IWA Authentication (IWA-BCAAA or IWA-Direct) on your ProxySG appliance and would like to determine which Domain Controller the proxy will connect to when there are multiple.

Resolution

The ProxySG appliance (IWA-Direct) or the BCAAA server (IWA-BCAAA) queries an SRV record in DNS and sends an "LDAP ping" packet to the DCs that it finds. The LDAP ping is a small LDAP-over-UDP packet. The server that responds the quickest will be the DC in use until either

  1. the server in question becomes unresponsive, or
  2. the S-Channels of the server currently in use become maxed out.

In SGOS 6.5.2.x and later, customers can optionally specify a preferred and an alternate DC, and the ProxySG appliance will always use those. If neither is available, it will fall back to using an LDAP ping.

Note: The proxy will only ever actually connect to one DC at a time, per realm.
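
The selection rules above can be modeled as follows, which helps when predicting which DC a realm will land on after a failure. This is an added example, not Broadcom's or the ProxySG's own code. The names `DC`, `select_dc` and `next_dc` are hypothetical, and it assumes that "available" means the DC answered the LDAP ping and its S-Channels are not maxed out.

```python
from dataclasses import dataclass
from typing import Optional, Sequence

@dataclass
class DC:
    name: str
    ping_ms: Optional[float]       # LDAP ping reply time; None = no reply
    schannels_maxed: bool = False  # every S-Channel to this DC is in use

def available(dc: Optional[DC]) -> bool:
    # Assumption: usable = answered the LDAP ping and has S-Channel capacity.
    return dc is not None and dc.ping_ms is not None and not dc.schannels_maxed

def select_dc(dcs: Sequence[DC], preferred: Optional[str] = None,
              alternate: Optional[str] = None) -> Optional[str]:
    """Fresh selection: preferred, then alternate, then fastest LDAP ping reply.

    `dcs` holds the state of every DC known for the realm (SRV-discovered or
    configured). Returns one DC name, or None if nothing is usable.
    """
    by_name = {dc.name: dc for dc in dcs}
    # SGOS 6.5.2.x and later: configured DCs take priority when available.
    for name in (preferred, alternate):
        if name and available(by_name.get(name)):
            return name
    # Fallback (and the only path on older releases): quickest responder wins.
    responders = [dc for dc in dcs if available(dc)]
    if not responders:
        return None
    return min(responders, key=lambda dc: dc.ping_ms).name

def next_dc(current: Optional[str], dcs: Sequence[DC],
            preferred: Optional[str] = None,
            alternate: Optional[str] = None) -> Optional[str]:
    """One DC per realm: keep the current DC until it stops responding or its
    S-Channels are maxed out, and only then reselect."""
    by_name = {dc.name: dc for dc in dcs}
    if current and available(by_name.get(current)):
        return current
    return select_dc(dcs, preferred, alternate)

if __name__ == "__main__":
    # Constructed sample state: dc3 does not answer the LDAP ping.
    state = [DC("dc1", 12.0), DC("dc2", 4.5), DC("dc3", None)]
    print(select_dc(state))                        # fastest responder
    print(next_dc("dc1", state))                   # stays on the DC in use
    print(select_dc(state, "dc3", "dc1"))          # preferred down, alternate used
```

Note that the DC in use is kept even when another DC would now answer faster, so the DC a realm is bound to depends on the order of past failures as well as current latency.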