It is possible to configure two BCAAA servers that the ProxySG can communicate with for IWA Authentication. These BCAAA servers are set as a Primary and an Alternate, as seen in the image below.
By default, the ProxySG appliance will connect to the Primary BCAAA server. If the Primary fails or becomes unavailable, the ProxySG will automatically switch to the Alternate BCAAA server.
If, at any given time, you want to change the BCAAA server the ProxySG appliance is actively connected to, you must bring the other BCAAA service offline.
For example, if you are using the Alternate BCAAA server due to a failure with the Primary, but want to switch back to the Primary after the issue has been resolved, you must take the Alternate BCAAA service offline. The ProxySG will then see the failure and try to connect to the other BCAAA server listed, the Primary, in this example.