The IWA Direct feature is available from SGOS 6.3. It lets you configure an IWA realm on the ProxySG that connects directly to your Windows Active Directory, with no need to install and configure the BCAAA agent on a server in your Windows domain.
The ProxySG appliance can now join a Windows domain; the IWA realm is then configured to communicate directly with the Domain Controller to process authentication requests.
The following steps describe how to configure IWA direct.
Join the Windows domain:
1) From the ProxySG Management Console, select Configuration > Authentication > Windows Domain > Windows Domain
2) Click New; the Add Windows Domain dialog displays.
3) Enter a Domain name alias and then click OK.
4) Click Apply and then click OK.
5) Select the domain Name you created. When you select it, the Details fields become active.
6) In the DNS domain name field, enter the DNS name of the Windows Active Directory domain. This is not the fully qualified domain name of the ProxySG.
7) In the SG host name field, enter the host name to use for this ProxySG. Blue Coat recommends the appliance name or any name that helps you recognize it. The name you enter must be unique in your Active Directory.
8) Click Join Domain; the Join domain dialog displays.
9) Enter the primary domain access Username and Password in the format username@dnsname, for example: firstname.lastname@example.org. For SGOS 6.3.3 and later, the user account must have rights to join the domain.
10) Click OK. The appliance displays a message indicating that the domain was successfully joined.
11) Click OK to close the dialog. The value in the Joined field changes to Yes.
Notes about NTP configuration:
To join the Windows domain, make sure that the ProxySG clock is in sync with the Domain Controller. To ensure that the ProxySG clocks are synchronized with the Domain Controller clock, use either of the following techniques:
1) Specify the same NTP servers for the ProxySG appliances and the Domain Controller.
2) Configure the ProxySG appliances to use the Domain Controller as the NTP server, as in the following example.
If a clock skew issue occurs, you will see an error message like this in the event log:
2011-12-13 21:49:31-00:00UTC "[LwKrb5GetTgtImpl /home/service-releng/p4/scorpius/sg_6_3/src/security/likewise/lwadvapi/threaded/krbtgt.c:262] KRB5 Error code: -1765328347 (Message: Clock skew too great)" 0 250034:1 sg_syslog.cpp:78
and this error message will appear when you try to join the domain:
Notes about DNS configuration:
Another common error is related to DNS. The ProxySG appliance must be able to resolve the DNS domain name you supply for the Active Directory domain or the appliance will not be able to join the domain.
Double check your DNS configuration as in the example:
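Both prerequisites above (clock sync with the Domain Controller and resolution of the AD DNS domain name) can be checked before attempting the join. The script below is an added example, not Blue Coat code: it recognizes the Kerberos skew error in the event-log line quoted above, evaluates an observed offset against the Kerberos default tolerance, and, when run with network access, reads the Domain Controller's time over SNTP and resolves the AD domain name. The function names and the 300-second tolerance are assumptions; the ProxySG itself has no such script.

```python
import re
import socket
import struct

# Kerberos rejects requests once clock skew exceeds this; 5 minutes is the default (assumption for this check).
MAX_SKEW_SECONDS = 300
# KRB5KRB_AP_ERR_SKEW, the error code quoted in the ProxySG event log above.
KRB5KRB_AP_ERR_SKEW = -1765328347
LOG_RE = re.compile(r"KRB5 Error code: (?P<code>-?\d+) \(Message: (?P<msg>[^)]*)\)")
# Event-log line quoted on this page, used as sample input.
SAMPLE_LOG_LINE = (
    '2011-12-13 21:49:31-00:00UTC "[LwKrb5GetTgtImpl /home/service-releng/p4/scorpius/sg_6_3/src/security/'
    'likewise/lwadvapi/threaded/krbtgt.c:262] KRB5 Error code: -1765328347 (Message: Clock skew too great)"'
    ' 0 250034:1 sg_syslog.cpp:78'
)

def parse_krb5_error(line):
    """Return (code, message) from a ProxySG event-log line, or None if it carries no KRB5 error."""
    m = LOG_RE.search(line)
    if not m:
        return None
    return int(m.group("code")), m.group("msg")

def is_clock_skew_error(line):
    """True when the log line reports the 'Clock skew too great' Kerberos error."""
    parsed = parse_krb5_error(line)
    return parsed is not None and parsed[0] == KRB5KRB_AP_ERR_SKEW

def skew_ok(proxy_time, dc_time, max_skew=MAX_SKEW_SECONDS):
    """True when proxy and Domain Controller clocks differ by no more than max_skew seconds."""
    return abs(proxy_time - dc_time) <= max_skew

def ntp_time(server, timeout=2.0):
    """Ask an NTP server (e.g. the Domain Controller) for its time with a minimal SNTP request."""
    packet = b"\x23" + 47 * b"\x00"  # LI=0, VN=4, Mode=3 (client); remaining fields zero
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(packet, (server, 123))
        data, _ = s.recvfrom(48)
    secs = struct.unpack("!I", data[40:44])[0]  # transmit timestamp, seconds since 1900-01-01
    return secs - 2208988800  # NTP epoch to UNIX epoch

def ad_domain_resolves(dns_domain):
    """True when the AD DNS domain name resolves from this host; the ProxySG must be able to do the same."""
    try:
        socket.getaddrinfo(dns_domain, None)
        return True
    except socket.gaierror:
        return False
```

Compare ntp_time("<dc-address>") with the local clock: an offset over MAX_SKEW_SECONDS is the condition that produces the event-log error shown above.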
Configure IWA direct:
1) From the ProxySG Management Console, select Configuration > Authentication > IWA > IWA Realms
2) Click New.
3) Enter a realm name, select Active Directory Connection: "Direct", select the domain name, and click OK.
Note that IWA Direct realms are compatible with Windows 2003 and Windows 2008 only (32- or 64-bit).
Test the IWA Direct realm:
1) From the ProxySG Management Console, select Configuration > Authentication > IWA > IWA Servers
2) Click the "Test Configuration" button
3) Enter the Username and Password you want to test
Policy example:
1) From the ProxySG Management Console, select Configuration > Policy > Visual Policy Manager > Launch
2) Create a Web Authentication Layer and select the IWA Direct realm
3) Create a Web Access Layer to allow Internet access only to a particular domain user
IWA Direct Health check:
For IWA Direct, the realm is considered "healthy" if the ProxySG appliance is able to establish a connection to the Windows domain of which it is a member. As with any other device in the Windows domain, the ProxySG appliance establishes a connection with the closest Windows Domain Controller upon successful domain login.