Failover for IWA and BCAAA
For BCAAA, the realm is considered “healthy” (and therefore won’t fail over) if the ProxySG appliance is able to establish a connection to the BCAAA service. This means that the ProxySG appliance is able to complete the TCP handshake with BCAAA on port 16101 (or whichever port the BCAAA service is configured to use), and the appliance has been able to send BCAAA its “login” message.
If the BCAAA service crashes or is stopped, but the Windows system on which it is running remains available, then Windows will reset the ProxySG appliance’s TCP connection. The ProxySG appliance will attempt to reconnect, but will fail. Only then will the appliance fail over to the secondary BCAAA server.
If the Windows server on which BCAAA is running crashes or becomes unavailable, it cannot reset the TCP connection. In this case, BCAAA must wait for the ProxySG appliance’s TCP stack to time out. This can take a couple of minutes, and won’t occur until the ProxySG appliance attempts to send a new authentication request.
If the BCAAA server loses its connection to the Windows Domain Controller, it will automatically fail over to a different Domain Controller. However, a limitation of the current BCAAA failover process is that it will not properly handle the case where the primary BCAAA service cannot reach any Domain Controllers. In this case all authentication requests will fail, but because the connection between the BCAAA service and the ProxySG appliance is still considered healthy, the ProxySG will not fail over to the secondary BCAAA service.
In addition, authentication requests can be slowed significantly if BCAAA is querying a slow Domain Controller. However, this will not cause the ProxySG appliance to fail over to the secondary BCAAA server. By default, BCAAA will query whichever Domain Controller is chosen at boot time by the server it is installed on, and it only changes if the Domain Controller goes down or the server reboots. You can see and/or modify which Domain Controller the BCAAA server is communicating with using the nltest.exe utility, which is part of the Windows Support Tools.
To see which Domain Controller the BCAAA server is communicating with:
To switch to a different Domain Controller:
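As an added example (not part of the original article or of any Blue Coat tooling), the following PowerShell script, run on the BCAAA server, uses nltest.exe to report the Domain Controller currently in use and warns about the two conditions described above that do not trigger ProxySG failover: no reachable Domain Controller, and a slow one. The domain name EXAMPLE, the 500 ms threshold, and the exit codes are assumptions chosen for illustration.

```powershell
# Added example: run on the Windows server that hosts BCAAA.
param(
    [string]$Domain = 'EXAMPLE',   # placeholder AD domain name (assumption)
    [int]$SlowMs    = 500          # assumed latency threshold; tune locally
)

function Get-SecureChannelDc([string]$Domain) {
    # nltest /sc_query shows the DC behind this server's Netlogon secure channel.
    $out = (& nltest.exe "/sc_query:$Domain" 2>&1 | Out-String).Trim()
    $dc = $null; $status = -1   # -1 = status line missing (query itself failed)
    if ($out -match 'Trusted DC Name\s+\\\\(\S+)') { $dc = $Matches[1] }
    if ($out -match 'Trusted DC Connection Status\s+Status\s*=\s*(\d+)') {
        $status = [int]$Matches[1]
    }
    [pscustomobject]@{ Dc = $dc; Status = $status; Raw = $out }
}

function Measure-LdapConnect([string]$Dc, [int]$TimeoutMs = 3000) {
    # TCP connect time to LDAP (389): a rough reachability/latency signal only.
    $client = New-Object System.Net.Sockets.TcpClient
    $sw = [System.Diagnostics.Stopwatch]::StartNew()
    try {
        if (-not $client.ConnectAsync($Dc, 389).Wait($TimeoutMs)) { return $null }
        return $sw.ElapsedMilliseconds
    } catch { return $null } finally { $client.Close() }
}

$sc = Get-SecureChannelDc $Domain
if ($sc.Status -ne 0 -or -not $sc.Dc) {
    # BCAAA still accepts the ProxySG connection, so the appliance sees a
    # healthy realm and will not fail over on its own.
    Write-Warning "No usable Domain Controller for ${Domain}: $($sc.Raw)"
    exit 2
}

$ms = Measure-LdapConnect $sc.Dc
if ($null -eq $ms) {
    Write-Warning "DC $($sc.Dc) did not answer on TCP 389."
    exit 2
} elseif ($ms -gt $SlowMs) {
    # Moving to another DC is done with: nltest /sc_reset:<domain>\<dc>
    Write-Warning "DC $($sc.Dc) is slow ($ms ms > $SlowMs ms)."
    exit 1
}
Write-Output "BCAAA host is using DC $($sc.Dc) (connect $ms ms)."
```

Scheduling this on each BCAAA server and alerting on a non-zero exit code covers the failure modes that the appliance's own TCP-level health check cannot detect.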
This information is now available as FAQ1438