
How to configure IWA direct on SGOS 6.3

Solutions ID:    KB4822
Version:    3.0
Status:    Published
Published date:    12/14/2011
Updated:    05/22/2013
 

Problem Description

How to configure IWA direct on SGOS 6.3

Resolution

The IWA Direct feature is available from SGOS 6.3. It allows you to configure an IWA realm on the ProxySG that connects directly to your Windows Active Directory, with no need to install and configure the BCAAA agent on a server in your Windows domain.
The ProxySG appliance can now join a Windows domain; the IWA realm is then configured to communicate directly with the Domain Controller to process authentication requests.

The following steps describe how to configure IWA direct.
 

Join the Windows domain:
1) From the ProxySG Management Console, select Configuration > Authentication > Windows Domain > Windows Domain
2) Click New; the Add Windows Domain dialog displays.
3) Enter a Domain name alias and then click OK.
4) Click Apply and then click OK.
5) Select the domain Name you created. When you select it, the Details fields become active.
6) In the DNS domain name field, enter the DNS name for the Windows Active Directory domain. This is not the fully qualified domain name of the ProxySG.
7) In the SG host name field, enter the hostname to use for this ProxySG. Blue Coat recommends the appliance name or any name that helps you recognize it. The name you enter must be unique in your Active Directory.

Windows Domain


8) Click Join Domain; the Join domain dialog displays.
9) Enter the primary domain access Username and Password in the format username@dnsname, for example: administrator@test.griccia.local. For SGOS 6.3.3 and later, the user account must have rights to join the domain.

Windows Domain


10) Click OK. The appliance displays a message indicating that the domain was successfully joined.
11) Click OK to close the dialog. The value in the Joined field changes to Yes.

Windows Domain

 

Notes about NTP configuration:

In order to join the Windows domain, make sure that the ProxySG clock is in sync with the Domain Controller. To ensure that the ProxySG clocks are synchronized with the Domain Controller clock, use either of the following techniques:
1) Specify the same NTP servers for the ProxySG appliances and the Domain Controller.
2) Configure the ProxySG appliances to use the Domain Controller as the NTP source server, as in the following example.

NTP configuration

 

If a clock skew issue occurs, you will see an error message like this in the event log:
2011-12-13 21:49:31-00:00UTC  "[LwKrb5GetTgtImpl /home/service-releng/p4/scorpius/sg_6_3/src/security/likewise/lwadvapi/threaded/krbtgt.c:262] KRB5 Error code: -1765328347 (Message: Clock skew too great)"  0 250034:1   sg_syslog.cpp:78

and this error message appears when you try to join the domain:

NTP error on Windows domain join
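The following Python script is an added example, not part of the original article and not Blue Coat code. It does two checks a defender would want around the clock-skew note above: it flags the KRB5 clock-skew event in SGOS event-log lines of the format quoted above (the parsing regex is an assumption about that format, and the sample log is constructed, with only its first line taken from the article), and it computes the SNTP clock offset against a time source such as the Domain Controller using the RFC 4330 formula, so the ProxySG's configured NTP source can be sanity-checked before the join is attempted. The 300-second limit is assumed from the Windows Kerberos default; the error code is the one in the quoted log line (KRB5KRB_AP_ERR_SKEW).

```python
import re
import socket
import struct
import time

# Kerberos error reported in the appliance log (KRB5KRB_AP_ERR_SKEW). Windows
# KDCs reject requests whose clocks differ by more than the domain's allowed
# skew, which defaults to 5 minutes.
KRB5KRB_AP_ERR_SKEW = -1765328347
MAX_SKEW_SECONDS = 300  # assumed limit, matching the Windows default

# Regex for the SGOS event-log format shown in the article (an assumption
# about the format; only KRB5 error lines are matched):
#   <date> <time>  "[<source>] KRB5 Error code: <code> (Message: <text>)"  ...
EVENT_RE = re.compile(
    r'^(?P<ts>\d{4}-\d{2}-\d{2} \S+)\s+"\[(?P<source>[^\]]+)\]\s+'
    r'KRB5 Error code:\s+(?P<code>-?\d+)\s+\(Message:\s+(?P<message>[^)]*)\)"'
)

# Constructed sample log; the first line is the one quoted in the article.
SAMPLE_EVENT_LOG = [
    '2011-12-13 21:49:31-00:00UTC  "[LwKrb5GetTgtImpl /home/service-releng/p4/scorpius/sg_6_3/src/security/likewise/lwadvapi/threaded/krbtgt.c:262] KRB5 Error code: -1765328347 (Message: Clock skew too great)"  0 250034:1   sg_syslog.cpp:78',
    '2011-12-13 21:50:02-00:00UTC  "constructed non-KRB5 event line"  0 250034:1   sg_syslog.cpp:78',
]


def parse_krb5_event(line):
    """Return a dict for an SGOS KRB5 error line, or None for any other line."""
    m = EVENT_RE.match(line.strip())
    if not m:
        return None
    return {
        "timestamp": m.group("ts"),
        "source": m.group("source"),
        "code": int(m.group("code")),
        "message": m.group("message"),
    }


def clock_skew_events(lines):
    """Filter event-log lines down to the clock-skew failures."""
    hits = []
    for line in lines:
        ev = parse_krb5_event(line)
        if ev and (ev["code"] == KRB5KRB_AP_ERR_SKEW
                   or "Clock skew too great" in ev["message"]):
            hits.append(ev)
    return hits


NTP_UNIX_DELTA = 2208988800  # seconds from 1900-01-01 (NTP epoch) to 1970-01-01


def ntp_to_unix(seconds, fraction):
    """Convert a 64-bit NTP timestamp (32.32 fixed point) to Unix seconds."""
    return seconds - NTP_UNIX_DELTA + fraction / 2 ** 32


def build_sntp_reply(t2_unix, t3_unix):
    """Constructed 48-byte SNTP server reply (mode 4) for offline testing."""
    def ts(unix):
        whole = int(unix)
        return whole + NTP_UNIX_DELTA, int(round((unix - whole) * 2 ** 32))
    header = bytes([0x24]) + b"\0" * 31  # LI=0, VN=4, Mode=4; other fields zeroed
    return header + struct.pack("!IIII", *ts(t2_unix), *ts(t3_unix))


def unpack_sntp_times(packet):
    """Extract the receive (T2) and transmit (T3) timestamps from an SNTP reply."""
    if len(packet) < 48:
        raise ValueError("short SNTP packet")
    rx_s, rx_f, tx_s, tx_f = struct.unpack("!IIII", packet[32:48])
    return ntp_to_unix(rx_s, rx_f), ntp_to_unix(tx_s, tx_f)


def clock_offset(t1, t2, t3, t4):
    """RFC 4330 offset of the server clock relative to the local clock."""
    return ((t2 - t1) + (t3 - t4)) / 2.0


def skew_within_limit(offset, limit=MAX_SKEW_SECONDS):
    return abs(offset) <= limit


def query_offset(server, timeout=3.0):
    """Network helper: send one SNTP request to `server` (e.g. the DC) on UDP/123."""
    request = b"\x1b" + b"\0" * 47  # LI=0, VN=3, Mode=3 (client)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        t1 = time.time()
        s.sendto(request, (server, 123))
        packet, _ = s.recvfrom(48)
        t4 = time.time()
    t2, t3 = unpack_sntp_times(packet)
    return clock_offset(t1, t2, t3, t4)


if __name__ == "__main__":
    import sys
    for ev in clock_skew_events(SAMPLE_EVENT_LOG):
        print("clock skew event at %s from %s" % (ev["timestamp"], ev["source"]))
    if len(sys.argv) > 1:  # optional: python script.py <time-source-host>
        off = query_offset(sys.argv[1])
        verdict = "ok" if skew_within_limit(off) else "exceeds Kerberos skew limit"
        print("offset vs %s: %+.3f s (%s)" % (sys.argv[1], off, verdict))
```

Run it without arguments to see the log check on the constructed sample; pass the Domain Controller's hostname or address to measure the offset of the host running the script against it. An offset close to the 300-second limit on the management host is a hint that the appliance, if it uses a different time source, may be about to hit the same error.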

 

Notes about DNS configuration:

Another common error is related to DNS. The ProxySG appliance must be able to resolve the DNS domain name you supply for the Active Directory domain or the appliance will not be able to join the domain.
Double-check your DNS configuration, as in the following example:

DNS configuration joining the domain

 

Configure IWA direct:
1) From the ProxySG Management Console, select Configuration > Authentication > IWA > IWA Realms
2) Click on New
3) Enter a realm name, select Active Directory Connection: "Direct", select the domain name, and click OK.

Note that IWA Direct realms are compatible with Windows 2003 and Windows 2008 only (32- or 64-bit).

Configure IWA realm

 

Test Configuration:
1) From the ProxySG Management Console, select Configuration > Authentication > IWA > IWA Servers
2) Click the Test Configuration button.
3) Enter the Username and Password you want to test.

Test Domain

Test domain

 

Create a policy example:
1) From the ProxySG Management Console, select Configuration > Policy > Visual Policy Manager > Launch
2) Create a Web Authentication Layer and select the IWA Direct realm.
3) Create a Web Access Layer that allows Internet access only to a particular domain user.

policy test

Policy example


IWA Direct Health check:
For IWA Direct, the realm is considered “healthy” if the ProxySG appliance is able to establish a connection to the Windows domain of which it is a member. As with any other device in the Windows domain, the ProxySG appliance establishes a connection with the closest Windows Domain Controller upon successful domain login.
