If the deployment is transparent and an F5 appliance or WCCP is used for load balancing with no virtual IP assigned to the load balancer, no extra configuration is necessary. As long as every proxy has an entry in the local DNS server (AD DNS), time is synchronized within the Kerberos clock-skew tolerance, and the redirect page (Authentication Virtual URL) is set to the proxy's own name, each client authenticates with the specific proxy to which its flow is directed, and that proxy uses its own machine account in AD to process the Kerberos authentication.
Because the WCCP protocol and/or F5 load balancing guarantee connection (flow) stickiness, every session is directed to the same ProxySG appliance, so no asymmetric routing occurs.
This case is a standard IWA Direct Kerberos deployment, in which the Kerberos service principal name (SPN) of the appliance is the appliance's own Active Directory machine account name.
However, in a load balancing configuration with a load balancer virtual IP, multiple appliances must be able to decrypt the service tickets presented by the clients. For this reason, all ProxySG appliances in a load balancing group must share the same SPN. This cannot work if each appliance uses its own machine account to process Kerberos authentication requests. In this case, you must create a new Active Directory account and use it to register an SPN that every appliance in the group can use.
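The following PowerShell pre-flight check is an added example, not part of the original article or of the ProxySG product: it verifies the prerequisites described above (DNS entries for each proxy and the VIP name, time synchronization, a single shared SPN for the VIP, and the per-appliance machine accounts) from a domain-joined administration host. The appliance hostnames and the shared account name are assumptions; only lb.example.com comes from the article.

```powershell
# Added example (not from the article). Run on a domain-joined admin host with RSAT.
Import-Module ActiveDirectory

$LbFqdn       = 'lb.example.com'                                     # VIP name used in the article
$ProxyFqdns   = @('proxysg1.example.com', 'proxysg2.example.com')    # assumed appliance names
$SharedAccount = 'svc-proxysg-lb'                                    # assumed shared AD account for the VIP SPN

# 1. Every proxy name and the VIP name must resolve in AD DNS.
foreach ($name in ($ProxyFqdns + $LbFqdn)) {
    try {
        $rec = Resolve-DnsName -Name $name -Type A -ErrorAction Stop
        "$name -> $($rec.IPAddress -join ', ')"
    } catch {
        Write-Warning "DNS lookup failed for $name : $_"
    }
}

# 2. Kerberos rejects tickets outside a small clock skew; confirm this host is in sync.
w32tm /query /status | Select-String 'Source|Last Successful Sync'

# 3. The VIP SPN must be registered exactly once, on the shared account. A missing or
#    duplicated SPN produces the "wrong Kerberos service principal" exception.
$vipSpn  = "HTTP/$LbFqdn"
$holders = @(Get-ADObject -LDAPFilter "(servicePrincipalName=$vipSpn)" -Properties servicePrincipalName)
switch ($holders.Count) {
    0       { Write-Warning "$vipSpn is not registered; register it with: setspn -S $vipSpn $SharedAccount" }
    1       { "$vipSpn is registered once, on $($holders[0].Name)" }
    default { Write-Warning "$vipSpn is registered on several objects: $($holders.Name -join ', ')" }
}

# 4. For direct (non-VIP) access each appliance relies on its own machine account.
#    HOST/<fqdn> covers the http service class through the default SPN mapping,
#    so either HTTP/<fqdn> or HOST/<fqdn> is acceptable here.
foreach ($name in $ProxyFqdns) {
    $shortName = ($name -split '\.')[0]
    $computer  = Get-ADComputer -Identity $shortName -Properties servicePrincipalName -ErrorAction SilentlyContinue
    if (-not $computer) {
        Write-Warning "No machine account found for $shortName"
    } elseif (($computer.servicePrincipalName -contains "HTTP/$name") -or
              ($computer.servicePrincipalName -contains "HOST/$name")) {
        "$shortName`$ can serve HTTP/$name"
    } else {
        Write-Warning "Neither HTTP/$name nor HOST/$name is registered on $shortName`$"
    }
}
```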
In some cases you may want to use the ProxySG's own IP address as the proxy address in the browser. In that case the ProxySG returns the following exception, because it expects the request to arrive through the load balancer (lb.example.com):
Appliance Error (Configuration_error)
Your request could not be processed because of a configuration error:
"Either the realm has been configured to use the wrong Kerberos service principal, or the SG has the wrong password for the principal."
For assistance, contact your network support team.
To prevent this issue:
1. Create a new DNS entry for the ProxySG interface IP that you want to use for Internet access.
After this step you will have two DNS entries for proxy access in the DNS server. For example:
2. Add an IWA Direct realm for the real ProxySG interface IP address.
Note: You do not need to enter "set credential".
3. Add a new HTTP proxy port on the real ProxySG interface IP for Internet access.
This is essential if you want to use the real ProxySG interface IP for Internet access without triggering the exception.
4. Set the new HTTP proxy port number as the proxy port in your browser if you want direct access via the ProxySG hostname, bypassing the load balancer. For example:
Port number 8888 is only an example; you can use any other port that is not in use.
5. Add an access policy for the real ProxySG interface IP to the Web Authentication Layer. You probably already have a policy for load balancer access.
Place the new policy before the existing load balancer policy.