Configure IWA Direct in a load balancing/failover scenario
Article ID: 166020

Products

SG-300 SG-600 Intelligence Services SG-510 SG-9000 SG-900 SG-S500 SG-S400 SG-S200 ProxySG Software - SGOS SWG VA-100

Issue/Introduction

If the deployment is transparent and an F5 appliance or WCCP is used for load balancing with no virtual IP assigned to a load balancer, no extra configuration is necessary. As long as all proxies have an entry in the local DNS server (AD DNS), time is synchronized, and the redirect page (Authentication Virtual URL) is set to the proxy name, all clients will authenticate with each specific proxy where the flow is directed, which will use its own machine account in AD to process Kerberos authentication.

Due to the connection or flow stickiness guaranteed by the WCCP protocol and/or F5 load balancing, each session will be directed to the same ProxySG appliance, hence no asymmetric routing will occur.
This case represents a standard IWA Direct Kerberos deployment, where the Kerberos service principal name (SPN) of the appliance is the appliance’s own Active Directory machine account name.

However, in a load balancing configuration with a load balancer virtual IP, multiple appliances must be able to decrypt the service tickets from the clients. For this reason, all ProxySG appliances in a load balancing group must share the same SPN. This will not work if each appliance uses its own machine account to process Kerberos authentication requests. In this case, you must create a new Active Directory account and use it to create an SPN that can be used by all appliances in the group.


Environment

Web Isolation

Resolution

To deploy Kerberos in this configuration you must:
  1. Set up a load balancing device in front of your appliances and designate a virtual IP address to use for all explicit proxy requests. The load balancing device will then forward the requests to the ProxySGs in the group based on the load balancing rules you have defined.
  2. Create a DNS entry for the device that resolves to this IP address. Note that the DNS name that you use must not map to an existing machine account name in Active Directory or the ProxySG appliance will not be able to authenticate Kerberos service tickets and authentication will fail.
  3. Create an Active Directory account for the Kerberos load balancing user. This account does not need any special privileges. You will create the SPN using this account and the ProxySG appliances will use the account credentials to decrypt the service tickets from clients.
  4. Use the Active Directory account you just created to create an SPN for the load balancing group as follows:
    1. Open a command prompt as administrator on the Domain Controller.
    2. Enter the following command:

      setspn -A HTTP/<Load_Balancer_FQDN> <AD_Account_Name>

      where <Load_Balancer_FQDN> is the fully qualified domain name (FQDN) of the load balancing device and <AD_Account_Name> is the name of the Active Directory user you created for the load balancing group. Note that this command is case-sensitive.

      For example, if the FQDN of the load balancing device is lb.example.com and the Active Directory account name you created is KerberosLBUser, you would enter the following command:

      setspn -A HTTP/lb.example.com KerberosLBUser

      Do not assign the same SPN to multiple Active Directory accounts: the browser might fall back to NTLM without providing any warning or explanation, or Kerberos authentication might fail while decrypting the Kerberos tokens. To check for duplicate SPN entries, use the setspn -X command. If you find a duplicate, remove the extraneous SPN with the setspn -D <SPN> <AD_Account_Name> command.

  5. On each ProxySG, create an IWA Direct realm (see 166031 for details). When configuring the realm on each appliance, you must provide the credentials for the AD Kerberos load balancing user you created. On the IWA Servers tab click Set credentials, enter the AD account User name in UPN form (for example, KerberosLBUser@example.com) and Password, and then click OK.


  6. Configure the client browser explicit proxy settings to point to the FQDN of the load balancing device.
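The following PowerShell script is an added example, not part of this article, that performs the checks behind steps 2 through 4 before registering the SPN: it confirms the load balancer host name does not collide with a machine account, checks that the SPN is owned by exactly one account, and registers it on the load balancing account only when it is absent. It assumes the ActiveDirectory module is available on the Domain Controller and uses the article's example values lb.example.com and KerberosLBUser.

```powershell
# Added example (not from the KB article): pre-flight checks and SPN registration
# for the IWA Direct load-balancing account, using the ActiveDirectory module.
# Assumed values: lb.example.com and KerberosLBUser, as in the article.
Import-Module ActiveDirectory

$LbFqdn    = 'lb.example.com'
$LbAccount = 'KerberosLBUser'
$Spn       = "HTTP/$LbFqdn"

# Step 2 check: the load balancer's DNS host name must not match an existing
# machine account, otherwise the ProxySG cannot validate Kerberos service tickets.
$hostPart = ($LbFqdn -split '\.')[0]
$clash = Get-ADComputer -Filter "Name -eq '$hostPart'" -ErrorAction SilentlyContinue
if ($clash) {
    throw "DNS name '$LbFqdn' collides with machine account '$($clash.Name)'. Choose another name."
}

# Duplicate check: the SPN must be owned by exactly one account. A second owner
# breaks Kerberos silently (browser falls back to NTLM, or ticket decryption fails).
$owners = @(Get-ADObject -LDAPFilter "(servicePrincipalName=$Spn)" -Properties servicePrincipalName)
switch ($owners.Count) {
    0 {
        # Not registered yet: add it to the load-balancing account (same effect as setspn -A).
        Set-ADUser -Identity $LbAccount -ServicePrincipalNames @{Add = $Spn}
        Write-Host "Registered $Spn on $LbAccount"
    }
    1 {
        if ($owners[0].Name -ne $LbAccount) {
            Write-Warning "$Spn is registered on '$($owners[0].Name)', not on '$LbAccount'."
        } else {
            Write-Host "$Spn is already registered on $LbAccount; nothing to do."
        }
    }
    default {
        $names = ($owners | ForEach-Object { $_.Name }) -join ', '
        Write-Warning "Duplicate SPN: $Spn is on $names. Remove the extra entries with setspn -D."
    }
}

# Forest-wide duplicate scan, as the article recommends after registering the SPN.
setspn -X
```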


OPTIONAL NOTES (related to pointing directly to proxy / Non-load balancing IP)

In some cases, you may want to use a ProxySG's own IP address as the proxy address in the browser. The ProxySG will then return the following exception, because it expects the request to come from the load balancer (lb.example.com):

Appliance Error(Configuration_error)
Your request could not be processed because of a configuration error:
"Either the realm has been
configured to use the wrong Kerberos service principal, or the SG has the wrong password for the principal."

For assistance, contact your network support team.

To prevent this issue:

Create a new DNS entry for the ProxySG interface IP that you want to use for internet access.
After this, you will have two DNS entries for proxy access in the DNS server. For example:

  • for load balancer: lb.example.com
  • for ProxySG interface IP address: direct.example.com

Add an IWA Direct realm for the real ProxySG interface IP address.
Note: you do not need to enter credentials (Set credentials) for this realm.

Add a new HTTP proxy port on the real ProxySG interface IP for internet access.
This is required if you want to use the real ProxySG interface IP for internet access without the error exception.

Set the new HTTP proxy port number in your browser's proxy settings if you want direct access via the ProxySG hostname without the load balancer. For example:

  • Add a new HTTP proxy port, 8888, on the real ProxySG interface hostname used for internet access.
  • Change your browser's proxy setting to the real ProxySG interface hostname and port 8888.
  • After setup, your browser uses port 8888 for internet access via the ProxySG without the error exception.

The port number 8888 is just an example; you can use any other port that is not in use.

Add an access policy for the real ProxySG interface IP to the Web Authentication Layer. You may already have a policy for load balancer access; add the new policy before the current load balancer policy.

  1. Add a rule to a Web Authentication Layer.
  2. Right click Source and select Set.
  3. Click New and select Proxy IP Address/Port.
  4. Specify the settings:
     • IP Address: the ProxySG IP address
     • Port: 8888