A common question in the Blue Coat forums is about the server specification for the BCAAA and how many users can be supported. While I am not sure about the performance that Blue Coat recommends, I can tell you my experiences.
I understand that according to Microsoft the Domain Controller should be able to handle 6000 parallel authentication requests, so presumably Microsoft can handle the authentication performance.
Small to Medium Site
I would say that for up to 1000 users, a Pentium 4 (any type), with 512MB RAM running Windows XP is more than enough. I recommend using VMware (the free version) so that you can use the snapshot features to perform upgrades and to give you a simple roll back plan.
You should have at least two machines for high availability. You will not notice any CPU use, and memory will hardly be used.
Large to Very Large
I have used the BCAAA in a very large site with more than 50000 users in a global network, with multiple AD trees, distributed across many servers. A very large MS AD site indeed. We had the BCAAA agent installed on two Quad Core Xeon machines with 2GB RAM with Server 2003 Standard in separate data centers, and at full load I did not see the CPU move above 3 percent. I think that even then it was the virus software causing the load.
From what I can determine, BCAAA is a proxy software agent that receives the authentication request from the ProxySG and then uses a Windows Authentication API to verify the credentials. If successful, it sends back a success message; if not, it sends a failure message. It doesn’t need a lot of CPU or memory to do this and it is very fast.
Most importantly, it is fully compliant with NTLM authentication, so it provides transparent authentication to the user. By contrast, when you use AD authentication, every element of a web page needs authentication, and Windows does not allow caching of such a request (at least without some configuration). Therefore almost every Blue Coat ProxySG installation will use the BCAAA agent for authentication.