About Active Directory Single Sign-On (SSO)

When users log on to the computers in your network, they must give a user name and password. If you use Active Directory authentication on your Firebox to restrict outgoing network traffic to specified users or groups, your users must also complete an additional step. They must manually log in again to authenticate to the Firebox and get access to network resources or the Internet. To simplify the login process for your users, you can use the WatchGuard Single Sign-On (SSO) solution. With SSO, your users on local networks provide their user credentials one time (when they log on to their computers) and are automatically authenticated to your Firebox.

This topic provides detailed information about the WatchGuard SSO solution. For a quick summary of how to set up SSO for a single Active Directory domain, see Quick Start — Set Up Active Directory Single Sign-On (SSO).

The WatchGuard SSO Solution

The WatchGuard SSO solution for Active Directory includes these components:

  • SSO Agent — Required
  • SSO Client — Optional
  • Event Log Monitor — Optional
  • Exchange Monitor — Optional

The SSO Agent collects user login information from the SSO Client, Event Log Monitor, or the Exchange Monitor.

You can configure more than one SSO method. For example, you can configure the SSO Client as your primary SSO method, and configure the Event Log Monitor or the Exchange Monitor as backup SSO methods.

A single sign-on option is also available for the Terminal Services Agent, but is not related to the WatchGuard SSO solution components, and is configured separately. For more information about the Terminal Services Agent, see Install and Configure the Terminal Services Agent.

For more detailed information about the WatchGuard SSO solution, see the sections that follow.

About SSO Components

About the SSO Agent

To use SSO, you must install the SSO Agent on a server in your network. This server can be the domain controller for your domain, or another domain member server in your network.

When you install the SSO Agent, make sure that it runs as a user account that is a member of either the Domain Admins or Domain Users security group. If you select a user account that is a member of the Domain Admins security group, the user account automatically has the correct security permissions. If you select a user account that is a member of the Domain Users security group, make sure the security permissions for the user account are configured correctly. With these privileges, when users try to authenticate to your domain, the SSO Agent can query the SSO Client on the client computer, the Event Log Monitor, or the Exchange Monitor for the correct user credentials, and provide those user credentials to your Firebox.

For more information, see Install the WatchGuard Single Sign-On (SSO) Agent and Event Log Monitor.

About the SSO Client

When you install the SSO Client software on your Windows or Mac OS X client computers, the SSO Client receives a call from the SSO Agent and returns the user name, security group membership information, and domain name for the user who is currently logged in to the computer.

The SSO Client runs as a local system service on each user computer. It requires no interaction from the user.

To enable RDP (remote desktop) users to authenticate with the SSO Client, your users must run SSO Client v11.9.3 or higher.

About the Event Log Monitor

The Event Log Monitor is an optional SSO component that enables Windows users to authenticate with SSO without the WatchGuard SSO Client. This is known as clientless SSO. We recommend that you use clientless SSO with Event Log Monitor only as a backup SSO method.

After the Event Log Monitor successfully gets the user credentials, and the user is authenticated, the Event Log Monitor continues to poll the client computer every five seconds to monitor logon and logoff events, and connection abort issues. Any connection errors are recorded in the eventlogmonitor.log file in the WatchGuard > Authentication Gateway directory on the server where the Event Log Monitor is installed. If the Event Log Monitor cannot get the logon credentials for a user, it notifies the SSO Agent, and the user is not authenticated.

To enable RDP users to authenticate with Event Log Monitor, you must install Event Log Monitor v11.10 or higher.

About the Exchange Monitor

The WatchGuard SSO Exchange Monitor is an optional component that you can install on your Microsoft Exchange Server to enable clientless SSO for any computer or device that can authenticate to your Microsoft Exchange Server. You can use the Exchange Monitor as the primary SSO method for Linux computers and mobile devices with iOS, Android, or Windows. You can also use the Exchange Monitor as a backup SSO method for Windows and Mac OS X computers that are not shared by many users.

Event Log Monitor Installation

With clientless SSO, you install the Event Log Monitor on a server in each domain in your network. This can be the domain controller or another domain member server. The Event Log Monitor must run as a user account that is a member of either the Domain Users or Domain Admins security group.

One domain

If you have one domain that you use for SSO, you can install the Event Log Monitor on the same server or domain controller where you install the SSO Agent.

Multiple domains

If you have more than one domain, you must install one instance of the Event Log Monitor in each domain, but you only install one instance of the SSO Agent for your entire network. The Event Log Monitor does not have to be installed on the domain controller computer; it can be installed on any domain member server in that domain.

How Event Log Monitor Works

After you install the Event Log Monitor, you configure the SSO Agent to get user login information from the Event Log Monitor. For more information about how to specify domains and Event Log Monitors for the SSO Agent, see Configure the SSO Event Log Monitor.

When a user logs in to a Windows computer:

  1. A logon event is written to the Windows Event Log on the computer.
  2. The Firebox receives traffic from the user, but does not find a session for the IP address of the computer.
  3. The Firebox contacts the SSO Agent to request the user name, domain, and group information.
  4. The SSO Agent redirects this request to the Event Log Monitor.
  5. The Event Log Monitor contacts the computer over TCP port 445.
  6. The Event Log Monitor gets the user name and domain from the Windows Event Log on the computer.
  7. The Event Log Monitor contacts the Active Directory domain controller to get group information for the user.
  8. The Event Log Monitor adds the computer to the list of monitored computers.
  9. The Event Log Monitor sends the user name, domain, and group information to the SSO Agent.
  10. The SSO Agent sends the user name, domain, and group information to the Firebox.
  11. The Firebox creates a session for the IP address of the computer.
  12. To find new logoff events, Event Log Monitor polls every computer in the monitor list every five seconds.

When a user logs off of a Windows computer:

  1. A logoff event is written to the Windows Event Log on the computer.
  2. The Event Log Monitor sends a notification to the SSO Agent about the logoff event.
  3. The SSO Agent sends a notification to the Firebox to delete the session.
  4. The Event Log Monitor keeps the computer on the monitor list and continues to poll the computer.
  5. If the computer is shut down, or not connected to the network:
    1. The Event Log Monitor deletes the computer from the monitor list.
    2. The Event Log Monitor sends a notification to the SSO Agent that the user logged off.
    3. The SSO Agent sends a notification to the Firebox to delete the session.

If the Event Log Monitor is shut down, the monitor list is cleared.

To get the user credentials, the SSO Agent sends a reverse DNS lookup to the DNS server to find the host name associated with the IP address of the user. When the host name is confirmed, the SSO Agent takes the domain from the host name (the fully-qualified domain name, or FQDN), contacts an Event Log Monitor configured for that domain, and gets the user credentials to use for authentication. For the SSO Agent to get the domain information, you must make sure that the DNS server includes PTR records (the DNS records that map an IP address to an FQDN) for all domain client computers.

This diagram shows how the Event Log Monitor works.


Diagram of the Event Log Monitor clientless SSO process

Load Balancing and Failover for Event Log Monitor

Whether you have only one domain, or many domains in your network, you can install more than one instance of the Event Log Monitor in each domain to use for load balancing and failover. This can help you to provide faster and more reliable SSO to your users.

One Domain

When you install more than one Event Log Monitor in a domain, all of the instances of the Event Log Monitor work in parallel to collect user login information for the users in that domain. This enables faster authentication. Multiple Event Log Monitors also provide failover. If one of the Event Log Monitors cannot complete the authentication request, another Event Log Monitor can send the user credentials to the SSO Agent instead.

If you have more than one Event Log Monitor in a single domain, and you add each Event Log Monitor to the SSO Agent configuration, the SSO Agent randomly chooses an Event Log Monitor in the list and contacts it for the user credentials and login information. If the selected Event Log Monitor cannot authenticate the user, the SSO Agent contacts the next Event Log Monitor in the list. The SSO Agent continues through the list until it either gets the user credentials or authentication has failed for all remaining Event Log Monitors. The SSO Agent then contacts the next configured SSO Agent contact (SSO Client or Exchange Monitor) to try to authenticate the user.

Multiple Domains

If you have many domains in your network, and more than one Event Log Monitor installed in each domain, the SSO Agent can also use the Event Log Monitors from other domains in your network for load balancing and failover. With this SSO configuration, the SSO Agent chooses an Event Log Monitor from the local domain of the SSO Agent and contacts that Event Log Monitor for the user credentials. If that Event Log Monitor cannot authenticate the user, the SSO Agent randomly chooses an Event Log Monitor included in the SSO Agent configuration from another domain and contacts it for the user credentials. If that Event Log Monitor also cannot authenticate the user, the SSO Agent then contacts the next configured SSO Agent contact (SSO Client or Exchange Monitor) to try to authenticate the user.
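The reverse-DNS step and the contact order described in these two sections, as an added Python model that is not WatchGuard's SSO Agent code. The PTR zone, the `ELM_CONFIG` table, the monitor responses, and the wrap-around through the local list after the random starting point are assumptions made for the example.

```python
import random

# Constructed PTR zone standing in for the DNS server the SSO Agent queries.
# In a live deployment the lookup would be socket.gethostbyaddr(ip)[0].
PTR_RECORDS = {
    "10.1.5.23": "pc1.corp.example.com.",
    "10.2.8.7": "mac9.sales.example.net.",
    # 10.3.1.4 has no PTR record: the agent cannot learn its domain
}

# Constructed SSO Agent configuration: Event Log Monitors per domain.
ELM_CONFIG = {
    "corp.example.com": ["elm1.corp.example.com", "elm2.corp.example.com"],
    "sales.example.net": ["elm1.sales.example.net"],
}


def domain_from_ip(ip):
    """Reverse lookup, then strip the host label from the FQDN to get the domain."""
    fqdn = PTR_RECORDS.get(ip)
    if not fqdn:
        return None
    _host, _, domain = fqdn.rstrip(".").lower().partition(".")
    return domain or None


def contact_order(ip, rng=None):
    """Event Log Monitors the agent tries, in order: a random starting point in
    the client's domain, continuing through the rest of that list (wrap-around
    is an assumption), then one randomly chosen monitor from another domain."""
    rng = rng or random.Random()
    domain = domain_from_ip(ip)
    if domain is None or domain not in ELM_CONFIG:
        return []  # no PTR record or unknown domain: nothing to contact
    local = ELM_CONFIG[domain]
    start = rng.randrange(len(local))
    order = local[start:] + local[:start]
    others = [m for d, ms in ELM_CONFIG.items() if d != domain for m in ms]
    if others:
        order.append(rng.choice(others))
    return order


def resolve_user(ip, elm_lookup, rng=None):
    """Walk the contact order. elm_lookup(monitor, ip) returns credentials, or
    None when that monitor cannot authenticate the client. Returns
    (monitor, creds), or (None, None): fall through to the next SSO contact."""
    for monitor in contact_order(ip, rng):
        creds = elm_lookup(monitor, ip)
        if creds is not None:
            return monitor, creds
    return None, None


def demo_lookup(monitor, ip):
    """Constructed monitor responses: elm1.corp is down, elm2.corp answers."""
    responses = {
        ("elm2.corp.example.com", "10.1.5.23"): ("alice", "corp.example.com", ["Staff"]),
        ("elm1.sales.example.net", "10.2.8.7"): ("bob", "sales.example.net", ["Sales"]),
    }
    return responses.get((monitor, ip))


if __name__ == "__main__":
    print(contact_order("10.1.5.23"))
    print(resolve_user("10.1.5.23", demo_lookup))
    print(resolve_user("10.3.1.4", demo_lookup))  # no PTR record
```

A client whose address has no PTR record never reaches a monitor, which is why the PTR requirement above is a hard one rather than a tuning point.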

Exchange Monitor Installation

You must install the Exchange Monitor on the same server where your Microsoft Exchange Server is installed. Your Exchange Server must generate IIS logs in the W3C Extended log file format, and RPC client access log messages.

How Exchange Monitor Works

The Exchange Monitor gets user login information from the IIS logs on your Microsoft Exchange Server. Because Microsoft Exchange Server is integrated with your Active Directory server, Exchange Server can easily get the user credentials from the IIS and RPC client access log messages in your user store.

When a user successfully connects to the Exchange Server to download email:

  1. The IIS service on the Exchange Server generates a log message of the user logon event.
  2. The Exchange Monitor verifies the logon events with the IIS service and keeps a list of all currently active users.
  3. The Exchange Monitor sends a query to the IIS log file every three seconds to make sure user information is current.
  4. When the SSO Agent contacts the Exchange Monitor, Exchange Monitor sends the user information to the SSO Agent.
    • If the user is included in the list of users that are logged in to the Exchange Server, the SSO Agent notifies the Firebox that the user is currently logged in, and the user is authenticated.
    • If the user is not included in the list of users that are logged in, the SSO Agent notifies the Firebox that the user is not found in the list of active users, and the user is not authenticated.

For more information about how to configure the SSO Agent to use the Event Log Monitor and the Exchange Monitor, see Configure the SSO Agent.
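The active-user list described above can be built from the W3C Extended IIS log itself. This added Python example (not WatchGuard's Exchange Monitor) parses the `#Fields` directive, ignores the 401 challenge lines that precede authentication, and answers lookups by client IP; the sample log, the 30-minute idle timeout, and the 2xx status check are assumptions made for the example.

```python
from datetime import datetime, timedelta

# Constructed excerpt of an IIS log in W3C Extended format (not a real server's
# log). cs-username is "-" until the client has authenticated; the 401 lines are
# the pre-authentication challenges and must not create a session. The last
# line is deliberately truncated to show that malformed lines are skipped.
SAMPLE_IIS_LOG = r"""#Software: Microsoft Internet Information Services 8.5
#Version: 1.0
#Date: 2024-05-01 08:00:00
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken
2024-05-01 08:00:01 10.0.0.5 POST /Microsoft-Server-ActiveSync User=alice&Cmd=Sync 443 - 10.1.7.21 Apple-iPhone 401 1 2148074254 3
2024-05-01 08:00:02 10.0.0.5 POST /Microsoft-Server-ActiveSync User=alice&Cmd=Sync 443 EXAMPLE\alice 10.1.7.21 Apple-iPhone 200 0 0 120
2024-05-01 08:00:05 10.0.0.5 GET /owa/ - 443 EXAMPLE\bob 10.1.7.33 Mozilla/5.0 200 0 0 45
2024-05-01 08:00:09 10.0.0.5 GET /EWS/Exchange.asmx - 443 - 10.1.7.40 MacOutlook 401 2 5 1
2024-05-01 08:00:12 10.0.0.5 GET /owa/ - 443 EXAMPLE\dave 10.1.7.50
"""


def parse_w3c(text):
    """Yield one dict per request line, keyed by the names in the #Fields directive."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # a new directive appears at each log rollover
            continue
        if not line or line.startswith("#"):
            continue
        values = line.split()
        if fields is None or len(values) != len(fields):
            continue  # no header yet, or a truncated/malformed line
        yield dict(zip(fields, values))


def split_account(name):
    """IIS logs cs-username as DOMAIN\\user or user@domain; return (user, domain)."""
    if "\\" in name:
        domain, user = name.split("\\", 1)
    elif "@" in name:
        user, domain = name.split("@", 1)
    else:
        user, domain = name, ""
    return user, domain


class ActiveUsers:
    """Client IP -> most recent authenticated user, standing in for the monitor's
    list of currently active users. The idle timeout is an assumption: the page
    does not state how long a user stays on the list."""

    def __init__(self, idle_timeout=timedelta(minutes=30)):
        self.idle_timeout = idle_timeout
        self._by_ip = {}  # c-ip -> (user, domain, last_seen)

    def ingest(self, rec):
        name = rec.get("cs-username", "-")
        if name == "-" or not rec.get("sc-status", "").startswith("2"):
            return  # anonymous / pre-auth challenge, or the request failed
        seen = datetime.fromisoformat(rec["date"] + " " + rec["time"])
        user, domain = split_account(name)
        self._by_ip[rec["c-ip"]] = (user, domain, seen)

    def lookup(self, ip, now):
        """What the monitor answers to the SSO Agent: (user, domain) or None."""
        entry = self._by_ip.get(ip)
        if entry is None:
            return None
        user, domain, seen = entry
        now = datetime.fromisoformat(now) if isinstance(now, str) else now
        if now - seen > self.idle_timeout:
            return None  # stale entry: report the user as not found
        return user, domain


def active_users_from_log(text):
    """Replay a whole log excerpt into an ActiveUsers list."""
    users = ActiveUsers()
    for rec in parse_w3c(text):
        users.ingest(rec)
    return users
```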

This diagram shows how the Exchange Monitor works.

Diagram of the Exchange Monitor clientless SSO process

How SSO Works

For SSO to work, you must install the SSO Agent software. The SSO Client, Event Log Monitor, and Exchange Monitor are optional. We recommend that you install the SSO Client for Windows and Mac OS X clients on your network. For more information about recommended configurations, see the Choose Your Components section.

If the SSO Client, Event Log Monitor, or Exchange Monitor are installed, the SSO Agent contacts these components for user credentials. The SSO Client, Event Log Monitor, or Exchange Monitor sends the correct user credentials and security group membership information to the SSO Agent.

When you configure the SSO Agent settings, you specify which SSO component (the SSO Client, Event Log Monitor, or Exchange Monitor) the SSO Agent queries first. For SSO to work correctly, you must either install the SSO Client on all your client computers, or use either the Event Log Monitor or Exchange Monitor to get correct user information.

For examples of how the SSO Agent can contact the other SSO components for user information, see the Example Network Configurations for SSO section.

Active Directory (AD) Mode

For the most reliable SSO deployment, you must install the SSO Client, Event Log Monitor, or Exchange Monitor. If at least one of these components is not installed, or not configured correctly, the SSO Agent uses Active Directory (AD) Mode for SSO.

In AD Mode, to get the user credentials, the SSO Agent makes a NetWkstaUserEnum call to the client computer over TCP port 445. The SSO Agent then uses the information it gets to authenticate the user for SSO. The SSO Agent uses only the first answer it gets from the computer. It sends a notification about that user to the Firebox as the user that is logged on. The Firebox verifies the user information against all the defined policies for that user and user group at one time. The SSO Agent caches this data for 10 minutes by default, so that a query does not have to be generated for every connection.

AD mode is not intended as the primary SSO method. It has access control limitations that can result in failed SSO attempts and security risks. For example, if you configure SSO without the SSO Client, Event Log Monitor, or Exchange Monitor, and a client computer runs a service (such as a centrally administered antivirus client) that logs on with domain account credentials, the Firebox gives all users on that computer the same access rights as the first account that logged on (and the groups of which that account is a member), rather than the correct permissions of each individual user who logs on. All log messages generated from user activity also show the user name of the service account, not the individual user.

If you do not install the SSO Client, the Event Log Monitor, or the Exchange Monitor, we recommend you do not use SSO for environments where users log on to computers with service or batch logons. When more than one user is associated with an IP address, network permissions might not operate correctly. This can be a security risk.

SSO Component Compatibility

For information about which operating system and Microsoft Exchange Server versions are compatible with your SSO components, see the Operating System Compatibility list in the Fireware Release Notes. You can find the Release Notes for your version of Fireware OS on the Fireware Release Notes page of the WatchGuard website.

SSO Component Compatibility List

SSO Component          Windows  Mac OS X  Linux  iOS  Android  Windows Mobile
SSO Agent (1)          Yes      -         -      -    -        -
SSO Client (2)         Yes      Yes       -      -    -        -
Event Log Monitor (3)  Yes      -         -      -    -        -
Exchange Monitor (4)   Yes      Yes       Yes    Yes  Yes      Yes

(1) The SSO Agent must only be installed on a Windows domain member server or your Active Directory domain controller.

(2) The SSO Client is available in two versions: Windows and Mac OS X.

(3) The Event Log Monitor must only be installed on a Windows domain member server or your Active Directory domain controller.

(4) The Exchange Monitor must be installed on a Windows server with Microsoft Exchange Server. If you configure Exchange Monitor, users can authenticate with SSO from any computer or device that can authenticate to a Microsoft Exchange server.


Choose Your SSO Components

For SSO to work, you must install the SSO Agent software. We recommend that you also install one or more of these components:

  • SSO Client — Windows and Mac OS X
  • Event Log Monitor (Clientless SSO) — Windows
  • Exchange Monitor (Clientless SSO) — Mac OS X, Linux, and mobile clients

To find which WatchGuard SSO components are compatible with your network, see the previous SSO Component Compatibility section.

For the most reliable SSO deployment, we recommend:

For a network with only Windows computers

  • Install the SSO Client on each Windows computer
  • Specify the SSO Client as the primary contact for the SSO Agent
  • Specify the Event Log Monitor as a secondary contact for the SSO Agent

For a network with Windows, Mac OS X, and Linux computers, and devices with mobile operating systems

  • Install the SSO Client on each Windows and Mac OS X computer
  • Specify the SSO Client as the primary contact for the SSO Agent
  • Specify the Exchange Monitor as a secondary contact for the SSO Agent

In your network environment, if more than one person uses the same computer, we recommend you choose one of these component configurations:

  • Install the SSO Client software on each client computer
  • Install one or more instances of the Event Log Monitor in each domain
  • Install the Exchange Monitor on your Exchange server

If you configure SSO without the SSO Client, the Event Log Monitor, or the Exchange Monitor, the SSO Agent uses Active Directory (AD) Mode to get user information. AD mode is not intended to be used as the primary SSO method because it has access control limitations that can result in failed SSO attempts and security risks. For more information about AD Mode, see the Active Directory (AD) Mode section.

If you configure more than one Active Directory domain, you can choose to use either the SSO Client, Event Log Monitor, or Exchange Monitor. For more information about how to configure the SSO Client when you have more than one Active Directory domain, see Configure Active Directory Authentication and Install the WatchGuard Single Sign-On (SSO) Client.

If you enable SSO, you can also use Firewall authentication to log in to the Firewall Authentication Portal page and authenticate with different user credentials. For more information, see Firewall Authentication.

The WatchGuard SSO solution is not supported for terminal sessions.

Example Network Configurations for SSO

There are many ways that you can configure your SSO solution for your network. You can configure SSO for a network with a single domain or with more than one domain. In this section, we describe two example SSO configurations: a network with a single domain and a network with two domains.

In this first example, the diagram shows one possible configuration for a network with a single domain. The SSO Agent and the Event Log Monitor are installed on the domain controller, the Exchange Monitor is installed on the Microsoft Exchange server, and the SSO Client is installed on the client computer. With this configuration, you can specify whether the SSO Agent contacts the SSO Client, the Event Log Monitor, or the Exchange Monitor first.

For example, when you configure the SSO Agent to contact the SSO Client first, the Event Log Monitor second, and the Exchange Monitor third, if the SSO Client is not available, the SSO Agent contacts the Event Log Monitor for the user credentials and group information. If the client computer is a Linux or mobile device, the SSO Agent contacts the Exchange Monitor for the user logon and logoff information.

The SSO Agent and the Event Log Monitor do not have to be installed on the domain controller. You can install both the SSO Agent and the Event Log Monitor on another computer in the same domain, but they both must run as a user account in the Domain Users or Domain Admins security group.

Diagram of a single domain configuration for SSO

In this second example, the diagram shows one possible configuration of a network with two domains. The SSO Agent is installed on only one domain controller in your network, the SSO Client is installed on each client computer, the Event Log Monitor is installed on a Windows member server in each domain in your network, and the Exchange Monitor is installed on your Microsoft Exchange Server. With this configuration, you can specify whether the SSO Agent contacts the SSO Clients, the Event Log Monitors, or the Exchange Monitor first.

For example, when you configure the SSO Agent to contact the SSO Client first, the Event Log Monitor second, and the Exchange Monitor third, if the SSO Client is not available, the SSO Agent contacts the Event Log Monitor that is in the same domain as the client computer and gets the user credentials and security group information. If the client computer is a Mac OS X or mobile device, the SSO Agent contacts the Exchange Monitor for the user logon and logoff information.

Diagram of a multiple domain configuration for SSO

Before You Begin — Verify Network Requirements

Before you configure SSO for your network, verify that your network configuration supports all the necessary requirements.

Active Directory

  • You must have an Active Directory server configured on your local network.
  • Your Firebox must be configured to use Active Directory authentication.
  • Each user must have a user account on the Active Directory server.
  • Each user must log in with a domain user account for SSO to operate correctly. If users log in with an account that exists only on their local computers, their credentials are not verified and the Firebox does not recognize that they are logged in.
  • The SSO Agent and the Event Log Monitor must run as a user account in the Domain Users or Domain Admins security group.
    Tip! We recommend that you add a user account on your Active Directory server for this purpose, and set the account password to never expire.
    If the user account is in the Domain Users security group, it must have privileges to run services on the Active Directory server, to search the directory, and to search all other user audit information.
  • All computers from which users authenticate with SSO must be members of the Active Directory domain with unbroken trust relationships.
  • Mac OS X computers must join the Active Directory domain before the SSO Client can be installed.
  • The Exchange Monitor must run as a user account in the Domain Admins security group.

Ports

  • TCP port 445 (port for SMB) must be open on the client computers.
  • TCP port 4116 must be open on the client computers where you install the SSO Client.
  • TCP port 4114 must be open on the server where you install the SSO Agent.
  • TCP port 4135 must be open on the server where you install the Event Log Monitor.
  • TCP port 4136 must be open on the server where you install the Exchange Monitor.

To test whether these ports are open, you can use the SSO Port Tester tool. For more information, see Troubleshoot SSO.

Event Logs

  • For the Event Log Monitor to operate correctly, you must enable audit logging on all Windows domain computers for the 4624 and 4634 logon and account logon events.
  • If your Windows network is configured for Fast User Switching, you must:
    • Enable audit logging on all Windows domain computers for events 4647, 4778, and 4779.
      This enables Event Log Monitor to operate correctly.
    • Install Event Log Monitor v11.10 or higher.
      The WatchGuard Authentication Gateway installer includes the option to install Event Log Monitor.
  • For Remote Desktop Protocol (RDP) users to use clientless SSO:
    • Event Log Monitor v11.10 or higher must be installed.
    • Microsoft events 4624 and 4634 must be generated on the client computers and contain Logon Type attributes. These attributes specify whether a logon or logoff event occurred on the local network or through RDP. Attributes 2 and 11 specify local logon and logoff events, and attribute 10 specifies an RDP logon or logoff event.

Microsoft .NET Requirements

  • Microsoft .NET Framework v2.0 or higher must be installed on the server where you install the SSO Agent.
  • For Windows Server 2008 R2 and earlier and Microsoft Exchange Server 2010 and earlier, Microsoft .NET Framework v2.0 or higher must be installed on the server where you install the Exchange Monitor.
  • For Windows Server 2012 and higher, and Microsoft Exchange Server 2013 and higher, Microsoft .NET Framework 3.5 or higher must be installed on the server where you install the Exchange Monitor.

Set Up SSO

To use SSO, you must install the SSO Agent software. For the most reliable SSO deployment, we recommend that you also install the SSO Client on Windows and Mac OS X clients on your network. You can install the Event Log Monitor as a backup SSO method for Windows users.

For Linux or mobile users, you can install the Exchange Monitor for SSO. The Exchange Monitor can also be a backup SSO method for Mac OS X users.

The versions of the SSO components in your SSO solution do not have to be the same, and they do not have to be the same as the version of Fireware on your Firebox. We recommend that you install the highest available version of the SSO Agent, even if your Firebox runs a lower version of Fireware.

To set up SSO:

  1. Install the WatchGuard Single Sign-On (SSO) Agent and Event Log Monitor (Event Log Monitor is optional)
  2. Install the WatchGuard Single Sign-On (SSO) Client (Optional, but recommended)
  3. Install the WatchGuard Single Sign-On (SSO) Exchange Monitor (Optional)
  4. Enable Active Directory Single Sign-On (SSO)

For information about how to troubleshoot problems with your SSO configuration, see Troubleshoot SSO.

See Also

About User Authentication

Set Global Firewall Authentication Values

Configure Active Directory Authentication

Install and Configure the Terminal Services Agent

Use Telnet to Debug the SSO Agent

About SSO Log Files
