Choose Your Active Directory SSO Components

This topic explains operating system compatibility, the benefits and limitations of each component, and best practices so you can choose the SSO components that work best for your network.

For SSO to work, you must install the SSO Agent software.

We recommend that you also install one or more of these components:

  • SSO Client — Windows and macOS
  • Event Log Monitor (Clientless SSO) — Windows
  • Exchange Monitor (Clientless SSO) — Windows, macOS, Linux, and mobile clients

If you only install the SSO Agent, your SSO deployment uses Active Directory (AD) Mode to get user information. AD mode is not intended to be used as the primary SSO method because it has access control limitations that can result in failed SSO attempts and security risks. For more information about AD Mode, go to How Active Directory SSO Works.

SSO Component Compatibility

For information about which operating system and Microsoft Exchange Server versions are compatible with your SSO components, see the Operating System Compatibility list in the Fireware Release Notes. You can find the Release Notes for your version of Fireware OS on the Fireware Release Notes page of the WatchGuard website.

SSO Component Compatibility List

SSO Component            Windows   macOS   Linux   iOS   Android   Windows Mobile
SSO Agent (1, 2)         Yes       No      No      No    No        No
SSO Client (3)           Yes       Yes     No      No    No        No
Event Log Monitor (4)    Yes       No      No      No    No        No
Exchange Monitor (5)     Yes       Yes     Yes     Yes   Yes       Yes

1 The SSO Agent must only be installed on a Windows domain member server or your Active Directory domain controller.

2 To use Active Directory SSO with computers joined to your domain with Azure Active Directory, you must install v12.10.1 or higher of the WatchGuard Single Sign-On (SSO) Agent. This version of the agent supports hybrid environments, where a local Active Directory domain controller is used for authentication by the Firebox, and the computers are added to this domain with Azure AD.

3 The SSO Client is available in two versions: Windows and macOS.

4 The Event Log Monitor must only be installed on a Windows domain member server or your Active Directory domain controller.

5 The Exchange Monitor must be installed on a Windows server with Microsoft Exchange Server. If you configure Exchange Monitor, users can authenticate with SSO from any computer or device that can authenticate to a Microsoft Exchange server.

SSO Component Comparison

SSO components have different deployment methods, operating system compatibility, and levels of accuracy and performance. You can use this list to compare the benefits and limitations of each SSO component.

SSO Client

Benefits:
  • More accurate than other SSO methods
  • Requires only one Active Directory GPO for deployment
  • Uses minimal network bandwidth
  • Compatible with RDP (Fireware v11.9.3 and higher)
  • Reliable over BOVPN connections
  • Reliable on networks where users frequently log in and out of workstations

Limitations:
  • Must be successfully deployed on each domain computer

OS Support: Windows, macOS

Event Log Monitor

Benefits:
  • Requires no workstation software
  • Works with RDP (Fireware v11.10 or higher)

Limitations:
  • Uses more network bandwidth than other SSO methods
  • Requires more than one Active Directory GPO
  • Unreliable over BOVPN connections
  • Inaccurate when Windows Event Log is stopped or unable to generate logs for new events

OS Support: Windows

Exchange Monitor

Benefits:
  • Compatible with mobile devices
  • Requires no workstation software
  • Uses minimal network bandwidth

Limitations:
  • Requires users to open email software that connects to Microsoft Exchange Server before they browse the Internet
  • Does not detect RDP logons
  • Unreliable on networks where users frequently log in and log out of workstations

OS Support: Any OS
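The Event Log Monitor limitation above (it becomes inaccurate when the Windows Event Log is stopped or cannot write new events) can be verified on the server before you rely on that component. The following PowerShell function is an added example and is not WatchGuard code. It assumes the monitor depends on the Windows Event Log service and on the Security log of the domain controller or domain member server where it runs; the 15-minute freshness threshold is an illustrative assumption, not a documented requirement.

```powershell
# Added example, not WatchGuard code. Checks the conditions the Event Log
# Monitor is assumed to depend on: the Windows Event Log service is running,
# the Security log is enabled, is not full, and has been written to recently.
function Test-EventLogMonitorPrereqs {
    param(
        # Assumed freshness threshold; tune for your logon volume.
        [int]$MaxLogAgeMinutes = 15
    )

    $result = [ordered]@{
        EventLogServiceRunning = $false
        SecurityLogEnabled     = $false
        SecurityLogFull        = $null
        RecentSecurityEvents   = $false
        NewestSecurityEvent    = $null
    }

    # 1. If the Event Log service is stopped, no new logon events are written
    #    and the monitor has nothing to read.
    $svc = Get-Service -Name EventLog -ErrorAction SilentlyContinue
    $result.EventLogServiceRunning = ($null -ne $svc -and $svc.Status -eq 'Running')

    # 2. The Security log must be enabled and able to accept new records.
    $log = Get-WinEvent -ListLog Security -ErrorAction SilentlyContinue
    if ($null -ne $log) {
        $result.SecurityLogEnabled  = [bool]$log.IsEnabled
        $result.SecurityLogFull     = [bool]$log.IsLogFull
        $result.NewestSecurityEvent = $log.LastWriteTime

        # 3. A log that has not been written to recently on a busy domain
        #    controller usually means logging is stalled.
        if ($log.LastWriteTime -gt (Get-Date).AddMinutes(-$MaxLogAgeMinutes)) {
            $result.RecentSecurityEvents = $true
        }
    }

    [pscustomobject]$result
}

# Run on the server that hosts the Event Log Monitor.
Test-EventLogMonitorPrereqs | Format-List
```

Run the function from an elevated session on each domain controller or member server that hosts an Event Log Monitor instance; any field other than `SecurityLogFull` that reports `False` (or `SecurityLogFull` reporting `True`) indicates a condition under which the monitor will miss logons, which is the case where the best practices below recommend the SSO Client as the primary contact.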

Best Practices

For the most reliable SSO deployment, we recommend:

For a network with only Windows computers

  • Install the SSO Client on each Windows computer
  • Specify the SSO Client as the primary contact for the SSO Agent
  • Specify the Event Log Monitor as a secondary contact for the SSO Agent

For a network with Windows, macOS, and Linux computers, and devices with mobile operating systems

  • Install the SSO Client on each Windows and macOS computer
  • Specify the SSO Client as the primary contact for the SSO Agent
  • Specify the Exchange Monitor as a secondary contact for the SSO Agent

In your network environment, if more than one person uses the same computer, we recommend you choose one of these component configurations:

  • Install the SSO Client software on each client computer
  • Install one or more instances of the Event Log Monitor in each domain
  • Install the Exchange Monitor on your Exchange server

If you configure more than one Active Directory domain, you can use the SSO Client, Event Log Monitor, or Exchange Monitor. For more information about how to configure the SSO Client when you have more than one Active Directory domain, go to Configure Active Directory Authentication and Install the WatchGuard Active Directory SSO Client.

If you enable SSO, you can also use Firewall authentication to log in to the Firewall Authentication Portal page and authenticate with different user credentials. For more information, go to Firewall Authentication.

A single sign-on option is also available for the Terminal Services Agent, but is not related to the WatchGuard SSO solution components, and is configured separately. For more information about the Terminal Services Agent, go to Install and Configure the Terminal Services Agent.

Related Topics

About Active Directory Single Sign-On (SSO)

How Active Directory SSO Works

Example Network Configurations for Active Directory SSO

Quick Start — Set Up Active Directory Single Sign-On (SSO)

Install the WatchGuard Single Sign-On (SSO) Agent and Event Log Monitor

Install the WatchGuard Active Directory SSO Client

Install the WatchGuard Active Directory SSO Exchange Monitor

Troubleshoot Active Directory SSO