Contents

Enable Active Directory SSO on the Firebox

This procedure describes how to enable Active Directory Single Sign-On. For information about how to enable RADIUS Single Sign-On, see Enable RADIUS Single Sign-On.

Before you can enable Active Directory SSO, you must:

If your device runs Fireware v11.0–v11.3.x, the Authentication Settings for Terminal Services are not available.

Enable and Configure SSO

When you enable and configure the settings for SSO on your Firebox, you must specify the IP address of the SSO Agent.

In Fireware v12.2 or higher, you can specify up to four SSO Agents. Only one SSO Agent is active at a time. If the active SSO Agent becomes unavailable, the Firebox automatically fails over to the next SSO Agent in your configuration. You can also manually fail over to an SSO Agent. For more information about SSO Agent failover, see the Failover section in this topic.

You can also specify the IP addresses (or ranges) to exclude from SSO queries, and enable SSO through the branch office VPN tunnels on your Firebox.

When you enable SSO through your BOVPN tunnels, SSO connections through the tunnel to your domain workstations can increase the bandwidth consumption of the tunnel.

If your Firebox has Fireware v12.1.1 or lower, the steps to enable and configure SSO are different. For instructions that apply to Fireware v12.1.1 or lower, see Enable Active Directory Single Sign-On (Fireware v12.1.1 or lower) in the WatchGuard Knowledge Base.

Define SSO Exceptions

If your network includes devices with IP addresses that do not require authentication, such as network servers, switches and routers, print servers, or computers that are not part of the domain, if you have users on your internal network who must manually authenticate to the Authentication Portal, or if you have terminal servers for the Terminal Services Agent, we recommend that you add their IP addresses to the SSO Exceptions list.

Each time a connection attempt occurs from an IP address that is not in the SSO Exceptions list, the Firebox contacts the SSO Agent to try to associate the IP address with a user name. This takes about 10 seconds. You can use the SSO Exceptions list to prevent this delay for each connection, to reduce unnecessary network traffic, and enable users to authenticate and connect to your network without delay.

When you add an entry to the SSO Exceptions list, you can choose to add a host IP address, network IP address, subnet, host DNS name (from Policy Manager only), or a host range.

You can also edit or remove entries from the SSO Exceptions list.

Failover

If you specify more than one SSO Agent, automatic failover occurs if the active SSO Agent becomes unavailable. Failover occurs sequentially. For example, if the first SSO Agent in the list becomes unavailable, failover occurs to the second SSO Agent in the list. If the last SSO Agent in the list is active and becomes unavailable, failover occurs to the first SSO Agent in the list.

Failback does not occur. For example, if the first SSO Agent in the list becomes unavailable, failover occurs to the second agent in the list. If the first SSO Agent becomes available again, the second SSO Agent remains the active agent. Failback does not occur back to the first SSO Agent.

You can also select to manually fail over to a different SSO Agent. The SSO Agent must be v12.2 or higher to support failover.

To manually fail over to a different SSO Agent, from Fireware Web UI:

  1. Select System Status > SSO Agents.
  2. Select an agent.
  3. Click Fail Over to SSO Agent.

To manually fail over to a different SSO Agent, from Firebox System Manager:

  1. Select Tools > SSO Agents.
  2. Select an agent.
  3. Click Fail Over to SSO Agent.

See Also

About Active Directory Single Sign-On (SSO)

How Active Directory SSO Works

Quick Start — Set Up Active Directory Single Sign-On (SSO)

Troubleshoot Active Directory SSO

Give Us Feedback  ●   Get Support  ●   All Product Documentation  ●   Technical Search