Configure the SSO Event Log Monitor

After you install the Event Log Monitor, you must configure port, event log, and Group Policy settings for your network. You must also configure the SSO Agent to use the Event Log Monitor.

For a detailed explanation of how the Event Log Monitor works, go to How Active Directory SSO Works.

For information about how to install the Event Log Monitor, go to Install the WatchGuard SSO Exchange Monitor.

Best Practices

For the most reliable SSO deployment, we recommend that you use the SSO Client as the primary SSO method and the Event Log Monitor as the backup SSO method. For information about how to configure these deployment methods, go to Quick Start — Set Up Active Directory Single Sign-On (SSO).

If the SSO Client is not installed on user computers or is not available, you can use the Event Log Monitor as the primary SSO method for Windows users. This is called clientless SSO. For clientless SSO, you configure the SSO Agent to get user login information from the WatchGuard SSO Event Log Monitor installed on your network. The Event Log Monitor polls all IP addresses on your network every five seconds to find new Windows logon events. The Event Log Monitor is installed on one or more domain member servers in each domain.

For the best VPN and SSO performance, we recommend that you do not use the Event Log Monitor over a BOVPN tunnel.

To configure clientless SSO for users of macOS, Linux, iOS, Android, or Windows mobile operating systems, you must use the WatchGuard SSO Exchange Monitor. The Exchange Monitor is installed on the same computer where your Microsoft Exchange Server is installed. For information about how to configure Exchange Monitor, go to Configure the SSO Exchange Monitor.

IPv6 Support

IPv6 is supported in Fireware v12.3 or higher. If user computers on your network have both IPv4 and IPv6 addresses, we recommend that you enable both IPv4 and IPv6 support on the servers where the Event Log Monitor or the SSO Agent is installed.

IPv4 and IPv6 traffic is processed separately in environments that use both. For example, a user named jsmith has a computer with both IPv4 and IPv6 addresses. In the Authenticated Users list on the Firebox, two different sessions appear for the user jsmith.

To see the IPv6 address of an authenticated user:

  • Fireware Web UI — Select System Status > Authentication List.
  • Firebox System Manager — Select the Authentication List tab.

Prerequisites

Before you install and configure the Event Log Monitor, verify that your network configuration supports these requirements.

Ports

Before you configure and enable the settings for clientless SSO, make sure the client computers on your domain support one of these options:

  • TCP port 445 is open
  • File and printer sharing is enabled

If TCP port 445 is not open, the Event Log Monitor cannot get user or group information, and SSO does not work correctly. To test whether port 445 is open, you can use the SSO Port Tester tool. For more information, go to Troubleshoot SSO.

Windows Event Logs

Event Log Monitor uses Windows logon events for SSO. To enable the Event Log Monitor to get the user credentials it needs for SSO, make sure that the Windows Event Log is active and generates logs for new events on all Windows computers on your network. You must also enable audit logging on all Windows domain computers for these events:

  • 4624 and 4634
  • 4647, 4778, and 4779, if your Windows network is configured for Fast User Switching

Before Remote Desktop Protocol (RDP) users can use Event Log Monitor for SSO, Microsoft events 4624 and 4634 must be generated on their client computers and contain Logon Type attributes. These attributes specify whether a logon or logoff event occurred on the local network or through RDP. Attributes 2 and 11 specify local logon and logoff events. Attribute 10 specifies an RDP logon or logoff event.

Group Policies

On your domain controller, you must configure group policies that require Windows clients to audit logon events.

  1. Open the Group Policy Object Editor and edit the Default Domain Policy.
  2. Make sure the Audit Policy (Computer Configuration > Windows Settings > Security Settings > Local Policies > Audit Policy) has the Audit account logon events and Audit logon events policies enabled.
  3. Open a command prompt and run the command gpupdate /force /boot.
    A confirmation message appears.
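The three prerequisites above (TCP 445 reachable on the client, logon and logoff auditing enabled by Group Policy, and clients actually producing 4624/4634 events that carry a Logon Type) can be checked from the Event Log Monitor server with the PowerShell script below. This is an added example, not part of the WatchGuard documentation or of the SSO tools; the documented way to test the port is the SSO Port Tester. The script runs in an elevated session with an account that can read the client's Security log, the audit-policy check assumes WinRM is enabled on the client, and the hostname ws-jsmith.example.com is a constructed placeholder.

```powershell
# Added example; not part of the WatchGuard documentation or the SSO tools.
# Run from the server that hosts the Event Log Monitor, in an elevated session
# with an account that can read the client's Security log. The audit-policy
# check assumes WinRM is enabled on the client. The hostname is constructed.

function Test-ElmPortPrerequisite {
    # The Event Log Monitor reads logon events from client computers over
    # SMB, so TCP 445 on the client must be reachable from this server.
    param([Parameter(Mandatory)][string]$ClientComputer)
    $r = Test-NetConnection -ComputerName $ClientComputer -Port 445 -WarningAction SilentlyContinue
    [pscustomobject]@{
        Check  = "TCP 445 reachable on $ClientComputer"
        Pass   = [bool]$r.TcpTestSucceeded
        Detail = "$($r.RemoteAddress)"
    }
}

function Test-ElmAuditPrerequisite {
    # Events 4624/4634 come from the Logon and Logoff subcategories of the
    # Logon/Logoff audit category; both must audit at least Success.
    # auditpol /r prints CSV, which is parsed below (blank lines skipped).
    param([Parameter(Mandatory)][string]$ClientComputer)
    $csv = Invoke-Command -ComputerName $ClientComputer -ScriptBlock {
        auditpol /get /category:"Logon/Logoff" /r
    }
    $rows   = $csv | Where-Object { $_ -match ',' } | ConvertFrom-Csv
    $wanted = $rows | Where-Object { $_.Subcategory -in 'Logon', 'Logoff' }
    $missingSuccess = $wanted | Where-Object { $_.'Inclusion Setting' -notmatch 'Success' }
    [pscustomobject]@{
        Check  = "Logon and Logoff success auditing on $ClientComputer"
        Pass   = (@($wanted).Count -eq 2) -and -not $missingSuccess
        Detail = ($wanted | ForEach-Object { "$($_.Subcategory)=$($_.'Inclusion Setting')" }) -join '; '
    }
}

function Get-ElmLogonEvent {
    # Pull recent 4624/4634 events and extract the fields the Event Log
    # Monitor relies on: the account and the LogonType (2 and 11 local,
    # 10 RDP). Each event's EventData is parsed from its XML form.
    param([Parameter(Mandatory)][string]$ClientComputer, [int]$Hours = 24)
    $filter = @{ LogName = 'Security'; Id = 4624, 4634; StartTime = (Get-Date).AddHours(-$Hours) }
    $events = Get-WinEvent -ComputerName $ClientComputer -FilterHashtable $filter -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        $data = @{}
        foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            Time      = $e.TimeCreated
            Id        = $e.Id
            User      = "$($data['TargetDomainName'])\$($data['TargetUserName'])"
            LogonType = [int]$data['LogonType']
            Source    = $data['IpAddress']   # only 4624 carries this field
        }
    }
}

function Test-ElmPrerequisites {
    param([Parameter(Mandatory)][string]$ClientComputer)
    $results = @()
    $results += Test-ElmPortPrerequisite  -ClientComputer $ClientComputer
    $results += Test-ElmAuditPrerequisite -ClientComputer $ClientComputer
    # Only logon types 2, 10 and 11 matter for SSO; network logons (type 3)
    # from service traffic are ignored so they do not mask a missing policy.
    $ev = @(Get-ElmLogonEvent -ClientComputer $ClientComputer | Where-Object { $_.LogonType -in 2, 10, 11 })
    $results += [pscustomobject]@{
        Check  = "4624/4634 with LogonType 2/10/11 in last 24h on $ClientComputer"
        Pass   = $ev.Count -gt 0
        Detail = ($ev | Group-Object LogonType | ForEach-Object { "type $($_.Name): $($_.Count)" }) -join ', '
    }
    $results
}

# Constructed client hostname; replace with a real domain member.
Test-ElmPrerequisites -ClientComputer 'ws-jsmith.example.com' | Format-Table -AutoSize
```

A client that passes the port check but fails the audit check has usually not yet applied the Default Domain Policy; rerun gpupdate /force /boot on it and check again. A client that passes the first two checks but shows no events of type 2, 10 or 11 simply has had no interactive or RDP logon in the window, so log on once and repeat.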

Configure the SSO Agent Contacts Settings

Before the Event Log Monitor can send user login information to the SSO Agent, you must configure the SSO Agent Contacts settings to enable the SSO Agent to connect to the Event Log Monitor. You must add a contact domain (the domain name and IP address of the Event Log Monitor), if you have:

  • One domain and the SSO Agent is not installed on your domain controller
  • More than one domain and the Event Log Monitor is installed on a different domain than the SSO Agent

To configure the SSO Agent Contacts settings:

  1. Log in to the SSO Agent Configuration Tool.
  2. Select Edit > SSO Agent Contacts Settings.
    The SSO Agent Contacts Settings dialog box appears.
  3. In the SSO Agent Contacts list, select the check box for Event Log Monitor.

Screen shot of the SSO Agent Contacts Settings dialog box

  4. To change the position of the Event Log Monitor in the SSO Agent Contacts list, select the Event Log Monitor check box and click Up or Down.
    You cannot change the position of the Exchange Monitor. If you use the SSO Client, make sure the SSO Client is the first entry. If you specify the SSO Client as the primary contact, but the SSO Client is not available, the SSO Agent contacts the Event Log Monitor next, but this can cause a delay.
  5. Add, edit, or delete a contact domain for the Event Log Monitor as described in the next sections.
  6. Click OK.

Add a Contact Domain

After you install the Event Log Monitor on the domains in your network and enable the SSO Agent to contact the Event Log Monitor for user login information, configure the SSO Agent with the IP addresses of each Event Log Monitor, so that the SSO Agent can get user login information from each Event Log Monitor in your network.

If you specify more than one Event Log Monitor in the Contact Domains list, the SSO Agent contacts the first entry in the list for the user credentials and group information. If the first Event Log Monitor is not available, the SSO Agent contacts the next Event Log Monitor in the list. This process continues until the SSO Agent finds an available Event Log Monitor.

From the SSO Agent Contacts Settings dialog box:

  1. Click Add.
    The Domain Settings dialog box appears.

Screen shot of the Domain Settings dialog box for the Event Log Monitor

  2. For the Type option, select Event Log Monitor.
  3. In the Domain Name text box, type the name of the domain that you want the Event Log Monitor to contact for user credentials.
    You must type the name in the format domain.com.
  4. In the IP Addresses of Event Log Monitor text box, type the IPv4 addresses for the Event Log Monitor. In Fireware v12.3 or higher, you can type IPv6 addresses.
    To specify more than one IP address for the Event Log Monitor, separate the IP addresses with a semicolon, without spaces.
  5. Click OK.
    The domain information you specified appears in the Contact Domains list.

Edit a Contact Domain

From the SSO Agent Contacts Settings dialog box:

  1. From the Contact Domains list, select the domain to change.
  2. Click Edit.
    The Domain Settings dialog box appears.
  3. Update the settings for the domain.
  4. Click OK.

Delete a Domain

From the SSO Agent Contacts Settings dialog box:

  1. From the Contact Domains list, select the domain to delete.
  2. Click Delete.
    The domain is removed from the list.
  3. Click OK.

Test the SSO Port Connection

To verify that the SSO Agent can contact the Event Log Monitor, you can use the SSO Port Tester tool. For more information, go to Troubleshoot SSO.

Related Topics

About Active Directory Single Sign-On (SSO)

How Active Directory SSO Works

Install the WatchGuard Single Sign-On (SSO) Agent and Event Log Monitor

Troubleshoot Active Directory SSO