Example Network Configurations for Active Directory SSO

There are many ways that you can configure SSO on your network. This topic explains two example SSO configurations:

  • Network with a single domain
  • Network with two domains

For step-by-step configuration instructions, go to Quick Start — Set Up Active Directory Single Sign-On (SSO). For a video demonstration of the configuration process, go to the Getting Started with Single Sign-On video tutorial (9 minutes).

Single Domain

In this example, you configure SSO for a single domain and use this configuration:

  • SSO Agent and the Event Log Monitor are installed on the domain controller
  • Exchange Monitor is installed on a Microsoft Exchange server
  • SSO Client is installed on user computers on your network
  • Primary and backup SSO methods are specified

When a user on a network computer tries to connect to the Internet:

  1. The Firebox sends a request to the SSO Agent.
  2. The SSO Agent contacts the SSO component you specified as the primary SSO method.
  3. The SSO Agent contacts the SSO components you specified as backup SSO methods.
  4. The SSO Agent sends a response to the Firebox.
  5. If SSO authentication succeeds, the user connects to the Internet.

This diagram explains how this example SSO configuration works.

Diagram of a single domain configuration for SSO

For example, you can configure the SSO Agent to contact the SSO Client first for user credentials and group information. This means the SSO Client is the primary SSO method. You can configure the SSO Agent to contact Event Log Monitor and Exchange Monitor second and third, which means those components are backup SSO methods.

In this example, if the SSO Client is not available, the SSO Agent contacts Event Log Monitor. If the client computer is a Linux or mobile device, the SSO Agent contacts Exchange Monitor for the user logon and logoff information.

The SSO Agent and the Event Log Monitor do not have to be installed on the domain controller. You can install both the SSO Agent and the Event Log Monitor on another computer in the same domain, but they both must run as a user account in the Domain Users security group. The Domain Users account you select must have privileges to run services on the Active Directory server, to search the directory, and to search all other user audit information. To configure the correct permissions and settings, go to Install the WatchGuard Single Sign-On (SSO) Agent and Event Log Monitor.

In Fireware v12.2 or higher, to add redundancy, you can specify up to four SSO Agents in the Firebox SSO configuration. Only one SSO Agent is active at a time. If the active agent becomes unavailable, failover occurs to the next SSO Agent specified in the Firebox configuration.

Two Domains

In this example, you configure SSO for two domains and use this configuration:

  • SSO Agent is installed on only one domain controller in your network
  • SSO Client is installed on each client computer
  • Event Log Monitor is installed on a Windows member server in each domain in your network
  • Exchange Monitor is installed on your Microsoft Exchange Server

Domain A

  1. A user on a network computer joined to Domain A tries to connect to the Internet.
  2. The Firebox sends a request to the SSO Agent.
  3. The SSO Agent contacts the SSO component on Domain A that you specified as the primary SSO method.
  4. If Step 3 fails, the SSO Agent contacts the SSO components on Domain A you specified as backup SSO methods.
  5. The SSO Agent sends a response to the Firebox.
  6. If SSO authentication succeeds, the user can connect to the Internet.

Domain B

  1. A user on a network computer joined to Domain B tries to connect to the Internet.
  2. The Firebox sends a request to the SSO Agent.
  3. The SSO Agent contacts the SSO component on Domain  B you specified as the primary SSO method.
  4. If Step 3 fails, the SSO Agent contacts the SSO components on Domain  B you specified as backup SSO methods.
  5. The SSO Agent sends a response to the Firebox.
  6. If SSO authentication succeeds, the user can connect to the Internet.

This diagram explains how this example SSO configuration works.

Diagram of a multiple domain configuration for SSO

For example, you can configure the SSO Agent to contact the SSO Client first for user credentials and group information. This means the SSO Client is the primary SSO method. You can configure the SSO Agent to contact Event Log Monitor and Exchange Monitor second and third, which means those components are backup SSO methods.

In this example, if the SSO Client is not available, the SSO Agent contacts Event Log Monitor that is in the same domain as the client computer. If the client computer is a Linux or mobile device, the SSO Agent contacts Exchange Monitor for the user logon and logoff information.

In Fireware v12.2 or higher, to add redundancy, you can specify up to four SSO Agents in the Firebox SSO configuration. Only one SSO Agent is active at a time. If the active agent becomes unavailable, failover occurs to the next SSO Agent specified in the Firebox configuration.

Related Topics

About Active Directory Single Sign-On (SSO)

How Active Directory SSO Works

Choose Your Active Directory SSO Components

Quick Start — Set Up Active Directory Single Sign-On (SSO)

Troubleshoot Active Directory SSO