Enable Active Directory SSO for a Cloud-Managed Firebox

Applies To: Cloud-managed Fireboxes

This help topic describes how to enable Active Directory Single Sign-On (SSO) for cloud-managed Fireboxes. To learn how to configure and enable Active Directory SSO for locally-managed Fireboxes, see Enable Active Directory SSO on the Firebox.

When you configure WatchGuard Active Directory Single Sign-On (SSO), users on the trusted or optional networks provide their user credentials one time (when they log on to their computers) and are automatically authenticated to your Firebox.

SSO Components:

SSO Agent

You must install the SSO Agent on your network to collect user login information and provide that information to the Firebox. The SSO Agent can collect user login information from the SSO Client, Event Log Monitor, and Exchange Monitor.

SSO Client

You can install the SSO Client on Windows and macOS computers on your network. The SSO Client runs in the background to collect user credentials, domain information, and group information to provide to the SSO Agent.

Event Log Monitor (ELM)

You can install the Event Log Monitor on a server in each network domain to collect user login information from the Windows security event log files from domain Windows computers that do not have the SSO Client installed.

Before You Start

Before you enable Active Directory SSO, we recommend that you:

  1. Configure your Active Directory server.
  2. Add your domain to WatchGuard Cloud as an authentication domain.
  3. Add the WatchGuard Cloud authentication domain to your Firebox.
  4. Install the WatchGuard Single Sign-On (SSO) Agent and Event Log Monitor.
  5. (Optional) Install the WatchGuard Active Directory SSO Client.
  6. (Optional) Install the WatchGuard Active Directory SSO Exchange Monitor.

Enable and Configure SSO

When you enable and configure the settings for SSO on your Firebox, you must specify the IP address of the SSO Agent. In WatchGuard Cloud, you can specify up to four SSO Agents. Only one SSO Agent is active at a time. If the active SSO Agent becomes unavailable, the Firebox automatically fails over to the next SSO Agent in your configuration.

To enable and configure SSO, from WatchGuard Cloud:

  1. Select Configure > Devices.
  2. Select the cloud-managed Firebox.
  3. Click Device Configuration.
  4. From the Authentication tile, click Settings.
  5. Select Single Sign-On.
  6. Enable Single Sign-On with Active Directory.
  7. Click Add Agent.
    The Add Agent window opens.
  8. From the Type drop-down list, select an option to use the host IPv4 or IPv6 IP address.
  9. In the Host IPv4 or Host IPv6 text box, enter the IP address of the server on which the SSO Agent is installed.
  10. Click Add.
  11. (Optional) To add additional SSO Agents, repeat Steps 7–9. You can add a maximum of four SSO Agents.
  12. (Optional) To add IP addresses or ranges to exclude from SSO queries, click Add Exception. For more information about SSO exceptions, see the Define SSO Exceptions section.
  13. Click Save.

When you save configuration changes for a cloud-managed Firebox, the configuration settings are stored in WatchGuard Cloud. Your changes do not take effect until you deploy your configuration.

To schedule a deployment for your saved changes, see Manage Device Configuration Deployment.

Define SSO Exceptions

You can add IP addresses (or ranges) to the SSO Exceptions list to exclude them from SSO queries. We recommend that you add SSO exceptions in these scenarios:

  • Your network includes devices with IP addresses that do not require authentication, such as network servers, switches and routers, print servers, or computers that are not part of the domain
  • You have users on your internal network who must manually authenticate to the Authentication Portal
  • You have terminal servers for the Terminal Services Agent

Each time a connection attempt occurs from an IP address that is not in the SSO Exceptions list, the Firebox contacts the SSO Agent to try to associate the IP address with a user name. This takes about 10 seconds. You can use the SSO Exceptions list to prevent this delay for each connection, to reduce unnecessary network traffic, and enable users to authenticate and connect to your network without delay.

When you add an entry to the SSO Exceptions list, you can choose to add a host IP address, network IP address, or a host range.

To add an entry to the SSO Exceptions list, from WatchGuard Cloud:

  1. Select Configure > Devices.
  2. Select the cloud-managed Firebox.
  3. Click Device Configuration.
  4. From the Authentication tile, click Settings.
  5. Select Single Sign-On.
  6. Click Add Exception.
    The Add Exception window opens.
  7. From the Type drop-down list, select the type of entry to add to the SSO Exceptions list:
    • Host IPv4
    • Network IPv4
    • Host Range IPv4
    • Host IPv6
    • Network IPv6
    • Host Range IPv6
  8. Enter the IP address, network address, or host range.
  9. In the Description text box, enter a description of the host for which you want to create an exception from SSO.
  10. Click Add.
  11. Click Save.

You can also edit or remove entries from the SSO Exceptions list.

To edit an entry in the SSO Exceptions list:

  1. From the SSO Exceptions list, select an entry.
    The Update Exception window opens.
  2. Change the settings for the SSO exception.
  3. Click Update.
    The updated entry appears in the SSO Exceptions list.
  4. Click Save.

To remove an entry from the SSO Exceptions list:

  1. From the SSO Exceptions list, next to the exception, click .
  2. Click Save.

See Also

Enable RADIUS SSO for a Cloud-Managed Firebox

About Active Directory Single Sign-On (SSO)

How Active Directory SSO Works

Enable Active Directory SSO on the Firebox

Install the WatchGuard Active Directory SSO Client