About Single Sign-On (SSO)

When users log on to the computers in your network, they must give a user name and password. If you use Active Directory authentication on your Firebox or XTM device to restrict outgoing network traffic to specified users or groups, your users must also complete an additional step: they must manually log in again to authenticate to the Firebox or XTM device and get access to network resources or the Internet. To simplify the log in process for your users, you can use the WatchGuard Single Sign-On (SSO) solution. With SSO, your users on the trusted or optional networks provide their user credentials one time (when they log on to their computers) and are automatically authenticated to your Firebox or XTM device.

The WatchGuard SSO Solution

The WatchGuard SSO solution includes these components: the SSO Agent, the SSO Client, the Event Log Monitor, and the Exchange Monitor.

A single sign-on option is also available for the Terminal Services Agent, but is not related to the WatchGuard SSO solution components, and is configured separately. For more information about the Terminal Services Agent, see Install and Configure the Terminal Services Agent.

About the SSO Agent

To use SSO, you install the SSO Agent on a server in your network. This server can be the domain controller for your domain, or another domain member server. When the SSO Agent is installed on the domain controller, it can run as a domain user account with Domain Admins privileges. With those privileges, when users try to authenticate to your domain, the SSO Agent can query the SSO Client on the client computer, the Event Log Monitor, or the Exchange Monitor for the correct user credentials, and provide those credentials to your Firebox or XTM device. Whichever server you choose, make sure that the SSO Agent runs as a user account that is a member of either the Domain Admins or the Domain Users security group. If you select an account that is a member of the Domain Users security group, make sure the security permissions for that account are configured correctly. A dedicated account in Domain Users with only the permissions the SSO Agent needs follows the principle of least privilege; Domain Admins membership is not required for SSO to work, and a compromised SSO Agent host then exposes far less.

For more information, see Install the WatchGuard Single Sign-On (SSO) Agent.

About the SSO Client

When you install the SSO Client software on your Windows or Mac OS X client computers, the SSO Client receives the call from the SSO Agent and returns the user name, security group membership information, and domain name for the user who is currently logged in to the computer. You can only use SSO with an RDP (remote desktop) session if you use the SSO Client.

About the Event Log Monitor

If you do not want to install the SSO Client on each client computer, you can instead install the Event Log Monitor on a server in each domain in your network. This can be the domain controller or another domain member server. You then configure the SSO Agent to get user login information from the Event Log Monitor. This is known as clientless SSO. With clientless SSO, the Event Log Monitor collects user login information from the Windows security event log files on each client computer. The Event Log Monitor uses the login information to get the security group membership information for each user from the domain controller. It then stores the user credentials and user group information for each user. When you install the Event Log Monitor, make sure that it runs as a user account that is a member of either the Domain Users or Domain Admins security group.

When the SSO Agent contacts the Event Log Monitor for user credentials, the Event Log Monitor contacts the client computer over TCP port 445 to get the user logon credentials, retrieves the stored user security group membership information from the domain controller, and provides this information to the SSO Agent. This means that TCP port 445 must be reachable from the Event Log Monitor to every client computer it monitors (for example, allowed through the Windows Firewall on the clients); otherwise the lookup fails. When the user credentials are successfully retrieved, and the user is authenticated, the Event Log Monitor continues to poll the client computer every five seconds to monitor logon and logoff events, and connection abort issues. Any connection errors are recorded in the eventlogmonitor.log file in the WatchGuard > Authentication Gateway directory on the server where the Event Log Monitor is installed. If the Event Log Monitor cannot retrieve the logon credentials for a user, it notifies the SSO Agent, and the user is not authenticated.

Diagram of the Event Log Monitor clientless SSO process

If you have one domain that you use for SSO, you can install the Event Log Monitor on the same server or domain controller where you install the SSO Agent. If you have more than one domain, you must install one instance of the Event Log Monitor in each domain, but you only install one instance of the SSO Agent for your entire network. The Event Log Monitor does not have to be installed on the domain controller computer; it can be installed on any domain member server in that domain. The Event Log Monitor must run as a user account that is a member of either the Domain Users or Domain Admins security group.

To retrieve the user credentials, the SSO Agent performs a reverse DNS lookup (a PTR query) against the DNS server to find the host name associated with the IP address for the user. When the host name is confirmed, the SSO Agent uses the domain portion of the host name (the fully-qualified domain name, or FQDN) to contact an Event Log Monitor configured for that domain, and retrieve the user credentials to use for authentication. For the SSO Agent to successfully retrieve the domain information, you must make sure that the DNS server includes PTR records (the DNS records that map an IP address to an FQDN) for all domain client computers. If a PTR record is missing, stale, or points to the wrong domain, the SSO Agent cannot select the correct Event Log Monitor and clientless SSO fails for that computer, so keep your reverse lookup zones accurate and complete.

Whether you have only one domain, or many domains in your network, you can install more than one instance of the Event Log Monitor in each domain to use for load balancing and failover. When you install more than one Event Log Monitor in a domain, all of the instances of the Event Log Monitor work in parallel to collect user login information for the users in that domain. This allows for faster authentication. Multiple Event Log Monitors also allow for successful failover; if one of the Event Log Monitors cannot complete the authentication request, another Event Log Monitor can instead return the user credentials to the SSO Agent.

When you have more than one Event Log Monitor installed in a single domain, and you have added each Event Log Monitor to the SSO Agent configuration, the SSO Agent randomly chooses an Event Log Monitor in the list and contacts it for the user credentials and login information. If the selected Event Log Monitor cannot authenticate the user, the SSO Agent contacts the next Event Log Monitor in the list. The SSO Agent continues to contact the subsequent Event Log Monitors in the list until it either retrieves the user credentials or authentication has failed for all of the subsequent Event Log Monitors in the list. The SSO Agent then contacts the next configured SSO Agent contact (SSO Client or Exchange Monitor) to try to authenticate the user.

If you have many domains in your network, and more than one Event Log Monitor installed in each domain, the SSO Agent can also use the Event Log Monitors from other domains in your network for load balancing and failover. In this case, the SSO Agent chooses an Event Log Monitor from the local domain of the SSO Agent and contacts that Event Log Monitor for the user credentials. If that Event Log Monitor cannot authenticate the user, the SSO Agent randomly chooses an Event Log Monitor included in the SSO Agent configuration from another domain and contacts it for the user credentials. If that Event Log Monitor also cannot authenticate the user, the SSO Agent then contacts the next configured SSO Agent contact (SSO Client or Exchange Monitor) to try to authenticate the user.
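To make the lookup order concrete, here is an added example (Python, not WatchGuard's code) that models the clientless SSO path described in the preceding paragraphs: the PTR lookup, the domain taken from the FQDN, the Event Log Monitors of that domain tried from a random starting point, one Event Log Monitor chosen from another domain, and finally the hand-off to the next configured contact. The PTR records, Event Log Monitor names, and collected logons are constructed for the example, and trying the remaining local Event Log Monitors by wrapping through the whole list is an interpretation of "the next Event Log Monitor in the list".

```python
"""Added example (not WatchGuard code): a model of the SSO Agent's clientless
lookup order, with constructed DNS, Event Log Monitor and configuration data."""
import random
from typing import Dict, List, Optional, Tuple

# Constructed stand-in for the DNS server's PTR records (IP -> FQDN).
PTR_RECORDS: Dict[str, str] = {
    "10.1.0.21": "ws021.corp.example.com",
    "10.1.0.50": "ws050.corp.example.com",
    "10.2.0.40": "ws040.branch.example.net",
    # 10.1.0.99 deliberately has no PTR record.
}

# Constructed view of what each Event Log Monitor has collected:
# ELM name -> {client FQDN: (user, security groups)}.
ELM_DATA: Dict[str, Dict[str, Tuple[str, List[str]]]] = {
    "elm-corp-1": {"ws021.corp.example.com": ("CORP\\alice", ["Domain Users", "Finance"])},
    "elm-corp-2": {},   # has not seen ws021 log on (for instance, its polling lags)
    "elm-branch-1": {"ws040.branch.example.net": ("BRANCH\\bob", ["Domain Users"])},
}

# Constructed SSO Agent configuration: domain -> its Event Log Monitors, in list order.
AGENT_CONFIG: Dict[str, List[str]] = {
    "corp.example.com": ["elm-corp-1", "elm-corp-2"],
    "branch.example.net": ["elm-branch-1"],
}

NEXT_CONTACTS = ("SSO Client", "Exchange Monitor")


def domain_from_fqdn(fqdn: str) -> Optional[str]:
    """The agent takes the domain from the PTR result by dropping the host label."""
    _host, sep, domain = fqdn.partition(".")
    return domain if sep else None


def clientless_lookup(ip: str,
                      config: Dict[str, List[str]] = AGENT_CONFIG,
                      ptr_records: Dict[str, str] = PTR_RECORDS,
                      elm_data: Dict[str, Dict[str, Tuple[str, List[str]]]] = ELM_DATA,
                      rng: Optional[random.Random] = None):
    """Return ((user, groups) or None, trace) following the documented order:
    PTR lookup -> ELMs of the client's domain, starting at a random one and
    wrapping through the rest of the list -> one randomly chosen ELM from
    another domain -> hand off to the next configured contact."""
    rng = rng or random.Random()
    trace: List[str] = []

    fqdn = ptr_records.get(ip)
    domain = domain_from_fqdn(fqdn) if fqdn else None
    if domain is None:
        # Missing or host-only PTR record: the agent cannot pick an ELM at all.
        trace.append(f"{ip}: no usable PTR record, cannot determine domain")
        return None, trace

    local = config.get(domain, [])
    candidates: List[str] = []
    if local:
        start = rng.randrange(len(local))          # random first choice ...
        candidates = local[start:] + local[:start]  # ... then the rest of the list
    foreign = [e for d, elms in config.items() if d != domain for e in elms]
    if foreign:
        candidates.append(rng.choice(foreign))      # one ELM from another domain

    for elm in candidates:
        creds = elm_data.get(elm, {}).get(fqdn)
        trace.append(f"{elm}: {'returned ' + creds[0] if creds else 'no credentials'}")
        if creds:
            return creds, trace

    trace.append(f"all Event Log Monitors failed for {fqdn}; trying {', '.join(NEXT_CONTACTS)}")
    return None, trace


if __name__ == "__main__":
    for ip in ("10.1.0.21", "10.1.0.50", "10.1.0.99", "10.2.0.40"):
        creds, trace = clientless_lookup(ip, rng=random.Random(1))
        print(ip, "->", creds)
        for line in trace:
            print("   ", line)
```

Run it to see the trace for each host: the host without a PTR record never reaches an Event Log Monitor, which is why PTR records for all client computers are a prerequisite; the host no Event Log Monitor has seen falls through to the next configured contact.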

For more information about how to specify domains and Event Log Monitors for the SSO Agent, see Configure the SSO Agent.

About the Exchange Monitor

You can use the Exchange Monitor to get user credentials and login information for SSO for users with computers that run Windows or Mac OS X, and for users with mobile devices that run iOS, Android, or Windows mobile operating systems. You must install the Exchange Monitor on the same server where your Microsoft Exchange Server is installed, and that Exchange Server must generate IIS and RPC client access log messages. Because Microsoft Exchange is integrated with Active Directory, the Exchange Monitor can match the user names in the IIS and RPC client access log messages to the user accounts in your user store. When a user successfully connects to the Exchange Server to download email, the Exchange Monitor records the logon and logoff events for the user, and gives the event information to the SSO Agent.

When a client computer connects to a Microsoft Exchange server, the IIS service on the Exchange server records a log entry of the user logon event. To get the credentials for your users for SSO, the Exchange Monitor verifies the logon and logoff events with the IIS service and keeps a list of all currently active users. The Exchange Monitor queries the IIS service every three seconds to make sure user information is current. When the SSO Agent contacts the Exchange Monitor, the Exchange Monitor sends the user information to the SSO Agent. If the user is listed as logged in to the Exchange server, the SSO Agent notifies the Firebox or XTM device that the user is currently logged in, and the user is authenticated. If the user is not included in the list of logged in users, the SSO Agent notifies the Firebox or XTM device that the user is not found in the list of active users, and the user is not authenticated.

Diagram of the Exchange Monitor clientless SSO process

The SSO Exchange Monitor is supported for use with only Microsoft Exchange 2003, 2007, or 2010.

For more information about how to configure the SSO Agent to use the Event Log Monitor and the Exchange Monitor, see Configure the SSO Agent.

How SSO Works

For SSO to work, you must install the SSO Agent software. The other components are optional: the SSO Client is installed on each client computer, the Event Log Monitor on a member server or domain controller in each of your domains, and the Exchange Monitor on the computer where your Microsoft Exchange Server is installed. When the SSO Agent contacts one of these components for user credentials, that component returns the user credentials and security group membership information to the SSO Agent. When you configure the settings for the SSO Agent, you specify which component (SSO Client, Event Log Monitor, or Exchange Monitor) the SSO Agent queries first. For SSO to work correctly, you must either install the SSO Client on all your client computers, or use the Event Log Monitor or the Exchange Monitor to get correct user information.

If the SSO Client, the Event Log Monitor, and the Exchange Monitor are not available, the SSO Agent gets the user credentials by making a NetWkstaUserEnum call to the client computer over TCP port 445, and uses the information it gets to authenticate the user for Single Sign-On. The SSO Agent uses only the first answer it gets from the computer, and reports that user to the Firebox or XTM device as the logged-on user, whether that logon is interactive or a service logon. The Firebox or XTM device checks the user information against all the defined policies for that user and/or user group at one time. The SSO Agent caches this data for about 10 minutes by default, so that a query does not have to be generated for every connection.

For examples of how the SSO Agent can contact the other SSO components for user information, see the Example Network Configurations for SSO section.

SSO Component Compatibility

The components of the WatchGuard SSO solution offer configuration flexibility to enable all of your Windows, Mac OS X, and mobile users to have a seamless authentication experience. The options for the SSO components that you can use with your computers or mobile device platforms include:

SSO Component          Windows   Mac OS X   iOS   Android
SSO Agent (1)          Yes       Yes        Yes   Yes
SSO Client (2)         Yes       Yes        -     -
Event Log Monitor      Yes       -          -     -
Exchange Monitor (3)   Yes       Yes        Yes   Yes

Yes = the component can provide SSO for users on that platform. The Event Log Monitor reads the Windows security event log on client computers, so it applies to Windows computers only.

(1) Though the SSO Agent can be used with all supported platforms, it must be installed only on a Windows server or your domain controller.
(2) The SSO Client is available in two versions: Windows and Mac OS X.
(3) Though you can use Exchange Monitor for your users with Windows computers, we recommend that Exchange Monitor only be used for users with Mac OS X or mobile devices.

Example Network Configurations for SSO

This first diagram shows one possible configuration for a network with a single domain. The SSO Agent and the Event Log Monitor are installed on the domain controller, the Exchange Monitor is installed on the Microsoft Exchange server, and the SSO Client is installed on the client computer. With this configuration, you can specify whether the SSO Agent contacts the SSO Client, the Event Log Monitor, or Exchange Monitor first.

For example, if you configure the SSO Agent to contact the SSO Client first, the Event Log Monitor second, and the Exchange Monitor third, and the SSO Client is not available, the SSO Agent next contacts the Event Log Monitor for the user credentials and group information. If the client computer is a Mac OS X or mobile device, the SSO Agent contacts the Exchange Monitor for the user login and logoff information.

The SSO Agent and the Event Log Monitor do not have to be installed on the domain controller. You can also install both the SSO Agent and the Event Log Monitor on another computer on the same domain, as long as they both run as a user account in the Domain Users or Domain Admins security group.

Diagram of a single domain configuration for SSO

The second diagram shows one possible configuration of a network with two domains. The SSO Agent is installed on only one domain controller in your network, the SSO Client is installed on each client computer, the Event Log Monitor is installed on a Windows member server in each domain in your network, and the Exchange Monitor is installed on your Microsoft Exchange Server. With this configuration, you can specify whether the SSO Agent contacts the SSO Clients, the Event Log Monitors, or the Exchange Monitor first.

For example, if you configure the SSO Agent to contact the SSO Client first, the Event Log Monitor second, and the Exchange Monitor third, and the SSO Client is not available, the SSO Agent contacts the Event Log Monitor that is in the same domain as the client computer and gets the user credentials and security group information. If the client computer is a Mac OS X or mobile device, the SSO Agent contacts the Exchange Monitor for the user login and logoff information.

Diagram of a multiple domain configuration for SSO

In your network environment, if more than one person uses the same computer, we recommend that you either install the SSO Client software on each client computer, install one or more instances of the Event Log Monitor in each domain, or install the Exchange Monitor on your Exchange server. Because there are access control limitations if you do not use the SSO Client, Event Log Monitor, or Exchange Monitor, we recommend that you do not use SSO without the SSO Client, the Event Log Monitor, or the Exchange Monitor.

For example, suppose you configure SSO without the SSO Client, the Event Log Monitor, or the Exchange Monitor, and a client computer runs a service (such as a centrally administered antivirus client) that logs on with domain account credentials. The Firebox or XTM device then gives all users of that computer the access rights of the first user that is logged on (and the groups of which that user is a member), which can be the service account, rather than the credentials of the individual users who log on interactively. All log messages generated from user activity on that computer also show the user name of the service account, not the individual user.

If you do not install the SSO Client, the Event Log Monitor, or the Exchange Monitor, we recommend you do not use SSO for environments where users log on to computers with service or batch logons. When more than one user is associated with an IP address, network permissions might not operate correctly. This can be a security risk.
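The following added example (Python, not WatchGuard's code) models the agent-only fallback described in the How SSO Works section and the two preceding paragraphs: a NetWkstaUserEnum-style enumeration where the first answer wins and the result is cached for about 10 minutes. It replays two constructed hosts, one with a service logon and one shared desk, to show which user name the Firebox is told about at each point in time. The host names, accounts, and timings are constructed; the enumeration is simulated rather than made over TCP port 445.

```python
"""Added example, not WatchGuard code: a model of the SSO Agent's agent-only
fallback (NetWkstaUserEnum over TCP 445, first answer wins, results cached for
about 10 minutes) and the identity confusion it causes when several logons
share one IP address. All hosts, accounts and times are constructed."""
from typing import Callable, Dict, List, Optional, Tuple

CACHE_TTL_SECONDS = 10 * 60  # "about 10 minutes by default"


class AgentOnlyFallback:
    """Mimics the documented fallback: no SSO Client, Event Log Monitor or
    Exchange Monitor, so the agent enumerates logged-on users itself."""

    def __init__(self, ttl: int = CACHE_TTL_SECONDS) -> None:
        self.ttl = ttl
        self._cache: Dict[str, Tuple[str, float]] = {}   # ip -> (user, time cached)

    def identify(self, ip: str, now: float,
                 enumerate_users: Callable[[str], List[str]]) -> Optional[str]:
        """Return the user name the Firebox would be told is logged on at `ip`."""
        cached = self._cache.get(ip)
        if cached is not None and now - cached[1] < self.ttl:
            return cached[0]            # cache hit: the client is not queried again
        users = enumerate_users(ip)     # stands in for the NetWkstaUserEnum call
        if not users:
            return None                 # nobody logged on: the user is not authenticated
        user = users[0]                 # first answer wins, interactive or not
        self._cache[ip] = (user, now)
        return user


def run_scenario(agent: Optional[AgentOnlyFallback] = None) -> Dict[Tuple[str, int], Optional[str]]:
    """Replay two constructed hosts and return what the agent reports at each time.

    10.1.0.77 runs an antivirus service logged on with a domain account, so the
    service account is always enumerated first. 10.1.0.78 is a shared desk:
    alice logs on, then logs off and bob logs on two minutes later."""
    agent = agent or AgentOnlyFallback()
    # time in seconds -> names the host would enumerate, in the order it reports them
    timelines: Dict[str, Dict[int, List[str]]] = {
        "10.1.0.77": {0: ["CORP\\svc-antivirus", "CORP\\alice"],
                      700: ["CORP\\svc-antivirus", "CORP\\bob"]},
        "10.1.0.78": {0: ["CORP\\alice"], 120: ["CORP\\bob"], 660: ["CORP\\bob"]},
    }
    reported: Dict[Tuple[str, int], Optional[str]] = {}
    for ip, timeline in timelines.items():
        for t in sorted(timeline):
            snapshot = timeline[t]
            reported[(ip, t)] = agent.identify(ip, t, lambda _ip, s=snapshot: s)
    return reported


if __name__ == "__main__":
    for (ip, t), user in run_scenario().items():
        print(f"t={t:>4}s  {ip}  Firebox sees: {user}")
```

On the first host the service account is reported every time, so alice's and bob's traffic is authorized, and logged, as svc-antivirus. On the shared desk, bob's traffic is authorized as alice for the remainder of the cache period after alice logs off, which is the shared-IP risk described above.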

If you configure multiple Active Directory domains, you can choose to use either the SSO Client, the Event Log Monitor, or the Exchange Monitor. For more information about how to configure the SSO Client when you have multiple Active Directory domains, see Configure Active Directory Authentication and Install the WatchGuard Single Sign-On (SSO) Client.

If you enable Single Sign-On, you can also use Firewall authentication to log in to the Firewall Authentication Portal page and authenticate with different user credentials. For more information, see Firewall Authentication.

The WatchGuard SSO solution is not supported for terminal sessions, or for remote desktop sessions with clientless SSO.

Choose Your SSO Components

Because the WatchGuard SSO solution is so flexible, you have many choices available to you for your various network access configurations. If, after you have reviewed the previous SSO Component Compatibility section, you are unsure which components to use for your network, WatchGuard recommends these guidelines:

For more information about how to set the contact priority for your SSO components, see the Configure Clientless SSO section in Configure the SSO Agent.

Before You Begin

Before you configure SSO for your network, verify that your network configuration meets these prerequisites:

If the server where you want to install the Exchange Monitor runs Windows Server 2012 or higher and Microsoft Exchange 2013 and higher, before you install the Exchange Monitor, you must make sure that Microsoft .NET Framework v3.5 is installed.

Set Up SSO

To use SSO, you must install the SSO Agent software. We recommend that you also use either the Event Log Monitor, Exchange Monitor, or the SSO Client. Though you can use SSO with only the SSO Agent, you increase your security and access control when you also use the SSO Client, the Event Log Monitor, or the Exchange Monitor.

To set up SSO, follow these steps:

  1. Install the WatchGuard Single Sign-On (SSO) Agent and Event Log Monitor (ELM is optional).
  2. Install the WatchGuard Single Sign-On (SSO) Client (optional, but recommended).
  3. Install the WatchGuard SSO Exchange Monitor (optional).
  4. Enable Single Sign-On (SSO).

See Also

About User Authentication

Set Global Firewall Authentication Values

Configure Active Directory Authentication

Install and Configure the Terminal Services Agent

Use Telnet to Debug the SSO Agent

About SSO Log Files
