Choose Your Single Sign-On (SSO) Components
This topic explains operating system compatibility, the benefits and limitations of each component, and best practices so you can choose the SSO components that work best for your network.
For SSO to work, you must install the SSO Agent software.
We recommend that you also install one or more of these components:
- SSO Client — Windows and Mac OS X
- Event Log Monitor (Clientless SSO) — Windows
- Exchange Monitor (Clientless SSO) — Windows, Mac OS X, Linux, and mobile clients
If you install only the SSO Agent, your SSO deployment uses Active Directory (AD) Mode to get user information. AD Mode is not intended to be used as the primary SSO method because it has access control limitations that can result in failed SSO attempts and security risks. For more information about AD Mode, see About SSO.
SSO Component Compatibility
For information about which operating system and Microsoft Exchange Server versions are compatible with your SSO components, see the Operating System Compatibility list in the Fireware Release Notes. You can find the Release Notes for your version of Fireware OS on the Fireware Release Notes page of the WatchGuard website.
SSO Component Compatibility List
SSO Component | Windows | Mac OS X | Linux | iOS | Android | Windows Mobile |
---|---|---|---|---|---|---|
SSO Agent 1 | ✓ | | | | | |
SSO Client 2 | ✓ | ✓ | | | | |
Event Log Monitor 3 | ✓ | | | | | |
Exchange Monitor 4 | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
SSO Component Comparison
SSO components have different deployment methods, operating system compatibility, and levels of accuracy and performance. You can use this list to compare the benefits and limitations of each SSO component.
SSO Component | Benefits | Limitations | OS Support |
---|---|---|---|
SSO Client | | | Windows, Mac |
Event Log Monitor | | | Windows |
Exchange Monitor | | | Any OS |
Best Practices
For the most reliable SSO deployment, we recommend:
For a network with only Windows computers
- Install the SSO Client on each Windows computer
- Specify the SSO Client as the primary contact for the SSO Agent
- Specify the Event Log Monitor as a secondary contact for the SSO Agent
For a network with Windows, Mac OS X, and Linux computers, and devices with mobile operating systems
- Install the SSO Client on each Windows and Mac OS X computer
- Specify the SSO Client as the primary contact for the SSO Agent
- Specify the Exchange Monitor as a secondary contact for the SSO Agent
In your network environment, if more than one person uses the same computer, we recommend you choose one of these component configurations:
- Install the SSO Client software on each client computer
- Install one or more instances of the Event Log Monitor in each domain
- Install the Exchange Monitor on your Exchange server
If you configure more than one Active Directory domain, you can use the SSO Client, Event Log Monitor, or Exchange Monitor. For more information about how to configure the SSO Client when you have more than one Active Directory domain, see Configure Active Directory Authentication and Install the WatchGuard Single Sign-On (SSO) Client.
If you enable SSO, you can also use Firewall authentication to log in to the Firewall Authentication Portal page and authenticate with different user credentials. For more information, see Firewall Authentication.
A single sign-on option is also available for the Terminal Services Agent, but it is not related to the WatchGuard SSO solution components and is configured separately. For more information about the Terminal Services Agent, see Install and Configure the Terminal Services Agent.
See Also
Example Network Configurations for SSO
Troubleshoot Single Sign-On (SSO)
Set Global Firewall Authentication Values
Configure Active Directory Authentication
Install and Configure the Terminal Services Agent