Contents

Related Topics

Enable Active Directory Single Sign-On (SSO)

This procedure describes how to enable Active Directory Single Sign-On. For information about how to enable RADIUS Single Sign-On, see Enable RADIUS Single Sign-On.

Before you can enable Active Directory SSO, you must:

If your device runs Fireware v11.0–v11.3.x, the Authentication Settings for Terminal Services are not available.

Enable and Configure SSO

When you enable and configure the settings for SSO on your Firebox, you must specify the IP address of the SSO Agent. You can also change the amount of time the SSO Agent caches data from an Active Directory server, specify the IP addresses (or ranges) to exclude from SSO queries, and enable SSO through the branch office VPN tunnels on your Firebox.

When you enable SSO through your BOVPN tunnels, SSO connections through the tunnel to your domain workstations can increase the bandwidth consumption of the tunnel.

To enable and configure SSO, from Fireware Web UI:Closed
  1. Select Authentication > Single Sign-On.
    The Single Sign-On page appears.
  2. Select the Enable Single Sign-On (SSO) with Active Directory check box.

Screen shot of the Authentication Single Sign-On page with SSO enabled

  1. In the SSO Agent IP address text box, type the IP address of your SSO Agent.
  2. If you use AD Mode for SSO, in the Cache data for text box, specify the amount of time the SSO Agent caches data from an Active Directory server.
    For more information about AD Mode, see About SSO.
  3. In the SSO Exceptions list, add or remove the IP addresses or ranges to exclude from SSO queries.

    4. For more information about SSO exceptions, see the Define SSO Exceptions section.

  4. To enable users who connect to your network through a BOVPN tunnel to use SSO, select the Enable Single Sign-On (SSO) through BOVPN tunnels check box.
  5. Click Save to save your changes.
To enable and configure SSO, from Policy Manager:Closed
  1. Select Setup > Authentication > Authentication Settings.
    The Authentication Settings dialog box appears.
  2. Select the Single Sign-On tab.
  3. Select the Enable Single Sign-On (SSO) with Active Directory check box.

Screen shot of the Authentication Settings dialog box, SSO tab with SSO Enabled

  1. In the SSO Agent IP address text box, type the IP address of your SSO Agent.
  2. If you use AD Mode for SSO, in the Cache data for text box, specify the amount of time the SSO Agent caches data from an Active Directory server.
    For more information about AD Mode, see About SSO.
  3. In the SSO Exceptions list, add or remove the IP addresses or ranges to exclude from SSO queries.

    4. For more information about SSO exceptions, see the Define SSO Exceptions section.

  4. To enable users who connect to your network through a BOVPN tunnel to use SSO, select the Enable Single Sign-On (SSO) through BOVPN tunnels check box.
  5. Click OK to save your changes.

Define SSO Exceptions

If your network includes devices with IP addresses that do not require authentication, such as network servers, print servers, or computers that are not part of the domain, if you have users on your internal network who must manually authenticate to the Authentication Portal, or if you have terminal servers for the Terminal Services Agent, we recommend that you add their IP addresses to the SSO Exceptions list.

Each time a connection attempt occurs from an IP address that is not in the SSO Exceptions list, the Firebox contacts the SSO Agent to try to associate the IP address with a user name. This takes about 10 seconds. You can use the SSO Exceptions list to prevent this delay for each connection, to reduce unnecessary network traffic, and enable users to authenticate and connect to your network without delay.

When you add an entry to the SSO Exceptions list, you can choose to add a host IP address, network IP address, subnet, host DNS name (from Policy Manager only), or a host range.

To add an entry to the SSO Exceptions list, from Fireware Web UI:Closed
  1. Click Add.
    The Add IP Addresses dialog box appears.
  2. From the Choose Type drop-down list, select the type of entry to add to the SSO Exceptions list:
    • Host IP
    • Network IP
    • Host Range
      The text boxes that appear change based on the type you select.
  3. Type the IP address for the type you selected.
    If you selected the type Host Range, in the From and To text boxes, type the start and end IP addresses for the range.
  4. (Optional) In the Description text box, type a description to include with this exception in the SSO Exceptions list.
  5. Click OK.
    The IP address or range appears in the SSO Exceptions list.
  6. Click Save.
To add an entry to the SSO Exceptions list, from Policy Manager:Closed
  1. Below the SSO Exceptions list, click Add.
    The Add SSO Exception dialog box appears.

Screen shot of the Add SSO Exception dialog box

  1. From the Choose Type drop-down list, select the type of entry to add to the SSO Exceptions list:
    • Host IPv4
    • Network IPv4
    • Host Range IPv4
    • Host Name (DNS lookup)

Screen shot of the Add SSO Exception dialog box with the Choose Type options

  1. In the Value text box, type the IP address for the type you selected.

If you selected the type Host Range, in the Value text box, type the IP address at the start of the range.
In the To text box, type the IP address at the end of the range.

  1. (Optional) In the Description text box, type a description to include with this exception in the SSO Exceptions list.
    The Comment text box does not appear for the Host Name type.
  2. Click OK.
    The IP address or range appears in the SSO Exceptions list.

Screen shot of the Single Sign-On section of the Authentication Settings dialog box, with example SSO Exceptions

You can also edit or remove entries from the SSO Exceptions list.

To modify an entry in the SSO Exceptions list, from Policy  Manager:Closed
  1. From the SSO Exceptions list, select an entry.
  2. Click Edit.
    The Edit SSO exception IP dialog box appears.
  3. Change the settings for the SSO exception.
  4. Click OK.
    The updated entry appears in the SSO Exceptions list.

Screen shot of the Edit SSO Exception IP Address dialog box

  1. Click OK.
To remove an entry from the SSO Exceptions list, from Fireware Web UI:Closed
  1. From the SSO Exceptions list, select an entry.
  2. Click Remove.
    The selected entry is removed from the SSO Exceptions list.
  3. Click Save.
To remove an entry from the SSO Exceptions list, from Policy Manager:Closed
  1. From the SSO Exceptions list, select an entry.
  2. Click Remove.
    The selected entry is removed from the SSO Exceptions list.
  3. Click OK.

See Also

About Active Directory Single Sign-On (SSO)

Choose Your Single Sign-On (SSO) Components

Install the WatchGuard Single Sign-On (SSO) Agent and Event Log Monitor

Install the WatchGuard Single Sign-On (SSO) Client

Install the WatchGuard Single Sign-On (SSO) Exchange Monitor

Troubleshoot Single Sign-On (SSO)

About User Authentication

Use Authentication to Restrict Incoming Connections

Set Global Firewall Authentication Values

Configure Terminal Services Settings

Give Us Feedback     Get Support     All Product Documentation     Technical Search

© 2018 WatchGuard Technologies, Inc. All rights reserved. WatchGuard, the WatchGuard logo, WatchGuard Dimension, Firebox, Core, Fireware, and LiveSecurity are registered trademarks or trademarks of WatchGuard Technologies in the United States and/or other countries.