Contents

Related Topics

Quick Start — Set Up Active Directory Single Sign-On (SSO)

When you use the WatchGuard Active Directory Single Sign-On (SSO) solution, users on the trusted or optional networks provide their user credentials one time (when they log on to their computers) and are automatically authenticated to your Firebox. This topic summarizes how to set up WatchGuard Single Sign-On with the three most commonly used components of the WatchGuard SSO solution:

  • SSO Agent — You must install the SSO Agent on your network to collect user login information and provide that information to the Firebox. The SSO Agent can collect user login information from the SSO Client, Event Log Monitor, and Exchange Monitor.
  • SSO Client — You can install the SSO Client on Windows and Mac OS X computers on your network. The SSO Client runs in the background to collect user credentials, domain information, and group information to provide to the SSO Agent.
  • Event Log Monitor (ELM) — You can install the Event Log Monitor on a server in each network domain to collect user login information from the Windows security event log files from domain Windows computers that do not have the SSO Client installed.

It is not necessary for the SSO component versions to match each other or to match the version of Fireware OS on your Firebox. We recommend that you install the latest available version of the SSO Agent, even if your Firebox runs an older version of Fireware OS.

For a complete description of all WatchGuard SSO components, configuration options, and functionality, see About Active Directory Single Sign-On (SSO).

This Quick Start procedure focuses on how to deploy SSO components for SSO from computers that use the SSO Client. It also describes how to set up the Event Log Monitor as a secondary method to enable SSO for Windows computers that do not have the SSO Client installed. Even if you install the Event Log Monitor, we recommend that you install the SSO Client on all Windows computers for the most reliable SSO deployment.

Step 1 — Verify PrerequisitesClosed

Before you configure SSO for your network, verify that your network configuration supports all the necessary requirements.

Active Directory

  • You must have an Active Directory server configured on your local network.
  • Your Firebox must be configured to use Active Directory authentication.
  • Each user must have a user account on the Active Directory server.
  • Each user must log in with a domain user account for SSO to operate correctly. If users log in with an account that exists only on their local computers, their credentials are not verified and the Firebox does not recognize that they are logged in.
  • The SSO Agent and the Event Log Monitor must run as a user account in the Domain Users or Domain Admins security group. Tip!We recommend that you add a user account on your Active Directory server for this purpose, and set the account password to never expire.
    If the user account is in the Domain Users security group, it must have privileges to run services on the Active Directory server, to search the directory, and to search all other user audit information.
  • All computers from which users authenticate with SSO must be members of the Active Directory domain with unbroken trust relationships.
  • Mac OS X computers must join the Active Directory domain before the SSO Client can be installed.
  • The Exchange Monitor must run as a user account in the Domain Admins security group.

Ports

  • TCP port 445 (port for SMB) must be open on the client computers.
  • TCP port 4116 must be open on the client computers where you install the SSO Client.
  • TCP port 4114 must be open on the server where you install the SSO Agent.
  • TCP port 4135 must be open on the server where you install the Event Log Monitor.
  • TCP port 4136 must be open on the server where you install the Exchange Monitor.

To test whether these ports are open, you can use the SSO Port Tester tool. For more information, see Troubleshoot SSO.

Event Logs

  • For the Event Log Monitor to operate correctly, you must enable audit logging on all Windows domain computers for the 4624 and 4634 logon and account logon events.
  • If your Windows network is configured for Fast User Switching, you must:
    • Enable audit logging on all Windows domain computers for events 4647, 4778, and 4779.
      This enables Event Log Monitor to operate correctly.
    • Install Event Log Monitor v11.10 or higher.
      The WatchGuard Authentication Gateway installer includes the option to install Event Log Monitor.
  • For Remote Desktop Protocol (RDP) users to use clientless SSO:
    • Event Log Monitor v11.10 or higher must be installed.
    • Microsoft events 4624 and 4634 must be generated on the client computers and contain Logon Type attributes. These attributes specify whether a logon or logoff event occurred on the local network or through RDP. Attributes 2 and 11 specify local logon and logoff events, and attribute 10 specifies an RDP logon or logoff event.

Microsoft .NET Requirements

  • Microsoft .NET Framework v2.0 or higher must be installed on the server where you install the SSO Agent.
  • For Microsoft Exchange Server 2010 and earlier, Microsoft .NET Framework v2.0 or higher must be installed on the server where you install the Exchange Monitor.
  • For Windows Server 2012 and higher, and Microsoft Exchange Server 2013 and higher, Microsoft .NET Framework 3.5 or higher must be installed on the server where you install the Exchange Monitor.
Step 2 — Install the WatchGuard SSO Agent and Event Log MonitorClosed

You must install the WatchGuard SSO Agent. The Event Log Monitor component is optional, but is recommended as a backup method for the SSO Agent to collect user login information. To minimize the potential for connectivity issues between the SSO components, we recommend that you install both the SSO Agent and Event Log Monitor on the Active Directory domain controller. You can install them on any server in your network domain.

  1. Download the WatchGuard Single Sign-On Agent software from the Software Downloads page for your Firebox on the WatchGuard Software Downloads Center.
    The software you download, the WatchGuard Authentication Gateway Installer, includes the Single Sign-On Agent and Event Log Monitor components.
  2. On the AD domain controller, run the WatchGuard Authentication Gateway Installer.
  3. Select the check boxes to install both the Single Sign-On Agent, and the Event Log Monitor components.
  4. Specify the domain user credentials that you want the WatchGuard Authentication Gateway service to use. The account must be a member of the Domain Users or Domain Admins security group, and must have the privileges described in Step 1.

After the installer finishes, you can see two new services started on the server:

  • WatchGuard Authentication Gateway (SSO Agent)
  • WatchGuard Authentication Event Log Monitor

For more detailed information about other installation options, see Install the WatchGuard Single Sign-On (SSO) Agent and Event Log Monitor.

Step 3 — Configure the WatchGuard SSO AgentClosed

In the SSO Agent Configuration Tool, you configure:

  • SSO Agent contacts settings
  • Active Directory domains for SSO

To configure the SSO Agent contacts settings:

  1. From the Windows start menu programs, select WatchGuard > Authentication Gateway > WatchGuard SSO Agent Configuration Tool.
  2. Log in with the default admin account credentials for the SSO Agent Configuration Tool:
    User Nameadmin
    Passwordreadwrite.
  3. In the SSO Agent Configuration Tool, select Edit > SSO Agent Contacts Settings.
  4. Adjacent to the SSO Client, select the Enabled check box to enable the SSO Agent to contact the SSO Client.
  5. Select the SSO Client in the list, and click  Up to move it to the top of the list.
  6. Make sure Event Log Monitor is enabled as priority 2.
  7. In the Contact Domains list, specify one or more domains for the Event Log Monitor or the Exchange Monitor to contact for user login information. The domain name is case sensitive. For each domain, specify the IP address(es) for the server that run the ELM or EM components.

Next, add a domain with settings for a user account that the SSO Agent can use to search your Active Directory server. We recommend that you create a specific user account on your Active Directory server with permissions to search the directory and with a password that never expires.

From SSO Agent Configuration Tools:

  1. Select Edit > Add Domain.
  2. In the Domain Name text box, type the name of the domain.
    The domain name is case sensitive. Make sure you type the domain name exactly at it appears on the Active Directory tab in the Authentication Server Settings on your Firebox.
    For example, type my-example.com.
  3. In the NetBIOS Domain Name text box, type the NetBIOS domain name.
    The NetBIOS domain name is the Domain Name (pre-Windows 2000) setting in the properties for the domain on the Active Directory server.
  4. In the IP Address of Domain Controller text box, type the IP address of the Active Directory server for this domain.
    If the SSO Agent is installed on the Active Directory server, you can use the loopback address, 127.0.0.1.
  5. In the Port text box, type the port to use to connect to this server.
    The default port is 389.
  6. In the Searching User section, select an option for how to specify the user name.
  7. In the text box for the option you chose, type the user information.
    Make sure to specify a user who has permissions to query audit/directory information for any other Active Directory users. This can be the same user you specified to run the SSO Agent and Event Log Monitor, with a password that never expires.
  8. Type and confirm the password of the searching user.
  9. To add another domain, click OK & Add Next. Repeat Steps 1–8.

For more information about SSO Agent configuration options, see Configure the SSO Agent.

Step 4 — Install the SSO ClientClosed

The Single Sign-On Client is optional, but recommended for the most reliable SSO implementation. The SSO Client runs as a local system service on each user computer to collect the user login information for the user currently logged in to that computer. It requires no interaction from the user. For the most reliable SSO implementation, WatchGuard highly recommends that you use the SSO Client on computers that support it.

You can download the Single Sign-On Clients for Windows and Mac OS X from the WatchGuard Software Downloads Center.

  • Because the SSO Client installer for Windows is an MSI file, you can use an Active Directory Group Policy to automatically install it when users log on to your domain from a Windows computer. For more information about software installation deployment for Active Directory group policy objects, see the documentation for your operating system.
  • If your Firebox is configured with multiple Active Directory domains, your users must install the SSO Client.
  • For a users with Mac OS X to use the SSO Client, their computers must have joined the Active Directory server.

For details about how to install the SSO Client, see Install the WatchGuard Single Sign-On (SSO) Client.

Step 5 — Enable and Configure Single Sign-On on the FireboxClosed

After all the other components are in place, you can enable Single Sign-On on the Firebox.

To enable Single Sign-On, from Fireware Web UI:

  1. Select Authentication > Single Sign-On.
    The Single Sign-On page appears.
  2. Select the Enable Single Sign-On (SSO) with Active Directory check box.
  3. In the SSO Agent IP Address text box, type the IP address of the server where you installed the SSO Agent.

To enable Single Sign-On, from Policy Manager:

  1. Select Setup > Authentication > Authentication Settings.
    The Authentication Settings dialog box appears.
  2. Select the Single Sign-On tab.
  3. Select the Enable Single Sign-On (SSO) with Active Directory check box.

After you enable Single Sign-On, you can add SSO exceptions. We recommend that you add SSO exceptions for all network devices that might try to sent traffic to the Internet and are not in the domain. These include network devices, such as:

  • Network servers
  • Print servers
  • Managed switches and routers
  • Networks or computers that are not part of the domain, such as guest networks
  • Users on your internal network who must manually authenticate to the Authentication Portal

For more information about how to enable SSO and configure SSO exceptions, see Enable Active Directory Single Sign-On (SSO).

WatchGuard SSO Exchange Monitor is an optional component you can install to enable SSO for network clients that use Linux, or mobile devices that run iOS, Android, or Windows Mobile. Exchange Monitor is used primarily for mobile client authentication, but you can also use it as a backup SSO connection for computers that are not shared by multiple users.

For more information, see Install the WatchGuard Single Sign-On (SSO) Exchange Monitor.

To troubleshoot SSO, review the list of requirements and verify your network servers and SSO components are configured correctly.

See Also

About Active Directory Single Sign-On (SSO)

About User Authentication

Getting Started with Single Sign-On video tutorial (9 minutes)

Troubleshoot SSO

Choose Your Single Sign-On (SSO) Components

Give Us Feedback     Get Support     All Product Documentation     Technical Search

© 2018 WatchGuard Technologies, Inc. All rights reserved. WatchGuard, the WatchGuard logo, WatchGuard Dimension, Firebox, Core, Fireware, and LiveSecurity are registered trademarks or trademarks of WatchGuard Technologies in the United States and/or other countries.