Configure the SSO Exchange Monitor
After you install the Exchange Monitor, you must configure the SSO Agent to use the Exchange Monitor.
For a detailed explanation of how the Exchange Monitor works, go to How Active Directory SSO Works. For information about how to install the Exchange Monitor, go to Install the WatchGuard SSO Exchange Monitor.
Best Practices
For the most reliable SSO deployment, we recommend that you use the SSO Client as the primary SSO method for Windows and macOS computers. You can use the Exchange Monitor as a backup SSO method for Windows and macOS computers that are not shared by many users. You can also configure the Exchange Monitor as the primary SSO method for Linux computers, and mobile devices with Android, iOS, and Windows.
Configuration Requirements
To use the Exchange Monitor for SSO:
- You must enable the Exchange Monitor option in the SSO Agent
- You must add a contact domain in the SSO Agent (the domain name and IP address for the Exchange Monitor), if you have:
- One domain and the SSO Agent is not installed on your domain controller
- More than one domain, and the Exchange Monitor and SSO Agents are installed on different domains
- When you add a domain for the Exchange Monitor, you must specify the IP addresses and the session check interval for the Microsoft Exchange server. The session check interval specifies the amount of time before the Exchange Monitor logs off a user that does not appear in the IIS log messages on your Exchange Server as active. The default setting is 40 minutes. You must specify an interval of at least 5 minutes.
- Users must launch a mail client on their computers before they can access the Internet. This generates the IIS log messages on your Exchange Server that the Exchange Monitor requires for SSO.
If you include more than one Exchange Monitor in the Contact Domains list, the SSO Agent queries the first entry in the list for the user credentials and group information. If the first Exchange Monitor is not available, the SSO Agent contacts the next monitor in the list. This process continues until the SSO Agent finds an available Exchange Monitor
Configure the SSO Agent
To configure the SSO to use the Exchange Monitor:
- Log in to the SSO Agent Configuration Tool.
- Select Edit > SSO Agent Contacts Settings.
The SSO Agent Contacts Settings dialog box appears. - Click Add.
The Domain Settings dialog box appears. - For the Type option, select Exchange Monitor.
- In the Domain Name text box, type the name of the domain that you want the Exchange Monitor to contact for user credentials.
You must type the name in the format domain.com. - In the IP Addresses of Microsoft Exchange Server text box, type the IP addresses for the domain.
To specify more than one IP address for the Exchange Server, separate the IP addresses with a semicolon, without spaces. - To change the Session Check Interval setting from the default setting of 40 minutes, type or select a new interval.
- Click OK.
The domain information you specified appears in the Contact Domains list.
Test the SSO Port Connection
To verify that the SSO Agent can contact the Exchange Monitor, you can use the SSO Port Tester tool. For more information, go to Troubleshoot Single Sign-On (SSO).
About Active Directory Single Sign-On (SSO)
How Active Directory SSO Works
Install the WatchGuard Active Directory SSO Exchange Monitor