Quick Start — Set Up Active Directory Single Sign-On (SSO)
When you use the WatchGuard Active Directory Single Sign-On (SSO) solution, users on the trusted or optional networks provide their user credentials one time (when they log on to their computers) and are automatically authenticated to your Firebox. This topic summarizes how to set up WatchGuard Single Sign-On with the three most commonly used components of the WatchGuard SSO solution:
- SSO Agent — You must install the SSO Agent on your network to collect user login information and provide that information to the Firebox. The SSO Agent can collect user login information from the SSO Client, Event Log Monitor, and Exchange Monitor.
- SSO Client — You can install the SSO Client on Windows and macOS computers on your network. The SSO Client runs in the background to collect user credentials, domain information, and group information to provide to the SSO Agent.
- Event Log Monitor (ELM) — You can install the Event Log Monitor on a server in each network domain to collect user login information from the Windows security event log files from domain Windows computers that do not have the SSO Client installed.
It is not necessary for the SSO component versions to match each other or to match the version of Fireware OS on your Firebox unless otherwise specified. The exceptions are that the SSO Agent v12.5.4 supports Fireware v12.5.4 or higher only, and you cannot use SSO Client v12.5.4 with versions of the SSO Agent lower than v12.5.4.
We recommend that you install the latest available version of the SSO Agent, even if your Firebox runs an older version of Fireware.
For a complete description of all WatchGuard SSO components, configuration options, and functionality, go to How Active Directory SSO Works.
This Quick Start procedure focuses on how to deploy SSO components for SSO from computers that use the SSO Client. It also describes how to set up the Event Log Monitor as a secondary method to enable SSO for Windows computers that do not have the SSO Client installed. Even if you install the Event Log Monitor, we recommend that you install the SSO Client on all Windows computers for the most reliable SSO deployment.
Before you configure SSO for your network, verify that your network configuration supports all the necessary requirements.
Active Directory
- You must have an Active Directory server configured on your local network.
- Your Firebox must be configured to use Active Directory authentication.
- Each user must have a user account on the Active Directory server.
- Each user must log in with a domain user account for SSO to operate correctly. If users log in with an account that exists only on their local computers, their credentials are not verified and the Firebox does not recognize that they are logged in.
- The SSO Agent and the Event Log Monitor must run as a user account in the Domain Users security group.
Tip! The Domain Users account you select must have privileges to run services on the Active Directory server, to search the directory, and to search all other user audit information. To configure the correct permissions and settings, see Install the WatchGuard Single Sign-On (SSO) Agent and Event Log Monitor. We recommend that you do not select an account in the Domain Admins security group.
- All computers from which users authenticate with SSO must be members of the Active Directory domain with unbroken trust relationships.
To use Active Directory SSO with computers joined to your domain with Azure Active Directory, you must install v12.10.1 or higher of the WatchGuard Single Sign-On (SSO) Agent. This version of the agent supports hybrid environments, where a local Active Directory domain controller is used for authentication by the Firebox, and the computers are added to this domain with Azure AD.
- macOS computers must join the Active Directory domain before the SSO Client can be installed.
- The Exchange Monitor must run as a user account in the Domain Admins security group.
Ports
- TCP port 445 (port for SMB) must be open on the client computers.
- TCP port 4116 must be open on the client computers where you install the SSO Client.
- TCP port 4114 must be open on the server where you install the SSO Agent.
- TCP port 4135 must be open on the server where you install the Event Log Monitor.
- TCP port 4136 must be open on the server where you install the Exchange Monitor.
To test whether these ports are open, you can use the SSO Port Tester tool. For more information, see Troubleshoot SSO.
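The following PowerShell script is an added example (it is not WatchGuard's SSO Port Tester or any other WatchGuard code) that checks the same TCP ports from the command line. Host names are placeholders for your own servers and a representative client computer; run it from the server that hosts the SSO Agent, because that is the component that initiates connections to the SSO Client, Event Log Monitor, and Exchange Monitor, and check port 4114 on the agent from the Firebox's side of the network.

```powershell
# Added example, not WatchGuard code. Checks the TCP ports used by the SSO components.
# Host names below are placeholders; replace them with your own systems.
$checks = @(
    @{ Role = 'SSO Agent';         Host = 'sso-agent.my-example.com'; Port = 4114 },
    @{ Role = 'Event Log Monitor'; Host = 'dc1.my-example.com';       Port = 4135 },
    @{ Role = 'Exchange Monitor';  Host = 'exch1.my-example.com';     Port = 4136 },
    @{ Role = 'SSO Client';        Host = 'ws-0042.my-example.com';   Port = 4116 },
    @{ Role = 'SMB on client';     Host = 'ws-0042.my-example.com';   Port = 445  }
)

$results = foreach ($c in $checks) {
    # Test-NetConnection completes a TCP handshake; -InformationLevel Quiet returns only $true/$false
    $open = Test-NetConnection -ComputerName $c.Host -Port $c.Port `
                -InformationLevel Quiet -WarningAction SilentlyContinue
    [pscustomobject]@{ Role = $c.Role; Host = $c.Host; Port = $c.Port; Open = $open }
}

$results | Format-Table -AutoSize

# Anything closed or filtered is a host firewall or network ACL to fix before going further
$blocked = $results | Where-Object { -not $_.Open }
if ($blocked) {
    $list = ($blocked | ForEach-Object { "$($_.Host):$($_.Port) ($($_.Role))" }) -join ', '
    Write-Warning "Closed or filtered: $list"
}
```

A closed result for 4116 or 445 on a client usually means the Windows Defender Firewall profile on that computer does not allow the inbound connection; the SSO Client installer and a Group Policy firewall rule are the usual places to correct that.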
Event Logs
- For the Event Log Monitor to operate correctly, you must enable audit logging on all Windows domain computers for the 4624 and 4634 logon and account logon events.
- If your Windows network is configured for Fast User Switching, you must:
- Enable audit logging on all Windows domain computers for events 4647, 4778, and 4779. This enables Event Log Monitor to operate correctly.
- Install Event Log Monitor v11.10 or higher. The WatchGuard Authentication Gateway installer includes the option to install Event Log Monitor.
- For Remote Desktop Protocol (RDP) users to use clientless SSO:
- Event Log Monitor v11.10 or higher must be installed.
- Microsoft events 4624 and 4634 must be generated on the client computers and contain Logon Type attributes. These attributes specify whether a logon or logoff event occurred on the local network or through RDP. Attributes 2 and 11 specify local logon and logoff events, and attribute 10 specifies an RDP logon or logoff event.
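Before you rely on the Event Log Monitor, it is worth confirming on a domain computer that the audit settings are actually producing these events and that the Logon Type attribute is present. The PowerShell below is an added example (not WatchGuard code) that prints the Logon/Logoff audit policy and then tabulates recent Security log events 4624, 4634, 4647, 4778, and 4779 by event ID and Logon Type. Run it in an elevated session on a domain Windows computer; the 500-event window is an arbitrary choice.

```powershell
# Added example, not WatchGuard code. Run elevated on a domain-joined Windows computer.

# 1. Show the audit subcategories that generate the logon/logoff events the ELM depends on.
auditpol /get /category:"Logon/Logoff"

# 2. Pull recent events and tabulate by ID and Logon Type
#    (2 and 11 = local logon/logoff, 10 = RDP, per the requirement above).
$ids    = 4624, 4634, 4647, 4778, 4779
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = $ids } `
              -MaxEvents 500 -ErrorAction SilentlyContinue

$rows = foreach ($e in $events) {
    $xml  = [xml]$e.ToXml()
    $data = $xml.Event.EventData.Data
    # LogonType is an EventData field on 4624 and 4634; the other IDs leave it blank
    $logonType = ($data | Where-Object { $_.Name -eq 'LogonType' }).'#text'
    $user      = ($data | Where-Object { $_.Name -in 'TargetUserName', 'AccountName' } | Select-Object -First 1).'#text'
    [pscustomobject]@{ Id = $e.Id; Time = $e.TimeCreated; LogonType = $logonType; User = $user }
}

$rows | Group-Object Id, LogonType | Sort-Object Name |
    Select-Object @{ n = 'Id, LogonType'; e = { $_.Name } }, Count | Format-Table -AutoSize

# An ID that never appears in the window means its audit subcategory is off (or nobody has logged on)
$missing = $ids | Where-Object { $_ -notin $rows.Id }
if ($missing) { Write-Warning "No recent events seen for ID(s): $($missing -join ', ')" }

# 4624 events without a LogonType cannot be classified as local or RDP by the ELM
$untyped = $rows | Where-Object { $_.Id -eq 4624 -and -not $_.LogonType }
if ($untyped) { Write-Warning "$($untyped.Count) logon events carry no Logon Type attribute" }
```

If 4647, 4778, or 4779 never show up on a computer where users switch sessions, enable the "Logoff" and "Other Logon/Logoff Events" subcategories in the domain's advanced audit policy rather than only the legacy "Audit logon events" setting.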
Microsoft .NET Requirements
- For v12.3 or higher of the SSO Agent, Microsoft .NET Framework v4.0 or higher must be installed on the server where you install the SSO Agent.
- For SSO Agent versions lower than v12.3, Microsoft .NET Framework v2.0–4.5 must be installed on the server where you install the SSO Agent.
- For Microsoft Exchange Server 2010 and earlier, Microsoft .NET Framework v2.0 or higher must be installed on the server where you install the Exchange Monitor.
- For Windows Server 2012 and higher, and Microsoft Exchange Server 2013 and higher, Microsoft .NET Framework 3.5 or higher must be installed on the server where you install the Exchange Monitor.
You must install the WatchGuard SSO Agent. The Event Log Monitor component is optional, but is recommended as a backup method for the SSO Agent to collect user login information. To minimize the potential for connectivity issues between the SSO components, we recommend that you install both the SSO Agent and Event Log Monitor on the Active Directory domain controller. You can install them on any server in your network domain.
Fireware v12.2 or higher supports up to four SSO Agents for redundancy. In this Quick Start example, we install just one SSO Agent.
To install the SSO Agent and Event Log Monitor:
- Download the Authentication Gateway software from the Software Downloads page for your Firebox on the WatchGuard Software Downloads Center.
The software you download, the WatchGuard Authentication Gateway Installer, includes the Single Sign-On Agent and Event Log Monitor components.
- On the AD domain controller, run the WatchGuard Authentication Gateway Installer.
- Select the check boxes to install both the Single Sign-On Agent, and the Event Log Monitor components.
- Specify the domain user credentials that you want the WatchGuard Authentication Gateway service to use. The account must be a member of the Domain Users security group, and must have the privileges described in the Step 1 — Verify Prerequisites section of this topic.
After the installer finishes, you can see two new services started on the server:
- WatchGuard Authentication Gateway (SSO Agent)
- WatchGuard Authentication Event Log Monitor
For more detailed information about other installation options, go to Install the WatchGuard Single Sign-On (SSO) Agent and Event Log Monitor.
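As an added check after installation (this is example PowerShell, not part of the WatchGuard installer), you can list the two services, confirm they are running, and verify that the account they run as satisfies the prerequisite above: a member of Domain Users and not of Domain Admins. Matching the services by the display-name prefix "WatchGuard Authentication" is an assumption based on the names shown in this topic; the script requires the ActiveDirectory RSAT module, which is present on a domain controller.

```powershell
# Added example, not WatchGuard code. Run on the server where the SSO Agent and ELM are installed.
Import-Module ActiveDirectory

# Display-name prefix is an assumption taken from the service names shown in this topic
$services = Get-CimInstance Win32_Service |
    Where-Object { $_.DisplayName -like 'WatchGuard Authentication*' }

if (-not $services) { Write-Warning 'No WatchGuard Authentication services found'; return }

foreach ($s in $services) {
    '{0,-45} state={1,-8} runs as {2}' -f $s.DisplayName, $s.State, $s.StartName
    if ($s.State -ne 'Running') { Write-Warning "$($s.DisplayName) is not running" }
}

# Built-in identities are not domain accounts and would not meet the Domain Users requirement
$builtin  = '^(LocalSystem|NT AUTHORITY\\|NT SERVICE\\)'
$accounts = $services.StartName | Where-Object { $_ -and $_ -notmatch $builtin } | Sort-Object -Unique

foreach ($acct in $accounts) {
    $sam    = ($acct -split '[\\@]')[0]                    # strip DOMAIN\ or @domain
    if ($acct -match '\\') { $sam = ($acct -split '\\')[-1] }
    $groups = (Get-ADPrincipalGroupMembership -Identity $sam).Name

    if ($groups -notcontains 'Domain Users') { Write-Warning "$acct is not a member of Domain Users" }
    if ($groups -contains 'Domain Admins')   { Write-Warning "$acct is a member of Domain Admins; a less privileged account is recommended" }

    $u = Get-ADUser -Identity $sam -Properties PasswordNeverExpires, Enabled
    if (-not $u.Enabled)              { Write-Warning "$acct is disabled" }
    if (-not $u.PasswordNeverExpires) { Write-Warning "$acct password expires; SSO stops working when it does" }
}
```

Running the agent as a plain Domain Users account with the specific rights the installation topic lists keeps the blast radius small if the server hosting the agent is ever compromised, which is why the Domain Admins warning is treated as a finding rather than as a convenience.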
In the SSO Agent Configuration Tool, you configure:
- SSO Agent contacts settings
- Active Directory domains for SSO
To configure the SSO Agent contacts settings:
- From the Windows start menu programs, select WatchGuard > Authentication Gateway > WatchGuard SSO Agent Configuration Tool.
- Log in with the default admin account credentials for the SSO Agent Configuration Tool:
User Name — admin
Password — readwrite
- In the SSO Agent Configuration Tool, select Edit > SSO Agent Contacts Settings.
- Adjacent to the SSO Client, select the Enabled check box to enable the SSO Agent to contact the SSO Client.
- Select the SSO Client in the list, and click Up to move it to the top of the list.
- Make sure Event Log Monitor is enabled as priority 2.
- In the Contact Domains list, specify one or more domains for the Event Log Monitor or the Exchange Monitor to contact for user login information. The domain name is case sensitive. For each domain, specify the IP address(es) of the servers that run the ELM or EM components.
Next, add a domain with settings for a user account that the SSO Agent can use to search your Active Directory server. We recommend that you create a specific user account on your Active Directory server with permissions to search the directory and with a password that never expires.
From the SSO Agent Configuration Tool:
- Select Edit > Add Domain.
- In the Domain Name text box, type the name of the domain.
The domain name is case sensitive. Make sure you type the domain name exactly as it appears on the Active Directory tab in the Authentication Server Settings on your Firebox. For example, type my-example.com.
- In the NetBIOS Domain Name text box, type the NetBIOS domain name.
The NetBIOS domain name is the Domain Name (pre-Windows 2000) setting in the properties for the domain on the Active Directory server.
- In the IP Address of Domain Controller text box, type the IP address of the Active Directory server for this domain.
If the SSO Agent is installed on the Active Directory server, you can use the loopback address, 127.0.0.1.
- In the Port text box, type the port to use to connect to this server.
The default port is 389.
- In the Searching User section, select an option for how to specify the user name.
- In the text box for the option you chose, type the user information.
Make sure to specify a user who has permissions to query audit/directory information for any other Active Directory users. This can be the same user you specified to run the SSO Agent and Event Log Monitor, with a password that never expires.
- Type and confirm the password of the searching user.
- To add another domain, click OK & Add Next. Repeat Steps 1–8.
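The values entered in Add Domain are easy to get subtly wrong (a case mismatch in the domain name, a searching user that can bind but cannot read other accounts, a password that will expire). The PowerShell below is an added example, not WatchGuard code, that checks each value from the server before you type it into the tool: it compares the DNS and NetBIOS names you intend to enter against what the domain controller reports, binds to LDAP on the chosen address and port as the searching user, and reads attributes of a different account. All values are placeholders; the test account name is a hypothetical one and should be any real user other than the searching user.

```powershell
# Added example, not WatchGuard code. Run on the server that hosts the SSO Agent.
Import-Module ActiveDirectory

$domainName  = 'my-example.com'      # placeholder; must match the Firebox Active Directory tab exactly
$netbiosName = 'MY-EXAMPLE'          # placeholder; the pre-Windows 2000 name
$dcAddress   = '127.0.0.1'           # loopback is valid only when the agent runs on the DC itself
$port        = 389                   # default LDAP port from the step above
$testAccount = 'someone.else'        # hypothetical sAMAccountName of another user to read
$cred        = Get-Credential -Message 'Searching user (DOMAIN\user)'

# 1. Compare the names you plan to enter with the domain controller's own view (case sensitive)
$ad = Get-ADDomain
if ($ad.DNSRoot -cne $domainName)     { Write-Warning "Domain Name '$domainName' does not match DNSRoot '$($ad.DNSRoot)'" }
if ($ad.NetBIOSName -cne $netbiosName) { Write-Warning "NetBIOS name '$netbiosName' does not match '$($ad.NetBIOSName)'" }

# 2. The searching user should have a non-expiring password, or SSO silently stops at expiry
$samSearch = ($cred.UserName -split '\\')[-1]
$su = Get-ADUser -Identity $samSearch -Properties PasswordNeverExpires
if (-not $su.PasswordNeverExpires) { Write-Warning "$($cred.UserName) has an expiring password" }

# 3. Bind over LDAP exactly as the agent will (address, port, simple bind as the searching user)
$base  = 'DC=' + (($domainName -split '\.') -join ',DC=')
$entry = New-Object System.DirectoryServices.DirectoryEntry(
             "LDAP://${dcAddress}:${port}/$base",
             $cred.UserName,
             $cred.GetNetworkCredential().Password)

$searcher = New-Object System.DirectoryServices.DirectorySearcher($entry)
$searcher.Filter = "(&(objectClass=user)(sAMAccountName=$testAccount))"
[void]$searcher.PropertiesToLoad.AddRange([string[]]@('sAMAccountName', 'memberOf', 'pwdLastSet'))

try {
    $r = $searcher.FindOne()          # forces the bind; throws on bad credentials or unreachable DC
    if ($r) {
        'Bind OK as {0}; read {1} with {2} group(s)' -f $cred.UserName,
            $r.Properties['samaccountname'][0], $r.Properties['memberof'].Count
    } else {
        Write-Warning "Bind OK, but $testAccount was not found or is not readable by the searching user"
    }
} catch {
    Write-Warning "LDAP bind or search failed: $($_.Exception.Message)"
}
```

A successful bind that returns no result for a user you know exists is the case to look for: it means the searching user is authenticating but lacks read rights on other accounts, which is exactly the failure the "permissions to query audit/directory information for any other Active Directory users" requirement is about.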
For more information about SSO Agent configuration options, go to Configure the Active Directory SSO Agent.
The Single Sign-On Client is optional, but recommended for the most reliable SSO implementation. The SSO Client runs as a local system service on each user computer to collect the user login information for the user currently logged in to that computer. It requires no interaction from the user. For the most reliable SSO implementation, WatchGuard highly recommends that you use the SSO Client on computers that support it.
You can download the Single Sign-On Clients for Windows and macOS from the WatchGuard Software Downloads Center.
- Because the SSO Client installer for Windows is an MSI file, you can use an Active Directory Group Policy to automatically install it when users log on to your domain from a Windows computer. For more information about software installation deployment for Active Directory group policy objects, see the documentation for your operating system.
- If your Firebox is configured with multiple Active Directory domains, your users must install the SSO Client.
- For users with macOS to use the SSO Client, their computers must have joined the Active Directory server.
For details about how to install the SSO Client, go to Install the WatchGuard Active Directory SSO Client.
After all the other components are in place, you can enable Single Sign-On on the Firebox.
To enable Single Sign-On, from Fireware Web UI:
- Select Authentication > Single Sign-On.
The Single Sign-On page appears.
- Select the Enable Single Sign-On (SSO) with Active Directory check box.
- In the SSO Agent IP Address text box, type the IP address of the server where you installed the SSO Agent.
To enable Single Sign-On, from Policy Manager:
- Select Setup > Authentication > Authentication Settings.
The Authentication Settings dialog box appears.
- Select the Single Sign-On tab.
- Select the Enable Single Sign-On (SSO) with Active Directory check box.
After you enable Single Sign-On, you can add SSO exceptions. We recommend that you add SSO exceptions for all network devices that might try to send traffic to the Internet and are not in the domain. These include network devices such as:
- Network servers
- Print servers
- Managed switches and routers
- Networks or computers that are not part of the domain, such as guest networks
- Users on your internal network who must manually authenticate to the Authentication Portal
For more information about how to enable SSO and configure SSO exceptions, go to Enable Active Directory SSO on the Firebox.
WatchGuard SSO Exchange Monitor is an optional component you can install to enable SSO for network clients that use Linux, or mobile devices that run iOS, Android, or Windows Mobile. Exchange Monitor is used primarily for mobile client authentication, but you can also use it as a backup SSO connection for computers that are not shared by multiple users.
For more information, go to Install the WatchGuard Active Directory SSO Exchange Monitor.
To troubleshoot SSO, review the list of requirements and verify your network servers and SSO components are configured correctly.
About Active Directory Single Sign-On (SSO)
How Active Directory SSO Works
Getting Started with Single Sign-On video tutorial (9 minutes)