User guide
User and Group Management
To use SSO, you must install the WatchGuard Authentication Gateway software, also known as the SSO agent software, on a domain computer in your network. When a user logs on to a computer, the SSO agent collects the user's logon information and sends it to the Firebox. The Firebox can then check that user information against all policies defined for the user and for the groups the user belongs to in one operation. The SSO agent caches this data for about 10 minutes by default, so a new query does not have to be generated for every packet. For more information about installing the SSO agent, see Install the WatchGuard SSO Agent.
Before You Begin
You must have an Active Directory server configured on your trusted or optional network. Additionally, DHCP and DNS servers must be configured in the same domain as the Active Directory server.
Your Firebox must be set to use Active Directory authentication.
Each user must have an account set up on the Active Directory server.
Each user must log on to a domain account for Single Sign-On (SSO) to operate correctly. If users log on to an account that exists only on their local computer, their credentials are not checked and the Firebox does not recognize that they are logged in.
If you use third-party firewall software on your network computers, make sure that TCP port 445 (SMB/Windows Networking) is open on each client.
Make sure that file and printer sharing is enabled on every computer from which users authenticate with SSO.
Make sure that the NetBIOS and SMB ports are not blocked on any computer from which users authenticate with SSO. NetBIOS uses UDP ports 137 and 138 and TCP port 139; SMB uses TCP port 445.
Make sure that all computers from which users authenticate with SSO are members of the domain with unbroken trust relationships.
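The checks in the list above can be scripted. The following PowerShell script is an added example and is not part of the WatchGuard guide or the SSO agent software. It assumes Windows PowerShell 5.1 or later, the ActiveDirectory RSAT module for Get-ADComputer, local administrator rights on the clients, and WinRM enabled on the clients for the two checks that can only run locally (the domain secure channel and the File and Printer Sharing firewall rules). The host names WS-ALICE and WS-BOB are made up; the function name Test-SsoClient is this example's own.

```powershell
# Added example, not from the WatchGuard guide. Run it on the SSO agent host
# (or any domain-joined administrative workstation) to check the SSO
# prerequisites for each client computer. Assumptions: Windows PowerShell 5.1+,
# the ActiveDirectory RSAT module, admin rights on the clients, and WinRM
# enabled on the clients. The host names below are made up for the example.
$clients = @('WS-ALICE', 'WS-BOB')

function Test-SsoClient {
    param([string]$Computer)

    $r = [ordered]@{ Computer = $Computer }

    # Domain membership: the computer account must exist in Active Directory.
    $r.InDomain = [bool](Get-ADComputer -Filter "Name -eq '$Computer'" -ErrorAction SilentlyContinue)

    # SMB (TCP 445) and NetBIOS session (TCP 139) must be reachable from the agent host.
    foreach ($port in 445, 139) {
        $t = Test-NetConnection -ComputerName $Computer -Port $port -WarningAction SilentlyContinue
        $r["Tcp$port"] = $t.TcpTestSucceeded
    }

    # NetBIOS name service (UDP 137): nbtstat -a sends a node status request.
    # A registered <00> entry in the reply means the client answered over UDP 137.
    $r.NetBiosUdp137 = [bool](nbtstat -a $Computer 2>$null | Select-String '<00>')

    # The secure channel to the domain and the File and Printer Sharing inbound
    # firewall rules can only be checked on the client itself.
    try {
        $local = Invoke-Command -ComputerName $Computer -ErrorAction Stop -ScriptBlock {
            [pscustomobject]@{
                TrustOk        = Test-ComputerSecureChannel
                SharingEnabled = @(Get-NetFirewallRule -DisplayGroup 'File and Printer Sharing' |
                    Where-Object { $_.Direction -eq 'Inbound' -and $_.Enabled -eq 'True' }).Count -gt 0
            }
        }
        $r.TrustOk        = $local.TrustOk
        $r.SharingEnabled = $local.SharingEnabled
    } catch {
        $r.TrustOk        = $null
        $r.SharingEnabled = $null
        $r.Error          = $_.Exception.Message
    }

    # The client is SSO-ready only when every prerequisite check passed.
    $r.SsoReady = $r.InDomain -and $r.Tcp445 -and $r.Tcp139 -and $r.NetBiosUdp137 -and
                  ($r.TrustOk -eq $true) -and ($r.SharingEnabled -eq $true)
    [pscustomobject]$r
}

$clients | ForEach-Object { Test-SsoClient -Computer $_ } | Format-Table -AutoSize
```

The port tests only prove reachability from the machine that runs the script, so run it on the SSO agent host itself; a third-party firewall on a client can still drop traffic from other sources. A client that shows TrustOk as False has a broken domain trust relationship and must be rejoined to the domain before SSO will work for users on it.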
Define SSO Exceptions
If your network includes devices with IP addresses that do not require authentication, such as network or print servers, it is a good idea to add them to the SSO Exception list in the SSO configuration. Each time a connection comes from a device whose IP address is not in the exceptions list, the Firebox contacts the SSO agent to try to associate the IP address with a user name. This takes about 10 seconds. Use the exceptions list to avoid the additional 10-second processing time for each connection from such devices and to reduce unnecessary network traffic. Because the Firebox does not query the SSO agent for an excepted IP address, it cannot associate that address with a user name, so add only devices for which user-based policies are not needed.