When you use the WatchGuard Active Directory Single Sign-On (SSO) solution, users on the trusted or optional networks provide their user credentials one time (when they log on to their computers) and are automatically authenticated to your Firebox. This topic summarizes how to set up WatchGuard Single Sign-On with the three most commonly used components of the WatchGuard SSOsolution:
- SSOAgent — You must install the SSOAgent on your network to collect user login information and provide that information to the Firebox. The SSOAgent can collect user login information from the SSOClient, Event Log Monitor, and Exchange Monitor.
- SSO Client — You can install the SSOClient on Windows and macOS computers on your network. The SSOClient runs in the background to collect user credentials, domain information, and group information to provide to the SSOAgent.
- Event Log Monitor (ELM) — You can install the Event Log Monitor on a server in each network domain to collect user login information from the Windows security event log files from domain Windows computers that do not have the SSOClient installed.
It is not necessary for the SSO component versions to match each other or to match the version of Fireware OS on your Firebox unless otherwise specified. The exceptions are that the SSO Agent v12.5.4 supports Fireware v12.5.4 or higher only, and you cannot use SSO Client v12.5.4 with versions of the SSO Agent lower than v12.5.4.
We recommend that you install the latest available version of the SSO Agent, even if your Firebox runs an older version of Fireware.
For a complete description of all WatchGuard SSOcomponents, configuration options, and functionality, go to How Active Directory SSO Works.
This Quick Start procedure focuses on how to deploy SSOcomponents for SSO from computers that use the SSOClient. It also describes how to set up the Event Log Monitor as a secondary method to enable SSOfor Windows computers that do not have the SSOClient installed. Even if you install the Event Log Monitor, we recommend that you install the SSOClient on all Windows computers for the most reliable SSOdeployment.
Before you configure SSO for your network, verify that your network configuration supports all the necessary requirements.
Active Directory
- You must have an Active Directory server configured on your local network.
- Your Firebox must be configured to use Active Directory authentication.
- Each user must have a user account on the Active Directory server.
- Each user must log in with a domain user account for SSO to operate correctly. If users log in with an account that exists only on their local computers, their credentials are not verified and the Firebox does not recognize that they are logged in.
- The SSO Agent and the Event Log Monitor must run as a user account in the Domain Users security group. Tip! We recommend that you add a user account on your Active Directory server for this purpose, and set the account password to never expire.
The Domain Users account you select must have privileges to run services on the Active Directory server, to search the directory, and to search all other user audit information. To configure the correct permissions and settings, see Install the WatchGuard Single Sign-On (SSO) Agent and Event Log Monitor. We recommend that you do not select an account in the Domain Admins security group. - All computers from which users authenticate with SSO must be members of the Active Directory domain with unbroken trust relationships.
To use Active Directory SSO with computers joined to your domain with Azure Active Directory, you must install v12.10.1 or higher of the WatchGuard Single Sign-On (SSO) Agent. This version of the agent supports hybrid environments, here a local Active Directory domain controller is used for authentication by the Firebox, and the computers are added to this domain with Azure AD.
- macOScomputers must join the Active Directory domain before the SSO Client can be installed.
- The Exchange Monitor must run as a user account in the Domain Admins security group.
Ports
- TCP port 445 (port for SMB) must be open on the client computers.
- TCP port 4116 must be open on the client computers where you install the SSO Client.
- TCP port 4114 must be open on the server where you install the SSO Agent.
- TCP port 4135 must be open on the server where you install the Event Log Monitor.
- TCPport 4136 must be open on the server where you install the Exchange Monitor.
To test whether these ports are open, you can use the SSO Port Tester tool. For more information, see Troubleshoot SSO.
Event Logs
- For the Event Log Monitorto operate correctly, you must enable audit logging on all Windows domain computers for the 4624 and 4634 logon and account logon events.
- If your Windows network is configured for Fast User Switching, you must:
- Enable audit logging on all Windows domain computers for events 4647, 4778, and 4779.
This enables Event Log Monitor to operate correctly. - Install Event Log Monitor v11.10 or higher.
The WatchGuard Authentication Gateway installer includes the option to install Event Log Monitor.
- Enable audit logging on all Windows domain computers for events 4647, 4778, and 4779.
- For Remote Desktop Protocol (RDP) users to use clientless SSO:
- Event Log Monitor v11.10 or higher must be installed.
- Microsoft events 4624 and 4634 must be generated on the client computers and contain Logon Type attributes. These attributes specify whether a logon or logoff event occurred on the local network or through RDP. Attributes 2 and 11 specify local logon and logoff events, and attribute 10 specifies an RDP logon or logoff event.
Microsoft .NET Requirements
- For v12.3 or higher of the SSO Agent, Microsoft .NETFramework v4.0 or higher must be installed on the server where you install the SSO Agent.
- For SSO Agent versions lower than v12.3, Microsoft .NETFramework v2.0–4.5 must be installed on the server where you install the SSO Agent.
- For Microsoft Exchange Server 2010 and earlier, Microsoft .NETFramework v2.0 or higher must be installed on the server where you install the Exchange Monitor.
- For Windows Server 2012 and higher, and Microsoft Exchange Server 2013 and higher, Microsoft .NETFramework 3.5 or higher must be installed on the server where you install the Exchange Monitor.
Step 2 — Install the WatchGuard SSOAgent and Event Log Monitor
You must install the WatchGuard SSOAgent. The Event Log Monitor component is optional, but is recommended as a backup method for the SSOAgent to collect user login information. To minimize the potential for connectivity issues between the SSO components, we recommend that you install both the SSOAgent and Event Log Monitor on the Active Directory domain controller. You can install them on any server in your network domain.
Fireware v12.2 or higher supports up to four SSOAgents for redundancy. In this Quick Start example, we install just one SSO Agent.
To install the SSO Agent and Event Log Monitor:
- Download the Authentication Gateway software from the Software Downloads page for your Firebox on the WatchGuard Software Downloads Center.
The software you download, the WatchGuard Authentication Gateway Installer, includes the Single Sign-On Agent and Event Log Monitor components. - On the ADdomain controller, run the WatchGuard Authentication Gateway Installer.
- Select the check boxes to install both the Single Sign-On Agent, and the Event Log Monitor components.
- Specify the domain user credentials that you want the WatchGuard Authentication Gateway service to use. The account must be a member of the Domain Users security group, and must have the privileges described in the Step 1 — Verify Prerequisites section of this topic.
After the installer finishes, you can see two new services started on the server:
- WatchGuard Authentication Gateway (SSOAgent)
- WatchGuard Authentication Event Log Monitor
For more detailed information about other installation options, go to Install the WatchGuard Single Sign-On (SSO) Agent and Event Log Monitor.
Step 3 — Configure the WatchGuard SSOAgent
In the SSOAgent Configuration Tool, you configure:
- SSOAgent contacts settings
- Active Directory domains for SSO
To configure the SSOAgent contacts settings:
- From the Windows start menu programs, select WatchGuard > Authentication Gateway > WatchGuard SSOAgent Configuration Tool.
- Log in with the default admin account credentials for the SSOAgent Configuration Tool:
User Name — admin
Password — readwrite. - In the SSOAgent Configuration Tool, select Edit > SSOAgent Contacts Settings.
- Adjacent to the SSOClient, select the Enabled check box to enable the SSOAgent to contact the SSOClient.
- Select the SSOClient in the list, and click Up to move it to the top of the list.
- Make sure Event Log Monitor is enabled as priority 2.
- In the Contact Domains list, specify one or more domains for the Event Log Monitor or the Exchange Monitor to contact for user login information. The domain name is case sensitive. For each domain, specify the IP address(es) for the server that run the ELMor EMcomponents.
Next, add a domain with settings for a user account that the SSO Agent can use to search your Active Directory server. We recommend that you create a specific user account on your Active Directory server with permissions to search the directory and with a password that never expires.
From SSOAgent Configuration Tools:
- Select Edit > Add Domain.
- In the Domain Name text box, type the name of the domain.
The domain name is case sensitive. Make sure you type the domain name exactly at it appears on the Active Directory tab in the Authentication Server Settings on your Firebox.
For example, type my-example.com. - In the NetBIOSDomain Name text box, type the NetBIOS domain name.
The NetBIOSdomain name is the Domain Name (pre-Windows 2000) setting in the properties for the domain on the Active Directory server. - In the IPAddress of Domain Controller text box, type the IP address of the Active Directory server for this domain.
If the SSOAgent is installed on the Active Directory server, you can use the loopback address, 127.0.0.1. - In the Port text box, type the port to use to connect to this server.
The default port is 389. - In the Searching User section, select an option for how to specify the user name.
- In the text box for the option you chose, type the user information.
Make sure to specify a user who has permissions to query audit/directory information for any other Active Directory users. This can be the same user you specified to run the SSOAgent and Event Log Monitor, with a password that never expires. - Type and confirm the password of the searching user.
- To add another domain, click OK&Add Next. Repeat Steps 1–8.
For more information about SSOAgent configuration options, go to Configure the Active Directory SSO Agent.
Step 4 — Install the SSOClient
The Single Sign-On Client is optional, but recommended for the most reliable SSO implementation. The SSOClient runs as a local system service on each user computer to collect the user login information for the user currently logged in to that computer. It requires no interaction from the user. For the most reliable SSO implementation, WatchGuard highly recommends that you use the SSO Client on computers that support it.
You can download the Single Sign-OnClients for Windows and macOS from the WatchGuard Software Downloads Center.
- Because the SSO Client installer for Windows is an MSI file, you can use an Active Directory Group Policy to automatically install it when users log on to your domain from a Windows computer. For more information about software installation deployment for Active Directory group policy objects, see the documentation for your operating system.
- If your Firebox is configured with multiple Active Directory domains, your users must install the SSO Client.
- For a users with macOS to use the SSO Client, their computers must have joined the Active Directory server.
For details about how to install the SSOClient, go to Install the WatchGuard Active Directory SSO Client.
Step 5 — Enable and Configure Single Sign-On on the Firebox
After all the other components are in place, you can enable Single Sign-On on the Firebox.
To enable Single Sign-On, from Fireware Web UI:
- Select Authentication > Single Sign-On.
The Single Sign-On page appears. - Select the Enable Single Sign-On (SSO) with Active Directory check box.
- In the SSOAgent IPAddress text box, type the IPaddress of the server where you installed the SSOAgent.
To enable Single Sign-On, from Policy Manager:
- Select Setup > Authentication > Authentication Settings.
The Authentication Settings dialog box appears. - Select the Single Sign-On tab.
- Select the Enable Single Sign-On (SSO) with Active Directory check box.
After you enable Single Sign-On, you can add SSO exceptions. We recommend that you add SSOexceptions for all network devices that might try to sent traffic to the Internet and are not in the domain. These include network devices, such as:
- Network servers
- Print servers
- Managed switches and routers
- Networks or computers that are not part of the domain, such as guest networks
- Users on your internal network who must manually authenticate to the Authentication Portal
For more information about how to enable SSO and configure SSOexceptions, go to Enable Active Directory SSO on the Firebox.
WatchGuard SSO Exchange Monitor is an optional component you can install to enable SSOfor network clients that use Linux, or mobile devices that run iOS, Android, or Windows Mobile. Exchange Monitor is used primarily for mobile client authentication, but you can also use it as a backup SSOconnection for computers that are not shared by multiple users.
For more information, go to Install the WatchGuard Active Directory SSO Exchange Monitor.
To troubleshoot SSO, review the list of requirements and verify your network servers and SSOcomponents are configured correctly.
Related Topics
About Active Directory Single Sign-On (SSO)
How Active Directory SSO Works
Getting Started with Single Sign-On video tutorial (9 minutes)
Example Network Configurations for Active Directory SSO
Troubleshoot Active Directory SSO
Give Us Feedback● Get Support● All Product Documentation● Technical Search
© 2024 WatchGuard Technologies, Inc. All rights reserved. WatchGuard and the WatchGuard logo are registered trademarks or trademarks of WatchGuard Technologies in the United States and other countries. Various other trademarks are held by their respective owners.
