Before You Begin - Watchguard Firebox X15 User Manual

Firebox x edge e-series version 10 all firebox x edge e-series standard and wireless models
User and Group Management
About Single Sign-On (SSO)
When users log on to a computer using Active Directory authentication, they must enter a user ID and
password. If you use your Firebox to restrict outgoing network traffic to specified users or groups, users must
log on again to access network resources such as the Internet. You can use Single Sign-On (SSO) so that users
on the trusted or optional networks are automatically authenticated with the Firebox when they log on to
their computer.
SSO is not recommended for environments where multiple users share a single computer or
IP address, or where users log in using Mobile VPN. When more than one user is associated with an
IP address, network permissions may not operate correctly. This can be a security risk.
To use SSO, you must install the WatchGuard Authentication Gateway software, also known as the SSO agent
software, on a domain computer in your network. When a user logs on to a computer, the SSO agent gathers
all the information from the user and sends it to the Firebox. The Firebox can then check the user information
against all the defined policies for that user and/or user group at one time. The SSO agent caches this data for
about 10 minutes by default so that a query does not have to be generated for every packet. For more
information about installing the SSO agent, see Install the WatchGuard SSO Agent.

Before You Begin

- You must have an Active Directory server configured on your trusted or optional network. Additionally, DHCP and DNS servers must be configured on the same domain as the Active Directory server.
- Your Firebox must be set to use Active Directory authentication. For more information, see LDAP/Active Directory Authentication.
- Each user must have an account set up on the Active Directory server.
- Each user must log on to a domain account for Single Sign-On (SSO) to operate correctly. If users log on to an account that exists only on their local computer, their credentials are not checked and the Firebox does not recognize that they are logged in.
- If you use third-party firewall software on your network computers, make sure that TCP port 445 (Samba/Windows Networking) is open on each client.
- Make sure that printing and file sharing are enabled on every computer from which users authenticate using SSO.
- Make sure that NetBIOS and SMB ports are not blocked on any computer from which users authenticate using SSO. NetBIOS uses TCP/UDP ports 137, 138, and 139, and SMB uses TCP port 445.
- Make sure that all computers from which users authenticate using SSO are members of the domain with unbroken trust relationships.
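The following pre-flight script checks the client-side prerequisites listed above on a Windows computer. It is added here as an example and is not part of the WatchGuard manual or the SSO agent software; it assumes Windows 8 / Server 2012 or later (for the NetTCPIP and NetSecurity cmdlets) and the English display-group name "File and Printer Sharing" for the firewall rules.

```powershell
# Added example: report-only check of the SSO client prerequisites.
# Assumes Windows 8 / Server 2012 or later; changes nothing on the machine.

$results = [ordered]@{}

# 1. The computer must be a domain member with an intact trust relationship.
$cs = Get-CimInstance -ClassName Win32_ComputerSystem
$results['Domain member']     = [bool]$cs.PartOfDomain
$results['Secure channel OK'] = $cs.PartOfDomain -and
    [bool](Test-ComputerSecureChannel -ErrorAction SilentlyContinue)

# 2. The user must be logged on with a domain account, not a local one.
$results['Domain logon'] = ($env:USERDOMAIN -ne $env:COMPUTERNAME)

# 3. SMB (TCP 445) and the NetBIOS session service (TCP 139) must be listening.
$tcpListen = Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue |
    Select-Object -ExpandProperty LocalPort
foreach ($p in 139, 445) { $results["TCP $p listening"] = ($tcpListen -contains $p) }

# 4. NetBIOS name and datagram services (UDP 137, 138) must be bound.
$udpBound = Get-NetUDPEndpoint -ErrorAction SilentlyContinue |
    Select-Object -ExpandProperty LocalPort
foreach ($p in 137, 138) { $results["UDP $p bound"] = ($udpBound -contains $p) }

# 5. Inbound File and Printer Sharing rules must be enabled in Windows Firewall
#    (assumes the English display-group name; third-party firewalls need their own check).
$fps = Get-NetFirewallRule -DisplayGroup 'File and Printer Sharing' -Direction Inbound `
    -ErrorAction SilentlyContinue
$results['File/Print sharing rules enabled'] = [bool]($fps | Where-Object { $_.Enabled -eq 'True' })

# Print one line per prerequisite; any CHECK line needs attention before SSO will work.
$results.GetEnumerator() | ForEach-Object {
    '{0,-36} {1}' -f $_.Key, $(if ($_.Value) { 'OK' } else { 'CHECK' })
}
```

Run it from the client itself under the user's normal (domain) logon; the port checks confirm the services are listening locally, not that the path from the SSO agent host is open through third-party firewall software.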
Enable and configure SSO
To enable SSO on your Firebox, see Enable Single Sign-On.
About SSO exceptions
If your network includes devices with IP addresses that do not require authentication, such as network or print
servers, it is a good idea to add them to the SSO Exception list in the SSO configuration. Each time a connection
from one of these devices occurs and the IP address for the device is not in the exceptions list, the Firebox
contacts the SSO agent to try to associate the IP address with a user name. This takes about 10 seconds. Use
the exceptions list to prevent the additional 10 second processing time for each connection and reduce
unnecessary network traffic.
For more information about adding SSO exceptions, see Enable Single Sign-On.