Benefits and Requirements of SSO

03/26/2020 72 11390

DESCRIPTION:
Benefits and Requirements of SSO

RESOLUTION:

Benefits of SonicWall SSO:

SonicWall SSO is a reliable and time-saving feature that utilizes a single login to provide access to multiple network resources based on administrator-configured group memberships and policy matching. SonicWall SSO is transparent to end users and requires minimal administrator configuration.

By automatically determining when users have logged in or out based on workstation IP address traffic, or, for Terminal Services or Citrix, traffic from a particular user at the server IP address, SonicWallSSO is secure and hands-free. SSO authentication is designed to operate with any external agent that can return the identity of a user at a workstation or Terminal Services/Citrix server IP address using a SonicWall ADConnector-compatible protocol.

SonicWall SSO works for any service on the SonicWall security appliances that uses user-level authentication, including Content Filtering Service (CFS), Firewall Access Rules, group membership and inheritance, and security services (Application Control, IPS, GAV and SPY) inclusion/exclusion lists.

Other benefits of SonicWall SSO include:

  Ease of use   Users only need to sign in once to gain automatic access to multiple resources.

  Improved user experience   Windows domain credentials can be used to authenticate a user for any traffic type without logging into the appliance using a Web browser.

  Transparency to users   Users are not required to re-enter user name and password for authentication.

  Secure communication  Shared key encryption for data transmission protection.

 SonicWallSSO Agent can be installed on any Windows server on the LAN, and TSA can be installed on any terminal server.

  Multiple SSO Agents   Up to 8 agents are supported to provide capacity for large installations

  Multiple TSAs   Multiple terminal services agents (one per terminal server) are supported. The number depends on the SonicWallnetwork security appliance model and ranges from 4 to 256.

  Login mechanism works with any protocol, not just HTTP.

  Browser NTLM authentication   SonicWallSSO can authenticate users sending HTTP traffic without using the SSO Agent.

  Mac and Linux support   With Samba 3.5 and higher, SonicWallSSO is supported for Mac and Linux users.

  Per-zone enforcement   SonicWallSSO can be triggered for traffic from any zone even when not automatically initiated by firewall access rules or security services policies, providing user identification in event logging or App Flow Monitoring.

Platforms and Supported Standards:

1) SonicWallSSO is available on SonicWall NSA Series appliances running SonicOS Enhanced 5.0 or higher. The SonicWall SSO Agent is compatible with all versions of SonicOS Enhanced that support SonicWall SSO. The SonicWall TSA is supported on SonicOS Enhanced 5.6 and higher, running on SonicWall NSA Series and TZ 210 Series appliances.

2) The SonicWall SSO feature supports LDAP and local database protocols. SonicWall SSO supports SonicWall Directory Connector. SonicWall SSO can also interwork with ADConnector in an installation that includes a SonicWall CSM, but Directory Connector is recommended. For all features of SonicWall SSO to work properly, SonicOS Enhanced 5.5 should be used with Directory Connector 3.1.7 or higher.

3) To use SonicWall SSO with Windows Terminal Services or Citrix, SonicOS Enhanced 5.6 or higher is required, and SonicWall TSA must be installed on the server.

4) To use SonicWall SSO with Browser NTLM authentication, SonicOS Enhanced 5.8 or higher is required. The SonicWall SSO Agent is not required for browser NTLM authentication.

5) SonicWall SSO on SonicOS Enhanced 5.5 and higher is compatible with SonicWall NDConnector for interoperability with Novell users. NDConnector is also available as part of Directory Connector.

6) Except when using only browser NTLM authentication, using SonicWall SSO requires that the SonicWall SSO Agent be installed on a server within your Windows domain that can reach clients and can be reached from the appliance, either directly or through a VPN path, and/or SonicWall TSA be installed on any terminal servers in the domain.

7) The SonicOS SSO feature is capable of working in Virtual Machine environments, but is not officially supported. This is due to the variety of potential resource consuming environments of VM deployments, making it not practicable to effectively test and verify all possible permutations.

Requirements for SSO Agent:

The following requirements must be met in order to run the SSO Agent:

  UDP port 2258 (by default) must be open; the firewall uses UDP port 2258 by default to communicate with SonicWall SSO Agent; if a custom port is configured instead of 2258, then this requirement applies to the custom port

  Windows Server, with latest service pack

  .NET Framework 2.0

  Net API or WMI