FAQ on deploying Multiple SSO Agents with Multiple Domain Controllers

03/26/2020


    Description

    FAQ on deploying Multiple SSO Agents with Multiple Domain Controllers

    Resolution

    Do I have to add all Read-only Domain Controllers (RODC) and Windows Domain Controllers (WDC) to each SSO agent domain controller list to ensure that the SSO agent will see all security logins?

    It is not recommended. Having multiple SSO agents read from the same DC, or the same set of DCs, only increases the load on those DCs, with each agent building an identical database of the users logged in to all of them. Having two agents configured with the same DCs gives redundancy should an agent go down, so it is a good idea to have multiple agents, but more than two agents per set of DCs is not. It is better to spread the load across the agents by having them read from different DCs. So, for example, if you have 8 DCs and 6 agents, I would set it up so that:
    • Agents 1 & 2 read from DCs A, B and C.
    • Agents 3 & 4 read from DCs D, E and F.
    • Agents 5 & 6 read from DCs G and H.
    So it is recommended that you pair the agents to read the same sets of domain controllers. You should not mix the agents into overlapping coverage, as this increases the amount of redundant work with no added benefit.

    The “1-2-1” group scheme is better than the “different pairing” scheme. The reason is that the appliance creates its groups of agents from agents that are configured for the same DCs, so in case 1 there are two groups (DCs A,B and DCs C,D), but in case 2 there are four groups (DCs A,D; A,C; B,D; and B,C). In case 1 the appliance covers all DCs in just two requests, but in case 2 it takes three requests if a user is on DC B, and the list of users on DC A will have been checked through twice before it gets there.

    “1-2-1 Group” – Both agents talk to the same group of DCs
    • Agent 1 talks to DC A, B
    • Agent 2 talks to DC A, B
    • Agent 3 talks to DC C, D
    • Agent 4 talks to DC C, D

    “Different Pairing” – Agents do not share the same DC group.
    • Agent 1 talks to DC A, D
    • Agent 2 talks to DC A, C
    • Agent 3 talks to DC B, D
    • Agent 4 talks to DC B, C
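    The request-count argument above can be checked with a small model of how the appliance groups agents. This is an added example, not SonicWall code; it assumes the appliance forms one group per distinct DC set (the article's "agents that are configured for the same DCs") and, all else being equal, tries the groups in the order the agents are configured. The function and layout names are the example's own; the three layouts are the ones described in this article (the 8-DC/6-agent layout and the two four-agent cases).

```python
"""Model of how the appliance groups SSO agents by the DC set each one reads.

Added example, not SonicWall code. Assumption: one group per distinct DC set,
tried in agent configuration order; each group tried costs one request.
"""
from collections import OrderedDict


def build_groups(agent_dcs):
    """Return [(frozenset_of_dcs, [agents])] in first-seen order.

    agent_dcs: ordered mapping agent name -> iterable of DC names.
    """
    groups = OrderedDict()
    for agent, dcs in agent_dcs.items():
        groups.setdefault(frozenset(dcs), []).append(agent)
    return list(groups.items())


def requests_to_locate(groups, dc):
    """Number of group requests until the group holding `dc` is reached.

    Returns None if no configured agent reads that DC.
    """
    for n, (dcs, _agents) in enumerate(groups, start=1):
        if dc in dcs:
            return n
    return None


def worst_case(groups, all_dcs):
    """Largest request count over all DCs (None if some DC is uncovered)."""
    counts = [requests_to_locate(groups, dc) for dc in all_dcs]
    return None if None in counts else max(counts)


# "1-2-1 group": paired agents read the same DC set (from the article).
ONE_TWO_ONE = {
    "Agent 1": ["A", "B"], "Agent 2": ["A", "B"],
    "Agent 3": ["C", "D"], "Agent 4": ["C", "D"],
}
# "Different pairing": every agent has a unique DC set (from the article).
DIFFERENT_PAIRING = {
    "Agent 1": ["A", "D"], "Agent 2": ["A", "C"],
    "Agent 3": ["B", "D"], "Agent 4": ["B", "C"],
}
# The 8-DC / 6-agent layout recommended earlier in the article.
EIGHT_DC_LAYOUT = {
    "Agent 1": "ABC", "Agent 2": "ABC",
    "Agent 3": "DEF", "Agent 4": "DEF",
    "Agent 5": "GH", "Agent 6": "GH",
}


def compare(layout, all_dcs):
    """Summarise a layout: the groups, per-DC request count, and worst case."""
    groups = build_groups(layout)
    return {
        "groups": [sorted(dcs) for dcs, _ in groups],
        "per_dc": {dc: requests_to_locate(groups, dc) for dc in all_dcs},
        "worst_case": worst_case(groups, all_dcs),
    }


if __name__ == "__main__":
    for name, layout, dcs in [
        ("1-2-1", ONE_TWO_ONE, "ABCD"),
        ("different pairing", DIFFERENT_PAIRING, "ABCD"),
        ("8 DCs / 6 agents", EIGHT_DC_LAYOUT, "ABCDEFGH"),
    ]:
        print(name, compare(layout, dcs))
```

    Running it reproduces the article's figures: two groups and at most two requests for the 1-2-1 layout, four groups and three requests for a user on DC B in the different-pairing layout (with DC A's user list scanned in the first two), and three groups for the 8-DC layout. Any layout that leaves a DC uncovered shows up as a None in the per-DC counts.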
    What kind of delays will we see if a user being handled by an SSO agent has to traverse a list of 12 domain controllers before discovering that the logon event is on the 12th domain controller?

    Extremely small. Because the agent has built an internal database of logged in users, it simply looks up the user in that and replies to the appliance immediately. So no delays are involved while the agent queries anything. But it is precisely because this delay is very small that it is better to have the appliance run down a list of agent groups than to try to have one agent read all the users from all the DCs.

    Can we control the order in which the SSO agent accesses the domain controllers listed on the SSO agent?

    The appliance treats the domain controllers as groups, each DC group being those DCs that are read by one agent or one set of agents. The domain controller groups are actually built dynamically in the appliance since it isn’t configured with any information to tell it about them - it gets that information from the agents and creates the groupings as they return it. The DC groups will then be accessed in the same order that the appliance creates them on hearing back from the agents at startup. All things being equal that would tend to be the same order that the agents are configured, but it’s likely to be affected by network delays, distance to each agent, speeds of the agent PCs, etc. so that is not guaranteed.

    The agent groupings are shown in the Single Sign On section of the TSR, and they will be accessed in the order as shown, e.g. in this example DC 192.168.168.4 will be tried first, then DC 192.168.168.3, and then if those fail to identify the user then finally NetAPI will be tried:

    Agent 1 @ 192.168.168.3, state = up, protocol version = 4 (supported = 4)
      - User ID mechanisms: NetAPI
    Agent 2 @ 192.168.168.92, state = up, protocol version = 4 (supported = 4)
      - User ID mechanisms: DC Logs
    Agent 3 @ 192.168.168.94, state = up, protocol version = 4 (supported = 4)
      - User ID mechanisms: DC Logs + NetAPI
    Agent group 1:
      - domain controllers: 192.168.168.4
      - agents:             192.168.168.94
    Agent group 2:
      - domain controllers: 192.168.168.3
      - agents:             192.168.168.92
    Agent group 3 (default):
      - domain controllers: none
      - agents:             192.168.168.3

    If all agents that talk to a particular group of DCs are disabled then that DC group will be deleted on the appliance, and if they are then subsequently re-enabled the DC group will be re-created and will now be the last one accessed, so this does give a way to control that ordering. If I disable and then re-enable agent 192.168.168.92, the above order changes to:

    Agent group 1:
      - domain controllers: 192.168.168.3
      - agents:             192.168.168.92
    Agent group 2:
      - domain controllers: 192.168.168.4
      - agents:             192.168.168.94
    Agent group 3 (default):
      - domain controllers: none
      - agents:             192.168.168.3

    So now DC 192.168.168.4 will be tried after DC 192.168.168.3.

    Note that if agents go down (due to becoming unresponsive) the DC groups don’t change. So, if you set them up as you want them, they will stay that way. If the appliance is rebooted or an HA pair fails over, however, then it will be necessary to perform that again to restore the ordering.
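    The group-table behaviour described in the last three paragraphs (a group is deleted only when every agent reading that DC set is disabled, re-enabling re-creates it at the end of the order, an unresponsive agent changes nothing, and a reboot or HA failover rebuilds the table in startup order) can be modelled as follows. This is an added example, not SonicWall code; the class, method names and the 10.0.0.x agent and DC addresses are constructed for the example. It encodes the rule as the article states it (re-created group last); confirm the actual order on an appliance from the Single Sign On section of its TSR.

```python
"""Model of the appliance's DC-group table and how agent state changes it.

Added example, not SonicWall code. Rules encoded, as stated in the article:
  - groups are built from the DC sets the enabled agents report, in order;
  - a group is deleted only when all agents reading that DC set are disabled;
  - re-enabling an agent re-creates its group at the END of the order;
  - an agent going unresponsive ("down") leaves the groups untouched;
  - a reboot or HA failover rebuilds the table from scratch.
NetAPI-only agents (no DCs) form the 'default' group, which is kept last.
"""


class GroupTable:
    def __init__(self, agents):
        # agents: ordered mapping agent_ip -> list of DC ips ([] = NetAPI only)
        self.agents = {ip: {"dcs": frozenset(dcs), "enabled": True, "up": True}
                       for ip, dcs in agents.items()}
        self.rebuild()

    def rebuild(self):
        """Startup order: one group per distinct DC set, in agent config order."""
        self.groups = []  # list of frozensets; the empty default set is excluded
        for a in self.agents.values():
            if a["enabled"] and a["dcs"] and a["dcs"] not in self.groups:
                self.groups.append(a["dcs"])

    def _members(self, dcs):
        return [ip for ip, a in self.agents.items() if a["dcs"] == dcs]

    def disable(self, ip):
        a = self.agents[ip]
        a["enabled"] = False
        # Delete the group only when every agent reading that DC set is disabled.
        if a["dcs"] in self.groups and not any(
                self.agents[m]["enabled"] for m in self._members(a["dcs"])):
            self.groups.remove(a["dcs"])

    def enable(self, ip):
        a = self.agents[ip]
        a["enabled"] = True
        if a["dcs"] and a["dcs"] not in self.groups:
            self.groups.append(a["dcs"])  # re-created group becomes last

    def mark_down(self, ip):
        self.agents[ip]["up"] = False  # unresponsive agent: groups unchanged

    def reboot(self):
        self.rebuild()  # reboot / HA failover discards the manual ordering

    def order(self):
        """DC groups in lookup order, then the NetAPI default group if any."""
        named = [sorted(g) for g in self.groups]
        has_default = any(a["enabled"] and not a["dcs"]
                          for a in self.agents.values())
        return named + (["default"] if has_default else [])


def constructed_site():
    """Constructed layout: a paired group, a single-agent group, a NetAPI agent."""
    return GroupTable({
        "10.0.0.11": ["10.0.0.1", "10.0.0.2"],  # DC Logs, paired with .12
        "10.0.0.12": ["10.0.0.1", "10.0.0.2"],
        "10.0.0.13": ["10.0.0.3"],              # DC Logs, single agent
        "10.0.0.14": [],                        # NetAPI only -> default group
    })


if __name__ == "__main__":
    t = constructed_site()
    print("startup      ", t.order())
    t.disable("10.0.0.11")           # partner still enabled: group stays
    print("one disabled ", t.order())
    t.disable("10.0.0.12")           # both disabled: group deleted
    print("both disabled", t.order())
    t.enable("10.0.0.11")            # re-created, now last
    print("re-enabled   ", t.order())
    t.mark_down("10.0.0.13")         # down is not disabled: no change
    print("agent down   ", t.order())
    t.reboot()                       # order reverts to config order
    print("after reboot ", t.order())
```

    The sequence in the main block walks through the article's own scenario: disabling one agent of a pair leaves its group in place, disabling both removes it, re-enabling appends it after the other DC groups, an agent merely going down changes nothing, and a reboot returns the table to startup order.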
