Polling and Notifications
The Single Sign-On (SSO) Agent works both passively and actively. In passive mode, the firewall sends requests that contain an IP address to the SSO Agent. The SSO Agent tries to identify the username for that IP address and sends the result back to the firewall. In active mode, the SSO Agent tries to detect user login and logout events and sends notifications to the firewall. In the default configuration, both methods are used.
Client Probing
Client probing includes both the Windows Management Instrumentation (WMI) and NetAPI probing methods. WMI is the infrastructure for management data and operations on Windows-based operating systems. NetAPI is another interface, based on the Windows DCE-RPC service. The NetAPI method is much faster than the WMI method. Because the Windows API does not provide an interface to set the timeout for either probing method, the default timeout is set to three seconds for the case where the IP address is not reachable or the connection is dropped by the Windows firewall.
Domain Controller Querying
A Domain Controller (DC) is a server that responds to security authentication requests (logging in, checking permissions, and so on) within a Windows Server domain. Two methods are supported for identifying users who log on to the Windows domain: the DC security log method and the server session method, detailed in the paragraphs that follow.
DC Security Logs
In Microsoft Windows, the security log contains records of login and logout activity and of other security-related events specified by the system's audit policy. When a domain user logs in to the domain network, the domain controller writes a message to the security log. Event messages are identified by their Event IDs.
Server Sessions
Any connection to a file or print service creates a “session” in the server’s session table. In the normal operation of an AD domain, users on Windows systems connect to the sysvol share on the domain controller to check for new Group Policy Objects every one to two hours. The user appears in the session table for about five minutes each time. A logout message is sent to the firewall when the SSO Agent has not been able to find the user for two hours.
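The session-table method described here (and the 15-second NetSessionEnum polling in the File Share section below) amounts to aging an IP-to-user map: an entry is refreshed whenever the user shows up in a poll and reported as a logout two hours after the last sighting. The following is an added example, not the SSO Agent's own code; the poll timeline, the domain name and the `SessionTracker` class are constructed for illustration.

```python
"""Added example, not the SSO Agent's own code: age IP-to-user mappings learned
from repeated session-table polls (the NetSessionEnum method). An entry stays
until the user has not been seen for LOGOUT_AFTER seconds."""
from dataclasses import dataclass, field

POLL_INTERVAL = 15           # seconds, the default query interval stated on the page
LOGOUT_AFTER = 2 * 60 * 60   # two hours without a sighting triggers a logout
DEFAULT_DOMAIN = "CORP"      # constructed: session enumeration returns no domain,
                             # so the domain configured for the server is assumed

@dataclass
class SessionTracker:
    domain: str = DEFAULT_DOMAIN
    last_seen: dict = field(default_factory=dict)   # ip -> (user, last poll time)

    def poll(self, now, sessions):
        """sessions: (user, ip) pairs from one enumeration of the server's session
        table. Returns the notifications the firewall would receive for this poll
        as (kind, DOMAIN\\user, ip) tuples."""
        notes = []
        for user, ip in sessions:
            known = self.last_seen.get(ip)
            if known is None or known[0] != user:      # new mapping for this IP
                notes.append(("login", f"{self.domain}\\{user}", ip))
            self.last_seen[ip] = (user, now)            # refresh the sighting
        for ip, (user, ts) in list(self.last_seen.items()):
            if now - ts >= LOGOUT_AFTER:                # not seen for two hours
                notes.append(("logout", f"{self.domain}\\{user}", ip))
                del self.last_seen[ip]
        return notes

# Constructed poll timeline (seconds, sessions seen): alice's workstation holds a
# sysvol session for a few minutes, refreshes it 90 minutes later alongside bob,
# then both vanish; logouts are expected two hours after the last sighting.
ALICE, BOB = ("alice", "10.0.5.17"), ("bob", "10.0.5.42")
TIMELINE = [(0, [ALICE]), (POLL_INTERVAL, [ALICE]), (300, []),
            (5400, [ALICE, BOB]), (12599, []), (12600, [])]

def run_timeline(timeline=TIMELINE):
    """Replay the polls and return every (time, kind, user, ip) notification."""
    tracker = SessionTracker()
    return [(now, *n) for now, sessions in timeline
            for n in tracker.poll(now, sessions)]

if __name__ == "__main__":
    for event in run_timeline():
        print(event)
```

Note that a second user appearing on the same IP simply replaces the mapping; the page's caveat that a user switching between two logged-on usernames goes undetected is exactly the case this logic cannot distinguish from a fresh login.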
Server sessions are usually a more efficient method than DC security logs, but they are not always accurate. In multiple-domain environments, incorrect domain names might be reported, and if a user switches between two logged-on usernames, the SSO Agent cannot detect it.
Non-Admin Accounts to Access the DC Security Logs for SSO
SSO Agent service users do not have to be domain administrators. A normal domain user with some additional permissions granted can also be used for access.
NetBIOS Name Support
Windows 2000 provides support for applications that use the NetBIOS networking APIs and the flat NetBIOS names. This allows identification of Windows 2000 domains for computers that are running Windows NT 4.0 and earlier, or those that are running Windows 95 or Windows 98. A fully qualified domain name (FQDN), sometimes also referred to as an absolute domain name, is a domain name that specifies its exact location in the tree hierarchy of the Domain Name System (DNS). It specifies all domain levels, including the top-level domain and the root zone.
Both the NetBIOS name and the FQDN domain name can be found through an LDAP search. The SSO Agent connects to the DC using its service credentials and completes the LDAP search.
The SSO Agent remembers these names and sends the correct domain name to the firewall according to the admin configuration of the SSO Agent. By default, it sends the NetBIOS name.
Exchange Server Support
When a user logs on to a computer that is not in the domain, the DC cannot obtain that user's name and IP information. Typically this case is handled by the client probing method, but you can use the Exchange Server to identify the user more efficiently.
Suppose the user opens Outlook to send or receive mail using a domain username and credentials. Both the DC and the Exchange Server log messages for this activity. On the DC, Event ID 4768 is recorded for this action, but the IP address it contains is not the real source: it points to the Exchange Server. On the Exchange Server, Event ID 4624 is a security log entry that contains both the username and the real source IP address. Each time Outlook receives email, there is also a 4624 event on the Exchange Server, so the SSO Agent simply monitors this event in the Exchange security log.
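To make the distinction between the two events concrete, here is an added example (not the SSO Agent's own code) that reads constructed one-line event summaries and builds the IP-to-user map only from Exchange 4624 entries, discarding DC 4768 entries whose address is the Exchange Server. The host names, addresses, line format and the local-service filter are assumptions for illustration.

```python
"""Added example, not the SSO Agent's own code: derive IP-to-user mappings from
Exchange security-log 4624 entries, ignoring DC 4768 entries whose client address
is the Exchange Server rather than the user's workstation. Log format is constructed."""
import re

EXCHANGE_HOST = "EXCH01"    # constructed: host whose security log is monitored
EXCHANGE_IP = "10.0.0.25"   # constructed: that server's own address

# Constructed one-line-per-event summaries: host, event ID, account, client address.
SAMPLE_LOG = """\
DC01   4768 user=alice ip=10.0.0.25
EXCH01 4624 user=alice ip=10.0.5.17
EXCH01 4624 user=bob   ip=10.0.5.42
EXCH01 4624 user=alice ip=10.0.5.17
EXCH01 4624 user=svc_health ip=10.0.0.25
EXCH01 4624 user=alice ip=10.0.5.17
"""

LINE_RE = re.compile(r"^(?P<host>\S+)\s+(?P<eid>\d+)\s+user=(?P<user>\S+)\s+ip=(?P<ip>\S+)$")

def parse_log(text):
    """Yield (host, event_id, user, ip) tuples; malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m["host"], int(m["eid"]), m["user"], m["ip"]

def map_ip_to_user(events, exchange_host=EXCHANGE_HOST, exchange_ip=EXCHANGE_IP):
    """Return {client_ip: user} built from Exchange 4624 events only.

    4768 on the DC carries the Exchange Server's address, so it cannot locate the
    user; 4624 logons coming from the Exchange Server's own address are assumed to
    be local service accounts and are skipped (an added safeguard, not from the page)."""
    mapping = {}
    for host, event_id, user, ip in events:
        if host != exchange_host or event_id != 4624:
            continue
        if ip == exchange_ip:
            continue
        mapping[ip] = user   # repeated mail polls simply re-assert the same mapping
    return mapping

if __name__ == "__main__":
    print(map_ip_to_user(parse_log(SAMPLE_LOG)))
```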
This works only as a supplement to the domain security log method. Although it works for machines that are not joined to a domain, it assumes users always open Outlook after logging in.
File Share Supported
This method covers connections to a file server, such as a user-mapped drive to a shared folder on a server; Windows domain members also connect to the DC sysvol shared folder to check for new Group Policy Objects. The SSO Agent repeatedly queries these connections using the NetSessionEnum Windows API.
The default query interval is 15 seconds. The NetSessionEnum API can return the user and IP address, but it does not return the domain. In this case, the domain name configured by the user for that server is assumed.
Novell eDirectory Support
Novell eDirectory (formerly known as Novell Directory Services (NDS), sometimes referred to as NetWare Directory Services) is an X.500-compatible directory service software product initially released in 1993 by Novell for centrally managing access to resources on multiple servers and computers within a given network. eDirectory is a hierarchical, object-oriented database used to represent certain assets in an organization in a logical tree, including organizations, organizational units, people, positions, servers, volumes, workstations, applications, printers, services, and groups, to name just a few.