Recommended tips for SonicWall SSO

08/03/2020 38 9560

DESCRIPTION:

Here are some tips for success when implementing SSO. Not all networks are the same so there cannot be a best practice for every network but these changes may go a long way in improving your network performance. 

RESOLUTION:

1.SonicWall recommends installing SSO agent on a dedicated server within the user domain aside from the domain controller. This will reduce CPU and memory utilization on the domain controller and improve SSO performance along with username identification. SonicWall recommends running the service on a dedicated SSO server host. Although SSO will run on Windows 7 or 10, SonicWall recommends running this program on its own dedicated server in enterprise environments. Some of this information has also been included in the release notes for your reference. 

2. Ensure the domain controllers audit login policy is configured correctly so that the SSO agent can monitor login/logoffs. See this KB for more information: 

https://www.sonicwall.com/support/knowledge-base/dc-security-logs-with-advanced-auditing/170504290914487/

2. When upgrading SSO or moving SSO to a new host you can copy the configuration from the config.xml file and paste it into the new agents config. The config.xml file path is located at C:\Program Files\SonicWall\SSOAgent\config.xml or C:\Program Data\sonicwall\SSO Agent on newer versions

3. SSO probing is not necessary to resolve usernames from within SonicOS, the SSO agent is doing the work. However, if you do have the probing option enabled in SonicOS it should match the probe settings in the SSO agent itself. The TSR can be analyzed to determine probe failures and make a decision on whether or not it's worthwhile having SonicOS probing enabled. 

4. Clean up hosts or servers that can not be identified by SSO or are not required to be authenticated by SSO. This can be done by excluding hosts that are not domain joined  from SSO in SonicOS e.g. credit card machines, timeclocks.

5. Static entries can also be created in the SSO agent so you can assign specific device names  to hosts that cannot be identified. This will help keep sso from wasting time trying to identify hosts that will never be identified and also help you keep track of what's going on inside your network. Note SSO doesn't work at layer 2 so you cannot create static assignments based on mac address. 

https://www.sonicwall.com/support/knowledge-base/creating-sonicwall-sso-static-entries/191122160125487/