Support on SonicWall Products, Services and Solutions
Browse Knowledgebase by Category
Users Incorrectly Getting CFS Blocked Page When Using SSO
03/26/2020 
38 
12516
DESCRIPTION:
Utilizing CFS with SSO may cause random blocked web pages, even though the user should have access to the webpage. This is caused by a drop in connectivity between the SSO Agent and the Client. The following steps describe various causes as well as methods of resolving this issue:
RESOLUTION:
- Set the DC Security Log + NetAPI + WMI option in your TSA Clients settings.
NetAPI will provide faster, though possibly slightly less accurate, performance. WMI will provide slower, though possibly more accurate, performance. WMI is pre-installed on Windows Server 2003, Windows XP, Windows Me, and Windows 2000. Both NetAPI and WMI can be manually downloaded and installed. NetAPI and WMI provide information about users that are logged into a workstation, including domain users, local users, and Windows services.
See the following article for more details regarding NETAPI vs WMI Performance How to Configure the SonicWall SSO Agent Software. - Aggressive Polling times may be causing the SonicWall to drop users too quickly, as well as creating unnecessary network traffic. Usually the default should be left as is unless issues occur. If this is increased to too high a number it will cause load on the SonicWall with unnecessary user connections being left active. The Polling Rates are configured under Manage | Users | Settings | Configure SSO | Users tab | Polling rate (minutes):
- Create a address object for all the terminal service agents that you have and group them together, then:
- Navigate to Users | Configure for the SSO | Enforcement | SSO Bypass | Bypass the Single Sign On process for traffic from and then select the group that we have just created for the TSA Agent.
- Navigate to Users | Configure for the SSO | Enforcement | SSO Bypass | Bypass the Single Sign On process for traffic from and then select the group that we have just created for the TSA Agent.
- Install the SSO Agent on a non-DC server local to the hosts as ping times for the Agents to successfully communicate with the SonicWall must be less than 40 MS, otherwise the connection between the Agent and the SonicWall will drop, causing the Agent not to contact the SonicWall and causing CFS to block all user traffic while it waits to setup the next successful connection.
- To negate the issue of the Agents losing connectivity temporarily and being blocked by CFS, try going to the Manage | Users | Settings | Configure SSO | SSO Agents | General Settings and selecting “Don’t block user traffic while waiting for SSO”:
See also:
