- Products
- Network Security
Next Generation FirewallNext-generation firewall for SMB, Enterprise, and Government
Security ServicesComprehensive security for your network security solution
Network Security ManagerModern Security Management for today’s security landscape
- Advanced Threat Protection
Capture ATPMulti-engine advanced threat detection
Capture Security applianceAdvanced Threat Protection for modern threat landscape
- Access Security
Cloud Edge Secure AccessDeploy Zero-Trust Security in minutes
Secure Mobile AccessRemote, best-in-class, secure access
Wireless Access PointsEasy to manage, fast and secure Wi-FI
SwitchesHigh-speed network switching for business connectivity
- Email Security
Email SecurityProtect against today’s advanced email threats
- Cloud Security
Cloud App SecurityVisibility and security for Cloud Apps
Cloud Firewall (NSv)Next-generation firewall capabilities in the cloud
- Endpoint Security
Capture ClientStop advanced threats and rollback the damage caused by malware
Content Filtering ClientControl access to unwanted and unsecure web content
- Product Widgets
- Product Menu Right Image
- Network Security
- Solutions
- Solutions Widgets
- Solutions Image Widgets
- Solutions Widgets
- Partners
- Partner Widgets
- Partners Image Widgets
- Partner Widgets
- Support
- Support Widget
- Support Image Widgets
- Support Widget
- Products
- Network Security
- Next Generation FirewallNext-generation firewall for SMB, Enterprise, and Government
- Security ServicesComprehensive security for your network security solution
- Network Security ManagerModern Security Management for today’s security landscape
- Advanced Threat Protection
- Capture ATPMulti-engine advanced threat detection
- Capture Security applianceAdvanced Threat Protection for modern threat landscape
- Access Security
- Cloud Edge Secure AccessDeploy Zero-Trust Security in minutes
- Secure Mobile AccessRemote, best-in-class, secure access
- Wireless Access PointsEasy to manage, fast and secure Wi-FI
- SwitchesHigh-speed network switching for business connectivity
- Email Security
- Email SecurityProtect against today’s advanced email threats
- Cloud Security
- Cloud App SecurityVisibility and security for Cloud Apps
- Cloud Firewall (NSv)Next-generation firewall capabilities in the cloud
- Endpoint Security
- Capture ClientStop advanced threats and rollback the damage caused by malware
- Content Filtering ClientControl access to unwanted and unsecure web content
- Product Widgets
- Product Menu Right Image
- Network Security
- Solutions
- Solutions Widgets
- Solutions Image Widgets
- Solutions Widgets
- Partners
- Partner Widgets
- Partners Image Widgets
- Partner Widgets
- Support
- Support Widget
- Support Image Widgets
- Support Widget
Users Incorrectly Getting CFS Blocked Page When Using SSO
03/26/2020 
40 People found this article helpful
33,444 Views
Description
Utilizing CFS with SSO may cause random blocked web pages, even though the user should have access to the webpage. This is caused by a drop in connectivity between the SSO Agent and the Client. The following steps describe various causes as well as methods of resolving this issue:
Resolution
- Set the DC Security Log + NetAPI + WMI option in your TSA Clients settings.
NetAPI will provide faster, though possibly slightly less accurate, performance. WMI will provide slower, though possibly more accurate, performance. WMI is pre-installed on Windows Server 2003, Windows XP, Windows Me, and Windows 2000. Both NetAPI and WMI can be manually downloaded and installed. NetAPI and WMI provide information about users that are logged into a workstation, including domain users, local users, and Windows services.
See the following article for more details regarding NETAPI vs WMI Performance How to Configure the SonicWall SSO Agent Software. - Aggressive Polling times may be causing the SonicWall to drop users too quickly, as well as creating unnecessary network traffic. Usually the default should be left as is unless issues occur. If this is increased to too high a number it will cause load on the SonicWall with unnecessary user connections being left active. The Polling Rates are configured under Manage | Users | Settings | Configure SSO | Users tab | Polling rate (minutes):
- Create a address object for all the terminal service agents that you have and group them together, then:
- Navigate to Users | Configure for the SSO | Enforcement | SSO Bypass | Bypass the Single Sign On process for traffic from and then select the group that we have just created for the TSA Agent.
- Navigate to Users | Configure for the SSO | Enforcement | SSO Bypass | Bypass the Single Sign On process for traffic from and then select the group that we have just created for the TSA Agent.
- Install the SSO Agent on a non-DC server local to the hosts as ping times for the Agents to successfully communicate with the SonicWall must be less than 40 MS, otherwise the connection between the Agent and the SonicWall will drop, causing the Agent not to contact the SonicWall and causing CFS to block all user traffic while it waits to setup the next successful connection.
- To negate the issue of the Agents losing connectivity temporarily and being blocked by CFS, try going to the Manage | Users | Settings | Configure SSO | SSO Agents | General Settings and selecting “Don’t block user traffic while waiting for SSO”:
See also:
- How to setup CFS policies with LDAP and SSO to restrict Internet access on CFS 3.0
- Tips on SSO Agent with Novell eDirectory
Related Articles
- How to enable and configure NTP?
- Cannot edit App Control Signatures, "Error: property 'value' can't be empty value"
- SSL-VPN 2FA: How to unbind TOTP for a single user or multiple users
Categories
- Firewalls > TZ Series > User Login
- Firewalls > NSa Series > User Login
- Firewalls > NSv Series > User Login
YES
NO