Go to the Users > Authentication menu to configure the SSO Agent method.
- Click on Add a method.
- Select SSO Agent in the drop-down menu.
Enter the information about the main SSO Agent:
- Domain name: from the drop-down list, select the Active Directory domain associated with the SSO agent.
- IP address: from the drop-down menu, select the network object that corresponds to the host on which the SSO agent has been installed.
- Port: the port "agent_ad" is selected by default, corresponding to port 1301. The protocol used is TCP.
- Pre-shared key (password): enter the pre-shared key defined during the installation of the SSO agent (see the section Selecting the SSL encryption key).
This key is used to encrypt the SSL exchanges between the SSO agent and the firewall. The strength gauge next to the field indicates this password's level of security. You are strongly advised to use a long key that includes uppercase letters and special characters.
You can also enter the information about a backup SSO Agent (optional).
You need to add all the domain controllers of the domain. These must have been created beforehand in the firewall's Objects database.
If several AD controllers manage the domain, the account that the SSO agent uses has to be a dedicated account belonging to the domain, with the privileges described in the section Active Directory user account. These privileges must apply to all controllers, so that all events occurring on the domain can be relayed.
- Maximum authentication duration: define a maximum duration of an authenticated user’s session. After this duration has been exceeded, the firewall will delete the user associated with this IP address from its table of authenticated users, logging the user out of the firewall.
This limit is to be defined in seconds or minutes and is set by default to 36000 sec. (or 10 hours).
- Refresh user groups updates:
for each AD configured on the firewall (Directory configuration), the firewall checks the LDAP directory groups for changes. The firewall updates its directory configuration, then sends this information back to the SSO agent.
This duration defined in seconds, minutes or hours, is set by default to 3600 sec. (1 h).
- Disconnection detection: enabling a disconnection detection method allows authenticated users to be removed when a machine is logged off or a session is closed. This test of the machines authenticated on the firewall is conducted either by ping or through the registry database.
If no method is enabled, the user is only logged out once the maximum authentication duration expires, even if the session was closed long before.
Machines on the domain must respond to ping (see the Windows Firewall settings on the machines).
In addition, if the SSO agent has to pass through a firewall to reach the machines on the domain, rules allowing the SSO agent to test the workstations have to be created in that firewall's filter policy.
- Detection method:
- Ping: the SSO agent tests the reachability of all the machines authenticated on the firewall, every 60 seconds by default. If it gets a host unreachable response, or no response at all from an IP address for the period defined below, the SSO agent sends a logoff request to the firewall. The firewall then deletes the user associated with this IP address from its table of authenticated users, logging the user out of the firewall.
- Registry: this method allows detecting, for example, a session that has been shut down on a machine that is still running. The Registry database (RD) is a database used by the Windows operating system to store the configuration information of the system and the installed software.
If a positive response to a ping is received, the SSO agent will log on remotely to the machine and check the list of users with an open session on a machine in the registry database. This allows updating the table of authenticated users.
For this method, the account associated with the SSO agent must have administration privileges on all machines authenticated on the firewall: this account must belong to the Administrators group of the Active Directory server or be defined as a local administrator on the monitored machines (see the section Active Directory user account).
In addition, the Remote Registry service has to be enabled on these machines. To do so, open Services in Windows, select the Remote Registry service and click Start. Its startup type also has to be changed from Manual to Automatic, otherwise the service will be stopped again at the next reboot.
Lastly, TCP ports 139 and 445 (Windows file sharing ports) and ICMP have to be open. Follow the path Control Panel > System and Security > Windows Firewall, click Allow programs to communicate through Windows Firewall, then select File and printer sharing.
Finally, this method requires the reverse lookup zone of the domain to be configured on the DNS server, so that changes of IP address can be detected (in the event of a DHCP lease renewal, for example). For further information, please refer to the section Specific cases, paragraph Changing an IP address.
- Consider as disconnected after: if a machine does not respond to pings for this duration, it is considered offline. The firewall then deletes the user associated with the machine from its table of authenticated users. This duration is defined in seconds, minutes or hours and is set by default to 5 minutes.
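The workstation-side preparation described above (Remote Registry started and set to Automatic, ports 139/445 and ICMP opened, reverse lookup zone on the DNS server), together with a way to verify from the agent host that the checks the agent performs will succeed, as an added PowerShell example. It is not part of the Stormshield documentation or of the SSO agent itself: the host names, the agent address, the subnet, and the assumption that "users with an open session" are read as the profile hives loaded under HKEY_USERS are placeholders and assumptions, not facts stated on this page.

```powershell
<#
Added example (not from the Stormshield documentation or the SSO agent).
One script, three roles, each run on a different host:
  -Role Workstation : prepare a monitored domain workstation (run elevated there)
  -Role Agent       : from the SSO agent host, as the agent's service account,
                      check that the tests the agent performs will succeed
  -Role DnsServer   : create the reverse lookup zone the Registry method needs
Host names, the agent address, the subnet and the test IP are placeholders.
#>
param(
    [ValidateSet('Workstation', 'Agent', 'DnsServer')] [string]$Role = 'Agent',
    [string]$Target    = 'WS-LAB-01',     # workstation to test (Agent role)
    [string]$AgentHost = '10.0.0.10',     # SSO agent host (Workstation role)
    [string]$NetworkId = '10.0.1.0/24',   # subnet of the reverse zone (DnsServer role)
    [string]$TestIp    = '10.0.1.25'      # an address expected to have a PTR record
)

function Initialize-SsoTarget {
    # Remote Registry: start it now and at every boot (Manual -> Automatic).
    Set-Service -Name RemoteRegistry -StartupType Automatic
    Start-Service -Name RemoteRegistry
    # The "File and Printer Sharing" rule group opens TCP 139/445 and the
    # ICMPv4 Echo Request rule, so the same group also serves the Ping method.
    Enable-NetFirewallRule -DisplayGroup 'File and Printer Sharing'
    # Tightening (assumption, not required by the documentation): accept those
    # inbound connections from the SSO agent host only, not from any source.
    Get-NetFirewallRule -DisplayGroup 'File and Printer Sharing' -Direction Inbound |
        Set-NetFirewallRule -RemoteAddress $AgentHost
}

function Test-SsoTarget([string]$ComputerName) {
    $r = [ordered]@{ Computer = $ComputerName }
    # Step 1 of the agent: is the machine up? (ICMP echo)
    $r.Ping = Test-Connection -ComputerName $ComputerName -Count 1 -Quiet
    # Remote Registry is reached over SMB, so TCP 445 must be open.
    $r.Tcp445 = (Test-NetConnection -ComputerName $ComputerName -Port 445 `
                    -WarningAction SilentlyContinue).TcpTestSucceeded
    try {
        # Assumption: "users with an open session" are the profile hives loaded
        # under HKEY_USERS. Interactive domain users have S-1-5-21-... SIDs;
        # S-1-5-18/19/20 are LocalSystem/LocalService/NetworkService and the
        # *_Classes keys are only their class roots, so both are skipped.
        $hku  = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey(
                    [Microsoft.Win32.RegistryHive]::Users, $ComputerName)
        $sids = $hku.GetSubKeyNames() |
                Where-Object { $_ -like 'S-1-5-21-*' -and $_ -notlike '*_Classes' }
        $r.Users = @(foreach ($sid in $sids) {
            try { ([System.Security.Principal.SecurityIdentifier]$sid).Translate(
                      [System.Security.Principal.NTAccount]).Value }
            catch { $sid }   # unresolvable SID: keep it raw rather than drop it
        })
        $r.RemoteRegistry = 'OK'
    } catch {
        # "Access is denied": the account is not an administrator of the target.
        # "The network path was not found": service stopped or 139/445 filtered.
        $r.RemoteRegistry = $_.Exception.Message
    }
    [pscustomobject]$r
}

function Add-SsoReverseZone([string]$NetworkId) {
    # AD-integrated reverse zone with secure dynamic updates, so PTR records
    # follow DHCP renewals. Requires the DnsServer module (DNS role or RSAT).
    Add-DnsServerPrimaryZone -NetworkId $NetworkId -ReplicationScope 'Domain' `
        -DynamicUpdate 'Secure'
}

switch ($Role) {
    'Workstation' { Initialize-SsoTarget }
    'Agent'       { Test-SsoTarget -ComputerName $Target | Format-List }
    'DnsServer'   { Add-SsoReverseZone -NetworkId $NetworkId
                    # Verification: a PTR answer means the reverse zone resolves.
                    Resolve-DnsName -Name $TestIp -Type PTR }
}
```

Run the Agent role under the same account the SSO agent service uses: a successful Users list proves at once that Remote Registry is running, that 445 is reachable and that the account has administrator rights on the target, which are exactly the three conditions the Registry method depends on. The RemoteAddress restriction in the Workstation role is an added hardening step and can be dropped if the agent host's address is not fixed.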
Ignored administration accounts
In the firewall's factory configuration, there is a list of users whose authentication is ignored. This list contains the usual logins dedicated to the administrator (Administrator and Administrateur by default).
This mechanism exists because the domain controller treats the execution of a service or an application under another account (the Run as administrator feature, for example) as an authentication. As the SSO Agent ties authentication to an IP address, such an authentication could replace the authentication of the user who actually has the Windows session open. The pre-set list of "Ignored Administrator accounts" tells the SSO agent not to take these authentications into account.
This list of administration accounts can be modified from the Advanced properties menu in the SSO Agent authentication method.
To build this list, refer also to the section Specific cases, paragraph Other accounts on the domain.
Rules allowing traffic dedicated to the SSO agent method have to be defined:
- Click on New rule.
- Select Standard rule in order to launch the rule creation wizard.
- User > User or group: select the user or group concerned or leave the default value as Any_user@selected_domain.
- Source menu: click Add an object to target the source of the traffic to which the rule applies. This may be the object corresponding to the internal networks (e.g. network_internals).
The Stormshield Network SSO Agent authentication method is based on authentication events collected by Windows domain controllers. Since these events do not indicate the source of the traffic, interfaces cannot be specified in the authentication policy.
- Authentication methods menu: click Authorize a method and select from the drop-down list the authentication methods to be applied to the traffic that matches the rule.
The Default method corresponds to the method chosen in the Available methods tab. Authentication methods are evaluated in the order of the list, from top to bottom. As the SSO Agent method is transparent, it is by definition always applied first.
- Click on OK, then on Apply.
The SSO Agent method does not support multi-user objects (several authenticated users behind the same IP address). However, such objects may be contained in a network, a range or a group defined as the source of a rule that uses the SSO Agent method.
To avoid repeated logs of authentication denials via the SSO agent, you are advised to add two rules dedicated to these objects before the rules that use the SSO Agent method:
- the first rule specifies the method used by the multi-user object
- followed by a second rule that blocks the authentication of this object, so that no other authentication method is attempted for it.
In the example below, the TSE machine has been declared as a multi-user object and belongs to the internal network (network_internals):