Overview:
Single-Sign-On (SSO) feature enables the Active Directory users who are successfully authenticated from Active Directory to be logged in to UTM automatically. Whenever an AD user logs on to the computer successfully, then the same user is enabled as ‘Logged In ‘ in UTM and will be able to access the internet and other services of Seqrite UTM.
When the AD user signs out from the computer then the same user gets signed out from UTM. Also when a new user is created in Active Directory, then the same user is synchronized and added in UTM as well.
Applicable version: UTMv2.6 and above
How Single Sign-On (SSO) feature works in Seqrite UTM
Setup Prerequisites
The Windows client computers must be added to the domain. The UTM appliance must be configured as the gateway for the Active Directory Server and the Windows client computers. Configure the Active Directory server as the primary DNS for the Windows Client computers. Active Directory should use Kerberos Authentication protocol for authenticating users. NTLM Authentication protocol is not supported by the Single Sign On feature.
Note: The Single Sign ON features Login and Logout will work only if the Client computer syncs with Active Directory for Domain logon/logoff.
The Active Directory agent which is installed on AD server will send the events for user login, user logout, New User creation to the UTM SSO Service. UTM SSO Service will capture the events and initiate user login/logout/create actions for the AD Users already present in UTM.
Pre-requisites needed for enabling Single Sign On on the UTM appliance.
1. At least one Authentication Server (Active Directory) must be added to UTM and selected.
2. Users from Active Directory must be imported to UTM.
3. Custom Firewall rule must be added in UTM. [UTM to LAN for Port 389]
4. At least one valid entry must be added to all the sections in the Single-Sign-On page.
5. Enable the Single Sign On service on UTM after saving the following configurations.
Settings on UTM
You need to carry out the following settings on UTM on the SSO page in the following order.
1. Add the Active Directory (Authentication Server) settings.
2. Configure the SSO Service settings.
3. Configure the Active Directory agent settings on UTM.
4. After configuring all the above settings, enable Single-Sign-ON toggle button and then click Save to start the SSO service.
Adding the Active Directory (Authentication Server) settings
1. Logon to Seqrite UTM.
2. Navigate to User Management > Single Sign-on.
3. In the Authentication Server list area, click + on the right side.
4. Enter a name for the Authentication Server, select the authentication type whether Active Directory or LDAP.
5. Enter the IP address and the port.
6. Enter the Base DN, and Bind DN.
7. Enter the Bind DN password.
8. In the List of imported groups section, click + and add the User/groups as required.
9. Click Save.
10. You can test the connection to the AD server by clicking Test Settings.
A message “Settings valid “ is displayed If the connection between UTM and AD server is successful.
Configuring the SSO service settings
1. Logon to Seqrite UTM.
2. Navigate to User Management > Single Sign-on.
3. In the Service Settings area, click + on the right side.
4. Select the appropriate LAN Interface for the network on which the AD Server is connected and select the port number from the existing definitions by clicking the + sign. The service should be listening to this port and it must be a non-reserved Port. If required, click Create Definition add a new definition as explained above to the existing definitions.
Note: You must add this port in the firewall rules of AD server to allow inbound and outbound traffic.
5. Click OK.
6. Ensure that at least one setting is added and then click Save on the Add Service Setting dialog.
Configuring the Active Directory Agent
1. Logon to Seqrite UTM.
2. Navigate to User Management > Single Sign-on.
3. In the Active Directory Agent area, click + on the right side.
4. On the Active Directory Agent dialog, enter the IP address of the Active Directory server.
5. Click Save.
Configurations required on Active Directory server
Ensure the following tasks are carried out in the given sequence.
Enabling Windows event logging on Windows AD Server
For this example, let us assume that DEV-AD-001 is the server on which Active Directory services are running.
1. Launch the Web Console, the list of AD servers is displayed, select DEV-AD-001.
2. Navigate to Windows Administrative Tools >> Group Policy Management.
3. Group Policy Management window opens with “dev.local” Forest created (seen on the left pane)
4. Under Forest: dev.local>>Domains>>dev.local>> Right-click on Default Domain Policy, click on edit , Group Policy Management Editor opens.
5. Next, under Computer Configuration >> Policies >>Windows Settings >> Security Settings >> Local Policies >> Audit Policy, set “Audit logon events” policy to Success.
6. Similarly, Under Computer Configuration >> Policies >>Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> Audit Policies, set “Account Logon”policies and “Logon/Logoff“ policies as shown in figure.
7. Similarly under Forest: dev.local>>Domain Controllers >> Default Domain Controllers Policy. Right-click on Default Domain Controllers Policy , click on edit , Group Policy Management Editor opens.
8. Under Computer Configuration >> Policies >>Windows Settings >> Security Settings >> Local Policies >> Audit Policy : set the policies as shown.
9. Similarly, Under Computer Configuration >> Policies >>Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> Audit Policies, set “Account Logon”policies and “Logon/Logoff“ policies as shown in following figure:
10. Similarly, Under Computer Configuration >> Policies >>Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> Audit Policies, set “Account Management” properties as shown:
Subcategories: Audit Computer Account Management, Audit Security Group Management, Audit User Account Management as shown
11. Run ‘cmd’ to open command prompt in administrator mode and run gpupdate /force” to apply the settings.
AD group policy settings are completed,
12. Now try to login/logout a computer (for ex: DEV-WIN1064-001) which is under dev.local domain; corresponding login/logout events can be seen on Windows Event Viewer.
Adding the Firewall rules on Windows Server [Active Directory]
Microsoft, Active Directory, and any Microsoft trademarks, logos are registered trademarks or trademarks of Microsoft Corporation and/or its affiliates in the United States and other countries.
These steps indicated below are only for configuring Active Directory for use with Seqrite UTM, for more information on Active Directory, refer to the relevant documentation for Active Directory at https://docs.microsoft.com/en-us/
Firewall rules on Active Directory must be modified to allow inbound and outbound traffic to the UTM, this can be done as follows:
1. Open Windows Firewall and enter the UTM ports in Inbound/Outbound rules section as shown. Enter the port number used in the Service Settings [Single-Sign-On page of UTM]
Seqrite SSO AD Agent installation on Active Directory server
Prerequisites on AD server
Supported Windows server versions are 2008, 2019, 2016, 2012.
Before installation, the active directory server should have the following redistributables installed:
· Visual C++ Redistributables
· Visual C++ Redistributable 2008 (32-bit)
· Visual C++ Redistributable 2008 (64-bit)
· Visual C++ Redistributable 2015 (64-bit)
Installation must be carried out in the following sequence.
1. Install the SSO agent on the AD server.
2. Configure the SSO AD agent, save the configuration and start the SSO service.
Installing the SSO agent on the AD server
1. Logon to Seqrite UTM.
2. Navigate to User Management > Single Sign-on.
3. Click Download SSO Agent to download the SSO agent on your computer. The setup file SetupSSO.msi is downloaded on your computer.
4. If you have downloaded this file on another computer, you need to copy this SSO agent file (SetupSSO.msi) to the AD server and double-click the file to start the installation process.
You will require administrative credentials to run the setup process.
5. Follow the instructions as given and complete the installation.
Configuring the AD agent on Active Directory and starting SSO service
1. After you have installed the SSO agent on Active Directory server, double click the Seqrite-SSO-Agent-UI icon. The Agent UI is displayed.
2. Enter the domain name of the Active Directory server in the Monitored Domains textbox and click Add.
3. Enter the LAN network subnets for UTM in the Monitored Subnets textbox and click Add.
4. In the UTM appliance section, click Edit list. The UTM appliances IP:Port dialog is displayed.
5. Enter the SSO UTM service port, for e.g. 192.168.57.1:12121 and then click Add, and then click OK. The appliance and port are added to the list.
6. In the UTM appliance list, select the UTM appliance from the drop-down list.
7. Click Save.
8. Click Start in the Agent Status section to start the SSO agent service on the Active Directory server.
o The connection status and Last synced status will be updated only after you close the Single Sign on Agent application UI and open it again.
o You will need to restart the AD agent manually if the computer restarts.
9. Close the Single Sign on Agent application UI and open it again. If the connection Status shows as “Connected”, the Single Sign On setup is ready.
Note:
DNS Filtering will apply only to UTM users and users imported from the Active Directory.
DNS filtering will not work for those users who use the Single Sign ON to logon since the primary DNS for those user computers is Active Directory Server.
To apply DNS filtering policy for all SSO users, create an IP-wise user for Active Directory and then apply policy on that user.
Please contact Seqrite Technical Support for more assistance