Single Sign on (SSO) watchGuard M400

I'm in the process of setting up SSO for users so we can control our internet access. We only want domain users to access internet and none domain users such (visitors) need to be blocked.

I have read a couple of articles but am still a little unsure which method to use, so here I am asking experts for guidance. I would also appreciate if someone can write step-by-step setup guide or an article that I can follow with some screen prints?

Please also point out any "gotcha"

This article says that "Event Log Monitor” has to be installed on all domain controllers, but later its talks about pushing out SSO client to machines which is also used for authentication, so am a bit confused if this is needed or not? Please clarify

and then this video also talks about "Exchange Monitor" for authentication.. do I need all of these options or will one suffice?

much appreciated!

Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Jeremy WeisingerSenior Network Consultant / EngineerCommented:
I have not used SSO yet so I can't speak to any experience. There are three methods for SSO: a client installed on the computer, the event log monitor, and the Exchange monitor. You can use one or more methods. The highest priority will be tried first and any additional methods will be tried in their respective order, falling back to the authentication page as a last resort.

If you have a current LiveSecurity subscription then you have access to the training guide available from Watchguard. The one that addresses SSO is located here:
(requires a logon)
It has an overview of the SSO components and walks you through setting up Clientless SSO and Client SSO.

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
jim joeCommented:
Hello Sir,
WatchGuard SSO is a great tool and works well in many of my environments. Lets get started
If your network is made up of more than 100 end users, WatchGuard recommends the installation of a SSO Client in each user workstation to ensure stability in SSO. In the other hand if you have way less than 100 user you can simply install the SSO agent on your domain controller and let the firebox scan the event log monitor to Authenticate users. I usually use both methods where SSO client is primary and Event log monitor method is the fail safe. Both methods has certain requirements.
Lets say you decided to use the SSO client and you have more than 100 users. That's not a problem, you can create GPO in active directory to push out the client to your 100 plus users.
If you need further instructions or information reply here and I will get back to you.
badabing1Author Commented:
Thanks Jim, that's a good start for me, let me install the event log monitor first to test on my user account only, once I've got it to block internet how I am planning it to be, I will then go ahead and install the client as well.

we do have around 400 machines. Just out of internet there are no additional licencing requirement for this to work?
badabing1Author Commented:
Ok I got the SSO configured,

I now need to configure a policy to block internet traffic for users who are not member of "domain users". Please can someone advise steps and also taking into account that I do not block servers such as exchange for emails?

we have quite a few policies on watchguard so where would I put/order this new policy?

also is there anything I need to be aware of for mobile device users etc.?

badabing1Author Commented:
any updates?
Jeremy WeisingerSenior Network Consultant / EngineerCommented:
Have you already added the Domain Users group to the config?
2017-10-12_1523.pngYou can then setup the policy to allow based on the group. If you have the default Outgoing policy, you'll then also need to add a block rule for everything else. If you've removed the default Outgoing policy then the block rule may be unnecessary.
Jeremy WeisingerSenior Network Consultant / EngineerCommented:
Info provided.
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today

From novice to tech pro — start learning today.