User Management
1007
SonicOS 5.8.1 Administrator Guide
SonicWALL SSO Authentication Using the Terminal Services Agent
For users logged in from a Terminal Services or Citrix server, the SonicWALL TSA takes the
place of the SSO Agent in the authentication process. The process is different in several ways:
• The TSA runs on the same server that the user is logged into, and includes the user name
and domain along with the server IP address in the initial notification to the SonicWALL
appliance.
• Users are identified by a user number as well as the IP address (for non-Terminal Services
users, there is only one user at any IP address and so no user number is used). A non-zero
user number is displayed in the SonicOS management interface using the format "x.x.x.x
user n", where x.x.x.x is the server IP address and n is the user number.
• The TSA sends a close notification to the SonicWALL appliance when the user logs out, so
no polling occurs.
Once a user has been identified, the SonicWALL security appliance queries LDAP or a local
database (based on administrator configuration) to find user group memberships, match the
memberships against policy, and grant or restrict access to the user accordingly. Upon
successful completion of the login sequence, the saved packets are sent on. If packets are
received from the same source address before the sequence is completed, only the most recent
packet will be saved.
User names are returned from the authorization agent running the SSO Agent in the format
<domain>/<user-name>. For locally configured user groups, the user name can be configured
to be the full name returned from the authorization agent running the SSO Agent (configuring
the names in the SonicWALL security appliance local user database to match) or a simple user
name with the domain component stripped off (default).
For the LDAP protocol, the <domain>/<user-name> format is converted to an LDAP
distinguished name by creating an LDAP search for an object of class “domain” with a “dc”
(domain component) attribute that matches the domain name. If one is found, then its
distinguished name will be used as the directory sub-tree to search for the user’s object. For
example, if the user name is returned as “SV/bob” then a search for an object with
“objectClass=domain” and “dc=SV” will be performed. If that returns an object with
distinguished name “dc=sv,dc=us,dc=sonicwall,dc=com,” then a search under that directory
sub-tree will be created for (in the Active Directory case) an object with “objectClass=user” and
“sAMAccountName=bob”. If no domain object is found, then the search for the user object will
be made from the top of the directory tree.
Once a domain object has been found, the information is saved to avoid searching for the same
object. If an attempt to locate a user in a saved domain fails, the saved domain information will
be deleted and another search for the domain object will be made.
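The following Python script is an added illustration, not SonicWALL code, of the name handling and LDAP lookup sequence described above: the "<domain>/<user-name>" string is split (with the domain stripped by default or kept for full-name matching), an object of class "domain" with a matching "dc" attribute is searched for, the user is then searched for under that object's distinguished name (or from the top of the tree when no domain object exists), the domain DN is saved, and a failed user lookup in a saved domain discards the saved entry and searches for the domain object again. The directory contents, the in-memory search function and the SsoUserResolver class are assumptions constructed for the example; a real appliance issues these searches against an LDAP server.

```python
# Added example, not SonicWALL's code: models the "<domain>/<user-name>" to
# LDAP user lookup described in the text against a constructed directory.
# Assumptions (not from the page): entries are (dn, attrs) tuples and a search
# is a case-insensitive equality match; a real appliance queries a real server.

# Constructed sample directory shaped like an Active Directory tree.
DIRECTORY = [
    ("dc=sv,dc=us,dc=sonicwall,dc=com",
     {"objectClass": ["domain"], "dc": ["sv"]}),
    ("cn=bob,cn=Users,dc=sv,dc=us,dc=sonicwall,dc=com",
     {"objectClass": ["user"], "sAMAccountName": ["bob"]}),
    ("dc=eng,dc=us,dc=sonicwall,dc=com",
     {"objectClass": ["domain"], "dc": ["eng"]}),
    ("cn=alice,cn=Users,dc=eng,dc=us,dc=sonicwall,dc=com",
     {"objectClass": ["user"], "sAMAccountName": ["alice"]}),
    # A user that sits above every domain object in the tree.
    ("cn=carol,cn=Users,dc=us,dc=sonicwall,dc=com",
     {"objectClass": ["user"], "sAMAccountName": ["carol"]}),
]


def split_sso_name(name, keep_domain=False):
    """Split a "<domain>/<user-name>" string from the SSO Agent.

    Returns (domain, user). By default the user is the simple name with the
    domain component stripped; with keep_domain=True it is the full returned
    string, for matching local groups configured with the full name."""
    if "/" in name:
        domain, user = name.split("/", 1)
    else:
        domain, user = "", name
    return domain, (name if keep_domain else user)


def ldap_search(directory, base_dn, filters):
    """Minimal stand-in for an LDAP subtree search (assumption: equality
    filters only). An empty base_dn means the top of the tree."""
    base = base_dn.lower()
    hits = []
    for dn, attrs in directory:
        low = dn.lower()
        if base and low != base and not low.endswith("," + base):
            continue
        if all(any(v.lower() == want.lower() for v in attrs.get(attr, []))
               for attr, want in filters):
            hits.append(dn)
    return hits


class SsoUserResolver:
    """Resolves SSO user names to user DNs, saving domain DNs as the text
    describes and re-searching the domain when a saved one fails."""

    def __init__(self, directory):
        self.directory = directory
        self.domain_cache = {}  # domain name as returned -> domain object DN

    def _find_domain_dn(self, domain):
        hits = ldap_search(self.directory, "",
                           [("objectClass", "domain"), ("dc", domain)])
        return hits[0] if hits else None

    def _find_user_dn(self, base_dn, user):
        hits = ldap_search(self.directory, base_dn or "",
                           [("objectClass", "user"), ("sAMAccountName", user)])
        return hits[0] if hits else None

    def resolve(self, sso_name):
        domain, user = split_sso_name(sso_name)
        if not domain:
            return self._find_user_dn("", user)
        base_dn = self.domain_cache.get(domain)
        if base_dn is None:
            base_dn = self._find_domain_dn(domain)
            if base_dn is not None:
                self.domain_cache[domain] = base_dn
        # base_dn is None when no domain object exists: search from the top.
        user_dn = self._find_user_dn(base_dn, user)
        if user_dn is None and domain in self.domain_cache:
            # Lookup under the saved domain failed: discard the saved entry,
            # search for the domain object again and retry the user once.
            del self.domain_cache[domain]
            base_dn = self._find_domain_dn(domain)
            if base_dn is not None:
                self.domain_cache[domain] = base_dn
            user_dn = self._find_user_dn(base_dn, user)
        return user_dn


if __name__ == "__main__":
    resolver = SsoUserResolver(DIRECTORY)
    for name in ("SV/bob", "ENG/alice", "NOSUCH/carol", "SV/carol"):
        print(name, "->", resolver.resolve(name))
```

Running the script resolves "SV/bob" under the dc=sv sub-tree, "NOSUCH/carol" from the top of the tree because no domain object matches, and "SV/carol" to nothing, since carol is not under the sv domain; overwriting a saved domain DN with a stale value and resolving again shows the saved entry being discarded and rebuilt.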
User logout is handled slightly differently by SonicWALL SSO using the SSO Agent as
compared to SSO with the TSA. The SonicWALL security appliance polls the authorization
agent running the SSO Agent at a configurable rate to determine when a user has logged out.
Upon user logout, the authentication agent running the SSO Agent sends a User Logged Out
response to the SonicWALL security appliance, confirming that the user has been logged out
and terminating the SSO session. Rather than being polled by the SonicWALL appliance, the
TSA itself monitors the Terminal Services / Citrix server for logout events and notifies the
SonicWALL appliance as they occur, terminating the SSO session. For both agents,
configurable inactivity timers can be set, and for the SSO Agent the user name request polling
rate can be configured (set a short poll time for quick detection of logouts, or a longer polling
time for less overhead on the system).