User Management
1100
SonicOS 5.8.1 Administrator Guide
Tuning Single Sign-On Advanced Settings
This section provides detailed information to help you tune the advanced SSO settings on your
SonicWALL appliance. See the following sections:
• “Overview” on page 1100
• “About the Advanced Settings” on page 1100
• “Viewing SSO Mouseover Statistics and Tooltips” on page 1101
• “Using the Single Sign-On Statistics in the TSR” on page 1103
• “Examining the Agent” on page 1104
• “Remedies” on page 1104
Overview
When a user first tries to send traffic through a SonicWALL that is using SSO, the appliance
sends a “who is this” request to the SonicWALL SSO Agent. The agent queries the user’s PC via
Windows networking, and returns the user name to the SonicWALL appliance. If the user name
matches any criteria set in the policies, then the user is considered “logged on” by the
SonicWALL. When users are logged into the SonicWALL using SSO, the SSO feature also
provides detection of logouts. To detect logouts, the appliance repeatedly polls the agent to
check if each user is still logged in. This polling, along with the initial identification requests,
can place a heavy load on the SonicWALL SSO Agent application and the PC
on which it is running, especially when very large numbers of users are connecting.
The SonicWALL SSO feature utilizes a rate-limiting mechanism to prevent the appliance from
swamping the agent with these user requests. Both automatic calculations and a configurable
setting on the appliance govern how this rate-limiting operates. The SonicWALL SSO feature
automatically calculates the maximum number of user requests contained in each message to
the agent that can be processed in the poll period, based on recent polling response times.
Also, the timeout on a multi-user request is automatically set to be long enough to reduce the
likelihood of an occasional long timeout during polling. The configurable setting controls the
number of requests to send to the agent at a time, and can be tuned to optimize SSO
performance and prevent potential problems. This section provides a guide to choosing suitable
settings.
The potential for problems resulting from overloading the agent can be reduced by running the
agent on a dedicated high-performance PC, and possibly also by using multiple agents on
separate PCs, in which case the load will be shared between them. The latter option also
provides redundancy in case one of the agent PCs fails. The agent should run on a Windows
Server PC. Some older workstations could be used, but later Windows 2000/XP/Vista
workstation releases, and service packs for the older versions, added a TCP connection
rate limiting feature that interferes with operation of the SSO agent.
About the Advanced Settings
The Maximum requests to send at a time setting is available on the Advanced tab of the SSO
agent configuration.
This setting controls the maximum number of requests that can be sent from the appliance to
the agent at the same time. The agent processes multiple requests concurrently, spawning a
separate thread in the PC to handle each. Sending too many requests at a time can overload
the PC on which the agent is running. If the number of requests to send exceeds the maximum,
then some are placed on an internal “ring buffer” queue (see “Using the Single Sign-On