Filter
Top Products
User Management
1105
SonicOS 5.8.1 Administrator Guide
Configuring Firewall Access Rules
Enabling SonicWALL SSO affects policies on the Firewall > Access Rules page of the
SonicOS Enhanced management interface. Rules set under Firewall > Access Rules are
checked against the user group memberships returned from a SSO LDAP query, and are
applied automatically.
See the following sections for more information:
• “Automatically Generated Rules for SonicWALL SSO” on page 1105
• “Accommodating Mac and Linux Users” on page 1105
• “White Listing IP Addresses to Bypass SSO and Authentication” on page 1108
• “Forcing Users to Log In When SSO Fails with CFS, IPS, App Control” on page 1108
• “Allowing ICMP and DNS Pings from a Terminal Server” on page 1109
• “About Firewall Access Rules” on page 1110
Automatically Generated Rules for SonicWALL SSO
When a SonicWALL SSO agent or TSA is configured in the SonicOS Enhanced management
interface, a Firewall access rule and corresponding NAT policy are created to allow the replies
from the agent into the LAN. These rules use either a SonicWALL SSO Agents or SonicWALL
Terminal Services Agents address group object, which has a member address object for each
configured agent. The member address objects are automatically added to and deleted from
the group object as agents are added or deleted. The member address objects are also updated
automatically as an agent’s IP address changes, including when an IP address is resolved via
DNS (where an agent is given by DNS name).
If SonicWALL SSO agents or TSAs are configured in different zones, the Firewall access rule
and NAT policy are added to each applicable zone. The same SonicWALL SSO Agents or
SonicWALL Terminal Services Agents address group is used in each zone.
Note Do not enable Guest Services in the same zone where SonicWALL SSO is being used.
Enabling Guest Services will disable SSO in that zone, causing users who have
authenticated via SSO to lose access. Create a separate zone for Guest Services.
Accommodating Mac and Linux Users
Mac and Linux systems do not support the Windows networking requests that are used by the
SonicWALL SSO agent, and hence require Samba 3.5 or newer to work with SonicWALL SSO.
Using SSO on Mac and Linux With Samba
For Windows users, SonicWALL SSO is used by a SonicWALL appliance to automatically
authenticate users in a Windows domain. It allows the users to get access through the
appliance with correct filtering and policy compliance without the need to identify themselves
via any additional login process after their Windows domain login.
Samba is a software package used by Linux/Unix or Mac machines to give their users access
to resources in a Windows domain (via Samba’s smbclient utility) and/or to give Windows
domain users access to resources on the Linux or Mac machine (via a Samba server).
A user working on a Linux PC or Mac with Samba in a Windows domain can be identified by
SonicWALL SSO, but it requires proper configuration of the Linux/Mac machine, the SSO
Agent, and possibly some reconfiguration of the appliance. For example, the following
configuration is necessary: