
TSA and SSO

The TSA agent is authenticated by SSO: if you log in with RDP, open a browser and access the Internet, everything works. The user is authenticated by SSO.

Problems occur when you try to use another protocol, like ping or FTP, not necessarily to the WAN but also on the DMZ.

While Internet access is working, if you start a continuous ping to 8.8.8.8 the first packet is dropped by "Enforced firewall rule", then the other packets are received, and at the 11th packet ping starts to work.

The same behavior occurs if you try to ping 1.1.1.1.

This delay is caused by SSO trying to authenticate the session, because if you exclude ICMP with a "full SSO bypass" there is no delay at all.

It looks like SSO is working only for HTTPS, and "per session" for other protocols.

The only way to avoid this problem is to bypass SSO for the other protocols.

Of course the option "Don't block user traffic while waiting for SSO including for All access rules" is enabled.

Is this the expected behavior?

Category: Mid Range Firewalls

Answers

  • Hello @FabrizPell,

    Welcome to the SonicWall community.

    Since the users connecting to the Terminal Server will all use the same IP address of the TS to connect to the internet, it is not a good idea to have the SSO agent determine the user logged in to the server.

    I would suggest bypassing or excluding the Terminal Server IP from the SSO agent. Please take a look at the KB below for the same.

    Thanks!

    Shipra Sahu

    Technical Support Advisor, Premier Services

  • FabrizPell (SonicWall Employee)

    I understand, but if I exclude the TSA from SSO, all the user policies (like CFS) don't work anymore.

  • @FabrizPell,

    The SSO agent just informs the firewall which user is logged in to a specific machine and does not apply the CFS policy itself; that is done by the CFS engine. If the Terminal Server is excluded from SSO, this instructs the firewall not to perform those queries to figure out which user is logged in to the Terminal Server.

    The TSA itself informs the firewall when a new user logs in to it and based on the username, the CFS policy gets applied.

    So, in short, excluding the TS from SSO should still enforce user-based CFS policies for each individual user who logs in to the same terminal server.

    Thanks!

    Shipra Sahu

    Technical Support Advisor, Premier Services
