SSO problem with multiple domains
Ok I'm trying to wrap my head around SSO with multiple domains. I've read the FAQ/doc on the subject but still not quite sure.
I'm using an M370.
Basically I have two completely separate networks. Each is on its own VLAN with its own separate addressing and own domain controllers. The only place the two networks meet is at the Watchguard, each connected to a separate interface, so they can share Internet connections.
The first network is the one that's been there for ages. SSO is set up and works, with the agent and event log monitor on a DC and the SSO client installed on all client machines. I now need to get SSO working for users on the other network and domain.
The FAQ says I should keep a single SSO Agent on the existing DC. On the second network's DC I should install just the event log monitor.
I presume I should add the second network's domain details to the existing SSO Agent, which would then contact the second network?
This is where I get confused.
For the SSO Agent to contact the event log monitor on the second domain DC, I'd need to add rules to the Watchguard to allow certain traffic to flow between the two domain controllers on the two networks? If so what ports are required exactly? This is really confusing.
Secondly, if I understand the SSO client correctly, the agent would contact the SSO client installed on the machine making the original attempt/request to retrieve credentials? This is a total non-starter in my configuration as it would require allowing, via firewall rules, the first network DC to communicate with ANY machine on the second network. I'm not doing that.
So, if the above assumptions are correct, I'd have to ditch the SSO client and rely solely on the event log monitor, allowing the necessary traffic only between the two networks' DCs? How robust would this be without the SSO client?
If anyone can offer any advice or tips or anything I may have missed, I'd appreciate it.
I can't help feeling that the Watchguard should really allow me to set up multiple SSO Agents on different networks/interfaces, so requests from each of my networks routes to an SSO agent on a DC for that network. This seems totally obvious and by far the simplest and most secure system. Why is this not supported?!