Simple SSO improvement for multiple networks/domains

As per a discussion I'm having elsewhere, could you PLEASE add a small tweak to the SSO Agent configuration in Fireware.

I have two totally separate networks/domains connected to different interfaces and simply want totally separate SSO on each, none of this Agent on one network talking to ELM on the other nonsense as it's not secure!

You don't even need to change the interface, as it already allows multiple SSO Agents to be configured, albeit only for failover.

Just change it so that it uses the SSO Agent on the same network as the original request. Then I can install an Agent on each network's DC and keep it simple and secure.


    james.carson Moderator, WatchGuard Representative

    Hi Toby,

    Thanks for the suggestion, I'll certainly pass that along to the development team.

    For a bit of background -- the firewall itself doesn't know who is who -- it's relying on the SSO agent to sort that out. There needs to be some sort of logic to tell it what to do if it's not sending traffic to just one agent.

    Would it work for your use case to be able to direct traffic from a specific subnet or network interface to a specific SSO agent?

    -James Carson
    WatchGuard Customer Support


    Hi James,

    Thanks for the reply, apologies for not getting back until now.

    Yes, that solution would work perfectly, although my suggestion was even simpler - if there are multiple SSO Agents configured, use the one on the same subnet/interface as the incoming request.

    Basically I have two totally separate networks with their own domains, servers, DNS, DHCP etc. They only meet at the WatchGuard, on separate interfaces, as they use common Internet connections.

    I just want to set up the SSO Agent and ELM software on the domain controllers of each network independently. Whenever an unknown IP attempts access, the WatchGuard would then just use the SSO Agent on the same subnet/interface, which is the correct one for that network.

    As it stands, it appears I have to get a single SSO Agent on the domain controller of the first network to communicate with an ELM install on the domain controller of the second. Not only is this a bit messy but it's actually less secure as I have to allow some traffic to flow between the two domain controllers which isn't best practice really.
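    To make the selection rule proposed in this thread concrete, here is an added example (not Fireware code, and not anything WatchGuard has shipped) that models it: each agent is tagged with the firewall interface its network sits behind, a request is matched to an interface by its source address, and only agents on that interface are ever tried, in failover order. The interface names, subnets and agent addresses are constructed sample values.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class SsoAgent:
    name: str
    address: str      # agent IP (constructed sample value)
    interface: str    # firewall interface the agent's network is connected to
    priority: int = 0 # lower is preferred; only orders failover within one network


# Constructed example: one Agent per domain controller, each domain on its own interface.
AGENTS = [
    SsoAgent("dc1-agent-primary", "10.1.0.10", "eth1", priority=0),
    SsoAgent("dc1-agent-backup", "10.1.0.11", "eth1", priority=1),
    SsoAgent("dc2-agent", "192.168.50.5", "eth2", priority=0),
]

# Interface -> directly connected subnet, as the firewall already knows from its own config.
INTERFACES = {
    "eth1": ipaddress.ip_network("10.1.0.0/16"),
    "eth2": ipaddress.ip_network("192.168.50.0/24"),
}


def interface_for(src_ip):
    """Return the interface whose subnet contains src_ip (longest prefix wins), or None."""
    ip = ipaddress.ip_address(src_ip)
    matches = [(net.prefixlen, name) for name, net in INTERFACES.items() if ip in net]
    return max(matches)[1] if matches else None


def agents_for_request(src_ip):
    """Agents to query for an unknown source IP, in failover order, restricted to the
    interface the request arrived on. An empty list means no agent is eligible; the
    function never falls back to an agent on another network, so no cross-domain
    agent-to-ELM traffic is needed."""
    iface = interface_for(src_ip)
    if iface is None:
        return []
    return sorted((a for a in AGENTS if a.interface == iface), key=lambda a: a.priority)


def failover_only(src_ip):
    """The behaviour the thread describes today: one global failover list, tried in
    order regardless of which interface the request came from."""
    return sorted(AGENTS, key=lambda a: a.priority)
```

    Compare `agents_for_request("192.168.50.77")`, which yields only `dc2-agent`, with `failover_only("192.168.50.77")`, which would hand the lookup to DC1's agent first.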

    james.carson Moderator, WatchGuard Representative

    Hi @TobyG
    I've created feature request FBX-20876 for you. If you'd like to follow this feature request, please create a support case and mention FBX-20876 somewhere in it. The technician that is assigned the case can set it up to follow that request for you.

    Thank you,

    -James Carson
    WatchGuard Customer Support
