
SSO Agent exceptions and IPv6

In this SSO Agent config tutorial video, the engineer stresses the importance of configuring SSO exceptions (at 8:25) so as to not generate unnecessary traffic to devices that aren't AD joined.
https://www.watchguard.com/help/video-tutorials/SSO/index.html

This is based on an IPv4 environment though, where it's relatively easy to specify addresses or address ranges to exclude. Is there any guidance on how to handle exceptions in an IPv6 environment? With the way IPv6 works, where devices can have multiple temporary GUAs, there doesn't seem to be a feasible way to manage exceptions. Is it really that big of a deal if exceptions aren't used?

Comments

  • james.carson Moderator, WatchGuard Representative

    @cmc
    It depends entirely on how big the network is and how much traffic it's sending.

    -Using the SSO client will generally reduce the CPU load over using the event log monitor. Event log monitor is usually the process that will use the most CPU on a busy network.

    -The firewall will only attempt to identify traffic that hits the firewall via SSO. This means devices like a local printer that doesn't send much traffic would be less of a deal than a VoIP phone that's connected to a cloud based VoIP provider.

    -Excepting large ranges like an entire VoIP VLAN would likely be easiest. If you're looking to except specific IPs on a large flat network, this would be more of a challenge.

    Under most circumstances, most of the devices that will cause trouble will prefer IPv4, so I'd suggest seeing if it works with IPv6 enabled. If it's not, make exceptions for the busy devices and see if it improves.

    -James Carson
    WatchGuard Customer Support
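To make the "except whole ranges rather than individual hosts" point concrete for IPv6, here is an added Python illustration (not WatchGuard's code and not the firewall's actual SSO exception logic). It models an exception list of IPv4 hosts/ranges and IPv6 prefixes, checks whether an observed source would still trigger an SSO lookup, and collapses a device's rotating temporary GUAs into the /64 prefixes that would cover them. All addresses are constructed documentation-range values.

```python
import ipaddress

# Constructed exception list, written the way an SSO exception table might look.
# Hypothetical values only; this is not a Firebox configuration.
EXCEPTIONS = [
    "192.0.2.50",           # a single IPv4 printer
    "192.0.2.64/26",        # an IPv4 VoIP VLAN
    "2001:db8:0:10::/64",   # the same VoIP VLAN's IPv6 prefix (covers any temporary GUA in it)
    "2001:db8:0:20::1234",  # one specific IPv6 host: fragile, because privacy addresses rotate
]


def build_exceptions(entries=EXCEPTIONS):
    """Parse exception entries into network objects (single hosts become /32 or /128)."""
    return [ipaddress.ip_network(e, strict=False) for e in entries]


def is_excepted(addr, networks=None):
    """True if addr falls inside any exception entry of the same IP version."""
    networks = build_exceptions() if networks is None else networks
    ip = ipaddress.ip_address(addr)
    return any(ip.version == net.version and ip in net for net in networks)


def sso_lookup_needed(addr, networks=None):
    """True if the firewall would still try to identify this source via SSO."""
    return not is_excepted(addr, networks)


def suggest_v6_prefixes(observed, prefixlen=64):
    """Collapse observed IPv6 addresses (e.g. one device's changing temporary GUAs)
    into the prefixes that would cover all of them in an exception list."""
    prefixes = set()
    for a in observed:
        ip = ipaddress.ip_address(a)
        if ip.version == 6:
            prefixes.add(ipaddress.ip_network(f"{ip}/{prefixlen}", strict=False))
    return sorted(str(p) for p in prefixes)


if __name__ == "__main__":
    # Constructed sample: a VoIP phone in the IPv6 VoIP VLAN rotating its temporary GUA,
    # and a host in VLAN 20 whose per-host exception no longer matches after rotation.
    for src in ["2001:db8:0:10:7c4d:e4f0:9a1b:2c3d", "2001:db8:0:20:9f3a:1c2d:3e4f:5a6b"]:
        print(src, "-> SSO lookup needed:", sso_lookup_needed(src))
    print(suggest_v6_prefixes(["2001:db8:0:10:1111:2222:3333:4444",
                               "2001:db8:0:10:aaaa:bbbb:cccc:dddd"]))
```

The per-host IPv6 entry stops matching as soon as the device picks a new temporary address, while the /64 entry keeps matching, which is why prefix-wide exceptions are the workable unit for IPv6.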
