SSO & Device Provisioning

Hi All,

Is there a document or guide relating SSO user numbers to WatchGuard Model? I know the basic comparison tool has an ideal for user count which I tend to wilfully ignore when seeking the correct box to suit the customers environment as the performance/VPN/VLANs etc are more important generally at the pre-sales stage.

I seen but can no longer locate an article (could have been a release note resolved issue, I just cant recall it) whereby it referenced a limitation to SSO.

Is there a sizing reference indicating the likely Firewall model mapped to SSO user count? Is there limitations to just how much SSO a model can handle? I have a customer running a small previous gen T series seeking SSO for 200+ users and thought I'd check its well within that devices abilities to do and or what sort of load is that going to put on it.


  • Options
    james.carsonjames.carson Moderator, WatchGuard Representative

    Hi @R_Devlin

    The firebox(es) don't really have a maximum performant number of SSO users. The number of users is limited by license, which is by model, but that's total number of logged in users (via SSO, RADIUS SSO, or authentication portal.)

    Some previous models and the NV5 have a hard authentication limit - as in the number of users the firewall will keep track of. (NV5 is 200 users.) You'll see that in your firebox's feature key as "Feature: AUTHENTICATED_USER#0" (0 denotes unlimited.)

    Performance issues generally come down to how exactly the users are authenticating via SSO.
    -SSO via the SSO Client is the most performant way, but requires a program be installed on your PC/MAC. The program requires no configuration beyond installing it, and users don't interact with it.

    -SSO via Event Log Monitor. This method requires no software be installed on customer PCs, but is much more resource intensive on the server it runs on. We generally do not recommend sites with 200+ users use this as their primary means of authentication.

    -SSO via Exchange Monitor. This is the most resource intensive method, and has the most limitations. Users are only updated every 15 minutes. This method is usually used for devices that can't/won't connect to AD and can't run the SSO Client (such as a mobile phone, or a PC running an alternative OS.)

    If you are planning a SSO deployment, for best performance I would suggest setting it up to use SSO Client as the primary means of authentication, and the Event Log Monitor as a backup. Ensure you make SSO exceptions for any devices that do not need to authenticate (such as printers, access control devices, cameras, etc.)

    SSO via RADIUS behaves similarly to clients that connect via the SSO Client - limitations around this service are generally limited to the RADIUS audit logging that is sent from each device (usually APs)

    If you're looking for a way to take users into account, I'd suggest using the appliance sizing tool here:

    -James Carson
    WatchGuard Customer Support

  • Options

    Perfect thankyou James, I think this customer is good to go

Sign In to comment.