
SANGFOR_IAG_v13.0.80_Domain_SSO_Configuration_Guide

Author: Jojo

Sangfor Internet Access Gateway (IAG) V13.0.80 Domain Single Sign-On (SSO) Configuration Guide

Version 01 (Mar. 24, 2021) Confidentiality: Public in Company

Sangfor Internet Access Gateway (IAG)

Domain Single Sign-On (SSO) Configuration Guide

Product Version: 13.0.80

Document Version: 01

Released on: April 22, 2024

Introduction

A customer uses a Microsoft AD server to manage intranet users who work on Windows systems. The customer wants to control the intranet users' online behavior and traffic while also verifying their identity. Among the several ways of combining IAG with Microsoft AD domain authentication, script SSO has the highest success rate. However, the customer does not allow scripts to be pushed to clients through the AD domain (for example, as logon scripts), so the domain SSO method is chosen instead.

Configuration Steps

The configuration steps are shown in the figure below. To help readers who are not yet familiar with AD domains, the AD domain configuration is included as well and is marked as optional. If the AD domain has already been deployed, you can go straight to the IAG configuration.

Configure Active Directory Server

Install MS AD Function

  1. Open Server Manager in Windows Server 2019.

  2. On the Dashboard, click Add roles and features to open the Add Roles and Features Wizard.

  3. On the Before You Begin tab, click Next.

  4. On the Installation Type tab, select Role-based or feature-based installation, and then click Next.

  5. On the Server Selection tab, choose Select a server from the server pool, pick the local server, and then click Next.

  6. On the Server Roles tab, select the roles to install, namely Active Directory Domain Services and DNS Server. Accept the management tools the wizard offers to add with each role, and then click Next.

  7. On the Features tab, select Group Policy Management, and then click Next.

  8. On the AD DS tab, click Next.

  9. On the DNS Server tab, click Next.

  10. On the Confirmation tab, select Restart the destination server automatically if required, and then click Install.

  11. Wait for the installation to complete. You can view the installation progress on the Results tab.

  12. Click Close after the installation is complete.

Configure the Domain Controller

  1. Open Server Manager. On the Dashboard, click Promote this server to a domain controller (the link appears in the notification flag once the AD DS role is installed).

  2. In the Active Directory Domain Services Configuration Wizard, on the Deployment Configuration tab, select Add a new forest and specify the Root domain name for the AD domain, such as sangfor.com.

  3. On the Domain Controller Options tab, set the Directory Services Restore Mode (DSRM) password. This password is used only to log on to the server in DSRM for offline repair of the directory; it is not the domain Administrator password. Keep it in a vault.

  4. On the DNS Options tab, click Next. The warning that a delegation for this DNS server cannot be created is expected when building a new forest.

  5. On the Additional Options tab, set the NetBIOS domain name. You can use the default NetBIOS name SANGFOR.

  6. On the Paths tab, click Next.

  7. On the Prerequisites Check tab, click Install to start the installation.

  8. Wait for the server to install and deploy the related components.

  9. After the installation is complete, the Windows Server restarts automatically.

  10. After the Windows Server restarts, the login screen shows that the local Administrator account you logged in with has become the Administrator account of the domain (SANGFOR\Administrator). Its password is the same as the former local Administrator password.
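The two wizards above, done from an elevated PowerShell session on the future domain controller. This is an added example written for this page, not code from the Sangfor guide; it assumes only the values the guide uses (forest root sangfor.com, NetBIOS name SANGFOR, Windows Server 2019) and runs the same prerequisite check the wizard's Prerequisites Check tab runs before changing anything.

```powershell
# Added example, not from the Sangfor guide: "Install MS AD Function" and "Configure the Domain Controller"
# as PowerShell. Run elevated on the server that will become the first domain controller.
# Assumptions: forest root sangfor.com and NetBIOS name SANGFOR as in the guide; nothing else.

# Roles and features the wizard selects: AD DS, DNS Server, Group Policy Management (plus their RSAT tools).
Install-WindowsFeature -Name AD-Domain-Services, DNS, GPMC -IncludeManagementTools

# The "Domain Controller Options" password is the DSRM password, not the domain Administrator password.
# It unlocks offline directory repair, so it belongs in a vault, never in a script.
$dsrm = Read-Host -AsSecureString -Prompt 'DSRM (Directory Services Restore Mode) password'

$forest = @{
    DomainName                    = 'sangfor.com'
    DomainNetbiosName             = 'SANGFOR'
    ForestMode                    = 'WinThreshold'   # Windows Server 2016 functional level; 2019 adds no higher one
    DomainMode                    = 'WinThreshold'
    InstallDns                    = $true            # same default as the wizard's DNS Options tab
    SafeModeAdministratorPassword = $dsrm
}

# Same checks as the wizard's "Prerequisites Check" tab; stop on any error before touching the server.
$pre = Test-ADDSForestInstallation @forest
$pre | Format-List Status, Message
if ($pre.Status -ne 'Success') { throw 'Prerequisite check failed; fix the errors above before promoting.' }

# Promote. -Force suppresses the confirmation prompt; the server reboots by itself when promotion finishes.
Install-ADDSForest @forest -Force

# After the reboot, log in as SANGFOR\Administrator (former local Administrator password) and verify:
#   Get-ADDomainController | Select-Object HostName, Domain, Forest, IsGlobalCatalog
#   dcdiag /test:DNS
```

The splatted hashtable is deliberately fed to both Test-ADDSForestInstallation and Install-ADDSForest so that what was checked is exactly what gets installed.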

Create Usernames and Passwords for Other Users on the Domain

  1. Open Active Directory Users and Computers.

  2. To manage users according to the company's organizational structure, expand the domain sangfor.com, right-click it, and select New > Organizational Unit to create a logical container that represents a department. For example, create an OU named Sangfor Tech.

  3. Right-click the new container and select New > User to create a user in it, for example sangfortest.

  4. Set a login password for this user.

  5. Click Finish to complete creating the user.
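The same OU and test user created with the ActiveDirectory module on the domain controller, as an added example for this page rather than code from the Sangfor guide. It assumes the domain sangfor.com, the OU name Sangfor Tech and the user sangfortest from the guide; the password is prompted for so that it never sits in a script or shell history.

```powershell
# Added example, not from the Sangfor guide: create the department OU and the test user from PowerShell.
# Run on the domain controller (or any host with RSAT) as a domain administrator.
# Assumptions: domain sangfor.com, OU "Sangfor Tech", user sangfortest (all from the guide).
Import-Module ActiveDirectory

$domainDN = (Get-ADDomain).DistinguishedName      # DC=sangfor,DC=com
$ouName   = 'Sangfor Tech'
$ouDN     = "OU=$ouName,$domainDN"

# Logical container for the department. ProtectedFromAccidentalDeletion matches the GUI default.
if (-not (Get-ADOrganizationalUnit -LDAPFilter "(ou=$ouName)" -SearchBase $domainDN)) {
    New-ADOrganizationalUnit -Name $ouName -Path $domainDN -ProtectedFromAccidentalDeletion $true
}

# Test user. Prompt for the password instead of embedding it.
$userPwd = Read-Host -AsSecureString -Prompt 'Password for sangfortest'
New-ADUser -Name 'sangfortest' `
    -SamAccountName 'sangfortest' `
    -UserPrincipalName 'sangfortest@sangfor.com' `
    -Path $ouDN `
    -AccountPassword $userPwd `
    -Enabled $true `
    -ChangePasswordAtLogon $false   # $true for real users; $false here so the SSO test logs in without an extra prompt

# Check: the account exists, is enabled, and sits in the intended OU.
Get-ADUser -Identity 'sangfortest' -Properties Enabled |
    Select-Object SamAccountName, UserPrincipalName, Enabled, DistinguishedName
```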

Join the PC to the Domain

  1. Configure the PC's network card and set its DNS server to the IP address of the domain controller: 192.168.1.4. The PC must resolve the domain's SRV records from the domain controller; if a public DNS server is listed alongside it, the join can fail.

  2. Join the PC to the domain (System Properties > Computer Name > Change, select Domain, and enter sangfor.com).

  3. During the join you are asked for an account that is allowed to join computers to the domain. You can use the sangfortest user created on the AD domain controller 192.168.1.4 for testing; by default, any authenticated domain user can join up to ten computers.

  4. After successfully joining the domain, restart the PC.

  5. After the restart, at the PC's login screen, choose to log in with the domain account sangfortest (SANGFOR\sangfortest).
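The client-side steps from an elevated PowerShell session on the Windows PC, with the DNS checks a join failure usually comes down to. This is an added example for this page, not code from the Sangfor guide; it assumes the network adapter is named Ethernet and otherwise uses the guide's values (DNS and domain controller 192.168.1.4, domain sangfor.com, account sangfortest).

```powershell
# Added example, not from the Sangfor guide: join the PC to sangfor.com from PowerShell.
# Assumptions: adapter alias "Ethernet" (adjust), DC and DNS at 192.168.1.4, domain sangfor.com.
$dc     = '192.168.1.4'
$domain = 'sangfor.com'

# 1. DNS must point at the domain controller only. A public resolver listed next to it can answer the
#    _ldap._tcp SRV lookup with NXDOMAIN first and make the join fail intermittently.
Set-DnsClientServerAddress -InterfaceAlias 'Ethernet' -ServerAddresses $dc

# 2. Checks: the DC locator SRV record resolves, and LDAP on the DC is reachable.
Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$domain" -Type SRV -Server $dc |
    Format-Table Name, NameTarget, Port -AutoSize
Test-NetConnection -ComputerName $dc -Port 389 |
    Select-Object ComputerName, RemotePort, TcpTestSucceeded

# 3. Join with the test account. Any authenticated domain user may join up to ten machines by default
#    (ms-DS-MachineAccountQuota), which is why sangfortest works here without admin rights.
$cred = Get-Credential -UserName 'SANGFOR\sangfortest' -Message 'Domain credentials for the join'
Add-Computer -DomainName $domain -Credential $cred -Restart

# After the reboot, log in as SANGFOR\sangfortest and confirm the machine sees the domain:
#   (Get-CimInstance Win32_ComputerSystem).Domain      # should print sangfor.com
```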

Enable the AD Server Log Audit Function

  1. Open Run.

  2. Enter gpmc.msc in the Run dialog box to open the Group Policy Management console.

  3. Under the Domain Controllers OU, right-click Default Domain Controllers Policy and select Edit to open the Group Policy Management Editor.

  4. Navigate to Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > Audit Policy. Open Audit account logon events and Audit logon events in turn, and for each select both Success and Failure. Domain SSO depends on these logon events being recorded in the domain controller's Security log.

  5. Run gpupdate /force in CMD on the domain controller to refresh the group policy immediately.
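Before configuring IAG, it is worth proving on the domain controller that the audit policy is really in effect and that a logon by the test user produces events, because an empty Security log is the most common reason domain SSO shows nobody online. The following is an added example for this page, not code from the Sangfor guide; it assumes it runs elevated on the domain controller after the GPO edit and that the test user is sangfortest.

```powershell
# Added example, not from the Sangfor guide: verify the audit settings took effect and that sangfortest's
# logons are landing in the DC's Security log. Run elevated on the domain controller.

gpupdate /force | Out-Null

# Effective audit settings. The two legacy GPO entries from the guide map to these categories.
auditpol /get /category:"Account Logon"
auditpol /get /category:"Logon/Logoff"

# Caveat: once any Advanced Audit Policy subcategory is configured in an applied GPO, Windows ignores the
# legacy "Audit ... events" settings (SCENoApplyLegacyAuditPolicy = 1). 0 or absent means they apply.
Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -Name SCENoApplyLegacyAuditPolicy -ErrorAction SilentlyContinue |
    Select-Object SCENoApplyLegacyAuditPolicy

# What a DC records when a domain user signs in on a workstation: 4768 (Kerberos TGT issued) and 4769
# (service ticket issued), both carrying the client's IP, plus 4624 network logons to the DC itself.
# The interactive 4624 for the desktop logon is written on the workstation, not on the DC.
$since = (Get-Date).AddMinutes(-30)
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4768, 4769, 4624; StartTime = $since } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'sangfortest' } |
    Select-Object TimeCreated, Id,
        @{ n = 'ClientIP'; e = {
            if ($_.Message -match '(?:Client Address|Source Network Address):\s+(?:::ffff:)?([\d.]+)') { $Matches[1] } else { '-' }
        } } |
    Format-Table -AutoSize

# Empty output: log sangfortest in again on the PC and re-run. Still empty: the audit policy is not
# applied on this DC, and IAG will have nothing to read.
```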

Configuration in IAG

Add LDAP Server

  1. On the IAG web console, navigate to Access Mgt > Authentication > Web Authentication > Auth Server. Click Add > LDAP Server to add the Microsoft AD server to IAG.

  2. In the Admin DN field, enter the bind account with its full domain name, that is, in UPN form such as sangfortest@sangfor.com. The guide recommends the domain administrator account here so that IAG is not blocked by missing permissions when it interacts with the AD server. Note that the LDAP bind and user lookup only need read access to the directory, which any domain user has by default; if a non-administrator account fails, read the IAG error before escalating to an administrator account. For the BaseDN, select the sangfor domain root (DC=sangfor,DC=com).

  3. If IAG and the AD server interact normally, navigate to Access Mgt > User Management > Local Users. IAG has synchronized the domain users from the AD server, including the user sangfortest created earlier.

Configure Domain SSO Authentication

  1. Navigate to Access Mgt > Authentication > Web Authentication > Single Sign-On (SSO) > MS AD Domain. Select Enable Domain SSO and Domain SSO. Then click Add to add a domain controller, and fill in the parameters according to the Microsoft AD server set up earlier (its IP address 192.168.1.4 and the domain account credentials).

Configure Authentication Policy on IAG

  1. Navigate to Access Mgt > Authentication > Web Authentication > Authentication Policy. Click Add to open the Auth Policy dialog box. On the Objects tab, specify the scope of the policy in the IP/MAC Address field: the range of client IP addresses the policy applies to, which must include the address of the test PC.

  2. On the Auth Method tab, select Single sign-on (SSO) as the Auth Method.

  3. Restart the user's PC and log in with a domain account. On Status > Users > Online Users, the user is listed as online with SSO as the authentication method.

Precautions

  1. The Windows Server firewall or other hardening on the domain controller may block IAG from retrieving data from the AD server (LDAP on TCP 389/636, and the remote event log or WMI ports used to read the Security log). Open only the ports IAG needs, from the IAG address only, rather than disabling the firewall.

  2. The guide recommends a domain account with administrator privileges so that IAG does not lack permission to read the Security log it uses for SSO. A less privileged alternative is a dedicated service account that is a member of the domain's Event Log Readers group, which grants read access to the Security log; test SSO with it and extend its rights only if log collection fails. Whichever account is used, give it a long unique password, do not use it for interactive logons, and enter its credentials only in IAG.

  3. Ensure that the users' inbound and outbound traffic passes through the IAG. IAG identifies the user's traffic before marking the user on the online user list, so a PC whose traffic bypasses IAG never appears there even if its domain logon was recorded.
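The account handed to IAG (the Admin DN in the Add LDAP Server section and the account that reads the Security log in precaution 2) can be created with less than administrator rights and tested end to end before it is typed into the IAG console. The script below is an added example for this page, not code from the Sangfor guide or from Sangfor: the account name svc-iag is chosen here, the domain controller is 192.168.1.4 and the domain sangfor.com as in the guide, and it assumes that IAG's log collection honours the Security log's own access list, which is what the Event Log Readers membership grants. The guide does not state how IAG reads the log, so if the SSO test later fails with this account, look at the IAG error and add only the missing right.

```powershell
# Added example, not from the Sangfor guide: a dedicated least-privilege account for IAG, plus the two
# checks that matter: the LDAP bind/search IAG performs, and a remote read of the DC's Security log.
# Assumptions: DC 192.168.1.4, domain sangfor.com, account name svc-iag (chosen here). Run the first part
# on the DC as a domain admin; the checks can run from any domain-joined Windows host.
Import-Module ActiveDirectory
$dc = '192.168.1.4'

# 1. Service account: no Domain Admins membership, password does not expire, user cannot change it.
$svcPwd = Read-Host -AsSecureString -Prompt 'Password for svc-iag'
New-ADUser -Name 'svc-iag' -SamAccountName 'svc-iag' -UserPrincipalName 'svc-iag@sangfor.com' `
    -Path 'CN=Users,DC=sangfor,DC=com' -AccountPassword $svcPwd -Enabled $true `
    -PasswordNeverExpires $true -CannotChangePassword $true `
    -Description 'IAG: LDAP bind and Security log reader'
# Read access to the Security log comes from this built-in group, not from administrator rights.
Add-ADGroupMember -Identity 'Event Log Readers' -Members 'svc-iag'

# 2. Check the LDAP bind with the exact Admin DN string and a search under the BaseDN (the two IAG fields).
#    Plain ADSI from .NET, so it works on a host without RSAT and fails the same way IAG would.
$cred  = Get-Credential -UserName 'svc-iag@sangfor.com' -Message 'Password for the LDAP bind test'
$plain = $cred.GetNetworkCredential().Password
$root  = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$dc/DC=sangfor,DC=com", $cred.UserName, $plain)
$srch  = New-Object System.DirectoryServices.DirectorySearcher($root, '(sAMAccountName=sangfortest)')
try {
    $hit = $srch.FindOne()        # a wrong DN or password throws here
    if ($hit) { "LDAP bind OK; found $($hit.Properties['distinguishedname'][0])" }
    else      { 'LDAP bind OK, but sangfortest is not under this BaseDN' }
} catch {
    "LDAP bind or search failed: $($_.Exception.Message)"
}

# 3. Check the remote Security log read with the same account. An RPC/"server unavailable" error here is
#    the firewall case from precaution 1; on the DC, allow it from the IAG address only, for example with
#    Enable-NetFirewallRule -DisplayGroup 'Remote Event Log Management' and a remote-address scope.
Get-WinEvent -ComputerName $dc -Credential $cred -FilterHashtable @{ LogName = 'Security'; Id = 4768 } -MaxEvents 3 |
    Select-Object TimeCreated, Id, MachineName
```

If step 3 returns events, the account can read exactly what domain SSO needs without being a domain administrator; if IAG still cannot collect logs with it, the gap is in IAG's collection method, not in the log permissions, and that is what to ask the vendor about.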

