Clients disconnections with dual SSO agents

Rafff
Rafff Posts: 15  Freshman Member
First Comment Third Anniversary
edited April 2021 in Security
Hello to the Forum
I have one USG310 in AD environment with 2 DCs on Win2012 and Win2016.
Web authentication works well.
I have installed SSO Agent 2.0.0 on both DCs and configured USG310 accordingly. Also opened port 2158 on both  DCs.
When users log into their client, a new entry is correcly added to the Login Users list of USG3100 monitor section.
After some time (cannot identify a recurrent duration) some users are randomly removed from the list, even if they are still working on their PC and, of course, can no more access internet.

Here is my configuration:
USG310 FW 4.62
SSO Agents 2.0.0
DCs: Win2012 and Win2016
Clients: Win10

Thank you for reading

All Replies

  • Rafff
    Rafff Posts: 15  Freshman Member
    First Comment Third Anniversary
    I have verified from logs that SSO users constantly log out and relog in every exactly 30 minutes, even if they are still sitting and working at their client station.
    Here is a log example:
    I have tried to change the User Logoin Check interval parameter to various values but the logon/off time seems not to be affected.
  • Rafff
    Rafff Posts: 15  Freshman Member
    First Comment Third Anniversary
    After 4 days of bad service my customer has decided to go back to our custom authentication client that uses the web interface.
    The SSO Agent is still a big delusion. We really hoped that it could be used now that it supports Win2016 but this is still not possible.
  • Zyxel_Can
    Zyxel_Can Posts: 342  Zyxel Employee
    25 Answers First Comment Friend Collector

    Rafff,

     

    That setup doesn’t fit in your environment.

      

    In your case you need to add one Workstation into your environment and install SSO Agent for it.

    So Workstation can authenticate using SSO Agent.

     

    Please find following KB article as reference;

     

    https://kb.zyxel.com/KB/searchArticle!viewDetail.action?articleOid=018112&lang=EN
  • Rafff
    Rafff Posts: 15  Freshman Member
    First Comment Third Anniversary
    Thank you Zyxel_Can

    For our installation we followed this official guide:

    Currently we do not have a workstation in our datacenter and we'd prefer not to have it. Moreover the setup described in the KB you linked will introduce a new single point of failure, and this is something we try to get to the minimum, as much as we can.
    Our custom login client works yet good and is a simple application that still fills our needs mode than the official SSO Agent. Even if we'd prefer to have a more structured solution like SSO Agent is, the current implementation is not yet what we expected it to be.

    Out of curiosity: what the "Secondary Agent (Optional)" parameter is intedend to be used for?

    Just one more question: could Zyxel release to community the specifications of the SSO Agent communication protocol (the one that flows on port 2158)?

    Thank you
  • Zyxel_Can
    Zyxel_Can Posts: 342  Zyxel Employee
    25 Answers First Comment Friend Collector

    Hi @Rafff,

     

    Secondary Agent is a backup agent that is in the same domain.

     

    You can read more from the following link;

    http://webhelp.zyxel.com/search.action?model=USG%20FLEX%20700&majVer=V5.00&minVer=&fwID=ABWD&lang=EN&hash=context/Help/WebAuth_SSO&help_version=2

     

    Regarding to SSO agent’s communication protocol(That performs at 2158 port for SSO Agent), it’s a proprietary TCP protocol that was designed by Zyxel.

    We apologize but the specs of that protocol is not publicly available. 

Security Highlight