Dell™ SonicWALL™ Directory Services Connector 4.0 Administration Guide


© 2016 Dell Inc. ALL RIGHTS RESERVED.

This guide contains proprietary information protected by copyright. The software described in this guide is furnished under a software license or nondisclosure agreement. This software may be used or copied only in accordance with the terms of the applicable agreement. No part of this guide may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying and recording for any purpose other than the purchaser’s personal use without the written permission of Dell Inc.

The information in this document is provided in connection with Dell products. No license, express or implied, by estoppel or otherwise, to any intellectual property right is granted by this document or in connection with the sale of Dell products. EXCEPT AS SET FORTH IN THE TERMS AND CONDITIONS AS SPECIFIED IN THE LICENSE AGREEMENT FOR THIS PRODUCT, DELL ASSUMES NO LIABILITY WHATSOEVER AND DISCLAIMS ANY EXPRESS, IMPLIED OR STATUTORY WARRANTY RELATING TO ITS PRODUCTS INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NON-INFRINGEMENT. IN NO EVENT SHALL DELL BE LIABLE FOR ANY DIRECT, INDIRECT, CONSEQUENTIAL, PUNITIVE, SPECIAL OR INCIDENTAL DAMAGES (INCLUDING, WITHOUT LIMITATION, DAMAGES FOR LOSS OF PROFITS, BUSINESS INTERRUPTION OR LOSS OF INFORMATION) ARISING OUT OF THE USE OR INABILITY TO USE THIS DOCUMENT, EVEN IF DELL HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. Dell makes no representations or warranties with respect to the accuracy or completeness of the contents of this document and reserves the right to make changes to specifications and product descriptions at any time without notice. Dell does not make any commitment to update the information contained in this document.

If you have any questions regarding your potential use of this material, contact:

Dell Inc.
Attn: LEGAL Dept.
5 Polaris Way
Aliso Viejo, CA 92656

Refer to our website (software.dell.com) for regional and international office information.

Patents

For more information, go to http://software.dell.com/legal/patents.aspx.

Trademarks

Dell, the Dell logo, SonicWALL, and all other SonicWALL product and service names are trademarks of Dell Inc. Other trademarks and trade names may be used in this document to refer to either the entities claiming the marks and names or their products. Dell disclaims any proprietary interest in the marks and names of others.

Dell SonicWALL Directory Services Connector Administration Guide
Updated - December 2016
Software Version - 4.0
232-002911-00 Rev. C

Legend

CAUTION: A CAUTION icon indicates potential damage to hardware or loss of data if instructions are not followed.

WARNING: A WARNING icon indicates a potential for property damage, personal injury, or death.

IMPORTANT NOTE, NOTE, TIP, MOBILE, or VIDEO: An information icon indicates supporting information.


Contents

Part 1. Introduction

Using This Guide
    About This Guide
    Organization of This Guide

Directory Services Connector Overview
    About Directory Services Connector
        About Polling and Notification
        About Single Sign-On and the SSO Agent with Active Directory
    About User Identification Methods
        About Client Probing
        About Domain Controller Querying
        About Exchange Servers
        About Novell eDirectory
        About Using Samba on Linux/UNIX Clients
        About NetBIOS Name Support
    Platform Compatibility
        SonicWALL Appliance/Firmware Compatibility
        Virtual Environment Compatibility
        eDirectory Server Compatibility
        Exchange Server Compatibility
        Domain Controller Server Compatibility
        SSO Agent Platform Compatibility
        Client Compatibility
        Citrix or Terminal Services Compatibility

Part 2. Installation and Configuration

Installing and Configuring the SSO Agent
    Installing the SSO Agent with Active Directory
        Installing the SSO Agent
        Installed Files
    Configuring Dell SonicWALL Devices
    Configuring SSO Agent Communication Properties
    Configuring Domain Controller Settings
    Configuring Exchange Server Settings
    Configuring Novell eDirectory Settings
    Configuring Remote SSO Agents
    Using the Configuration Tool Menus
        Using the File Menu
        Using the View Menu
        Using the Action Menu
        Using the Help Menu


Part 3. Appendices

Warranty and Licensing
    GNU General Public License (GPL) Source Code
    Limited Hardware Warranty
    End User Licensing Agreement

About Dell


Part 1. Introduction

• Using This Guide

• Directory Services Connector Overview

1 Using This Guide

About This Guide

The Dell™ SonicWALL™ Directory Services Connector Administration Guide provides information about installing and configuring the Dell SonicWALL Single Sign-On Agent and other elements of Directory Services Connector (DSC).

Always check https://support.sonicwall.com/ for the latest version of this manual as well as other Dell SonicWALL products and services documentation.

Organization of This Guide

The Dell SonicWALL Directory Services Connector Administration Guide is structured into the following parts:

Chapter 1 Using this Guide

This chapter provides helpful information for using this guide. It includes conventions used in this guide, information on how to obtain additional product information, and a summary of the chapters in the guide.

Chapter 2 Directory Services Connector Overview

This chapter provides an overview of Directory Services Connector. It includes an introduction to DSC, information about user identification methods, and platform compatibility information.

Chapter 3 Installing and Configuring the SSO Agent

This chapter provides installation and configuration procedures for the various components of the SSO Agent and DSC Configuration Tool.

Appendix A Support Information

This appendix provides the Limited Hardware Warranty, End User Licensing Agreement, and Dell SonicWALL Support contact information.

2 Directory Services Connector Overview

This section provides an overview of the Dell SonicWALL Directory Services Connector (DSC). It includes an introduction to DSC and the SSO Agent, along with the supported user identification methods and platform compatibility.

Topics:

• About Directory Services Connector

• About User Identification Methods

• Platform Compatibility

About Directory Services Connector

Dell SonicWALL Directory Services Connector includes the Dell SonicWALL Single Sign-On Agent (SSO Agent) as well as certain configuration functions. The SSO Agent provides centralized user identification to Dell SonicWALL network security appliances, interacting with the SonicOS Single Sign-On feature.

Directory Services Connector provides integration with both Active Directory and Novell eDirectory. Specifically, these are supported as follows:

1 Dell SonicWALL SuperMassive series, E-Class NSA series, NSA series, and TZ 600/500/400/300/215/210/205/200/105/100 series appliances to achieve transparent, automated Single-Sign-On integration with both Active Directory and Novell eDirectory.

2 SonicWALL PRO and TZ 190/180 series appliances to achieve Single-Sign-On integration with Active Directory.

The Dell SonicWALL appliance can use Active Directory or Novell eDirectory to authenticate users and determine the filtering policies to assign to each user or user group. The SSO Agent identifies users by IP address and automatically determines when a user has logged out to prevent unauthorized access.

Along with the username information, the SSO Agent sends the following information to the appliance:

• The Domain Controller on which information about logged in users is found.

• The User Detection mechanism used by the Agent to find logged in users.

Topics:

• About Polling and Notification

• About Single Sign-On and the SSO Agent with Active Directory

NOTE: It is normal for the system running Dell SonicWALL Directory Services Connector to have high CPU activity for the first 24 hours after installation, while the software creates a database of the user network.


About Polling and Notification

The SSO Agent can work both passively and actively. In the default configuration, both methods are used.

In passive mode, SonicOS on the Dell SonicWALL network security appliance sends a request that contains an IP address to the SSO Agent. The SSO Agent identifies the username associated with the IP address and then sends the result back to SonicOS.

In active mode, the SSO Agent attempts to detect user logon and logoff events and sends notifications to SonicOS.

About Single Sign-On and the SSO Agent with Active Directory

Single Sign-On (SSO) is a transparent user-authentication mechanism that provides privileged access to multiple network resources with a single workstation login. Dell SonicWALL security appliances provide SSO functionality using the Dell SonicWALL Single Sign-On Agent (SSO Agent) to identify user activity based on workstation IP address.

SSO is configured on the Users > Settings page of the SonicOS management interface. SSO is separate from the authentication method for login settings, which can be used at the same time to authenticate VPN/L2TP client users or administrative users.

The Dell SonicWALL SSO Agent identifies users by polling or monitoring the security log on the Active Directory server, and sends a user login/logout notification to the appliance when it detects a user login or logout. See Figure 1. Based on data from the SSO Agent, the Dell SonicWALL security appliance queries LDAP or the local database to determine group membership. Memberships are optionally checked by firewall policies to control who is given access, and can be used in selecting policies for Content Filtering and Application Firewall to control what they are allowed to access.


Figure 1. Identifying users

User names learned through SSO are reported in the Dell SonicWALL appliance logs of traffic and events from the users. The configured inactivity timer applies with SSO, but the session limit does not, though users who are logged out are automatically and transparently logged back in when they send further traffic.

Users logged into a workstation directly, but not logged into the domain, cannot be authenticated. For users that are not logged into the domain, an Authentication Required screen displays, indicating that a manual login is required for further authentication. If the workstation joins the Windows domain, the logged on user can be detected by WMI/NetAPI. The returned user name includes a Local: prefix. For example, Local:user01.

Users that are identified, but lack the group memberships required by the configured policy rules, are redirected to an Access Barred page.

Note to Step 6: The appliance polls users if the identification mechanism is WMI/NetAPI. If the identification mechanism is DC Security log mode, the SSO Agent sends log off notifications to the firewall.

About User Identification Methods

The SSO Agent supports the user identification methods described in the following sections:

• About Client Probing

• About Domain Controller Querying

• About Exchange Servers

• About Novell eDirectory

• About Using Samba on Linux/UNIX Clients

• About NetBIOS Name Support

About Client Probing

Client Probing includes both Windows Management Instrumentation (WMI) and NetAPI probing methods.

WMI is the infrastructure for management data and operations on Windows-based operating systems. The SSO Agent sends a WMI request to the client, and then determines the username and domain name by examining certain processes on the client machine.

NetAPI is another interface, based on the Windows DCE-RPC service. In this case, the SSO Agent sends a request that lists the users logged into the client workstation. This list includes interactive, service and batch logons. The SSO Agent then determines the correct user name in this list. The NetAPI method is much faster than the WMI method, but might not always yield a correct username.

Windows Firewall might block both methods by default. To allow them through Windows Firewall:

• For the WMI method, select Windows Management Instrumentation in Control Panel > All Control Panel Items > Windows Firewall > Allowed Programs.

• For the NetAPI method, select File and Printer Sharing.

The Windows API does not provide an interface to set the timeout for either probing method, so the SSO Agent first creates a TCP connection to the target machine to check connectivity. For WMI, the port is 445. For NetAPI, the port is 135. The default timeout is three seconds for both methods, and applies when the IP address is not accessible or when the connection is dropped by the Windows Firewall.

If a user logs onto a machine using a local account instead of a Windows domain account, the SSO Agent can only identify this user through a Client Probing method. This is because the other methods all involve Active Directory. When the administrator enables the WMI/NetAPI Scanner option in Directory Services Connector, the SSO Agent will repeatedly probe these IP addresses using Client Probing methods. The SSO Agent can detect when the user has logged off, and it sends a log off notification to SonicOS.
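The connectivity pre-check described above, sketched as an added example (not the SSO Agent's own code): one TCP connection attempt per probing method, using the ports and three-second timeout the guide states, with the outcome classified so an administrator can tell a closed port from a silently dropped connection. The function names and the `port` override are assumptions of this example.

```python
import socket

# Ports as stated in this guide for the Agent's connectivity check.
PRECHECK_PORT = {"WMI": 445, "NetAPI": 135}
DEFAULT_TIMEOUT = 3.0  # seconds; the guide's default for both methods


def precheck(host, method, timeout=DEFAULT_TIMEOUT, port=None):
    """Make one TCP connection attempt and classify the outcome.

    "reachable": something accepted the connection.
    "refused":   the host answered but nothing accepts on that port.
    "timeout":   no answer within `timeout`; the host is down or a firewall
                 silently dropped the packets.
    "error:...": name resolution or routing failure.

    `port` overrides the table above. It is a hypothetical parameter that
    exists only so the check can be exercised against a local listener.
    """
    target = port if port is not None else PRECHECK_PORT[method]
    try:
        with socket.create_connection((host, target), timeout=timeout):
            return "reachable"
    except ConnectionRefusedError:
        return "refused"
    except socket.timeout:
        return "timeout"
    except OSError as exc:
        return "error:" + (exc.strerror or str(exc))


def precheck_report(hosts, timeout=DEFAULT_TIMEOUT):
    """Run the pre-check for both methods on each host: {host: {method: outcome}}."""
    return {h: {m: precheck(h, m, timeout) for m in PRECHECK_PORT} for h in hosts}


if __name__ == "__main__":
    # Constructed demo: a throwaway loopback listener stands in for a client.
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    demo_port = srv.getsockname()[1]
    print("listener up  :", precheck("127.0.0.1", "WMI", port=demo_port))
    srv.close()
    print("listener down:", precheck("127.0.0.1", "WMI", port=demo_port))
```

A "timeout" result on a client that is known to be powered on usually means the Windows Firewall exceptions listed above are not in place.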

About Domain Controller Querying

The Domain Controller (DC) is a server that responds to security authentication requests (logging in, checking permissions, and so on), within the Windows Server domain. Two methods are supported that identify users who log on to the Windows domain. They are the DC Security Log and Server Session methods.

Topics:

• About DC Security Logs

• About Server Sessions

• About Enabling Audit Logs in DC Policy

• About Using Non-Admin Accounts to Access the DC Security Logs for SSO

About DC Security Logs

In Microsoft Windows, the Security Log contains records of log in and log out activity or other security-related events specified by the system's audit policy. When a domain user tries to log in to the domain network, the domain controller logs a message in the security log. The SSO Agent monitors event messages with specific Event IDs, and notifies SonicOS of the user information and logoff status.


About Server Sessions

Any connection to a file or print service creates a “session” in the server’s session table. In the normal operation of an AD domain, users on Windows systems connect to the sysvol share on the domain controller to check for new Group Policy Objects every one to two hours. The user appears in the session table for about five minutes each time. Log out messages are sent to the firewall when the SSO Agent cannot find the user after two hours.

Usually, Server Sessions is a more efficient method than DC Security logs, but sometimes, Server Sessions is not as accurate. In multiple domain environments, incorrect domain names might be reported. If the user switches between two logged on usernames, the SSO Agent cannot detect it.

About Enabling Audit Logs in DC Policy

Audit Logon is disabled by default in Windows Server. Steps to enable Audit Logon are provided in the following sections:

• Setting Group Policy to Enable Audit Logon on Windows Server 2008

• Setting Group Policy to Enable Audit Logon on Windows Server 2003

About Using Non-Admin Accounts to Access the DC Security Logs for SSO

SSO Agent service users do not have to be domain administrators. You can also use a normal domain user account that has been granted some additional permissions for access. For more information, refer to the Configuring a Non-Admin Domain Account for SSO Agent to Read Domain Security Logs Configuration Guide.

About Exchange Servers

When a user logs on to a computer that is not in the domain, the DC server does not have the user and IP address information. Typically, this is handled by the Client Probing method. You can also use the Exchange Server to identify the user.

This works only as a supplement to the Domain Security Log method. Although it works for machines not joined to a domain, it only works if users use Microsoft Outlook after logging in.

If the user opens Outlook to send or receive mail using a domain user name and credentials, both the DC and Exchange Server log events for this activity. On the DC, the event is logged, but the IP address given is not the real source. Instead, it points to the Exchange Server. On the Exchange server, a security log entry is made that contains both the user name and the source IP address. Each time Outlook receives email, there is also an event recorded by the Exchange server. The SSO Agent can monitor these events in the Exchange security log.
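An added illustration (not SonicWALL code) of how an IP-to-user table can be derived from the kind of logon and logoff records described under About DC Security Logs, including the case from About Exchange Servers where the DC records the Exchange server's address instead of the client's. The guide does not list the Event IDs the SSO Agent watches; the use of Windows event IDs 4624 and 4634, the `server_ips` exclusion list, the helper names and all sample records are assumptions constructed for this example.

```python
from ipaddress import ip_address

LOGON, LOGOFF = 4624, 4634           # standard Windows logon / logoff event IDs (assumed set)
USER_LOGON_TYPES = {2, 3, 10, 11}    # interactive, network, remote, cached; not 4 (batch) or 5 (service)


def client_ip(text, server_ips):
    """Return a normalised workstation IP, or None if the field cannot identify one."""
    try:
        ip = ip_address(text.strip())
    except ValueError:                        # "-", empty string, host names
        return None
    if ip.version == 6 and ip.ipv4_mapped:    # "::ffff:10.0.0.22" -> 10.0.0.22
        ip = ip.ipv4_mapped
    if ip.is_loopback or ip.is_unspecified or str(ip) in server_ips:
        return None
    return str(ip)


def build_user_table(events, server_ips=frozenset()):
    """Replay events in order; return ({ip: user}, [(logon_id, reason), ...])."""
    table, by_logon, skipped = {}, {}, []
    for ev in events:
        logon_id = ev["TargetLogonId"]
        if ev["EventID"] == LOGON:
            user = ev["TargetUserName"]
            if user.endswith("$"):
                skipped.append((logon_id, "machine account"))
            elif ev["LogonType"] not in USER_LOGON_TYPES:
                skipped.append((logon_id, "service or batch logon"))
            else:
                ip = client_ip(ev.get("IpAddress", ""), server_ips)
                if ip is None:
                    skipped.append((logon_id, "no usable client address"))
                else:
                    table[ip] = (ev["TargetDomainName"] + "\\" + user, logon_id)
                    by_logon[logon_id] = ip
        elif ev["EventID"] == LOGOFF:
            ip = by_logon.pop(logon_id, None)
            # Clear the entry only if this session still owns the address;
            # a later logon from the same IP must not be wiped by an old logoff.
            if ip is not None and table.get(ip, ("", ""))[1] == logon_id:
                del table[ip]
    return {ip: user for ip, (user, _) in table.items()}, skipped


def ev(event_id, user, logon_id, ip="-", logon_type=3, domain="CORP"):
    """Build one constructed record using the field names of events 4624/4634."""
    return {"EventID": event_id, "TargetUserName": user, "TargetDomainName": domain,
            "TargetLogonId": logon_id, "IpAddress": ip, "LogonType": logon_type}


EXCHANGE_IP = "10.0.0.9"   # constructed address standing in for the Exchange server
SAMPLE = [                 # constructed records, not taken from a real log
    ev(LOGON, "alice", "0x1a", "10.0.0.21"),
    ev(LOGON, "WS21$", "0x1b", "10.0.0.21"),                    # computer account
    ev(LOGON, "bob", "0x1c", EXCHANGE_IP),                      # Outlook via Exchange
    ev(LOGON, "svc_backup", "0x1d", "10.0.0.30", logon_type=5), # service logon
    ev(LOGON, "carol", "0x2b", "::ffff:10.0.0.22"),
    ev(LOGON, "dave", "0x2c", "-"),                             # no source address
    ev(LOGOFF, "carol", "0x2b"),
    ev(LOGON, "erin", "0x3c", "10.0.0.21"),                     # new user, same IP
    ev(LOGOFF, "alice", "0x1a"),                                # stale logoff
]

if __name__ == "__main__":
    users, skipped = build_user_table(SAMPLE, server_ips={EXCHANGE_IP})
    print(users)
    for logon_id, reason in skipped:
        print("skipped", logon_id, reason)
```

Run without the `server_ips` exclusion, the same records attribute the Exchange server's own address to bob, which is the mis-identification the text above describes.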

About Novell eDirectory

Novell eDirectory (formerly known as Novell Directory Services (NDS), sometimes referred to as NetWare Directory Services) is an X.500-compatible directory service software product initially released in 1993 by Novell for centrally managing access to resources on multiple servers and computers within a given network. eDirectory is a hierarchical, object oriented database used to represent certain assets in an organization in a logical tree, including organizations, organizational units, people, positions, servers, volumes, workstations, applications, printers, services, and groups.

When a user logs on to an eDirectory network, the user’s IP address is added to the networkAddress field in the user's record. If the user logs on to the eDirectory network multiple times from different machines, there will be multiple networkAddress fields. If the user logs off the eDirectory network properly, the corresponding networkAddress field is removed immediately. Otherwise the field is kept for some time before it is removed.


For this user identification method, the SSO Agent repeatedly queries the eDirectory using the LDAP protocol; see Figure 2.

Figure 2. User identification with eDirectory

The sequence of events shown in Figure 2 is:

1 The user logs into the network and authenticates with eDirectory.

2 The user initiates a request for an Internet resource (such as a Web page, an audio or video stream, or a chat program). The Dell SonicWALL network security appliance detects the request.

3 The Dell SonicWALL appliance queries the SSO Agent.

4 The SSO Agent queries the eDirectory server about the user.

The SSO Agent communicates the user’s content filtering policies to the Dell SonicWALL appliance, based on the user’s individually assigned policies and any policies inherited from groups and from organizational units. The Dell SonicWALL appliance allows, logs, or blocks the user’s request, based on the user’s content filtering policies.

About Using Samba on Linux/UNIX Clients

Samba 3.0 or newer can be installed on Linux/UNIX clients for use with Dell SonicWALL SSO. Samba is a software package used on Linux/UNIX machines to give them access to resources in a Windows domain (by way of Samba’s smbclient utility). A user working on a Linux PC with Samba in a Windows domain can be identified through the SSO, but it requires proper configuration of the Linux PC, and possibly some reconfiguration of the appliance, as described in the Using Single Sign-On with Samba technote.

Without Samba, Linux PCs do not support the Windows networking requests that are used by the Dell SonicWALL SSO Agent, and therefore, do not work with NetAPI or WMI client probing methods. Linux users can still get access, but they need to log in to do so. They can be redirected to the login prompt if policy rules are set to require authentication.

Without Samba, the DC Security Log method will work for using Single Sign-On with Linux clients.

About NetBIOS Name Support

Windows provides support for applications that use the NetBIOS networking APIs and the flat NetBIOS names. This allows identification of Windows domains for computers that are running Windows. A fully qualified domain name (FQDN), sometimes also referred to as an absolute domain name, is a domain name that specifies its exact location in the tree hierarchy of the Domain Name System (DNS). It specifies all domain levels, including the top-level domain and the root zone.

Both the NetBIOS name and the FQDN domain name can be found through an LDAP search. The SSO Agent connects to the DC using these service credentials and completes the LDAP search.

The SSO Agent remembers these names and sends the correct domain name to the firewall according to the administrator’s configuration of the SSO Agent. By default, it sends the NetBIOS name.

Platform Compatibility

To use Dell SonicWALL Single Sign-On, it is required that the SSO Agent be installed on a server that can communicate with the Active Directory or eDirectory server and with clients and the Dell SonicWALL security appliance directly using the IP address or using a path, such as VPN. The following requirements must be met in order to run the SSO Agent:

• Port 2258 must be open; the firewall uses UDP port 2258 by default to communicate with the SSO Agent; if a custom port is configured instead of 2258, then this requirement applies to the custom port

• Windows Server, with latest service pack

• .NET Framework 4.0 or above

• NetAPI or WMI (unless using DC Windows Security Log as the Client Probing Method)

• The SSO Agent must run under Domain Admin privileges

Dell SonicWALL Directory Services Connector and SSO Agent run as either a 32-bit or 64-bit application. This improves the performance of 64-bit agent machines, especially in cases where the agent is set to use NetAPI or WMI as the Client Probing Method.

Topics:

• SonicWALL Appliance/Firmware Compatibility

• Virtual Environment Compatibility

• eDirectory Server Compatibility

• Exchange Server Compatibility

• Domain Controller Server Compatibility

• SSO Agent Platform Compatibility

• Client Compatibility

• Citrix or Terminal Services Compatibility

SonicWALL Appliance/Firmware Compatibility

SonicWALL Directory Services Connector is a supported release for use with the following SonicWALL platforms:

• SuperMassive 9200 / 9400 / 9600 running SonicOS 6.1 and above

• SuperMassive E10200 / E10400 / E10800 running SonicOS 6.0.x

• NSA 2600 / 3600 / 4600 / 5600 / 6600 running SonicOS 6.1 and above

• NSA E-Class E5500 / E6500 / E7500 / E8500 / E8510 running SonicOS 5.0 and above

• NSA 240 / 2400 / 3500 / 4500 / 5000 running SonicOS 5.0 and above

• NSA 220 / 220W / 250M / 250MW running SonicOS 5.8.1 and above

• SOHO running SonicOS 5.9.1.3 and above

• SOHO W running SonicOS 6.2.4.0 and above


• TZ600 / TZ500 / TZ400 / TZ300 running SonicOS 6.2.3.1 and above

• TZ500W / TZ400W / TZ300W running SonicOS 6.2.4.0 and above

• TZ 215 / 215W / 205 / 205W / 105 / 105W running SonicOS 5.8.1 and above

• TZ 210 / 210W / 200 / 200W / 100 / 100W running SonicOS 5.0 and above

• TZ 190 / 190W / 180 / 180W running SonicOS 4.0 and above

• PRO 2040 / 3060 / 4060 / 4100 / 5060 running SonicOS 4.0 and above

Virtual Environment Compatibility

Recommended Virtual Environments for Directory Services Connector include:

• VMware ESX 5.5

• VMware ESX 5.1

• VMware ESX 4.x

• Microsoft Hyper-V 2012 R2

• Microsoft Hyper-V 2008 R2

Virtual Machine host configuration requirements:

• OS - Windows Server 2008/2012 R2 32-bit/64-bit

• CPU – Intel Xeon (4 processors)

• Memory - 4GB

eDirectory Server Compatibility

SonicWALL Directory Services Connector is supported for use with the following eDirectory servers:

• Novell eDirectory 8.8.5

• Novell eDirectory 8.8.7

Exchange Server Compatibility

SonicWALL Directory Services Connector is supported for use with the following Exchange servers:

• Exchange Server 2010

• Exchange Server 2013

NOTE: SonicOS 5.5 or newer is required for Novell eDirectory Support.

NOTE: SSO Agent performance is sensitive to the round trip network time during frequent information exchanges with the network security appliance. The Agent machine should be as close as possible to the appliance for a recommended round-trip time of less than 1 ms.

Domain Controller Server Compatibility

SonicWALL Directory Services Connector is supported for use with Domain Controllers running the following operating systems:

• Windows Server 2012 – 64-bit

• Windows Server 2012 R2 – 64-bit

• Windows Server 2008 R2 – 64-bit

• Windows Server 2008 – 32/64-bit

• Windows Server 2003 R2 – 32/64-bit

It is recommended to run the SSO Agent service using a domain administrator account. An account with fewer permissions, such as a domain user account, does have sufficient privileges for all service components to interact with the Domain Controller.

SSO Agent Platform Compatibility

SonicWALL Directory Services Connector and SSO Agent are supported for installation on 32-bit and 64-bit Windows systems running the following operating systems:

• Windows Server 2012 – 64-bit

• Windows Server 2012 R2 – 64-bit

• Windows Server 2008 R2 – 64-bit

• Windows Server 2008 – 32/64-bit

• Windows Server 2003 R2 – 32/64-bit

• Windows 8 – 32/64-bit

• Windows 7 – 32/64-bit

• Windows Vista – 32/64-bit

• Windows XP – 32/64-bit

On all Windows 32-bit and 64-bit servers, .NET Framework must be installed. The following versions of .NET Framework are supported:

• .NET Framework 4.5

• .NET Framework 4.0

The following Microsoft Windows operating systems are not supported as servers:

• Windows 2000 – All versions

Limitations

The following limitations exist in Windows operating systems prior to Windows Server 2008 or Windows 7:

• Certain Windows API elements are not supported, including the Event Subscription API for communicating with the Domain Controller. This requires Directory Services Connector to use the WMI event subscription mechanism on older Windows versions, which is much slower than event subscription.

• The SMB2 protocol is not supported on older Windows versions.

• Single Sign-On related functions may operate at approximately half the performance on older Windows versions.

NOTE: For best performance, SonicWALL recommends installing the SSO Agent on a dedicated system.

NOTE: Windows Server 2008 and higher or Windows 7 and higher are recommended.

Client Compatibility

Directory Services Connector is compatible with the following client operating systems for the purpose of determining the logged in username and other information necessary for user authentication:

• Windows 8 – 32/64-bit

• Windows 7 – 32/64-bit

• Windows Vista – 32/64-bit

• Windows XP – 32/64-bit

Citrix or Terminal Services Compatibility

The Dell SonicWALL SSO Agent is not supported in a Citrix or Terminal Services Environment.

In these environments, you can use the Dell SonicWALL Terminal Services Agent (TSA) to communicate with the SonicOS Single Sign-On feature.

The TSA is not included as part of Dell SonicWALL Directory Services Connector. For more information about the TSA, see the latest Terminal Services Agent Release Notes and the latest SonicOS Administration Guide, available at: https://support.sonicwall.com/.

Part 2

Installation and Configuration

• Installing and Configuring the SSO Agent

3

Installing and Configuring the SSO Agent

This section provides information about installing and configuring the SSO Agent using the Directory Services Configuration Tool.

When using NetAPI or WMI, one SSO Agent can support up to approximately 2500 users, depending on the performance level of the hardware that it is running on, how it is configured on the firewall and other network-dependent factors. When configured to read from domain controller security logs, one SSO Agent can support a much larger number of users identified via that mechanism, potentially 50,000+ users depending on similar factors.

Topics:

• Installing the SSO Agent with Active Directory

• Configuring Dell SonicWALL Devices

• Configuring SSO Agent Communication Properties

• Configuring Domain Controller Settings

• Configuring Exchange Server Settings

• Configuring Novell eDirectory Settings

• Configuring Remote SSO Agents

• Using the Configuration Tool Menus

Installing the SSO Agent with Active Directory

When using SSO with Windows, install the SonicWALL SSO Agent on a host on your network that has access to the Active Directory server, the Dell SonicWALL network security appliance, and all client workstations.

Topics:

• Installing the SSO Agent

• Installed Files

NOTE: For best performance, SonicWALL recommends installing the SSO Agent on a dedicated system.

IMPORTANT: To run the SSO agent, .NET Framework v4.0 must be installed. If it is not installed, an error message appears.

Installing the SSO Agent

To install the Dell SonicWALL SSO Agent for use with AD:

1 Download one of the following installers, depending on your computer:

• SonicWALL Directory Connector (32-bit) 4.0.24.exe

• SonicWALL Directory Connector (64-bit) 4.0.24.exe

You can find these on https://www.mysonicwall.com under Directory Services Connector. The installer is an MSI file signed by SonicWALL Inc.

2 To begin installation, double-click the installer.

The installer uninstalls the previous SSO Agent automatically if its version is equal to or greater than 4.0. You can have both SSO Agent 3.x and SSO Agent 4.x installed at the same time, although only one can be running because they use the same port.

3 In the Welcome screen, click Next to continue the installation.

The License Agreement screen displays.

4 Accept the terms of the license agreement, and then click Next.

TIP: To print a copy of this agreement, click Print.

The Destination Folder screen displays.

5 Select the destination folder:

• To use the default folder, C:\Program Files\Dell SonicWALL\SSOAgent\, click Next.

• To specify a custom location, click Change, select the folder, and then click Next.

What displays next depends on whether this is a new installation or an upgrade:

• For new installations, the Service User Configuration screen displays. Go to Step 7.

• If your system has an older version of DSC SSO, a Service Configuration screen displays asking if you want to use the existing configuration. The Check this check box if want to use old configuration checkbox is selected by default.

6 Do one of these:

• To use the old configuration, click Next. The Service User Configuration screen displays. Go to Step 7.

• To reconfigure the SSO product, clear the Check this check box if want to use old configuration checkbox, and then click Next.

7 Use the Service User Configuration screen to configure a common service account that the SSO Agent will use to log into a specified Windows domain.

a Enter the domain name of the account in the Domain Name field.

b Enter the username of an account with administrative privileges in the Username field.

c Enter the password for the account in the Password field.

d Click Next.

The Appliance Configuration screen displays.

8 Use the Appliance Configuration screen to configure the IP address and port used for communication with the firewall.

a Enter the IP address of your Dell SonicWALL security appliance in the Dell SonicWALL Appliance IP field.

b Type the port number for the same appliance into the Dell SonicWALL Appliance Port field. The default port number is 2258.

c Enter the hexadecimal representation (an even number of digits using only hexadecimal numbers) of the shared key in the Shared Key field.

TIP: This section can be configured at a later time. To skip this step and configure it later, click Skip. Go to Step 8.

d Click Next. The Install screen displays.

9 Click Install to begin the installation. An Installing progress screen displays.

10 Wait for the installation to complete. A warning screen requesting permission to install files may display; click OK.

The status bar displays while the SonicWALL SSO Agent installs.

Program and service files are installed, including the SSOAgentService. If the SSO Agent 3.x service is running, the installer stops that service and then starts the newly installed service.

A Completed screen displays.

11 When the installation is complete, optionally select the Launch Dell SonicWALL Directory Connector checkbox to launch the Dell SonicWALL Directory Connector Configuration Tool. This option is not selected by default.

12 Click Finish.

If you selected the Launch Dell SonicWALL Directory Connector checkbox, the Directory Connector Configuration Tool displays.
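Step 1 states that the installer is signed by SonicWALL Inc., and the agent requires .NET Framework 4.0 to run. The PowerShell pre-install check below is an added example, not part of the original guide; the download folder, the function names, and the assumption that the signing certificate's subject contains "SonicWALL" are illustrative.

```powershell
# Added example: pre-install checks for the Directory Services Connector installer.
# Needs Windows PowerShell 3.0 or later.

function Test-InstallerSignature {
    param(
        [Parameter(Mandatory = $true)][string]$Path,
        # Assumption: the signer's certificate subject contains this text
        # (the guide only says the installer is signed by SonicWALL Inc.).
        [string]$ExpectedSigner = 'SonicWALL'
    )
    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) {
        throw "Installer not found: $Path"
    }
    $sig = Get-AuthenticodeSignature -LiteralPath $Path
    $subject = ''
    if ($sig.SignerCertificate) { $subject = $sig.SignerCertificate.Subject }

    [pscustomobject]@{
        File    = Split-Path -Leaf $Path
        Status  = [string]$sig.Status
        Signer  = $subject
        # Both conditions must hold: the signature verifies against a trusted
        # chain, and the signer is the expected publisher.
        Trusted = ($sig.Status -eq 'Valid') -and ($subject -like "*$ExpectedSigner*")
    }
}

function Test-DotNet4Installed {
    # .NET Framework 4.x registers under this key; Install = 1 means it is present.
    $key   = 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full'
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Installed = [bool]($props -and $props.Install -eq 1)
        Version   = if ($props) { $props.Version } else { $null }
    }
}

# Hypothetical download location; the file name is the 64-bit installer from step 1.
$installer = Join-Path $env:USERPROFILE 'Downloads\SonicWALL Directory Connector (64-bit) 4.0.24.exe'

$dotnet = Test-DotNet4Installed
if (-not $dotnet.Installed) {
    Write-Warning '.NET Framework 4.x was not found; the guide requires v4.0 to run the SSO Agent.'
}

if (Test-Path -LiteralPath $installer) {
    $result = Test-InstallerSignature -Path $installer
    $result | Format-List
    if (-not $result.Trusted) {
        Write-Warning 'Do not run this installer: the signature is missing, invalid, or from an unexpected signer.'
    }
} else {
    Write-Warning "Installer not found at $installer"
}
```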

Installed Files

Topics:

• Program Files

• Log Files

Program Files

The installer places all the program files into C:\Program Files\Dell SonicWALL\SSOAgent by default:

• SSOAgentUI.exe is the configuration UI program.

• SSOAgentService.exe is the service program.

• Plugins\SSOAgent.dll is a part of the service program.

• Config.xml is the main configuration file.

The following additional files may also exist in that directory:

• static.csv is used for automation load testing.

• Users.xml is the user list that is saved during service restart.

The installer also creates shortcuts in the Start menu and on the desktop.

Log Files

Log files and crash dump files are placed in C:\ProgramData\Dell SonicWALL\SSOAgent.

Configuring Dell SonicWALL Devices

To display all the configured Dell SonicWALL network security appliances, click on Dell SonicWALL Appliances in the left panel of the DSC Configuration Tool.

The Friendly Name, Port, IP address, and Status of each appliance are displayed.

To add a Dell SonicWALL appliance to the SSO Agent:

1 Launch the Directory Services Connector Configuration Tool either from the Start menu or by double-clicking the desktop shortcut.

2 Right-click Dell SonicWALL Appliances, and then select Add.

3 In the Appliance IP field, type in the IP address of the firewall.

4 In the Appliance Port field, accept the default port of 2258 or type in a custom port. The appliance sends the SSO protocol packets to the Agent on this port.

5 In the Friendly Name field, type in a descriptive name for this appliance.

6 In the Shared Key field, do one of the following:

• Type in a hexadecimal number of up to 16 characters (use an even number of characters) to use as the key for encrypting messages between the Dell SonicWALL appliance and the SSO Agent. You must also enter the same key when configuring the SSO Agent to communicate with the appliance.

• Click the Generate Key button to let the computer generate a random shared key.

7 Select the Check to show Shared key as clear Text checkbox to view the key in clear text. This option is not selected by default.

8 Click OK to save the configuration.
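Step 6 describes the shared key as a hexadecimal string with an even number of characters and at most 16 characters. The PowerShell below is an added example (not SonicWALL code, and not a description of how the Generate Key button works) that validates a key against those rules and generates a full-length key from the system's cryptographic random number generator; the function names and sample keys are constructed for illustration.

```powershell
# Added example: validate and generate SSO shared keys per the rules in step 6.
# Needs Windows PowerShell 3.0 or later.

function Test-SsoSharedKey {
    param([Parameter(Mandatory = $true)][AllowEmptyString()][string]$Key)

    # Hard rules taken from the guide.
    $problems = @()
    if ($Key -notmatch '^[0-9A-Fa-f]+$') { $problems += 'not hexadecimal (or empty)' }
    if ($Key.Length % 2 -ne 0)           { $problems += 'odd number of characters' }
    if ($Key.Length -gt 16)              { $problems += 'longer than 16 characters' }

    # Advisory checks: each hex character carries 4 bits, so short or
    # repetitive keys give away most of the available key space.
    $warnings = @()
    $distinct = @($Key.ToUpper().ToCharArray() | Select-Object -Unique).Count
    if ($problems.Count -eq 0) {
        if ($Key.Length -lt 16) { $warnings += "only $($Key.Length * 4) bits; use all 16 characters" }
        if ($distinct -le 2)    { $warnings += 'very few distinct digits' }
    }

    [pscustomobject]@{
        Key      = $Key
        Valid    = ($problems.Count -eq 0)
        Problems = ($problems -join '; ')
        Warnings = ($warnings -join '; ')
    }
}

function New-SsoSharedKey {
    # 8 random bytes -> 16 hexadecimal characters, the maximum the field accepts.
    param([ValidateRange(1, 8)][int]$ByteCount = 8)

    $bytes = New-Object byte[] $ByteCount
    $rng   = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    try     { $rng.GetBytes($bytes) }
    finally { $rng.Dispose() }
    -join ($bytes | ForEach-Object { $_.ToString('X2') })
}

# Constructed sample keys; never print a production key like this.
$samples = 'A1B2C3D4E5F60718', 'ABC', '0000000000000000', 'G1', '1234',
           'A1B2C3D4E5F6071829'
$samples | ForEach-Object { Test-SsoSharedKey -Key $_ } | Format-Table -AutoSize -Wrap

# A freshly generated key always passes validation with no warnings about length.
Test-SsoSharedKey -Key (New-SsoSharedKey) | Select-Object Valid, Problems, Warnings
```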

Configuring SSO Agent Communication Properties

The Dell SonicWALL SSO Agent communicates with workstations using NetAPI or WMI, which both provide information about users logged into a workstation, including domain users, local users, and Windows services. Be sure that WMI or NetAPI is installed prior to configuring the SonicWALL SSO Agent.

NOTE: To modify the settings of an existing appliance, click on the appliance IP address in the left pane.

NOTE: When using Single Sign-on, SSO Agent tries to identify the logged in user by querying the workstations using the NetAPI or WMI protocols. NetAPI and WMI require File & print sharing enabled on the client workstations.

To configure the communication properties of the Dell SonicWALL SSO Agent:

1 Launch the Directory Services Connector Configuration Tool either from the Start menu or by double-clicking the desktop shortcut.

NOTE: The Configuration Tool communicates with the Windows service through JSON RPC. The RPC port is 127.0.0.1:12348. If the service is stopped, the Configuration Tool tries to start the service first.

2 In the left panel, right-click SonicWALL SSO Agent, and then select Properties. Configuration settings display in the right panel.

3 For Host IP, select an IP address from the drop-down menu. The default IP address is 0.0.0.0.

The SSO Agent binds the UDP socket at this IP address and the port number specified in the Port field. The Agent receives the SSO protocol packets from the firewall on this socket.

4 In the Port field, accept the default port or type in a custom port. By default, the SSO Agent uses UDP port 2258 to receive the SSO protocol packets.

5 In the Sync Port field, accept the default port or type in a custom port. By default, the SSO Agent uses TCP port 2260 to receive the agent synchronize datagrams.

NOTE: If the Host IP address is 0.0.0.0, the SSO Agent accepts packets from any interface.

6 From the Logging Level drop-down menu, select the level of events to be logged in the log file in the program data directory. The log file is useful for diagnostics and debugging. The default logging level is 2 - Warning.

7 In the Max Thread Count field, accept the default of 100 or type in a custom value within the indicated range.

The SSO Agent starts the configured number of threads at run time. Most of the threads are used for client probing. These threads periodically query the IP addresses that are present in the Scanner queue. After completing each query, the agent adds or updates the user or error information in its cache. The thread count adjusts the trade-off between simultaneity and overall performance.

8 In the Cache Duration field, accept the default of 7200 seconds (2 hours) or type in a custom value within the indicated range.

If a user does not log off the computer properly, for example by pulling the power plug, the SSO Agent does not receive a log-off message for the user. In this case, the SSO Agent keeps the user information in its cache. After the cache duration time expires, the SSO Agent removes the user from the cache and sends a log-out notification to the firewall. The default time of 2 hours is based on the typical duration after which the log-in status is refreshed on the Domain Controller. Cache duration functions only apply to users whose session ID is not equal to zero.

Upon a user information request for any IP address from the appliance, the SSO Agent checks for the IP address in its cache. If the IP address is not present in the cache, the SSO Agent treats the request as the first request for that IP Address and adds the IP Address to its Scanner queue for further processing.

9 To save information about previously identified users when the SSO Agent service is restarted, select the Preserve Users During Restart checkbox. This option is not selected by default.

Because the SSO Agent must be restarted for Properties changes to take effect, this option allows the Agent to maintain current user information across these restarts. The SSO Agent saves the user information in an XML file that contains a timestamp. If the file is less than 15 minutes old when the SSO Agent restarts, it uses this file to fill its cache; otherwise, the SSO Agent ignores the file to avoid restoring outdated information.

10 The Scan Users checkbox is selected by default.

If Scan Users is enabled and a user is identified with a Client Probing method, the SSO Agent probes this user repeatedly until the user logs off the computer or the SSO Agent can identify this user using another method, such as DC Security Log or Server Session. When the SSO Agent detects that the user has logged off the computer, it sends a log-off notification to the firewall.

If the query returns an error for any IP address and the SSO Agent is not able to identify the user information, the agent treats the IP address as a Bad IP. This can occur for network devices such as printers, non-Windows computers, or other workstations that do not understand the query options. While processing requests in the Scanner queue, the agent skips any Bad IP addresses and adds the IP address to the back of the queue for the next fetch.

To ensure that the agent does not process any IP address that has not been polled from the appliance for a considerable amount of time, the agent maintains the session time and the time of the last request from the appliance for each IP address. This allows the agent to minimize the queue size, ensures that threads are not wasted, and prevents unnecessary traffic from the agent for IP addresses that are not polled from the appliance. The session time can be modified from Windows registry settings using the registry value, SESIONTIME.

11 In the Scan Interval field, accept the default of 60 seconds or type in a custom value within the indicated range.

12 For Client Probing Method, select one of the following options from the drop-down menu:

• Disabled

• Probe user using NetAPI

• Probe user using WMI

• Probe user using NetAPI first, then WMI (this is the default option)

• Probe user using WMI first, then NetAPI

When the SSO Agent receives an IP Address request from the firewall and the user is not found in its cache, it uses the selected Client Probing Method to identify the username.

The handling of non-responsive workstations to queries from WMI and NetAPI is optimized in Dell SonicWALL Directory Services Connector. The appliance repeatedly polls the SSO Agent with multi-user requests, and often sends more than one such request at a time. The number of concurrent requests increases when workstations do not respond to the requests, potentially overloading the Agent. To avoid this, a time-out mechanism is included in multi-user requests from the appliance. If the request does not complete within this time, the agent silently aborts it.

13 For Domain name type, select one of the following options from the drop-down menu:

• NetBIOS Domain Name

• FQDN Domain Name

SonicOS can handle both domain name types. The default option is NetBIOS Domain Name.

14 Click Apply.

15 Click OK.

NOTE: NetAPI provides faster, though possibly slightly less accurate, performance. With NetAPI, Windows reports the last login to the workstation whether or not the user is still logged in. This means that after a user logs out from his computer, the appliance still shows the user as logged in when NetAPI is used. If another user logs onto the same computer, then at that point the previous user is logged out from the Dell SonicWALL appliance.
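Steps 3 through 5 and the JSON RPC note define three sockets: UDP 2258 on the Host IP, TCP 2260 for agent synchronization, and the Configuration Tool RPC port at 127.0.0.1:12348. The PowerShell below is an added example, not part of the original guide, that reports where each one is bound and flags the 0.0.0.0 default; the function names, the 192.0.2.10 address, the sample rows, and the assumption that the sync port binds to the Host IP are illustrative.

```powershell
# Added example: audit the SSO Agent's listening sockets against the
# settings described in the steps above.

function Get-SsoAgentListener {
    # Live data. Requires Windows 8 / Windows Server 2012 or later.
    Get-NetUDPEndpoint |
        Select-Object @{ Name = 'Protocol'; Expression = { 'UDP' } }, LocalAddress, LocalPort
    Get-NetTCPConnection -State Listen |
        Select-Object @{ Name = 'Protocol'; Expression = { 'TCP' } }, LocalAddress, LocalPort
}

function Test-SsoAgentBinding {
    param(
        [Parameter(Mandatory = $true)][AllowEmptyCollection()][object[]]$Listeners,
        [Parameter(Mandatory = $true)][string]$ExpectedHostIp,
        [int]$SsoPort  = 2258,   # UDP, SSO protocol packets from the firewall
        [int]$SyncPort = 2260,   # TCP, synchronization with remote agents
        [int]$RpcPort  = 12348   # TCP, Configuration Tool JSON RPC (loopback)
    )
    $wildcards = @('0.0.0.0', '::')
    $checks = @(
        @{ Name = 'SSO protocol';           Protocol = 'UDP'; Port = $SsoPort;  Allowed = $ExpectedHostIp },
        # Assumption: the sync port is expected on the same Host IP.
        @{ Name = 'Agent sync';             Protocol = 'TCP'; Port = $SyncPort; Allowed = $ExpectedHostIp },
        @{ Name = 'Configuration Tool RPC'; Protocol = 'TCP'; Port = $RpcPort;  Allowed = '127.0.0.1' }
    )

    foreach ($c in $checks) {
        $found = @($Listeners | Where-Object {
            $_.Protocol -eq $c.Protocol -and $_.LocalPort -eq $c.Port
        })
        if ($found.Count -eq 0) {
            [pscustomobject]@{
                Check = $c.Name; Endpoint = "$($c.Protocol)/$($c.Port)"
                LocalAddress = $null; Result = 'NotListening'
            }
            continue
        }
        foreach ($l in $found) {
            if ($wildcards -contains $l.LocalAddress) {
                # Bound to every interface, as with the 0.0.0.0 default.
                $result = 'AllInterfaces'
            } elseif ($l.LocalAddress -eq $c.Allowed) {
                $result = 'AsExpected'
            } else {
                $result = 'UnexpectedAddress'
            }
            [pscustomobject]@{
                Check = $c.Name; Endpoint = "$($c.Protocol)/$($c.Port)"
                LocalAddress = $l.LocalAddress; Result = $result
            }
        }
    }
}

# Constructed sample: the SSO port is still on the 0.0.0.0 default.
$sample = @(
    [pscustomobject]@{ Protocol = 'UDP'; LocalAddress = '0.0.0.0';    LocalPort = 2258 },
    [pscustomobject]@{ Protocol = 'TCP'; LocalAddress = '192.0.2.10'; LocalPort = 2260 },
    [pscustomobject]@{ Protocol = 'TCP'; LocalAddress = '127.0.0.1';  LocalPort = 12348 }
)
Test-SsoAgentBinding -Listeners $sample -ExpectedHostIp '192.0.2.10' |
    Format-Table -AutoSize

# On the agent host, audit the live sockets instead:
# Test-SsoAgentBinding -Listeners (Get-SsoAgentListener) -ExpectedHostIp '192.0.2.10'
```

On a multi-homed agent host, an AllInterfaces result for the SSO port means packets are accepted on interfaces other than the one facing the appliance; selecting a specific Host IP in step 3 narrows that.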

Configuring Domain Controller Settings

The Domain Controller (DC) is a server that responds to security authentication requests (logging in, checking permissions, and so on) within the Windows domain. The SSO Agent supports two methods to identify users who log on to a Windows domain:

• DC Security Log

• Server Session

On Microsoft Windows, the DC Security Log contains login and logout activity records or other security-related events specified by the Domain Controller’s audit policy.

By default, all of the DC Security Log options require a Domain Administrator account or a Local Administrator account on the Domain Controller to read the DC Security Log.

If an account with administrator privileges is not available, user identification through the DC Security Log can be configured for WMI with a non-administrator domain account. This account must have read access to the security log. For more information, refer to the Configuring a Non-Admin Domain Account for SSO Agent to Read Domain Security Logs configuration guide.

Topics:

• Configuring DC Settings in DSC

• Setting Group Policy to Enable Audit Logon on Windows Server 2008

• Setting Group Policy to Enable Audit Logon on Windows Server 2003

Configuring DC Settings in DSC

To configure the Domain Controller settings in Directory Services Connector:

1 In the Directory Connector Configuration Tool, expand SonicWALL SSO Agent in the left pane.

2 Right-click Domain Controllers, and then select one of the following:

• Refresh

This option refreshes the known Domain Controller information, and the right panel displays the Host Address, Friendly Name, Domain Name, NETBIOS Name, and Status of known DCs.

• Add

Select this option to manually add a Domain Controller to the SSO Agent configuration. Go to Step 3.

• Auto Discovery

Select this option to have the SSO Agent use DNS queries to find DCs to which the Agent host machine belongs. The right panel displays the Host Address, Friendly Name, Domain Name, NETBIOS Name, and Status of the discovered DCs.

• Config All

Select this option to configure the settings for all known DCs in a pop-up window.

If you selected any option except Add, go to Step 7.

3 If you selected the Add option, the right panel displays the available settings. In the IP Address field, type the Domain Controller IP address.

4 In the Friendly Name field, enter a descriptive name for the Domain Controller.

5 For Server Monitoring Method, select one of the following:

• DC Security Log Subscription

You can select this method for getting DC event log updates if the Domain Controller and SSO Agent are installed on Windows machines that support the event subscription API. It is supported on Windows 7 and higher, and on Windows Server 2008 and higher.

• DC Security Log Polling

This option causes the SSO Agent to request the event log information from the DC at the time interval indicated in the Pull every field. Accept the default of 5 seconds or type in the desired interval. The minimum is 5 seconds and the maximum is 300 seconds.

• Server Session

This option causes the SSO Agent to request the server session information from the DC at the time interval indicated in the Pull every field. Accept the default of 10 seconds or type in the desired interval. The minimum is 5 seconds and the maximum is 300 seconds.

6 To test the connection to the Domain Controller using the configured IP address, click Test Connection.

If the IP address does not belong to a machine with a role of Domain Controller, the Configuration Tool displays an error message.

7 If no errors are displayed, click OK.

Setting Group Policy to Enable Audit Logon on Windows Server 2008

Audit Logon may need to be enabled on the Windows Server machine.

To enable Audit Logon on Windows Server 2008:

1 Start the Group Policy Management Console.

2 Browse to the following location: Domain Name > Domains > Domain Name > Group Policy Objects, where Domain Name is replaced with your domain.

3 Under Group Policy Objects, right-click on Default Domain Policy, and then select Edit.

The Group Policy Management Editor window displays.

4 Double-click on Audit account logon events, select Success, and then click OK.

5 Double-click on Audit logon events, select Success, and then click OK.

6 Double-click on Audit Directory Service Access, select Success, and then click OK.

7 Double-click on Audit Object Access, select Success, and then click OK.

8 Close the Group Policy window.
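To confirm on a domain controller that the settings from steps 4 through 7 are in effect, the effective audit policy can be read back with auditpol. The PowerShell below is an added example, not part of the original guide; it assumes an English-language Windows Server 2008 or later DC, an elevated session, and the usual mapping of the four Group Policy settings to the auditpol categories Account Logon, Logon/Logoff, DS Access, and Object Access. The sample report rows are constructed.

```powershell
# Added example: check that Success auditing is effective for the categories
# enabled in the Group Policy steps above. Needs Windows PowerShell 3.0 or later.

# Group Policy setting -> auditpol category (English names; assumption).
$categoryMap = [ordered]@{
    'Audit account logon events'     = 'Account Logon'
    'Audit logon events'             = 'Logon/Logoff'
    'Audit Directory Service Access' = 'DS Access'
    'Audit Object Access'            = 'Object Access'
}

function Get-AuditpolReport {
    param([Parameter(Mandatory = $true)][string]$Category)
    # /r prints the report as CSV. Run from an elevated session on the DC.
    & auditpol.exe /get "/category:$Category" /r
}

function ConvertFrom-AuditpolReport {
    param([string[]]$Lines)
    # Drop blank lines, then parse the CSV report.
    $Lines | Where-Object { $_ -and $_.Trim() } | ConvertFrom-Csv | ForEach-Object {
        [pscustomobject]@{
            Subcategory    = $_.Subcategory
            Setting        = $_.'Inclusion Setting'
            # 'Success' and 'Success and Failure' both record successful logons.
            SuccessAudited = ($_.'Inclusion Setting' -match '^Success')
        }
    }
}

function Test-SuccessAuditing {
    # $Reports maps an auditpol category name to its CSV report lines.
    param([Parameter(Mandatory = $true)][System.Collections.IDictionary]$Reports)

    foreach ($policy in $categoryMap.Keys) {
        $category = $categoryMap[$policy]
        $rows     = @(ConvertFrom-AuditpolReport -Lines $Reports[$category])
        $missing  = @($rows | Where-Object { -not $_.SuccessAudited } |
                      ForEach-Object { $_.Subcategory })
        [pscustomobject]@{
            PolicySetting  = $policy
            Category       = $category
            Subcategories  = $rows.Count
            Compliant      = ($rows.Count -gt 0 -and $missing.Count -eq 0)
            MissingSuccess = ($missing -join ', ')
        }
    }
}

# Constructed sample reports (GUID column replaced by a placeholder).
$header = 'Machine Name,Policy Target,Subcategory,Subcategory GUID,Inclusion Setting,Exclusion Setting'
$sample = @{
    'Account Logon' = @($header,
        'DC01,System,Credential Validation,{constructed},Success,',
        'DC01,System,Kerberos Authentication Service,{constructed},Success and Failure,')
    'Logon/Logoff'  = @($header,
        'DC01,System,Logon,{constructed},No Auditing,',
        'DC01,System,Logoff,{constructed},Success,')
    'DS Access'     = @($header,
        'DC01,System,Directory Service Access,{constructed},Success,')
    'Object Access' = @($header,
        'DC01,System,File System,{constructed},Failure,')
}
Test-SuccessAuditing -Reports $sample | Format-Table -AutoSize -Wrap

# On the domain controller, build the reports from live data instead:
# $live = @{}
# foreach ($c in $categoryMap.Values) { $live[$c] = Get-AuditpolReport -Category $c }
# Test-SuccessAuditing -Reports $live | Format-Table -AutoSize -Wrap
```

A row that is not Compliant means the DC Security Log will lack some of the logon events the SSO Agent reads, for example because a more specific policy overrides the Default Domain Policy.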

Setting Group Policy to Enable Audit Logon on Windows Server 2003

By default, Audit Logon is disabled on Windows Server 2003.

To enable Audit Logon on Windows Server 2003:

1 Start the Group Policy Management Console.

2 Browse to the following location: Domain Name > Domains > Domain Name > Group Policy Objects, where Domain Name is replaced with your domain.

3 Right-click on Group Policy Objects, and then select New.

4 Enter a policy name, and then click OK.

5 Expand the Group Policy Objects folder and find your new policy.

6 Right-click on the policy, and then select Edit...

7 Browse to the following location: Policy Name > Computer Configuration > Windows Settings > Security Settings > Local Policies > Audit Policy.

8 Left-click on Audit Policy. The policy settings are displayed in the right pane.

9 Double-click on Audit account logon events, select Success, and then click OK.

10 Double-click on Audit logon events, select Success, and then click OK.

11 Double-click on Audit Directory Service Access, select Success, and then click OK.

12 Close the Group Policy window.

Configuring Exchange Server Settings

For information about using an Exchange server to identify users, see About Exchange Servers on page 11.

To add an Exchange server for use by the SSO Agent:

1 Launch the Dell SonicWALL Directory Services Connector Configuration Tool.

2 Expand the SonicWALL Directory Connector and SonicWALL SSO Agent trees in the left column by clicking the + button.

3 Right-click Exchange Servers, and then select Add.

4 In the Exchange Server IP field, type in the Exchange server IP address.

5 In the Friendly Name field, type in a descriptive name for the Exchange server.

6 For Server Monitoring Method, select one of the following methods for the SSO Agent to get the event logs from the server:

• Use Event Subscription

This method causes the SSO Agent to request that the Exchange server automatically send any relevant events to the Agent as they occur.

• Pull every <> seconds

This is the polling method. The SSO Agent requests information from the Exchange server at the configured interval.

NOTE: You can configure settings for all known Exchange servers at the same time by selecting Config All.

If Pull every <> seconds is selected, accept the default polling interval of 10 seconds or type in the desired interval in the provided field. The minimum is 1 second and the maximum is 60 seconds.

7 Click OK.

8 Click OK in the popup window indicating that the configuration is saved.

Configuring Novell eDirectory Settings

For information about using Novell eDirectory to identify users, see About Novell eDirectory on page 11.

To configure Novell eDirectory settings:

1 Launch the Dell SonicWALL Directory Services Connector Configuration Tool.

2 Expand the SonicWALL Directory Connector and SonicWALL SSO Agent trees in the left column by clicking the + button.

3 Right-click Novell eDirectory Servers and select Add.

4 In the IP Address field, type in the IP address of the Novell eDirectory server.

In the Port(1-65535) field, type in the port for the service. The default port is:

• 636 if the Security Connection checkbox is selected.

• 389 if the Security Connection checkbox is not selected.

5 In the User DN field, type in the service user’s domain name.

6 In the Password field, type in the password for the service user.

7 In the Base DN field, type in the base domain name.

The User DN and Base DN are case sensitive and should be entered in the following format:

• User DN: cn=xxx,o=xxx

For example: cn=admin, o=test

• Base DN: o=xxx

For example: o=test

8 In the Polling Interval(1-60 Sec) field, type in the number of seconds for the polling interval. The default value is 10 seconds, the minimum is 1 second, and the maximum is 60 seconds.

9 Click the Test Connection button to verify that the SSO Agent can connect with the eDirectory server.

10 Click OK.

11 Click OK in the popup dialog indicating that the configuration is saved.

Configuring Remote SSO Agents

A Single Sign-On deployment can contain up to eight SSO Agents on different servers. Each instance of the SSO Agent can exchange information with the other, remote Agents.

To configure remote SSO Agents in Directory Services Connector:

1 Launch the Dell SonicWALL Directory Services Connector Configuration Tool.

2 Expand the SonicWALL Directory Connector and SonicWALL SSO Agent trees in the left column by clicking the + button.

3 Right-click Remote SSO Agents and select Add.

4 In the Agent IP field, type in the IP address of the remote SSO Agent.

5 In the Sync Port field, accept the default of 2260 or type in the custom sync port.

By default, the SSO Agent uses TCP port 2260 to receive Agent synchronization data. When an SSO Agent starts up, it sends a TCP Reset notification to all the configured remote Agents. When a remote Agent receives this reset notification, it sends its user cache to the requesting Agent. Thereafter, the remote Agent sends any incremental changes.

6 In the Friendly Name field, type in a descriptive name for the remote SSO Agent.

7 Click OK.

8 Click OK in the popup window indicating that the configuration is saved.


9 Click on Remote SSO Agents to display all the configured remote SSO Agents in the right panel. You can see the friendly name, IP address, port, and status of each remote Agent.

10 To modify the configuration of an existing remote SSO Agent, click on its IP address in the left panel, enter the desired values as in Step 4 through Step 8, and then click OK.

Using the Configuration Tool Menus

The Directory Services Connector Configuration Tool provides several menus at the top of the screen for configuring settings and viewing information.

Topics:

• Using the File Menu on page 40

• Using the View Menu on page 40

• Using the Action Menu on page 41

• Using the Help Menu on page 47

Using the File Menu

The File menu in the Directory Connector Configuration Tool provides the Exit option.

Click File > Exit to close the Directory Connector Configuration Tool.

Using the View Menu

The View menu in the Directory Connector Configuration Tool provides options for displaying or hiding the toolbar and status bar.

Click View > ToolBar to toggle the toolbar display. If it is currently hidden, it will be displayed. If currently displayed, it will be hidden.

Click View > StatusBar to toggle the status bar display. If it is currently hidden, it will be displayed. If currently displayed, it will be hidden.

The toolbar provides icon buttons near the top of the screen for the following:

• Adding servers to the SSO Agent configuration

• Removing servers from the SSO Agent configuration

• Starting the Windows service


• Stopping the Windows service

• Refreshing the items displayed in the Configuration Tool

• Viewing the SSO Agent properties

• Accessing the diagnostics tool

Each button is only active when a relevant item is selected in the left panel. Not all buttons are active at the same time.

The status bar displays the current SSO Agent status along the bottom of the screen. The installed version of the SSO Agent is also displayed there.

Using the Action Menu

The Action menu in the Directory Connector Configuration Tool provides options for viewing the properties and log entries, viewing users and hosts, using the diagnostic tool, and managing services and users. The option to set the Service Logon User is available in the Action drop-down menu. The menu also provides options for starting and stopping the SSO Agent Windows service.

All of the Action menu options are also available on the right-click menu for the SonicWALL SSO Agent from within the Configuration Tool.

Topics:

• Viewing the Logs on page 42

• Displaying Users and Hosts Statistics on page 42

• Using the Diagnostic Tool on page 44

• Viewing Windows Service Users on page 45

• Viewing and Configuring Service Logon User on page 47

• Starting and Stopping the Windows Service on page 47


Viewing the Logs

The Action > View Logs page of the DSC Configuration Tool causes Windows Explorer to open the program data folder that contains the SSO Agent log files.

The Agent keeps up to five logs at a time and stores them in C:\ProgramData\Dell SonicWALL\SSOAgent:

• SSOAgent.log - This is the main log file.

• SSOPacket.log - This is the log of packets between the firewall and the Agent.

• Rpc.log - This is the RPC log between the Config Tool and Agent service.

• SecurityEvent.log - This is the DC/Exchange security event log.

• SessionTable.log - This shows the results returned by the NetSessionEnum API.

More logs are created with higher logging levels. Debug is the highest level.

When troubleshooting, send all files in this folder to the Support team for investigation.

Displaying Users and Hosts Statistics

The Action > Users and Hosts page of the DSC Configuration Tool displays the number of event log messages parsed and the replies sent to the appliance. It also displays the number of users in the SSO Agent cache, and the total number of users who logged on and logged off. The User Information table displays the IP address, user name, user login time, time of last refresh, and the method used to identify the user.

You can search and sort the users, and you can manually remove a user from the cache.

NOTE: When the SSO Agent service crashes, the crash dumps are located at C:\ProgramData\Dell SonicWALL.


To display the Users and Hosts page, click Action and select Users and Hosts.


Using the Diagnostic Tool

The Action > Diagnostics Tool page of the DSC Configuration Tool provides a way to find logged-in user information for remote workstations. You can manually identify IP addresses using the WMI or NetAPI method by entering multiple IP addresses separated by commas or an IP address range. The results can be exported to a CSV file.


Viewing Windows Service Users

The Action > Windows Service Users page displays all the service users you configure. The users might be used by services on the end-user’s computer. The SSO Agent ignores all events whose usernames are in this list.


Adding a User

You can add a user to the service users list by clicking Add in the Add Local User section and adding the name in the Excluded user name pattern field. Local users can include a domain name.

TIP: You can also add Windows service users from SonicOS (see the SonicOS Administration Guide for details).


Viewing and Configuring Service Logon User

The Action > Service Logon User page displays the current service logon user and allows you to configure it. The WMI, NetAPI, and DC Security Log methods require domain administrator privileges. The service should be run with a domain administrator account. You can set up an account name and password on this page.

Starting and Stopping the Windows Service

The Action > Start Service and Action > Stop Service pages provide a way to start and stop the Windows service for the SSO Agent.

Using the Load Test file

The Load Test feature allows you to preload a static set of IP-to-username mappings and static user configuration in a user-defined test file.

The tester can create a file named static.csv in the program installation directory, which by default is C:\Program Files\Dell SonicWALL\SSOAgent. An example static.csv is shown below:

10.0.0.0,user0

10.0.0.1,user1

10.0.0.2,domain\user2

If this file exists, the SSO Agent loads it at service start time and checks and reloads this file every 5 seconds.

You can view the test users and IP addresses in the Action > Users and Hosts screen of the DSC Configuration Tool, in the User Information list.
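
The following Python script is an added example, not part of the Dell guide or the product. It checks an Agent installation directory for a static.csv left over from load testing and parses it in the IP,username format shown above, so that a test file is not left preloading static mappings on a production Agent. The file encoding, the handling of malformed or repeated lines, and all function names are assumptions; the guide documents only the file name, its location, and the sample format.

```python
import ipaddress
from dataclasses import dataclass, field
from pathlib import Path

# File name and default installation directory as given in the guide.
DEFAULT_INSTALL_DIR = Path(r"C:\Program Files\Dell SonicWALL\SSOAgent")
STATIC_FILE_NAME = "static.csv"

# First three lines are the guide's sample; the rest are constructed here
# to exercise the checks (conflicting IP, invalid IP, missing field).
SAMPLE = (
    "10.0.0.0,user0\n"
    "10.0.0.1,user1\n"
    "10.0.0.2,domain\\user2\n"
    "\n"
    "10.0.0.1,user9\n"
    "10.0.0.300,user3\n"
    "user4\n"
)


@dataclass
class Mapping:
    line_no: int
    ip: str
    domain: str  # empty when the entry has no domain\ prefix
    user: str


@dataclass
class AuditResult:
    mappings: list = field(default_factory=list)
    problems: list = field(default_factory=list)  # (line_no, message) tuples


def parse_static_csv(text):
    """Parse 'IP,user' and 'IP,domain\\user' lines; flag everything else."""
    result = AuditResult()
    first_seen = {}  # ip -> (line_no, account) of the first entry for that IP
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line:
            continue
        parts = [p.strip() for p in line.split(",")]
        if len(parts) != 2 or not all(parts):
            result.problems.append((line_no, "expected 'IP,username'"))
            continue
        ip_text, account = parts
        try:
            ip = str(ipaddress.ip_address(ip_text))
        except ValueError:
            result.problems.append((line_no, f"invalid IP address {ip_text!r}"))
            continue
        head, sep, tail = account.partition("\\")
        domain, user = (head, tail) if sep else ("", account)
        if sep and (not domain or not user or "\\" in user):
            result.problems.append((line_no, f"malformed account {account!r}"))
            continue
        if ip in first_seen:
            prev_line, prev_account = first_seen[ip]
            same = prev_account.lower() == account.lower()
            kind = "duplicate" if same else "conflicting"
            result.problems.append(
                (line_no, f"{kind} entry for {ip}, first mapped on line {prev_line}"))
            continue
        first_seen[ip] = (line_no, account)
        result.mappings.append(Mapping(line_no, ip, domain, user))
    return result


def audit_install_dir(install_dir=DEFAULT_INSTALL_DIR):
    """Return None when no static.csv is present, else the parsed AuditResult."""
    path = Path(install_dir) / STATIC_FILE_NAME
    if not path.is_file():
        return None
    # Encoding is an assumption; utf-8-sig also accepts a leading BOM.
    return parse_static_csv(path.read_text(encoding="utf-8-sig", errors="replace"))


def format_report(result):
    """Render the mappings and the flagged lines as a short text report."""
    out = [f"{len(result.mappings)} static mapping(s) found:"]
    for m in result.mappings:
        account = f"{m.domain}\\{m.user}" if m.domain else m.user
        out.append(f"  line {m.line_no}: {m.ip} -> {account}")
    for line_no, message in result.problems:
        out.append(f"  line {line_no}: PROBLEM: {message}")
    return "\n".join(out)


if __name__ == "__main__":
    found = audit_install_dir()
    if found is None:
        print(f"No {STATIC_FILE_NAME} in {DEFAULT_INSTALL_DIR}")
    else:
        print(format_report(found))
    print("Constructed sample:")
    print(format_report(parse_static_csv(SAMPLE)))
```

Run it on the Agent host after testing is complete; any mapping it reports is one the Agent loads at service start and reloads every 5 seconds for as long as the file exists.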

Using the Help Menu

The Help menu in the Directory Connector Configuration Tool has two options:

• Send Feedback

Select Send Feedback to display a popup window in which you can enter feedback about Directory Services Connector and the SSO Agent and send it to the Support team. Fill in the Subject, Email ID (your email address), Name (your name), and Comment fields, and then click Submit.

• About

Select About to display a popup dialog with the installed version number of Directory Services Connector and the SSO Agent.


Part 3


Appendices

• Warranty and Licensing

• About Dell


A

Warranty and Licensing

Topics:

• GNU General Public License (GPL) Source Code on page 49

• Limited Hardware Warranty on page 49

• End User Licensing Agreement on page 50

GNU General Public License (GPL) Source Code

Dell SonicWALL provides a machine-readable copy of the GPL open source on a CD. To obtain a complete machine-readable copy, send your written request, along with a certified check or money order in the amount of US $25.00 payable to “Dell SonicWALL, Inc.” to:

General Public License Source Code Request
Dell SonicWALL, Inc.
Attn: Jennifer Anderson
2001 Logic Drive
San Jose, CA 95124-3452

Limited Hardware Warranty

All Dell SonicWALL appliances come with a 1-year Limited Hardware Warranty that provides delivery of critical replacement parts for defective parts under warranty. In addition, for 90 days from the warranty start date, Dell SonicWALL SRA 4600/1600 appliances are entitled to a Limited Software Warranty that provides bug fixes, updates and any maintenance releases that occur during the coverage term. Visit the Warranty Information page for details on your product’s warranty:

https://support.software.dell.com/essentials/SonicWALL-Support-Offerings#tab=warranty

Dell SonicWALL, Inc. warrants that commencing from the delivery date to Customer (but in any case commencing not more than ninety (90) days after the original shipment by Dell SonicWALL), and continuing for a period of twelve (12) months, that the product will be free from defects in materials and workmanship under normal use. This Limited Warranty is not transferable and applies only to the original end user of the product. Dell SonicWALL and its suppliers' entire liability and Customer's sole and exclusive remedy under this limited warranty will be shipment of a replacement product. At Dell SonicWALL's discretion the replacement product may be of equal or greater functionality and may be of either new or like-new quality. Dell SonicWALL's obligations under this warranty are contingent upon the return of the defective product according to the terms of Dell SonicWALL's then-current Support Services policies.

This warranty does not apply if the product has been subjected to abnormal electrical stress, damaged by accident, abuse, misuse or misapplication, or has been modified without the written permission of Dell SonicWALL.

DISCLAIMER OF WARRANTY. EXCEPT AS SPECIFIED IN THIS WARRANTY, ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS, AND WARRANTIES INCLUDING, WITHOUT LIMITATION, ANY IMPLIED WARRANTY OR CONDITION OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, NONINFRINGEMENT, SATISFACTORY QUALITY OR ARISING FROM A COURSE OF DEALING, LAW, USAGE, OR TRADE PRACTICE, ARE HEREBY EXCLUDED TO THE


MAXIMUM EXTENT ALLOWED BY APPLICABLE LAW. TO THE EXTENT AN IMPLIED WARRANTY CANNOT BE EXCLUDED, SUCH WARRANTY IS LIMITED IN DURATION TO THE WARRANTY PERIOD. BECAUSE SOME STATES OR JURISDICTIONS DO NOT ALLOW LIMITATIONS ON HOW LONG AN IMPLIED WARRANTY LASTS, THE ABOVE LIMITATION MAY NOT APPLY TO YOU. THIS WARRANTY GIVES YOU SPECIFIC LEGAL RIGHTS, AND YOU MAY ALSO HAVE OTHER RIGHTS WHICH VARY FROM JURISDICTION TO JURISDICTION. This disclaimer and exclusion shall apply even if the express warranty set forth above fails of its essential purpose.

DISCLAIMER OF LIABILITY. DELL SONICWALL'S SOLE LIABILITY IS THE SHIPMENT OF A REPLACEMENT PRODUCT AS DESCRIBED IN THE ABOVE LIMITED WARRANTY. IN NO EVENT SHALL DELL SONICWALL OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER, INCLUDING, WITHOUT LIMITATION, DAMAGES FOR LOSS OF PROFITS, BUSINESS INTERRUPTION, LOSS OF INFORMATION, OR OTHER PECUNIARY LOSS ARISING OUT OF THE USE OR INABILITY TO USE THE PRODUCT, OR FOR SPECIAL, INDIRECT, CONSEQUENTIAL, INCIDENTAL, OR PUNITIVE DAMAGES HOWEVER CAUSED AND REGARDLESS OF THE THEORY OF LIABILITY ARISING OUT OF THE USE OF OR INABILITY TO USE HARDWARE OR SOFTWARE EVEN IF DELL SONICWALL OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. In no event shall Dell SonicWALL or its suppliers' liability to Customer, whether in contract, tort (including negligence), or otherwise, exceed the price paid by Customer. The foregoing limitations shall apply even if the above-stated warranty fails of its essential purpose. BECAUSE SOME STATES OR JURISDICTIONS DO NOT ALLOW LIMITATION OR EXCLUSION OF CONSEQUENTIAL OR INCIDENTAL DAMAGES, THE ABOVE LIMITATION MAY NOT APPLY TO YOU.

End User Licensing Agreement

PLEASE READ THIS AGREEMENT CAREFULLY BEFORE USING THE SONICWALL PRODUCT. BY INSTALLING OR USING THE SONICWALL PRODUCT, YOU (AS THE CUSTOMER, OR IF NOT THE CUSTOMER, AS A REPRESENTATIVE/AGENT AUTHORIZED TO BIND THE CUSTOMER) INDICATE ACCEPTANCE OF AND AGREE TO THE TERMS AND CONDITIONS OF THIS AGREEMENT FOR AND ON BEHALF OF THE CUSTOMER. IF YOU DO NOT AGREE TO THE TERMS AND CONDITIONS OF THIS AGREEMENT, THEN DO NOT USE THE PRODUCT AND RETURN IT TO THE PLACE OF PURCHASE WITH PROOF OF PURCHASE WITHIN THIRTY (30) DAYS OF PURCHASE FOR A REFUND. IF YOU DO PROCEED TO INSTALL OR USE THE SONICWALL PRODUCT, YOU WILL HAVE INDICATED ACCEPTANCE AND AGREEMENT WITH THE TERMS AND CONDITIONS HEREIN. NOTWITHSTANDING THE FOREGOING, THIS AGREEMENT SHALL NOT SUPERSEDE ANY OTHER SIGNED AGREEMENT BETWEEN YOU AND SONICWALL THAT EXPRESSLY GOVERNS THE SONICWALL PRODUCT.

“Product” means the SonicWALL labeled hardware and related documentation (“Hardware”) and/or proprietary SonicWALL labeled software, firmware and related documentation (“Software”) purchased by the end user of the product either directly from SonicWALL or a Reseller (“Customer”). “Services” means the Support Services described below and any other services provided with or for the Products directly by SonicWALL or its agents. “Reseller” shall mean those entities to which SonicWALL or SonicWALL’s authorized distributors distribute the Products for resale to end users. Except as otherwise agreed upon by the parties, this Agreement will also cover any updates and upgrades to the Products provided to Customer by SonicWALL directly or through a Reseller (except as may be otherwise indicated, such updates and upgrades shall be deemed Products).

1. LICENSE(S) AND RESTRICTIONS

(a) Licenses. Subject to the terms and conditions of this Agreement, SonicWALL grants to Customer, and Customer accepts from SonicWALL, a nonexclusive, nontransferable (except as otherwise set forth herein) and nonsublicensable license (“License”) to:

(i) execute and use the Software on the Hardware with which the Software is provided (pre-installed) in accordance with the applicable Documentation; and,

(ii) for Software provided in standalone form (without Hardware), install, execute and use the Software on the Hardware or hardware device(s) on which it is intended to be used in accordance with the applicable Documentation and the License purchased. If Customer purchased multiple copies of standalone Software, Customer’s License to such standalone Software includes the right to install, use and execute up to the number of copies of Software Licenses purchased.

In addition, the License includes the right to (x) make a reasonable number of additional copies of the Software to be used solely for non-productive archival purposes, and (y) make and use copies of the end user


documentation for Hardware and/or Software provided with the Products (“Documentation”) as reasonably necessary to support Customer’s authorized users in their use of the Products.

(b) License Limitations. Order acknowledgments, Documentation and/or the particular type of the Products/ Licenses purchased by Customer may specify limits on Customer’s use of the Software, and which limits apply to the License(s) granted hereunder for such Software. Such limits may consist of limiting the term of the License, or the number or amount of nodes, storage space, sessions, calls, users, subscribers, clusters, devices, ports, bandwidth, throughput or other elements, and/or require the purchase of separate Licenses to use or obtain particular features, functionalities, services, applications or other items. Use of the Software shall be subject to all such limitations.

(c) For Customer’s Internal Business. Each License shall be used by Customer solely to manage its own internal business operations as well as the business operations of its Affiliates. Notwithstanding the foregoing, if Customer is in the regular business of providing firewall, VPN or Security management for a fee to entities that are not its Affiliates (“MSP Customers”), Customer may use the Products for its MSP Customers provided that either (i) Customer, and not MSP Customers, maintain control and possession of the Products, or (ii) if MSP Customers have possession and/or control of Products in whole or in part, this Agreement must be provided to MSP Customers and they must agree that their use of the Products is subject to the terms and conditions of this Agreement. Customer agrees to indemnify and hold SonicWALL harmless from and against any claims by MSP Customers against SonicWALL relating to the Products and/or Customer’s services for MSP Customers. “Affiliate” means any legal entity controlling, controlled by, or under common control with a party to this Agreement, but only for so long as such control relationship exists.

(d) Evaluation License. If the Software is provided by SonicWALL or a Reseller at no charge for evaluation purposes, then Section 1(a) above shall not apply to such Software and instead Customer is granted a nonproduction License to use such Software and the associated documentation solely for Customer’s own internal evaluation purposes for an evaluation period of up to thirty (30) days from the date of delivery of the Software, plus any extensions granted by SonicWALL in writing (the “Evaluation Period”). There is no fee for Customer’s use of the Software for nonproduction evaluation purposes during the Evaluation Period, however, Customer is responsible for any applicable shipping charges or taxes which may be incurred, and any fees which may be associated with usage beyond the scope permitted herein. Notwithstanding anything otherwise set forth in this Agreement, Customer understands and agrees that evaluation Software is provided “AS IS” and that SonicWALL does not provide a warranty or maintenance services for evaluation Licenses.

(e) Restrictions. Customer may not (i) modify, translate, localize, adapt, rent, lease, loan, create or prepare derivative works of, or create a patent based on the Software or any part thereof, (ii) make copies except as expressly authorized under this Agreement, (iii) copy the Software onto any public or distributed network, (iv) modify or resell the Software, use the Software in connection with the operation of any nuclear facilities, or use for purposes which are competitive to SonicWALL, or (v) except as expressly authorized in Section 2(c) above, operate the Software for use in any time-sharing, outsourcing, service bureau or application service provider type environment. Unless and except to the extent authorized in the applicable Documentation, Software provided with and/or as the Product, in part or whole, is licensed for use only in accordance with the Documentation as part of the Product: Software components making up a Product may not be separated from, nor used on a separate or standalone basis from the Product. Each permitted copy of the Software and Documentation made by Customer hereunder must contain all titles, trademarks, copyrights and restricted rights notices as in the original. Customer understands and agrees that the Products may work in conjunction with third party products and Customer agrees to be responsible for ensuring that it is properly licensed to use such third party products. Any Software provided in object code form is licensed hereunder only in object code form. Except to the extent allowed by applicable law if located in the European Union, and then only with prior written notice to SonicWALL, Customer shall not disassemble or reverse engineer the Software in whole or in part or authorize others to do so. 
Customer agrees not to use the Software to perform comparisons or other “benchmarking” activities, either alone or in connection with any other software or service, without SonicWALL’s written permission; or publish any such performance information or comparisons.

(f) Third Party Software. There may be certain third party owned software provided along with, or incorporated within, the Products (“Third Party Software”). Except as set forth below, such Third Party Software shall be considered Software governed by the terms and conditions of this Agreement. However, some Products may contain other Third Party Software that is provided with a separate license agreement, in which case such Third Party Software will be governed exclusively by such separate license agreement (“Third Party License”) and not this Agreement. Any such Third Party Software that is governed by a Third Party License, and not this Agreement, will be identified on the applicable Product page on SonicWALL’s website and/or in a file provided with the Product. Except as SonicWALL may otherwise inform Customer in writing, the Third Party License gives Customer at least the license rights granted above, and may provide additional license rights as to the Third


Party Software, but only with respect to the particular Third Party Software to which the Third Party License applies. SUCH THIRD PARTY SOFTWARE UNDER A THIRD PARTY LICENSE IS PROVIDED WITHOUT ANY WARRANTY FROM SONICWALL AND ITS SUPPLIERS, INCLUDING BUT NOT LIMITED TO WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT. Notwithstanding the foregoing, SonicWALL shall honor its warranty, maintenance and support obligations in respect to the SonicWALL Products regardless of whether the warranty, maintenance or support issue is caused in whole or in part by the Third Party Software provided by SonicWALL with the Product.

(g) Updates/Upgrades. If Customer purchases or otherwise is eligible to receive a SOFTWARE update or upgrade, you must be properly licensed to use the Product identified by SonicWALL as being eligible for the update/ upgrade in order to install and use the SOFTWARE update/ upgrade. A SOFTWARE update/ upgrade replaces and/or supplements the Software Product that formed the basis for your eligibility for the update/upgrade, and does not provide you an additional License (copy) of the Software to use separately from the Software Product to be updated/ upgraded. You may use the resulting updated/upgraded Product only in accordance with the terms of this Agreement.

(h) Activation Keys May Expire. Certain Products, including Security Services that provide regular ongoing updates for Software (e.g., Security Service consisting of anti-virus signature updates), may come with an activation key or license key (a key that must be entered to activate the Product, “Activation Key”). If the Activation Key for a Product is not activated within five (5) years from the date of issuance by SonicWALL, such Activation Key(s) may expire and no longer activate the Product. Products that come with an expiring Activation Key will operate for the contracted term of the License (or purchased Security Service), so long as the Activation Key is activated within five (5) years from SonicWALL’s date of issuance.

2. OWNERSHIP

SonicWALL and its licensors are the sole and exclusive owners of the Software, and all underlying intellectual property rights in the Hardware. All rights not expressly granted to Customer are reserved by SonicWALL and its licensors.

3. TERMINATION OF LICENSE(S)

All licenses to the Software hereunder shall terminate if Customer fails to comply with any of the provisions of this Agreement and does not remedy such breach within thirty (30) days after receiving written notice from SonicWALL. Customer agrees upon termination to immediately cease using the Software and to destroy all copies of the Software which may have been provided or created hereunder.

4. SUPPORT SERVICES

SonicWALL’s current Support Service offerings (“Support Services”) and the terms and conditions applicable to such Support Services are set forth in SonicWALL’s Support Services Terms located at https://support.software.dell.com/essentials/SonicWALL-Support-Offerings and are incorporated herein by reference. Support Services may require an additional fee. Unless otherwise agreed to in writing, SonicWALL’s Support Services are subject to SonicWALL’s Support Services Terms which are in effect at the time the Support Services are purchased by Customer, and these terms and conditions will be incorporated herein by reference at that time. SonicWALL reserves the right to change the Support Services Terms from time to time by posting such changes on its website, which shall apply to any Support Services purchased on or after the date of such posting.

5. SONICWALL WARRANTY

(a) Warranty. SonicWALL warrants to Customer (original purchaser Customer only) that for the applicable warranty period (“Warranty Period”) the Hardware will be free from any material defects in materials or workmanship and the Software, if any, will substantially conform to the Documentation applicable to the Software and the License purchased (“Limited Warranty”). Except as may be indicated otherwise in writing by SonicWALL, the Warranty Period for Hardware is one year from the date of registration of the Hardware Product (or if sooner, seven days after initial delivery of the Hardware Product to Customer), and the applicable warranty period for Software is ninety days from the date of registration of the Software Product (or if sooner,


seven days after initial delivery/download) of the Software Product to/by Customer. SonicWALL does not warrant that use of the Product(s) will be uninterrupted or error free nor that SonicWALL will correct all errors. The Limited Warranty shall not apply to any non-conformance (i) that SonicWALL cannot recreate after exercising commercially reasonable efforts to attempt to do so; (ii) caused by misuse of the Product or by using the Product in a manner that is inconsistent with this Agreement or the Documentation; (iii) arising from the modification of the Products by anyone other than SonicWALL; or (iv) caused by any problem or error in third party software or hardware not provided by SonicWALL with the Product regardless of whether or not the SonicWALL Product is designed to operate with such third party software or hardware. SonicWALL's sole obligation and Customer's sole and exclusive remedy under any express or implied warranties hereunder shall be for SonicWALL to use commercially reasonable efforts to provide error corrections and/or, if applicable, repair or replace parts in accordance with SonicWALL’s Support Services Terms. Customer shall have no rights or remedies under this Limited Warranty unless SonicWALL receives Customer’s detailed written warranty claim within the applicable warranty period.

(b) Disclaimer. EXCEPT FOR THE EXPRESS WARRANTIES SET FORTH ABOVE, TO MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW SONICWALL HEREBY DISCLAIMS ON BEHALF OF ITSELF, ITS SUPPLIERS, DISTRIBUTORS AND RESELLERS ALL WARRANTIES, EXPRESS, STATUTORY AND IMPLIED, APPLICABLE TO THE PRODUCTS, SERVICES AND/OR THE SUBJECT MATTER OF THIS AGREEMENT, INCLUDING, BUT NOT LIMITED TO, ANY WARRANTY OF MERCHANTABILITY, NON-INFRINGEMENT OR FITNESS FOR A PARTICULAR PURPOSE.

6. LIMITATION OF LIABILITY

The Products are not designed, manufactured, authorized or warranted to be suitable for use in any system where a failure of such system could result in a situation that threatens the safety of human life, including without limitation any such medical, life support, aviation or nuclear applications. Any such use and subsequent liabilities that may arise from such use are totally the responsibility of Customer, and all liability of SonicWALL, whether in contract, tort (including without limitation negligence) or otherwise in relation to the same is excluded. Customer shall be responsible for mirroring its data, for backing it up frequently and regularly, and for taking all reasonable precautions to prevent data loss or corruption. SonicWALL shall not be responsible for any system downtime, loss or corruption of data or loss of production. NOTWITHSTANDING ANYTHING ELSE IN THIS AGREEMENT OR OTHERWISE, TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, IN NO EVENT SHALL SONICWALL, ITS SUPPLIERS, DISTRIBUTORS OR RESELLERS BE LIABLE FOR ANY INDIRECT, INCIDENTAL, PUNITIVE OR CONSEQUENTIAL DAMAGES, LOST OR CORRUPTED DATA, LOST PROFITS OR SAVINGS, LOSS OF BUSINESS OR OTHER ECONOMIC LOSS OR COSTS OF PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES, ARISING OUT OF OR RELATED TO THIS AGREEMENT, THE PRODUCTS OR THE SERVICES, WHETHER OR NOT BASED ON TORT, CONTRACT, STRICT LIABILITY OR ANY OTHER LEGAL THEORY AND WHETHER OR NOT SONICWALL HAS BEEN ADVISED OR KNEW OF THE POSSIBILITY OF SUCH DAMAGES.
TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, SONICWALL'S MAXIMUM LIABILITY TO CUSTOMER ARISING FROM OR RELATING TO THIS AGREEMENT SHALL BE LIMITED TO THE AMOUNTS RECEIVED BY SONICWALL FOR THE PRODUCTS AND THE SERVICES PURCHASED BY CUSTOMER, PROVIDED THAT WHERE ANY CLAIM AGAINST SONICWALL RELATES TO PARTICULAR PRODUCT AND/OR SERVICES, SONICWALL’S MAXIMUM LIABILITY SHALL BE LIMITED TO THE AGGREGATE AMOUNT RECEIVED BY SONICWALL IN RESPECT OF THE PRODUCTS AND/OR SERVICES PURCHASED BY CUSTOMER AFFECTED BY THE MATTER GIVING RISE TO THE CLAIM. (FOR MAINTENANCE SERVICES OR A PRODUCT SUBJECT TO RECURRING FEES, THE LIABILITY SHALL NOT EXCEED THE AMOUNT RECEIVED BY SONICWALL FOR SUCH MAINTENANCE SERVICE OR PRODUCT PURCHASED BY CUSTOMER DURING THE TWELVE (12) MONTHS PRECEDING THE CLAIM). CUSTOMER EXPRESSLY AGREES TO THE ALLOCATION OF LIABILITY SET FORTH IN THIS SECTION, AND ACKNOWLEDGES THAT WITHOUT ITS AGREEMENT TO THESE LIMITATIONS, THE PRICES CHARGED FOR THE PRODUCTS AND SERVICES WOULD BE HIGHER.

7. GOVERNMENT RESTRICTIONS

Customer agrees that it will not export or re-export the Products without SonicWALL's prior written consent, and then only in compliance with all requirements of applicable law, including but not limited to U.S. export control regulations. Customer has the responsibility to obtain any required licenses to export, re-export or import the Products. Customer shall defend, indemnify and hold SonicWALL and its suppliers harmless from any claims arising out of Customer’s violation of any export control laws relating to any exporting of the Products. By accepting this Agreement and receiving the Products, Customer confirms that it and its employees and agents who may access the Products are not listed on any governmental export exclusion lists and will not export or re-export the Products to any country embargoed by the U.S. or to any specially denied national (SDN) or denied entity identified by the U.S. Applicable export restrictions and exclusions are available at the official web site of the U.S. Department of Commerce Bureau of Industry and Security (www.bis.doc.gov). For purchase by U.S. governmental entities, the technical data and computer software in the Products are commercial technical data and commercial computer software as subject to FAR Sections 12.211, 12.212, 27.405-3 and DFARS Section 227.7202. The rights to use the Products and the underlying commercial technical data and computer software are limited to those rights customarily provided to the public purchasers as set forth in this Agreement. The Software and accompanying Documentation are deemed to be “commercial computer software” and “commercial computer software documentation,” respectively, pursuant to DFAR Section 227.7202 and FAR Section 12.212, as applicable. Any use, modification, reproduction, release, performance, display or disclosure of the Software and accompanying Documentation by the United States Government shall be governed solely by the terms of this Agreement and shall be prohibited except to the extent expressly permitted by the terms of this Agreement.

8. GENERAL

a) Governing Law and Venue. This Agreement shall be governed by and construed in accordance with the laws of the State of California, without giving effect to any conflict of laws principles that would require the application of laws of a different state. The parties agree that neither the United Nations Convention on Contracts for the International Sale of Goods, nor the Uniform Computer Information Transaction Act (UCITA) shall apply to this Agreement, regardless of the states in which the parties do business or are incorporated. Any action seeking enforcement of this Agreement or any provision hereof shall be brought exclusively in the state or federal courts located in the County of Santa Clara, State of California, United States of America. Each party hereby agrees to submit to the jurisdiction of such courts. Notwithstanding the foregoing, SonicWALL is entitled to seek immediate injunctive relief in any jurisdiction in the event of any alleged breach of Section 1 and/or to otherwise protect its intellectual property.

b) Assignment. Except as otherwise set forth herein, Customer shall not, in whole or part, assign or transfer any part of this Agreement or any rights hereunder without the prior written consent of SonicWALL. Any attempted transfer or assignment by Customer that is not permitted by this Agreement shall be null and void. Any transfer/assignment of a License that is permitted hereunder shall require the assignment/transfer of all copies of the applicable Software along with a copy of this Agreement, the assignee must agree to all terms and conditions of this Agreement as a condition of the assignment/transfer, and the License(s) held by the transferor Customer shall terminate upon any such transfer/assignment.

c) Severability. If any provision of this Agreement shall be held by a court of competent jurisdiction to be contrary to law, such provision will be enforced to the maximum extent permissible and the remaining provisions of this Agreement will remain in full force and effect.

d) Privacy Policy. Customer hereby acknowledges and agrees that SonicWALL’s performance of this Agreement may require SonicWALL to process or store personal data of Customer, its employees and Affiliates, and to transmit such data within SonicWALL or to SonicWALL Affiliates, partners and/or agents. Such processing, storage, and transmission may be used for the purpose of enabling SonicWALL to perform its obligations under this Agreement, and as described in SonicWALL’s Privacy Policy (http://www.sonicwall.com/us/en/Privacy-Policy.html, “Privacy Policy”) and may take place in any of the countries in which SonicWALL and its Affiliates conduct business, including countries outside of the European Economic Area. SonicWALL reserves the right to change the Privacy Policy from time to time as described in the Privacy Policy.

e) Notices. All notices provided hereunder shall be in writing, delivered personally, or sent by internationally recognized express courier service (e.g., Federal Express), addressed to the legal department of the respective party or to such other address as may be specified in writing by either of the parties to the other in accordance with this Section.

f) Disclosure of Customer Status. SonicWALL may include Customer in its listing of customers and, upon written consent by Customer, announce Customer's selection of SonicWALL in its marketing communications.

g) Waiver. Performance of any obligation required by a party hereunder may be waived only by a written waiver signed by an authorized representative of the other party, which waiver shall be effective only with respect to the specific obligation described therein. Any waiver or failure to enforce any provision of this Agreement on one occasion will not be deemed a waiver of any other provision or of such provision on any other occasion.

h) Force Majeure. Each party will be excused from performance for any period during which, and to the extent that, it is prevented from performing any obligation or service as a result of causes beyond its reasonable control, and without its fault or negligence, including without limitation, acts of God, strikes, lockouts, riots, acts of war, epidemics, communication line failures, and power failures.

i) Audit. Customer shall maintain accurate records to verify compliance with this Agreement. Upon request by SonicWALL, Customer shall furnish (a copy of) such records to SonicWALL and certify its compliance with this Agreement.

j) Headings. Headings in this Agreement are for convenience only and do not affect the meaning or interpretation of this Agreement. This Agreement will not be construed either in favor of or against one party or the other, but rather in accordance with its fair meaning. When the term “including” is used in this Agreement it will be construed in each case to mean “including, but not limited to.”

k) Entire Agreement. This Agreement is intended by the parties as a final expression of their agreement with respect to the subject matter hereof and may not be contradicted by evidence of any prior or contemporaneous agreement unless such agreement is signed by both parties. In the absence of such an agreement, this Agreement shall constitute the complete and exclusive statement of the terms and conditions and no extrinsic evidence whatsoever may be introduced in any judicial proceeding that may involve the Agreement. This Agreement represents the complete agreement and understanding of the parties with respect to the subject matter herein. This Agreement may be modified only through a written instrument signed by both parties.

About Dell

Dell listens to customers and delivers worldwide innovative technology, business solutions and services they trust and value. For more information, visit www.software.dell.com.

Contacting Dell

Technical support: Online support

Product questions and sales: (800) 306-9329

Email: [email protected]

Technical Support Resources

Technical support is available to customers who have purchased Dell software with a valid maintenance contract and to customers who have trial versions.

The Support Portal provides self-help tools you can use to solve problems quickly and independently, 24 hours a day, 365 days a year. In addition, the portal provides direct access to product support engineers through an online Service Request system. To access the Support Portal, go to https://support.sonicwall.com/.

The site enables you to:

• Create, update, and manage Service Requests (cases)

• View Knowledge Base articles

• Obtain product notifications

• Download software. For trial software, go to Trial Downloads.

• View how-to videos

• Engage in community discussions
