Knowledge Base

USG Single Sign-On Installation Guide - Part 1


1            Requirement for Domain Controller, Domain workstation

1.1       Requirement for Domain Controller(DC)

Ø  Operating System

²  Windows Server 2008 Enterprise Edition (32/64)

²  Windows Server 2008 R2 (64)

²  Windows Server 2012 Standard (64)

Ø  Support Power Shell for Group Policy Object command and power shell Command


1.2       Requirement for Domain Workstation(Workstation)

Ø  Operating System

²  Windows 7 Pro (32/64)

²  Windows Server 2008 Enterprise Edition (32/64)

²  Windows Server 2008 R2 (64)

²  Windows Server 2012 Standard (64)

Ø  Support Power Shell Command


1.3       Common requirement

Ø  Microsoft Visual C++ 2010 Redistributable Package

Ø  Microsoft .NET Framework 4

1.       Create GPO for Firewall

2.       Set client’s administrator permission for SSO Agent User

3.       Reboot workstation computer (to apply new firewall rule on workstation)


2            Scenario 1: Installation SSO Agent on Domain Controller

Note: this scenario is for the domain with only one domain controller.

          If you have 2 domain controllers, then go for scenario 2.




2.1       Preparing for Installation

2.1.1   Prepare package of SSO Agent into your hard disk

 - Copy the ZIP package file to your domain controller and extract to local file folder


2.1.2  Install .NET Framework v4.0.30319 or above

 - Double-click /SSOAgent_Install_package/DotNetFX40/dotNetFx40_Full_x86_x64.exe to install


2.1.3  Create a domain account for SSO Agent service

 - It’s recommend to use another domain account instead of domain administrator to run the SSO

  Agent service

 - Using Active Directory Users and Computers tool to create a new domain account, for example

  “ssoadmin”, and join this account to Domain Admins group.


2.2       Install SSO Agent on domain controller


-        Double click the install file : SSOAgentInstaller.exe

-        A windows for unzip package will be display for a while and after that Dialog Welcome of installer will be displayed immediately.

When run installer, there are some files for install are displayed in folder of package SSO Agent. These files will be removed when finish install.

-         Click [Next], Dialog Select folder setup will be displayed:

Select folder or setup with default location, then click Next

Select install SSO Agent on DC in this scenario, then click Next.

-  Then click Next to confirm start to install.         

  • Click [Next], and wait process setup running.

  • After a while, a “Set SSO Agent Service” dialog window will pop-up.

Please enter the Domain\Username and password of the domain account that created in step 2.1.3.

Then click OK to continue.

  • When installation finish, Dialog notify setup will be displayed with option choose default run application immediately.

Click Close to finish Install SSO Agent. After install application successfully, Tray Icon of application will be pin to task bar.

3. Configuration SSO Agent

  • Click on “Configure ZyXEL SSO Agent”

You will see the “Agent Configuration Page” window

Under General Setting, click “Configure LDAP/AD server” to configure the LDAP query to get

  group information of user from Active Directory.

Under Gateway Settings, click “Add” to configure the IP address of your USG and the Pre-Share


Go back to “Agent Configuration Page” window, please remember to active the gateway entry.

   Then click OK to save configuration.


4            Enable/Disable Service

- Right click on icon of SSO Agent Application, one popup menu will appear

4.1       Enable Service

To enable Service, user clicks on “Enable ZyXEL SSO Agent”

  • When Service is started successfully, one popup will appear

5            Setup Active Directory Group Policy For Domain Clients

Notice: User on SSO Agent Computer must have local Administrator permission

5.1       Setup for Query Client

5.1.1  Create GPO for deploy firewall rules to all domain clients

- Create GPO for Domain name (sample: domain name is “”, right click on

 “SSO.AGENT.COM” and click to “Create a GPO in this domain and Link it here”

Enter name of the GPO, for example “Deploy Firewall Rules”


5.1.2  Create firewall rules in GPO

- Right click on the GPO rule created in step 6.1.1, then click Edit

-        Configure firewall rule for ICMP echo

Ø  On the left side tree panel, select Computer Configuration => Polices => Administrative Templates => Network => Network Connections => Windows Firewall => Domain Profile

Double click on “Windows Firewall: Allow ICMP exceptions”

Click “Enable” and then check “Allow inbound echo request” option, finally click button [OK]

-        Configure firewall rule for remote WMI

Ø  Computer Configuration => Policies => Windows Settings => Security Settings => Windows Firewall with advanced Security

Right click on Inbound Rules, then click New Rule…

Select “Predefined” rule type, and select “Windows Management Instrumentation (WMI)” from the list. Click Next.

  • Select all rule, then Next.

  • Select “Allow the connection”, then Finish.

6. Setup USG SSO authentication

6.1 Configure SSO

- Go to CONFIGURATION > Web Authentication > SSO

- Agent PreShareKey: Enter Agent PreShareKey (same as configured on SSO


- Primary Agent Address: Enter IP address of the SSO Agent computer

- Primary Agent Port: 2158 (default is 2158, be same as configured on SSO Agent)

6.2       Configure Authentication Policy

- Go to CONFIGURATION > Web Authentication

- Add authentication policy,

 Source address: Select a source address or address group for whom this policy


 Destination address: Select a destination address or address group for whom this

                policy applies.

 Authentication: Select “required”

 Single Sign-on: Select to authenticated by SSO

 Force User Authentication: Select to authenticated by redirect to login page


 Note: If you enable this with SSO enabled, then any client that hasn’t 

 Login Active Directory domain, will be redirect to login page.


7        Single Sign-On test

7.1       Open SSO Agent Log

- Right click on icon on system tray and select “Log”

7. 2       Login Domain

- On clients laptop, login with domain account

- Check SSO Agent log, it show user login successful and Send information to GW (USG) successful

Open browser or application on client laptop (to trigger traffic to pass USG)


- Check login users information on USG

7. 3 Check SSO query client

- Force logout user via USG GUI

- Open browser or application on client laptop (to trigger traffic to pass USG)


- Check SSO Agent log, it show query client successful and Send information to

  GW (USG) successful


Please leave your comment:


Question Profile

TYPE:Application / Configuration Example
FIRMWARE:4.62 and above
MODEL:ATP100,ATP100W,ATP200 (view more model name)

Still have trouble with your device? Contact Zyxel technology support team directly!

Contact Zyxel Support