Athena SWG (Secure Web Gateway)

Athena SWG (formerly Internet Access Gateway) ensures visibility and control across the network, detecting risks like unauthorized access, non-compliant activities, and data leaks to manage endpoints.
13.0.120

POP3 SSO Configuration

Updated: 2025-12-29

A customer's network includes a mail server, and user information is stored on a POP3 server. Before accessing the Internet, users log in to the POP3 server with a client such as Outlook or Foxmail to send or receive mail. When the device detects this login information in monitoring mode, it identifies and authenticates the users, so they do not need to enter usernames and passwords again. This applies whether the POP3 server is deployed inside or outside the intranet. The POP3 SSO configurations for these two deployment modes are described as follows:

Scenario 1: POP3 server deployed in the intranet

The data flow is as follows:

  1. A user uses a mail client to communicate with the POP3 server, and the device monitors the communication.
  2. When the mail client logs in to the POP3 server, the device authenticates the user so that the user does not need to enter a password again to access the Internet.
  3. Because data is exchanged in the intranet, the data for logging in to the POP3 server does not pass through the device. Therefore, a listening port must be configured on the device.
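
How monitoring can turn an observed POP3 login into a user-to-IP binding, as an added example (not Athena SWG code; the device's actual logic is not documented on this page). It assumes reassembled plaintext POP3 lines per RFC 1939 and a constructed traffic sample; `sso_bindings`, `SAMPLE` and `SERVERS` are hypothetical names.

```python
# Added illustration; not Athena SWG code. Assumes TCP reassembly is already done,
# so each observed payload is one complete POP3 line (RFC 1939).

# Constructed sample of mirrored traffic: (src_ip, src_port, dst_ip, dst_port, payload).
SAMPLE = [
    ("10.0.0.21", 50112, "10.0.0.5", 110, b"USER alice\r\n"),
    ("10.0.0.5", 110, "10.0.0.21", 50112, b"+OK\r\n"),
    ("10.0.0.21", 50112, "10.0.0.5", 110, b"PASS example-only\r\n"),
    ("10.0.0.5", 110, "10.0.0.21", 50112, b"+OK maildrop ready\r\n"),
    ("10.0.0.22", 50200, "10.0.0.5", 110, b"USER bob\r\n"),
    ("10.0.0.5", 110, "10.0.0.22", 50200, b"+OK\r\n"),
    ("10.0.0.22", 50200, "10.0.0.5", 110, b"PASS example-only\r\n"),
    ("10.0.0.5", 110, "10.0.0.22", 50200, b"-ERR invalid password\r\n"),
    ("10.0.0.23", 50300, "10.0.0.5", 110, b"STLS\r\n"),
    ("10.0.0.5", 110, "10.0.0.23", 50300, b"+OK begin TLS\r\n"),
    ("10.0.0.23", 50300, "10.0.0.5", 110, b"\x16\x03\x01\x02\x00"),
    ("10.0.0.24", 50400, "192.0.2.9", 110, b"USER carol\r\n"),
]
SERVERS = {("10.0.0.5", 110)}  # stands in for the POP3 server address list

def sso_bindings(segments, servers):
    """Return {client_ip: username} for logins the listed servers accepted."""
    pending, opaque, bindings = {}, set(), {}
    for src, sport, dst, dport, payload in segments:
        to_server = (dst, dport) in servers
        if not to_server and (src, sport) not in servers:
            continue  # traffic for a server that is not in the list
        flow = (src, sport, dst, dport) if to_server else (dst, dport, src, sport)
        if flow in opaque:
            continue  # TLS after STLS: the login is not visible to a monitor
        line = payload.decode("latin-1").strip()
        if to_server:
            verb, _, arg = line.partition(" ")
            verb = verb.upper()
            if verb == "STLS":
                opaque.add(flow)
            elif verb == "USER" and arg:
                pending[flow] = {"user": arg, "pass_sent": False}
            elif verb == "PASS" and flow in pending:
                pending[flow]["pass_sent"] = True  # the password itself is not kept
        elif flow in pending and pending[flow]["pass_sent"]:
            attempt = pending.pop(flow)  # the reply to PASS ends this attempt
            if line.startswith("+OK"):
                bindings[flow[0]] = attempt["user"]
    return bindings

if __name__ == "__main__":
    print(sso_bindings(SAMPLE, SERVERS))
```

In this sketch a rejected login, a session that upgrades with STLS, and a server missing from the address list all yield no binding.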

The procedure is as follows:

Step 1. Set the authentication policy. Navigate to Access Mgt > Authentication > Web Authentication > Authentication Policy and click Add to set the authentication policy according to the IP or MAC addresses of the users who require SSO.

Step 2. Navigate to Access Mgt > Authentication > Web Authentication > Single Sign-On(SSO) > POP3, and tick Enable POP3 SSO.

In POP3 Server Address List, enter the IP address and listening port of the POP3 server. For multiple POP3 servers, enter one IP address and port number in each row. Set the port numbers to those for POP3 authentication (default: TCP 110). See the following figure.

Step 3. In this example, if the login data does not pass through the device, set a mirroring port on the device and connect it to the mirroring port on the switch that forwards the login data packets. Click Others, and set the mirroring port. The mirroring port must be an available interface that is not in use.

Step 4. The PC receives mail using the mail client. After successful POP3 server login, it can access the Internet.

Scenario 2: POP3 server deployed outside the intranet

The data flow is as follows:

  1. The packets of a PC logging in to the POP3 server pass through the device.
  2. The intranet interface of the device is used as a listening port. No additional listening port is required.

The procedure is as follows:

Step 1. Set the authentication policy. Navigate to Access Mgt > Authentication > Web Authentication > Authentication Policy and click Add to set the authentication policy according to the IP or MAC addresses of the users who require SSO.

Step 2. Navigate to Access Mgt > Authentication > Web Authentication > Single Sign-On(SSO) > POP3, and tick Enable POP3 SSO.

In POP3 Servers, enter the IP address and listening port of the POP3 server. For multiple POP3 servers, enter one IP address and port number in each row. Set the port numbers to those for POP3 authentication (default: TCP 110). See the following figure.

Step 3. The PC sends and receives mail using the mail client. After successful POP3 server login, it can access the Internet.

If the POP3 server is in the IAG WAN, users must access the POP3 server before being authenticated.

To allow them to access the POP3 server, do as follows:

Choose Authentication Policy > Action > Advanced, select Before authentication added to the group, and set a group.

Configure the Internet access permissions of this group to include the IP address and port number of the POP3 server.