Athena SWG (Secure Web Gateway)

Athena SWG (formerly Internet Access Gateway) ensures visibility and control across the network, detecting risks like unauthorized access, non-compliant activities, and data leaks to manage endpoints.
Version 13.0.120

SSO Implemented in Monitoring Mode

Update time: 2025-12-29

In this mode, the IAG intercepts the traffic exchanged between a PC and the domain server when the PC logs in to the domain, and extracts the login information from that traffic, thereby implementing SSO. No component needs to be installed on the domain server, but the domain login traffic of intranet PCs must reach the device: either it passes through the device, or it is mirrored to a listening port on the device. The device captures the login information by listening on UDP port 88. After the user logs in to the domain successfully, the user can access the Internet directly without being authenticated by the device again. This mode applies both when the domain server is deployed on the intranet and when it is deployed outside the intranet. The SSO configuration for each of these two deployment modes is described below:

Scenario 1: Domain server deployed on the intranet.

The data flow is as follows:

  1. The domain login traffic of a PC is not forwarded through the IAG; it is forwarded within the intranet.
  2. A mirroring port is configured on the switch to mirror the PC's domain login traffic to the IAG.
  3. If the user logs in to the domain successfully, the device authenticates the user automatically.

The procedure is as follows:

Step 1. Navigate to Access Mgt > Authentication > Web Authentication > Auth Server and configure the AD domain server used for authentication.

Step 2. Set the authentication policy. Navigate to Access Mgt > Authentication > Web Authentication > Authentication Policy and click Add to create an authentication policy that matches the IP or MAC addresses of the users who require SSO.

Step 3. Enable SSO on the device and set the IP address of the domain server. Navigate to Access Mgt > Authentication > Web Authentication > Single Sign-On (SSO) > MS AD Domain and perform the configuration.

Select Enable Domain SSO.

Select Obtain login profile by monitoring the data of the computer logging into the domain. Enter the domain server's IP address and listening port under Domain Controllers. If there are multiple domain servers, enter each server's IP address and listening port on a separate line. See the following figure.

Step 4. Because the domain login traffic of the intranet does not pass through the device, you must set a mirroring port on the device and connect it to the mirroring port of the switch that forwards the login traffic. Click Others and set the device's mirroring port. The mirroring port must be an available interface that is not otherwise in use.

Step 5. Log in to the domain on a computer. If the login succeeds, you can access the Internet.

Scenario 2: Domain server deployed outside the intranet.

The data flow is as follows:

  1. The domain login packets of a PC pass through the device.
  2. The intranet interface of the device serves as the listening port. No additional listening port is required.

The procedure is as follows:

Step 1. Navigate to Access Mgt > Authentication > Web Authentication > Auth Server and configure the AD domain server used for authentication.

Step 2. Set the authentication policy. Navigate to Access Mgt > Authentication > Web Authentication > Authentication Policy and click Add to create an authentication policy that matches the IP or MAC addresses of the users who require SSO.

Because the LDAP server is not located on the intranet side of the device, access to the domain server must be allowed before user authentication takes place. Choose Authentication Policy > Action > Advanced > Before authentication, added to group, set the group that users are placed in before authentication, and configure the Internet access policy to allow this group to access the domain server.

Step 3. Enable SSO on the device and set the IP address of the domain server. Navigate to Access Mgt > Authentication > Web Authentication > Single Sign-On (SSO) > MS AD Domain and perform the configuration.

Select Enable Domain SSO.

Select Obtain login profile by monitoring the data of the computer logging into the domain. Enter the domain server's IP address and listening port under Domain Controllers. If there are multiple domain servers, enter each server's IP address and listening port on a separate line.

Step 4. Log in to the domain on a computer. If the login succeeds, you can access the Internet.

In monitoring mode, only the user login information is captured; logout traffic is not, so the device never learns that a user has logged out. As a result, a PC may already have logged out of the domain while the user still appears in the device's online user list.
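To make concrete what "obtaining login information" from the traffic on UDP port 88 involves, and why the logout caveat above follows from it, here is an added example that is not Sangfor product code: UDP port 88 carries Kerberos, and a domain login begins with an AS-REQ whose cname and realm identify the user, so a listener only has to decode that one message and bind the principal to the packet's source IP. The DER walker, the sample datagram, the user "jdoe", the realm "CORP.EXAMPLE" and the IP address are all constructed for this example; nothing in it is taken from a real capture or from the product.

```python
from typing import Dict, Iterator, Tuple

def der_tlv(data: bytes, pos: int = 0) -> Tuple[int, bytes, int]:
    """One DER TLV at pos -> (tag, value, next pos); handles long-form lengths."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:                                      # long form: low bits = byte count of the length
        length, pos = int.from_bytes(data[pos:pos + (length & 0x7F)], "big"), pos + (length & 0x7F)
    return tag, data[pos:pos + length], pos + length

def der_children(value: bytes) -> Iterator[Tuple[int, bytes]]:
    pos = 0
    while pos < len(value):                                # walk the TLVs packed inside a SEQUENCE value
        tag, inner, pos = der_tlv(value, pos)
        yield tag, inner

def ctx(value: bytes, n: int) -> bytes:
    """Inner value of context-specific tag [n] (tag byte 0xA0 | n); StopIteration if absent."""
    return next(inner for tag, inner in der_children(value) if tag == 0xA0 | n)

def parse_as_req(datagram: bytes) -> Tuple[str, str]:
    """Return (principal, realm) from an AS-REQ; rejects TGS-REQ, KDC replies and junk."""
    tag, kdc_req, _ = der_tlv(datagram)
    if tag != 0x6A:                                        # AS-REQ ::= [APPLICATION 10] KDC-REQ
        raise ValueError("not an AS-REQ")
    body = der_tlv(ctx(der_tlv(kdc_req)[1], 4))[1]         # KDC-REQ SEQUENCE -> req-body [4]
    names = der_tlv(ctx(der_tlv(ctx(body, 1))[1], 1))[1]   # cname [1] -> name-string [1]
    user = "/".join(s.decode() for _, s in der_children(names))
    return user, der_tlv(ctx(body, 2))[1].decode()         # realm [2]

def learn_login(table: Dict[str, str], src_ip: str, datagram: bytes) -> Dict[str, str]:
    """Bind source IP -> principal. A logout is never seen on the wire, so entries must be aged out separately."""
    user, realm = parse_as_req(datagram)
    table[src_ip] = f"{realm}\\{user}"
    return table

# Constructed sample datagram (not a real capture), built with a minimal short-form DER encoder.
def der(tag: int, *parts: bytes) -> bytes:
    value = b"".join(parts)
    assert len(value) < 128, "sample encoder supports short-form lengths only"
    return bytes([tag, len(value)]) + value

def sample_as_req(user: str = "jdoe", realm: str = "CORP.EXAMPLE") -> bytes:
    gs = lambda s: der(0x1B, s.encode())                   # KerberosString is a GeneralString
    cname = der(0x30, der(0xA0, der(0x02, b"\x01")), der(0xA1, der(0x30, gs(user))))
    sname = der(0x30, der(0xA0, der(0x02, b"\x02")), der(0xA1, der(0x30, gs("krbtgt"), gs(realm))))
    body = der(0x30, der(0xA0, der(0x03, b"\x00\x40\x81\x00\x10")), der(0xA1, cname),   # kdc-options, cname
               der(0xA2, gs(realm)), der(0xA3, sname), der(0xA5, der(0x18, b"20370913024805Z")),  # realm, sname, till
               der(0xA7, der(0x02, b"\x07")), der(0xA8, der(0x30, der(0x02, b"\x12"))))  # nonce, etype
    return der(0x6A, der(0x30, der(0xA1, der(0x02, b"\x05")), der(0xA2, der(0x02, b"\x0a")), der(0xA4, body)))
```

Only AS-REQ messages are decoded; there is no Kerberos message for a workstation logoff, which is exactly why the online-user table built by learn_login can only be cleaned up by a timeout.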