The configuration below is for the Ruijie SAM system. The screenshots that follow are in Chinese.
Ruijie SAM is a broadband authentication and charging management system commonly used by colleges and level-2 carriers. Before accessing the Internet, a user must be authenticated by Ruijie SAM. After a user logs in to or logs out of Ruijie SAM, the user is logged in to or logged out of the IAG automatically. See the following figure.
The data flow is as follows:
- A PC logs in to or logs out of Ruijie SAM.
- Ruijie SAM's database server notifies the IAG of user login or logout to implement SSO.
The procedure is as follows:
Step 1. Set the authentication policy. Navigate to Access Mgt > Authentication > Web Authentication > Authentication Policy and click Add. Set the authentication policy according to the IP or MAC addresses of the users who require SSO.
Step 2. Choose Access Mgt > Authentication > Web Authentication > Single Sign On SSO > Third-Party Server and perform the configuration. Select Ruijie SAM system and configure the shared key. See the following figure.
Step 3. Download the Ruijie SAM SSO program from the device and configure the Ruijie SAM database server to send user authentication information to the IAG after a user logs in to Ruijie SAM through a PC.
The following provides an example to describe how to configure the database server SQL Server 2005 of Ruijie SAM.
- Click Click Here to Download under Ruijie SAM system to download rjsam.zip (which contains logon.exe and the trigger SQL scripts) to the server. After the file is decompressed, the content shown in the following figure is obtained.
- Copy logon.exe, which the triggers call, to the related directory on the server.
- The 2005 directory stores the trigger SQL statements customized for SQL Server 2005. Take logon_trigger.sql as an example: open the file, copy all its content into the query manager of the SQL Server, and modify the following configuration items in the content as required (the same applies to logout_trigger.sql and update_trigger.sql):
- The three triggers above call the xp_cmdshell command of the master database, which SQL Server 2005 disables by default. Therefore, you must run xp_cmdshell.sql to allow the command to be called: in SQL Server 2005 Management Studio, open the file and click Run. See the following figure.
[346]
- Access SQL Server 2005 Management Studio and locate SAMDB.
- Locate the ONLINE_USER table and click the trigger directory icon. No entry is displayed on the Object Resource Manager Details tab page on the right, which means that no trigger has been created for the ONLINE_USER table yet. See the following figure.
[347]
- Open the 2005 directory and double-click the three files described in step 3. They open in SQL Server 2005 Management Studio. Click Run on the toolbar to install the trigger corresponding to the active tab page, then go to the other two tab pages and perform the same operation to install the remaining triggers.
[348]
- Access the Object Resource Manager Details tab page and refresh the page. The triggers installed are displayed.
[349]
- To delete a trigger, right-click the trigger on the Object Resource Manager Details tab page and choose Delete. In the dialog box that is displayed, click OK.
[350]
[351]
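For readers who want to see what the xp_cmdshell.sql step actually changes on the server, the following is an added example written for this page; it is not the script shipped in rjsam.zip. It enables the xp_cmdshell extended stored procedure on SQL Server 2005 with sp_configure, then reads the setting back so the change can be confirmed before the triggers are installed. The login name sam_trigger_login is a placeholder and not from the page.

```sql
-- Added example: enable xp_cmdshell on SQL Server 2005 and confirm the setting.
-- This is not the xp_cmdshell.sql from rjsam.zip; it shows what such a script must do.
USE master;
GO

-- xp_cmdshell is an "advanced option", so advanced options must be exposed first.
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
GO

-- Turn the extended stored procedure on; it is off by default on SQL Server 2005.
EXEC sp_configure 'xp_cmdshell', 1;
RECONFIGURE;
GO

-- Verify: value_in_use = 1 means the triggers on ONLINE_USER can now call it.
SELECT name, value_in_use
FROM sys.configurations
WHERE name = 'xp_cmdshell';
GO

-- Least privilege: only the login whose INSERT/UPDATE/DELETE on ONLINE_USER fires the
-- triggers needs EXECUTE on xp_cmdshell. 'sam_trigger_login' is a placeholder name; it
-- must already exist as a user in master. A login that is not a sysadmin also needs a
-- proxy account (sp_xp_cmdshell_proxy_account) for xp_cmdshell to run a process at all.
GRANT EXECUTE ON master.dbo.xp_cmdshell TO sam_trigger_login;
GO
```

Because xp_cmdshell lets any caller with EXECUTE rights run an operating-system command as the SQL Server service account or proxy account, keep the grant limited to the login that the Ruijie SAM application uses, and treat the verification query as the check that the setting really took effect on the intended instance.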
Step 4. When Ruijie SAM authenticates a user, the device also authenticates the user.
1. SQL Server 2000 and SQL Server 2005 have similar trigger installation processes. For SQL Server 2000, select the triggers in the 2000 directory to install. On SQL Server 2000 the xp_cmdshell stored procedure can be called without running xp_cmdshell.sql.
2. If the Ruijie SAM database name is not SAMDB, change SAMDB in the first trigger SQL statement (use SAMDB) to the actual database name. If the table name and field names differ from those in the example, change them accordingly.
3. In the trigger SQL statements, pay attention to the field shown in the following figure. If multiple users may log in or log out at the same time, increase the value of @i according to the number of Internet users in the organization. Generally, the value must not exceed 2000 (high-end devices support a maximum of 3000). If you keep the default value and two users log in at the same time, the IAG authenticates only one of them, and the other user cannot access the Internet.
See the following figure. The value shown indicates that a maximum of 10 users can log in or log out at the same time.
4. In the trigger SQL statements, pay attention to the fields shown in the following figure.
[zyl352]
When logon.exe sends authentication information to the IAG, logging is disabled by default to preserve server performance. If logging is required, replace the first line in the following figure with the last line, that is, add the -1 parameter to enable logging.
Logs similar to those in the following figure are then generated in the users' home directories on the database server.
5. The shared key configured on the device and the key in the trigger scripts must be identical, and must differ from the keys used by other SSO methods.
6. The device must be able to communicate with Ruijie SAM. Ruijie SAM connects to UDP port 1773 on the device to send authentication information. Data about users logging in to Ruijie SAM does not need to be sent to the device.
7. This method applies to all deployments that use MS SQL Server 2000/2005 with Ruijie SAM. For other database systems, modify the SQL scripts to correct the database, table, and field names.
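To make the structure behind notes 3 to 5 concrete, here is an added example of a logon trigger on ONLINE_USER, written for this page and not the logon_trigger.sql from rjsam.zip. It shows why @i matters (a trigger fires once per statement, and the inserted pseudo-table can hold several users), where the shared key sits in the command line, and how the command line is built from table data. The column names USER_NAME and USER_IP, the path C:\rjsam\logon.exe, the IAG address 192.0.2.1 and the argument order passed to logon.exe are all assumptions; take the real argument syntax from the shipped script.

```sql
-- Added example, not the shipped logon_trigger.sql: forward each newly inserted
-- ONLINE_USER row to the IAG through logon.exe, capped at @i rows per INSERT.
-- Assumed (not from the page): columns USER_NAME and USER_IP, the path C:\rjsam\logon.exe,
-- the IAG address 192.0.2.1, and logon.exe taking IAG address, key, user name and IP
-- as positional arguments.
USE SAMDB;
GO

CREATE TRIGGER trg_iag_logon ON dbo.ONLINE_USER
AFTER INSERT
AS
BEGIN
    SET NOCOUNT ON;

    -- @i bounds how many rows of one INSERT are forwarded (note 3). Default 10 here;
    -- raise it for larger sites, within the limits the page gives.
    -- SQL Server 2005 cannot initialise a variable inside DECLARE, hence the SET.
    DECLARE @i INT;
    SET @i = 10;

    DECLARE @user NVARCHAR(64);
    DECLARE @ip VARCHAR(15);
    DECLARE @cmd VARCHAR(512);

    -- A trigger fires once per statement, so 'inserted' may contain several users.
    -- Without the loop only the first row would ever reach the IAG.
    DECLARE user_cur CURSOR LOCAL FAST_FORWARD FOR
        SELECT USER_NAME, USER_IP FROM inserted;
    OPEN user_cur;
    FETCH NEXT FROM user_cur INTO @user, @ip;

    WHILE @@FETCH_STATUS = 0 AND @i > 0
    BEGIN
        -- The command line is built from table contents, so only values that look like
        -- an IPv4 address and a plain account name are forwarded; anything else is skipped.
        IF @ip LIKE '[0-9]%.[0-9]%.[0-9]%.[0-9]%'
           AND @ip NOT LIKE '%[^0-9.]%'
           AND @user NOT LIKE '%[^a-zA-Z0-9_.@-]%'
        BEGIN
            -- SHARED_KEY_PLACEHOLDER must equal the key configured on the device (note 5).
            -- Append the -1 parameter described above if logging is needed.
            SET @cmd = 'C:\rjsam\logon.exe 192.0.2.1 SHARED_KEY_PLACEHOLDER '
                       + @user + ' ' + @ip;
            -- no_output: do not return the process output to the INSERT that fired us.
            EXEC master.dbo.xp_cmdshell @cmd, no_output;
        END

        SET @i = @i - 1;
        FETCH NEXT FROM user_cur INTO @user, @ip;
    END

    CLOSE user_cur;
    DEALLOCATE user_cur;
END
GO
```

The logout and update triggers follow the same shape on AFTER DELETE (reading from deleted) and AFTER UPDATE. The whitelist check before xp_cmdshell is the part worth keeping whatever the real argument syntax turns out to be: the trigger turns database rows into a shell command, so a row containing shell metacharacters must never be passed through unfiltered.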