Install the WatchGuard Single Sign-On (SSO) Agent and Event Log Monitor
As a part of the WatchGuard Single Sign-On (SSO) solution, you must install the WatchGuard SSO Agent. The Event Log Monitor is optional. The SSO Agent and Event Log Monitor are included in the WatchGuard Authentication Gateway installer.
For OS compatibility information and a detailed explanation of how the SSO Agent and Event Log Monitor work, see About Active Directory Single Sign-On (SSO).
Before You Install
Before you start the WatchGuard Authentication Gateway installer to install the SSO Agent, make sure that the .NET Framework v2.0–4.5 or higher is installed on the server where you want to install the WatchGuard Authentication Gateway. If the correct version of the .NET Framework is not installed, the SSO Agent cannot run correctly.
Configure Service Accounts and Domain Policy
The WatchGuard SSO Agent and the WatchGuard Authentication Gateway run as services on your server. These configuration steps are required:
- Run the service as a user account that is a member of either the Domain Admins or Domain Users security group.
- If you select a user account that is a member of the Domain Admins security group, the user account automatically has the correct security permissions.
- If you select a user account that is a member of the Domain Users security group, you must configure the security permissions described in the subsequent section.
- Apply the domain policy to all domain computers that the Event Log Monitor contacts.
WatchGuard recommends these best practices:
- Create a new user account for this purpose.
- Configure a password for the account that never expires.
Configure a Domain User Account
If you select a user account that is a member of the Domain Users security group, verify:
- The user account has privileges to run services on the Active Directory server, to search the directory, and to search all other user audit information.
- The required security permissions described in this section are configured for the user account.
To add a user account that is a member of the Domain Users security group, with the required security permissions:
- Add a new Active Directory user account.
  For example, [email protected].
  The user account is added to the Domain Users security group by default.
- In the Group Policy Management Editor, specify the Manage auditing and security log permission for the user account:
  - Select Computer Configuration > Policies > Windows Settings > Security Settings > User Rights Assignment > Manage auditing and security log.
  - On the Security Policy Setting tab, add the user you created in Step 1.
- Apply the new domain policy to all domain computers.
Event Log Monitor now has the correct permissions to read the Windows security event log on the domain client computer to get the correct user credentials.
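As an added example (not WatchGuard's own tooling), the PowerShell script below runs the pre-install checks this section describes on a domain member: the .NET Framework version, the state of the service account, and, for a Domain Users account, whether "Manage auditing and security log" (SeSecurityPrivilege) has reached the local machine through domain policy. It assumes the RSAT ActiveDirectory module is installed; the account name is a placeholder.

```powershell
# Added example, not WatchGuard's code. Assumptions: RSAT ActiveDirectory module
# present, placeholder account name, script run on a domain member after gpupdate.
#Requires -Modules ActiveDirectory
param([string]$ServiceAccount = 'wg-sso-svc')   # placeholder sAMAccountName

# 1. .NET Framework: Release 378389 is .NET 4.5; anything higher is fine.
$rel = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full' `
        -ErrorAction SilentlyContinue).Release
if ($rel -ge 378389) { "OK   .NET 4.5 or higher installed (Release $rel)" }
else { "FAIL .NET 4.5 or higher not found; install it before running the installer" }

# 2. Service account: enabled, non-expiring password, Domain Admins or not.
$u = Get-ADUser -Identity $ServiceAccount -Properties PasswordNeverExpires, MemberOf, Enabled
if (-not $u.Enabled) { "FAIL account $ServiceAccount is disabled" }
if ($u.PasswordNeverExpires) { "OK   password never expires" }
else { "WARN password expires; WatchGuard recommends a password that never expires" }

if ($u.MemberOf -match '^CN=Domain Admins,') {
    "OK   $ServiceAccount is in Domain Admins; no extra user right is needed"
} else {
    # 3. Domain Users account: SeSecurityPrivilege ("Manage auditing and security
    #    log") must be present on every computer the Event Log Monitor reads.
    $cfg = Join-Path $env:TEMP 'secpol.cfg'
    secedit /export /cfg $cfg /quiet | Out-Null
    $line = Get-Content $cfg | Where-Object { $_ -like 'SeSecurityPrivilege*' }
    Remove-Item $cfg -ErrorAction SilentlyContinue
    # secedit writes SIDs prefixed with '*'; a direct grant shows the account SID.
    # A grant through a group the account belongs to would need a group check too.
    $sids = ($line -split '=')[1] -split ',' | ForEach-Object { $_.Trim().TrimStart('*') }
    if ($sids -contains $u.SID.Value) {
        "OK   $ServiceAccount holds SeSecurityPrivilege on $env:COMPUTERNAME"
    } else {
        "FAIL SeSecurityPrivilege not granted on $env:COMPUTERNAME; verify the domain policy and run gpupdate /force"
    }
}
```

Run it on each domain computer the Event Log Monitor will contact, not only on the server that hosts the SSO Agent.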
To see the SSO Agent and Event Log Monitor debug log messages, look for the wagsrvc.log and eventlogmonitor.log files in the installation directory for each component.
For more information about log messages, see About SSO Log Files.
Download the SSO Agent Software
- Go to the WatchGuard Software Downloads Center.
- Find the software downloads page for your Firebox.
- Download the WatchGuard Single Sign-On Agent software and save the file to a convenient location.
Install the SSO Agent and the Event Log Monitor
When you install the SSO Agent and Event Log Monitor, follow these guidelines:
- If you have more than one domain, install the SSO Agent on only one domain member server or domain controller in your network, and install the Event Log Monitor on one member server or domain controller in each of your domains. The SSO Agent then contacts each Event Log Monitor to get information for the users on that domain.
- When you run the installer to install only the Event Log Monitor, make sure to clear the check box for the SSO Agent component.
- To install an additional WatchGuard Authentication Gateway component on a computer where you have already installed one component, run the installer again and select the check boxes for both the new component and the previously installed component. If you do not select the check box for the previously installed component, that component is uninstalled.
For example, if you have already installed the SSO Agent and you want to add the Event Log Monitor, run the installer again and make sure that both the SSO Agent and the Event Log Monitor check boxes are selected. If you clear the check box for the SSO Agent, it is uninstalled.
To install the SSO Agent and Event Log Monitor:
- Double-click WG-Authentication-Gateway.exe.
  To run the installer on some operating systems, you might have to type a local administrator password, or right-click and select Run as administrator.
  The Authentication Gateway Setup Wizard starts.
- To install the software, follow the instructions on each page and complete the wizard.
- On the Select Components page, make sure to select the check box for each component to install:
  - Single Sign-On Agent
  - Event Log Monitor
- On the Domain User Credentials page, make sure to type the user name in the form domain\user name.
  A domain suffix (for example, .com or .net) is optional, but we recommend that you specify a suffix. For example, example.com\username.
  You can also specify the user name in the UPN form [email protected]. If you specify the UPN form of the user name, you must include the .com or .net part of the domain name.
- Click Finish to close the wizard.
When the wizard completes, the WatchGuard Authentication Gateway service starts automatically. Each time the computer starts, the service starts automatically.
After you complete the Authentication Gateway installation, you must configure the domain settings for the SSO Agent and Event Log Monitor. For more information, see Configure the SSO Agent.
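The user name rules on the Domain User Credentials page (domain\user with an optional but recommended suffix; UPN form only with the full domain name) are easy to get wrong when scripting a rollout. The PowerShell function below is an added example, not WatchGuard's code, that checks a name against those rules before it is typed into the wizard; the sample names are constructed placeholders.

```powershell
# Added example, not WatchGuard's code. Validates the two accepted user name forms.
function Test-SsoCredentialName {
    param([Parameter(Mandatory)][string]$Name)
    $r = [ordered]@{ Name = $Name; Valid = $false; Form = $null; Warning = $null }
    if ($Name -match '^(?<dom>[^\\@\s]+)\\(?<user>[^\\@\s]+)$') {
        # domain\user: accepted with or without a suffix; the suffix is recommended.
        $r.Form = 'domain\user'; $r.Valid = $true
        if ($Matches.dom -notmatch '\.') {
            $r.Warning = "no domain suffix; WatchGuard recommends e.g. $($Matches.dom).com\$($Matches.user)"
        }
    } elseif ($Name -match '^(?<user>[^\\@\s]+)@(?<dom>[^\\@\s]+)$') {
        # UPN form: the .com/.net part of the domain name is mandatory here.
        $r.Form = 'UPN'
        if ($Matches.dom -match '\.') { $r.Valid = $true }
        else { $r.Warning = 'UPN form requires the full domain name, including its suffix' }
    } else {
        $r.Warning = 'expected domain\user or user@domain'
    }
    [pscustomobject]$r
}

# Constructed sample names (placeholders, not real accounts).
'example.com\wg-sso-svc', 'example\wg-sso-svc', 'wg-sso-svc@example.com',
'wg-sso-svc@example', 'wg-sso-svc' |
    ForEach-Object { Test-SsoCredentialName $_ } | Format-Table -AutoSize
```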