As a part of the WatchGuard Single Sign-On (SSO) solution, you must install the WatchGuard SSO Agent on a domain server on your network. This server can be the domain controller or another domain member server.
The Event Log Monitor is included in the same installer with the SSO Agent, but the Event Log Monitor is optional.
Before You Install
For OS compatibility information and a detailed explanation of how the SSO Agent and Event Log Monitor work, see How Active Directory SSO Works.
Before you start the WatchGuard Authentication Gateway installer to install the SSO Agent, make sure that the .NET Framework v4.0 or higher is installed on the server where you want to install the WatchGuard Authentication Gateway. If the correct version of the .NET Framework is not installed, the SSO Agent cannot run correctly.
Configure Service Accounts and Domain Policy
The WatchGuard SSO Agent and the WatchGuard Authentication Gateway run as services on your server. These configuration steps are required:
- Run the service as a user account that is a member of the Domain Users security group. You must configure the security permissions described in the next section.
- Apply the domain policy to all domain computers that the Event Log Monitor contacts.
WatchGuard recommends these best practices:
- Create a new user account for this purpose.
- Configure a password for the account that never expires.
Configure Domain User account
If you select a user account that is a member of the Domain Users security group, verify:
- The user account has privileges to run services on the Active Directory server, to search the directory, and to search all other user audit information
- The required security permissions described in this section are configured for the user account.
To add a user account that is a member of the Domain Users security group, with the required security permissions:
- Add a new Active Directory user account.
For example, [email protected].
The user account is added to the Domain Users security group by default.
- In the Group Policy Management Editor, specify the Manage auditing and security log permissions for the user account:
- Select Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > User Rights Assignment > Manage auditing and security log.
- On the Security Policy Setting tab, add the user you created in Step 1.
- Apply the new domain policy to all domain computers.
Event Log Monitor now has the correct permissions to read the Windows security event log on the domain client computer to get the correct user credentials.
To see the SSO Agent and Event Log Monitor debug log messages, look for the wagsrvc.log and eventlogmonitor.log files in the installation directory for each component.
For more information about log messages, see About SSO Log Files.
Download the SSO Agent Software
- Go to the WatchGuard Software Downloads page.
- Find the software downloads page for your Firebox.
- Download the WatchGuard Authentication Gateway installer. The SSO Agent and Event Log Monitor are included in this installer.
Install the SSO Agent and the Event Log Monitor
When you install the SSO Agent and Event Log Monitor, follow these guidelines:
- (Fireware v12.1.1 or lower) If you have more than one domain, install the SSO Agent on only one domain controller on your network.
- (Fireware v12.2 or higher) To add redundancy, you can install the SSO Agent on up to four domain controllers on your network. Only one SSO Agent is active at a time. If the active agent becomes unavailable, failover occurs to the next SSO Agent specified in the Firebox configuration.
- When you run the installer to install only the Event Log Monitor, make sure to clear the check box for the SSO Agent component.
- To install an additional WatchGuard Authentication Gateway component on a computer where you have already installed one component, run the installer again and select the check boxes for both the new component and for the previously installed component. If you do not select the check box for the previously installed component, that component will be uninstalled.
For example, if you have already installed the SSO Agent and you want to add the Event Log Monitor, run the installer again and make sure that both the SSO Agent and the Event Log Monitor check boxes are selected. If you clear the check box for the SSO Agent, it is uninstalled.
To install the SSO Agent and Event Log Monitor:
- Double-click WG-Authentication-Gateway.exe.
To run the installer on some operating systems, you might have to type a local administrator password, or right-click and select Run as administrator.
The Authentication Gateway Setup Wizard starts.
- To install the software, follow the instructions on each page and complete the wizard.
- On the Select Components page, make sure to select the check box for each component to install:
- Single Sign-On Agent
- Event Log Monitor
- On the Domain User Credentials page, make sure to type the user name in the form domain\user name.
A domain suffix (for example, .com or .net) is optional, but we recommend that you specify a suffix. For example, example.com\username.
You can also specify the user name in the UPN form [email protected]. If you specify the UPN form of the user name, you must include the .com or .net part of the domain name.
- Click Finish to close the wizard.
When the wizard completes, the WatchGuard Authentication Gateway service starts automatically. Each time the computer starts, the service starts automatically.
After you complete the Authentication Gateway installation, you must configure the domain settings for the SSO Agent and Event Log Monitor. For more information, see Configure the Active Directory SSO Agent