Configure the SSO Agent

If you use multiple Active Directory domains, you must specify the domains to use for SSO (Single Sign-On). After you have installed the SSO Agent, you can specify the domains to use for authentication and synchronize the domain configuration with the SSO Agent. You can also specify options to use SSO without the SSO Client. This is known as clientless SSO. You configure settings for clientless SSO when you configure the SSO Agent. To configure the SSO Agent settings, you must have administrator privileges on the computer where the SSO Agent is installed.

When you first launch the SSO Agent, it generates the Users.xml and AdInfos.xml configuration files. These configuration files are encrypted and store the domain configuration details you specify when you configure the SSO Agent.

The SSO Agent has two default accounts, administrator and status, that you can use to log in to the SSO Agent. To make changes to the SSO Agent configuration, you must log in with the administrator credentials. After you log in for the first time, we recommend you change the passwords for the default accounts.

The default credentials (username/password) for these accounts are:

For more information about Active Directory, see Configure Active Directory Authentication.

Log In to the SSO Agent Configuration Tool

  1. Select Start > WatchGuard > Authentication Gateway > WatchGuard SSO Agent Configuration Tool.
    The SSO Agent Configuration Tool login dialog box appears.
  2. In the User Name text box, type the administrator user name: admin.
  3. In the Password text box, type the administrator password: readwrite.
    The SSO Agent Configuration Tools dialog box appears.

Screen shot of the SSO Agent Configuration Tools dialog box

  4. Configure your SSO Agent as described in the subsequent sections.
    Changes to the configuration are automatically saved.

Manage User Accounts and Passwords

After you log in for the first time, you can change the password for the default accounts. Because you must log in with the administrator credentials to change the SSO Agent settings, make sure you remember the password specified for the administrator account. You can also add new user accounts and change the settings for existing user accounts. You can also use both the admin and status accounts to open a telnet session to configure the SSO Agent.

For more information about how to use telnet with the SSO Agent, see Use Telnet to Debug the SSO Agent.

Change a User Account Password

For the admin and status accounts, you can only change the password for the account; you cannot change the user name.

From the SSO Agent Configuration Tools dialog box:

  1. Select Edit > User Management.
    The User Management Form dialog box appears.

Screen shot of the User Management Form dialog box

  2. Select the account to change.
    For example, select admin.
  3. Click Change Password.
    The Change Password dialog box appears.
  4. In the Password and Confirm Password text boxes, type the new password for this user account.
  5. Click OK.

Add a New User Account

From the SSO Agent Configuration Tools dialog box:

  1. Select Edit > User Management.
    The User Management Form appears.
  2. Click Add User.
    The Add User dialog box appears.
  3. In the User Name text box, type the name for this user account.
  4. In the Password and Confirm Password text boxes, type the password for this user account.
  5. Select an access option for this account:
  6. Click OK.

Edit a User Account

When you edit a user account, you can change only the access option. You cannot change the user name or password for the account. To change the user name, you must add a new user account and delete the old user account.

From the SSO Agent Configuration Tools dialog box:

  1. Select Edit > User Management.
    The User Management Form appears.
  2. Select the account to change.
  3. Click Edit User.
    The Edit User dialog box appears.
  4. Select a new access option for this account:
  5. Click OK.

Delete a User Account

From the SSO Agent Configuration Tools dialog box:

  1. Select Edit > User Management.
    The User Management Form appears.
  2. Select the account to delete.
  3. Click Delete User.
    The Delete User dialog box appears.
  4. Verify the User Name is for the account you want to delete.
  5. Click OK.

Configure Domains for the SSO Agent

To configure your SSO Agent, you can add, edit, and delete information about your Active Directory domains. When you add or edit a domain, you must specify a user account to use to search your Active Directory server. We recommend that you create a specific user account on your server with permissions to search the directory and with a password that never expires.

Add a Domain

From the SSO Agent Configuration Tools dialog box:

  1. Select Edit > Add Domain.
    The Add Domain dialog box appears.
  2. In the Domain Name text box, type the name of the domain.
    For example, type my-example.com.
    The domain name of your Active Directory server is case-sensitive. Make sure you type the domain name exactly as it appears on the Active Directory tab in the Authentication Server settings on your XTM device. For more information, see Configure Active Directory Authentication.
  3. In the NetBIOS Domain Name text box, type the NetBIOS domain name for your domain.
  4. In the IP Address of Domain Controller text box, type the IP address of the Active Directory server for this domain.
    To specify more than one IP address for the domain controller, separate the IP addresses with a semicolon, without spaces.
  5. In the Port text box, type the port to use to connect to this server.
    The default setting is 389.
  6. In the Searching User section, select an option:
  7. In the text box, type the user information for the option you selected.
    Make sure to specify a user who has permissions to search the directory on your Active Directory server.
  8. In the Password of Searching User and Confirm password text boxes, type the password for the user you specified.
    This password must match the password for this user account on your Active Directory server.
  9. To add another domain, click OK & Add Next. Repeat Steps 2–8.
  10. Click OK.
    The domain name appears in the SSO Agent Configuration Tools list.
    The domain name appears in the SSO Agent Configuration Tools list.

Edit a Domain

When you edit an SSO domain, you can change all the settings except the domain name. If you want to change the domain name, you must delete the domain and add a new domain with the correct name.

From the SSO Agent Configuration Tools dialog box:

  1. Select the domain to change.
  2. Select Edit > Edit Domain.
    The Edit Domain dialog box appears.
  3. Update the settings for the domain.
  4. Click OK.

Delete a Domain

From the SSO Agent Configuration Tools dialog box:

  1. Select the domain to delete.
  2. Select Edit > Delete Domain.
    A confirmation message appears.
  3. Click Yes.

Configure Clientless SSO

If the SSO Client is not installed or is not available, you can configure the SSO Agent to use clientless SSO to get user login information from the Event Log Monitors or Exchange Monitors installed in your network. The Event Log Monitors are also installed on one or more domain member servers in each domain. The Exchange Monitor is installed on the same computer where your Microsoft Exchange Server is installed.

If you use the Event Log Monitor, when a user tries to authenticate, the SSO Agent sends the IP address of the client computer to the Event Log Monitor. The Event Log Monitor then uses this information to query the client computer over TCP port 445 and retrieve the user credentials from the Windows security event log file on the client computer. The Event Log Monitor gets the user credentials from the client computer and contacts the domain controller to get the user security group information for the user. If you have installed more than one Event Log Monitor, and the first Event Log Monitor that the SSO Agent queries does not have the correct user credentials, the SSO Agent queries the next Event Log Monitor in the Contact Domains list. The SSO Agent continues to contact each Event Log Monitor in the list until it finds the correct user credentials. The Event Log Monitor then provides this information to the SSO Agent.

If you do not install the SSO Client on your user's computers, make sure the Event Log Monitor is the first entry in the SSO Agent Contacts list. If you specify the SSO Client as the primary contact, but the SSO Client is not available, the SSO Agent queries the Event Log Monitor next, but this can cause a delay.

Clientless SSO is not supported for RDP (remote desktop) sessions.

For users with devices that run Mac OS X 10.6 and higher, iOS, or Android platforms, you can use the Exchange Monitor to get login information for those users. Because the Exchange Monitor is installed on the same computer where your Microsoft Exchange Server is installed, the Exchange Monitor tracks the log on and log off actions of each domain account and notifies the SSO Agent of these events in real time.

After you install the SSO Agent, you must add the domain information of the domains where the Event Log Monitors and Exchange Monitors are installed to the SSO Agent configuration in the Contact Domains list. If you have only one domain and the SSO Agent is installed on the domain controller, or if you have more than one domain and the Event Log Monitor and Exchange Monitor are on the same domain as the SSO Agent, you do not have to specify the domain information for the domain controller in the SSO Agent configuration Contact Domains list. If you have more than one Event Log Monitor or Exchange Monitor in the Contact Domains list, the SSO Agent queries the first entry in the list for the user credentials and group information. If the first Event Log Monitor or Exchange Monitor is not available, the SSO Agent contacts the next monitor in the list. This process continues until the SSO Agent finds an available monitor.

For more information about how to install the Event Log Monitor and Exchange Monitor, see Install the WatchGuard Single Sign-On (SSO) Agent.

For more information about load balancing and failover for the Event Log Monitor, see the Event Log Monitor section in About Single Sign-On (SSO).

Before you configure and enable the settings for clientless SSO, you must make sure the client computers on your domain have TCP port 445 open, or have File and Printer Sharing enabled, and have the correct group policy configured so that the Event Log Monitor can get information about user login events. If this port is not open and the correct policy is not configured, the Event Log Monitor cannot get group information and SSO does not work properly.

On your domain controller computer:

  1. Open the Group Policy Object Editor and edit the Default Domain Policy.
  2. Make sure the Audit Policy (Computer Configuration > Windows Settings > Security Settings > Local Policies > Audit Policy) has the Audit account logon events and Audit logon events policies enabled.
  3. At the command line, run the command gpupdate /force /boot.
    When the command runs, this message string appears:
    Updating Policy… User Policy update has completed successfully. Computer Policy update has completed successfully.
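As an added example (this script is not part of the WatchGuard documentation or the SSO Agent), the following PowerShell checks the prerequisites described above on a client computer after the group policy update: that the effective audit policy for the Logon subcategory records successful logons, that the Security log actually contains a recent logon event (ID 4624, the event the Event Log Monitor reads), that something is listening on TCP 445, and that the inbound File and Printer Sharing firewall rules are enabled. The commands are standard Windows cmdlets; the property names in the report object are my own. Run it from an elevated PowerShell prompt on the client itself.

```powershell
# Added example (not WatchGuard code): verify clientless SSO prerequisites on a
# client computer. Run from an elevated PowerShell prompt on the client itself.
# Report property names are my own; the commands are standard Windows.

$report = [ordered]@{ Computer = $env:COMPUTERNAME }

# 1. Effective audit policy for the "Logon" subcategory, which produces event
#    ID 4624. 'auditpol /r' prints CSV; blank lines are dropped before parsing.
$logonPolicy = auditpol /get /subcategory:"Logon" /r |
    Where-Object { $_ -match '\S' } |
    ConvertFrom-Csv
$report.LogonAuditSetting = ($logonPolicy | Select-Object -First 1).'Inclusion Setting'
$report.LogonAuditEnabled = $report.LogonAuditSetting -match 'Success'

# 2. The Security log must contain logon events for the Event Log Monitor to
#    read; find the newest successful logon (ID 4624).
$lastLogon = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624 } -MaxEvents 1 -ErrorAction SilentlyContinue
$report.LastLogonEvent = if ($lastLogon) { $lastLogon.TimeCreated } else { 'none found' }

# 3. TCP 445 must be listening, because the Event Log Monitor queries the
#    client over this port.
$smbListener = Get-NetTCPConnection -LocalPort 445 -State Listen -ErrorAction SilentlyContinue
$report.Port445Listening = [bool]$smbListener

# 4. Inbound File and Printer Sharing rules must be enabled in Windows Firewall.
$fpsRules = Get-NetFirewallRule -DisplayGroup 'File and Printer Sharing' -Direction Inbound -Enabled True -ErrorAction SilentlyContinue
$report.FilePrinterSharingInboundRules = @($fpsRules).Count

[pscustomobject]$report
```

If LogonAuditEnabled is False or LastLogonEvent reports none found, the group policy in the steps above has not taken effect on this client; if Port445Listening is False or no inbound rules are counted, the Event Log Monitor cannot query the client even though the policy is correct.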

You can add, edit, and delete domain information for clientless SSO. For each domain name that you add, you can specify more than one IP address for the domain controller. If the Event Log Monitor cannot contact the domain controller at the first IP address, it tries to contact the domain controller at the next IP address in the list.

From the SSO Agent Configuration Tools dialog box:

  1. Select Edit > SSO Agent Contacts Settings.
    The SSO Agent Contacts Settings dialog box appears.

  2. In the SSO Agent Contacts list, select the check box for each contact for the SSO Agent:
  3. To change the order of the SSO Agent Contacts, select a contact and click Up or Down.
    You cannot change the position of the Exchange Monitor.
  4. Add, edit, or delete a contact domain, as described in the subsequent sections.
  5. Click OK to save your settings.

Add a Contact Domain

You can specify one or more domains for the Event Log Monitor or the Exchange Monitor to contact for user login information.

When you add a domain for the Exchange Monitor, you must specify the IP addresses and the session check interval for the Microsoft Exchange server. The session check interval specifies the amount of time before the Exchange Monitor logs off a user that does not appear in the IIS log messages on your Exchange server as active. The default setting is 40 minutes. You must specify an interval of at least 5 minutes.

Edit a Contact Domain

From the Clientless SSO Settings dialog box:

  1. From the Contact Domains list, select the domain to change.
  2. Click Edit.
    The Event Log Monitor Settings dialog box appears.
  3. Update the settings for the domain.
  4. Click OK.

Delete a Contact Domain

From the Clientless SSO Settings dialog box:

  1. From the Contact Domains list, select the domain to delete.
  2. Click Delete.
    The domain is removed from the list.

Test the SSO Port Connection

To verify that the SSO Agent can contact the Event Log Monitor and the Exchange Monitor, you can use the SSO Port Tester tool. With the SSO Port Tester tool, you can verify whether the SSO Agent can contact a server at a single IP address, or servers at multiple IP addresses or a range of IP addresses. To verify the connection for a single IP address or multiple IP addresses, rather than a range of addresses, you import a plain text file that includes the IP addresses to test. You can also specify the ports to test and the connection timeout interval.

From the Clientless SSO Settings dialog box:

  1. Click Test SSO Port.
    The SSO Port Tester dialog box appears.

Screen shot of the SSO Port Tester dialog box

  2. In the Specify IP Addresses section, select an option:
  3. If you selected Host IP Address Range, in the Host IP Address Range text boxes, type the range of IP addresses to test.
    If you selected Network IP Address, in the Network IP Address text box, type the network IP address to test.
    If you selected Import IP Addresses, click and navigate to select the plain text file with the list of IP addresses to test.
  4. In the Ports text box, type the port numbers to test.
    To test more than one port, type each port number, separated by a comma, without spaces.
  5. Click Test.
    The results of the port test appear in the SSO Port Tester window.
  6. To save the test results in a log file, click Save log and specify the file name and location to save the log file.
  7. To stop the port tester tool process, click Quit.
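As an added example (not the SSO Port Tester itself and not WatchGuard code), the following PowerShell reproduces the imported-file mode of the test described above: it reads a plain-text file with one IP address per line, takes a comma-separated port list without spaces, applies a connection timeout, and writes the results to a log file. The file paths are constructed sample values; the sample ports are 445 (the port the Event Log Monitor uses to query clients) and 389 (the default domain controller port) from this page, so substitute the ports your monitors listen on. Run it from the computer where the SSO Agent is installed, because that is the path you want to verify.

```powershell
# Added example (not WatchGuard's SSO Port Tester): batch TCP reachability test
# with the same inputs as the tool. Sample paths and ports are constructed.
param(
    [string]$AddressFile = 'C:\temp\sso-hosts.txt',       # assumed: one IP per line
    [string]$Ports       = '445,389',                     # comma-separated, no spaces
    [int]$TimeoutMs      = 2000,                          # connection timeout per attempt
    [string]$LogFile     = 'C:\temp\sso-port-test.csv'    # assumed log file location
)

function Test-TcpPort {
    # Returns 'open', 'closed' (refused or unreachable) or 'timeout'.
    param([string]$Address, [int]$Port, [int]$TimeoutMs)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $ar = $client.BeginConnect($Address, $Port, $null, $null)
        if (-not $ar.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) {
            return 'timeout'
        }
        $client.EndConnect($ar)   # throws when the connection was refused
        return 'open'
    } catch {
        return 'closed'
    } finally {
        $client.Close()
    }
}

# Read the address file: trim, skip blank lines and '#' comments.
$addresses = Get-Content $AddressFile |
    ForEach-Object { $_.Trim() } |
    Where-Object { $_ -and -not $_.StartsWith('#') }

$portList = $Ports.Split(',') | ForEach-Object { [int]$_ }

$results = foreach ($ip in $addresses) {
    [ipaddress]$parsed = $null
    if (-not [ipaddress]::TryParse($ip, [ref]$parsed)) {
        Write-Warning "Skipping invalid address: $ip"
        continue
    }
    foreach ($p in $portList) {
        [pscustomobject]@{
            Timestamp = (Get-Date).ToString('s')
            Address   = $ip
            Port      = $p
            Result    = Test-TcpPort -Address $ip -Port $p -TimeoutMs $TimeoutMs
        }
    }
}

$results | Format-Table -AutoSize
$results | Export-Csv -Path $LogFile -NoTypeInformation
```

A 'timeout' result usually means a firewall silently drops the connection between the SSO Agent and the monitor, while 'closed' means the host answered but nothing is listening on that port, which is the case to check first when a monitor is installed but the SSO Agent still skips to the next entry in the Contact Domains list.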

See Also

About Single Sign-On (SSO)

Install the WatchGuard Single Sign-On (SSO) Client

Install the WatchGuard Single Sign-On (SSO) Agent

Enable Single Sign-On (SSO)

Download SSO Log Files
