Install the WatchGuard Single Sign-On (SSO) Agent

To use the WatchGuard Single Sign-On (SSO) solution, you must install the WatchGuard Authentication Gateway, which includes two components: the SSO Agent (mandatory) and the Event Log Monitor (optional).

The SSO Agent is a service that receives requests for Firebox authentication and checks user status with the Active Directory server. The service runs with the name WatchGuard Authentication Gateway on the computer where you install the SSO Agent software. This computer must have the Microsoft .NET Framework v2.0–4.5 or later installed. You must install the SSO Agent to use Single Sign-On.

The Event Log Monitor is an optional component of the WatchGuard Authentication Gateway. If you do not install the SSO Client on all of your client computers, we recommend that you install the Event Log Monitor. When a logon event occurs, the Event Log Monitor polls the destination IP address (the client computer) for the user name and domain name that was used to log in. Based on the user name information, the Event Log Monitor gets the information about which users belong to which user security groups, and sends that information to the SSO Agent. This enables the SSO Agent to correctly identify a user and make sure that each user can only log on from one computer at a time.

If you have more than one domain, install the SSO Agent on only one domain member server or domain controller in your network, and install the Event Log Monitor on one member server or domain controller in each of your domains. The SSO Agent then contacts each Event Log Monitor to get information for the users on that domain.

When you run the installer to install only the Event Log Monitor, make sure to clear the check box for the SSO Agent component.

To install an additional WatchGuard Authentication Gateway component on a computer where you have already installed one component, run the installer again and select the check boxes for both the new component you want to install and for the previously installed component. If you do not select the check box for the previously installed component, that component will be uninstalled.

For example, if you have already installed the SSO Agent and you want to add the Event Log Monitor, run the installer again and make sure that both the SSO Agent and the Event Log Monitor check boxes are selected. If you clear the check box for the SSO Agent, it is uninstalled.

Download the SSO Agent Software

  1. Open a web browser and go to http://www.watchguard.com/.
  2. Log in with your WatchGuard account user name and password.
    The WatchGuard Portal appears with your portal Home page selected.
  3. Select the Articles & Software tab.
    The Articles & Software page appears.
  4. In the Search text box, type the name of the software you want to install or the model of your Firebox or XTM device.
  5. Clear the Article check box and make sure the Software Downloads check box is selected.
  6. Click Go.
    The Search Results page appears with a list of the available WatchGuard device models.
  7. Select your device model.
    The Software Downloads page for the device you selected appears.
  8. Download the WatchGuard Single Sign-On Agent software and save the file to a convenient location.

Before You Install

The WatchGuard Authentication Gateway service must run as a user account that is a member of either the Domain Users or Domain Admins security group. We recommend that you create a new user account for this purpose and then add the new user to the Domain Users or Domain Admins security group. For the service to operate correctly, make sure you configure this user account with a password that never expires.

Before you start the SSO Agent installer, make sure that the .NET Framework v2.0–4.5 or later is installed on the server where you intend to install the WatchGuard Authentication Gateway. If the correct version of the .NET Framework is not installed, the SSO Agent cannot run correctly.

Add a User Account to the Domain Users Group

When you select a user account that is a member of the Domain Admins security group for the WatchGuard Authentication Gateway, the user account automatically has the correct security permissions. If you select a user account that is a member of the Domain Users security group, you must apply the correct permissions to the user account and then apply the domain policy to all domain computers that the Event Log Monitor contacts.

To add a user account that is a member of the Domain Users security group:

  1. Add a new Active Directory user account.
    For example, [email protected].
    The user account is added to the Domain Users security group by default.
  2. Open the Default Domain Policy editor, select the new user account, and apply the Manage auditing and security log permissions to the user account:
    1. Select Computer Configuration > Policies > Windows Settings > Rights > Manage auditing and security log.
    2. Add the new user account.
  3. Apply the new domain policy to all domain computers.
    Event Log Monitor now has the correct permissions to read the Windows security event log on the domain client computer to get the correct user credentials.
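The account setup in the Before You Install section and the permission steps above can be scripted and, more usefully, verified. The following PowerShell is an added example, not a WatchGuard script: it creates the service account with a non-expiring password as a plain Domain Users member (the lower-privilege choice the page allows, rather than Domain Admins), then checks on a domain client computer that the Default Domain Policy really granted SeSecurityPrivilege, the privilege behind the Manage auditing and security log right, and that the account can read that computer's Security log, which is what the Event Log Monitor needs. The account name wg-sso-agent, the domain example.com with NetBIOS name EXAMPLE, the OU path, and the client computer name client01 are assumptions; the GPO edit itself is still done in the editor as described above.

```powershell
# Added example, not a WatchGuard script. Run from a domain-joined admin workstation
# or domain controller with the ActiveDirectory RSAT module installed.
# Assumptions (adjust for your environment): account wg-sso-agent, domain example.com
# with NetBIOS name EXAMPLE, a service-account OU, and a client computer client01
# that the Event Log Monitor will contact.
Import-Module ActiveDirectory

$samAccountName = 'wg-sso-agent'
$dnsDomain      = 'example.com'
$netbiosDomain  = 'EXAMPLE'
$ouPath         = 'OU=Service Accounts,DC=example,DC=com'
$clientComputer = 'client01'

# 1. Create the service account with a password that never expires, as the page
#    requires. New accounts are members of Domain Users by default; the account is
#    deliberately NOT added to Domain Admins (least privilege).
$password = Read-Host -AsSecureString -Prompt "Password for $samAccountName"
New-ADUser -Name $samAccountName -SamAccountName $samAccountName `
    -UserPrincipalName "$samAccountName@$dnsDomain" -Path $ouPath `
    -AccountPassword $password -Enabled $true `
    -PasswordNeverExpires $true -CannotChangePassword $true `
    -Description 'WatchGuard Authentication Gateway service account'

# 2. Grant "Manage auditing and security log" in the Default Domain Policy through the
#    GPO editor as the steps above describe (there is no cmdlet for GPO user rights),
#    then refresh policy on the client computer with: gpupdate /force

# 3. Sanity checks on the account itself.
$user = Get-ADUser $samAccountName -Properties PasswordNeverExpires
if (-not $user.PasswordNeverExpires) { Write-Warning 'Password expiry is not disabled' }
$groups = (Get-ADPrincipalGroupMembership $samAccountName).Name
if ($groups -contains 'Domain Admins') {
    Write-Warning 'Account is in Domain Admins; Domain Users plus the audit right is enough'
}

# 4. Verify on the client computer that policy actually granted SeSecurityPrivilege
#    to this account's SID. secedit exports user rights as
#    "SeSecurityPrivilege = *S-1-5-...,*S-1-5-..." (SIDs prefixed with '*').
$hasRight = Invoke-Command -ComputerName $clientComputer -ArgumentList $user.SID.Value -ScriptBlock {
    param($sid)
    $cfg = Join-Path $env:TEMP 'userrights.inf'
    secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
    $line = (Select-String -Path $cfg -Pattern '^SeSecurityPrivilege').Line
    Remove-Item $cfg -ErrorAction SilentlyContinue
    [bool]($line -and $line.Contains("*$sid"))
}
if ($hasRight) { "OK: $samAccountName holds SeSecurityPrivilege on $clientComputer" }
else { Write-Warning "$samAccountName lacks SeSecurityPrivilege on $clientComputer; re-check the GPO and gpupdate" }

# 5. End-to-end check of what the Event Log Monitor needs: read one Security log
#    event from the client computer using the service account's own credentials.
$cred = New-Object System.Management.Automation.PSCredential("$netbiosDomain\$samAccountName", $password)
Get-WinEvent -ComputerName $clientComputer -LogName Security -MaxEvents 1 -Credential $cred |
    Select-Object TimeCreated, Id, MachineName
```

Step 5 is the decisive check: if it fails with an access-denied error after step 4 succeeds, the Security log itself is still restricted (for example by a separate CustomSD or Event Log Readers policy), and the Event Log Monitor will fail the same way on that computer.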

The SSO Agent debug log messages are located here:

C:\Users\<user name>\AppData\Local\Temp\wagsrvc.log

The ELM debug log messages are located here:

C:\Users\<user name>\AppData\Local\Temp\eventlogmonitor.log

Install the SSO Agent and the Event Log Monitor

If you have more than one domain, make sure to install the SSO Agent on only one server in your network and the Event Log Monitor on one server in each of your domains.

  1. Double-click WG-Authentication-Gateway.exe to start the Authentication Gateway Setup Wizard.
    To run the installer on some operating systems, you might need to type a local administrator password, or right-click and select Run as administrator.
  2. To install the software, follow the instructions on each page and complete the wizard.
  3. On the Select Components page, select the check box for each component you want to install (the SSO Agent, the Event Log Monitor, or both).
  4. On the Domain User Login page, make sure to type the user name in the form: domain\user name. Do not include the .com or .net part of the domain name.

For example, if your domain name is example.com and you use the domain account ssoagent, type example\ssoagent.
You can also use the UPN form of the user name: [email protected]. If you use the UPN form of the user name, you must include the .com or .net part of the domain name.

  5. Click Finish to close the wizard.

When the wizard completes, the WatchGuard Authentication Gateway service starts automatically. Each time the computer starts, the service starts automatically.
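A quick post-install check, added here as an example and not a WatchGuard script, run on the server where you installed the Authentication Gateway. It confirms the service described above exists, is set to start automatically, and runs as the intended domain account, then shows the tail of the two debug logs at the paths the page gives. It assumes the service's display name is "WatchGuard Authentication Gateway" as stated on this page, that the service account is EXAMPLE\wg-sso-agent, and that the <user name> part of the log path is the service account's profile folder.

```powershell
# Added post-install check, not a WatchGuard script. Run as a local administrator on
# the Authentication Gateway server. Assumptions: display name as on the page, service
# account EXAMPLE\wg-sso-agent, debug logs under that account's profile folder.
$expectedAccount = 'EXAMPLE\wg-sso-agent'

$svc = Get-CimInstance Win32_Service -Filter "DisplayName='WatchGuard Authentication Gateway'"
if (-not $svc) { throw 'WatchGuard Authentication Gateway service not found; re-run the installer' }

# The page says the service starts automatically at boot; report state, start mode
# and the account it runs as.
[pscustomobject]@{
    Name      = $svc.Name
    State     = $svc.State
    StartMode = $svc.StartMode
    RunsAs    = $svc.StartName
}
if ($svc.State -ne 'Running')            { Write-Warning 'Service is not running' }
if ($svc.StartMode -ne 'Auto')           { Write-Warning 'Start mode is not Automatic' }
if ($svc.StartName -ne $expectedAccount) { Write-Warning "Service runs as $($svc.StartName), not $expectedAccount" }

# Debug logs at the paths the page gives (C:\Users\<user name>\AppData\Local\Temp\...),
# with the service account's profile folder substituted for <user name> (assumption).
$profileDir = Join-Path 'C:\Users' ($expectedAccount.Split('\')[1])
foreach ($log in 'wagsrvc.log', 'eventlogmonitor.log') {
    $path = Join-Path $profileDir "AppData\Local\Temp\$log"
    if (Test-Path $path) {
        "--- $path ---"
        Get-Content -Path $path -Tail 20
    } else {
        "$path not present (component not installed, or no activity logged yet)"
    }
}
```

If the service runs as a different account than the one you configured, the Domain User Login page value was mistyped (for example the domain's DNS suffix was included in the domain\user name form); fix it in the service's Log On properties or by re-running the installer.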

After you complete the Authentication Gateway installation, you must configure the domain settings for the SSO Agent and Event Log Monitor. For more information, see Configure the SSO Agent.

See Also

About Single Sign-On (SSO)

Install the WatchGuard Single Sign-On (SSO) Client

Enable Single Sign-On (SSO)
