To use the WatchGuard Single Sign-On (SSO) solution, you must install the WatchGuard Authentication Gateway, which includes two components: the SSO Agent (mandatory) and the Event Log Monitor (optional).
The SSO Agent is a service that receives requests for Firebox authentication and checks user status with the Active Directory server. The service runs with the name WatchGuard Authentication Gateway on the computer where you install the SSO Agent software. This computer must have the Microsoft .NET Framework v2.0–4.5 or later installed. You must install the SSO Agent to use Single Sign-On.
The Event Log Monitor is an optional component of the WatchGuard Authentication Gateway. If you do not install the SSO Client on all of your client computers, we recommend that you install the Event Log Monitor. When a logon event occurs, the Event Log Monitor polls the destination IP address (the client computer) for the user name and domain name that were used to log in. Based on the user name information, the Event Log Monitor gets the information about which users belong to which user security groups, and sends that information to the SSO Agent. This enables the SSO Agent to correctly identify a user and make sure that each user can only log on from one computer at a time.
If you have more than one domain, install the SSO Agent on only one domain member server or domain controller in your network, and install the Event Log Monitor on one member server or domain controller in each of your domains. The SSO Agent then contacts each Event Log Monitor to get information for the users on that domain.
When you run the installer to install only the Event Log Monitor, make sure to clear the check box for the SSO Agent component.
To install an additional WatchGuard Authentication Gateway component on a computer where you have already installed one component, run the installer again and select the check boxes for both the new component you want to install and for the previously installed component. If you do not select the check box for the previously installed component, that component will be uninstalled.
For example, if you have already installed the SSO Agent and you want to add the Event Log Monitor, run the installer again and make sure that both the SSO Agent and the Event Log Monitor check boxes are selected. If you clear the check box for the SSO Agent, it is uninstalled.
The WatchGuard Authentication Gateway service must run as a user account that is a member of either the Domain Users or Domain Admins security group. We recommend that you create a new user account for this purpose and then add the new user to the Domain Users or Domain Admins security group. For the service to operate correctly, make sure you configure this user account with a password that never expires.
Before you start the SSO Agent installer, make sure that the .NET Framework v2.0–4.5 or later is installed on the server where you intend to install the WatchGuard Authentication Gateway. If the correct version of the .NET Framework is not installed, the SSO Agent cannot run correctly.
When you select a user account that is a member of the Domain Admins security group for the WatchGuard Authentication Gateway, the user account automatically has the correct security permissions. If you select a user account that is a member of the Domain Users security group, you must apply the correct permissions to the user account and then apply the domain policy to all domain computers that the Event Log Monitor contacts.
To add a user account that is a member of the Domain Users security group:
The SSO Agent debug log messages are located here:
The ELM debug log messages are located here:
If you have more than one domain, make sure to install the SSO Agent on only one server in your network and the Event Log Monitor on one server in each of your domains.
For example, if your domain name is example.com and you use the domain account ssoagent, type example\ssoagent.
You can also use the UPN form of the user name: ssoagent@example.com. If you use the UPN form of the user name, you must include the .com or .net part of the domain name.
When the wizard completes, the WatchGuard Authentication Gateway service starts automatically. Each time the computer starts, the service starts automatically.
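The service-account, .NET Framework and service start-up requirements above can be verified in one pass. The script below is an added example, not WatchGuard's own code; it assumes the RSAT ActiveDirectory module is installed on the gateway host and that the service account is named ssoagent in the example.com domain, as in the example earlier on this page.

```powershell
# Added example (not WatchGuard's code): pre- and post-install checks for the
# WatchGuard Authentication Gateway host, run as an administrator on that server.
# Assumes the RSAT ActiveDirectory module is available and the service account
# is named 'ssoagent', as in the page's example.
#Requires -Modules ActiveDirectory

$ServiceAccount = 'ssoagent'
$DisplayName    = 'WatchGuard Authentication Gateway'
$Problems       = @()

# 1. .NET Framework prerequisite: v2.0 or a v4.5+ Full install must be present.
$ndp  = 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP'
$net2 = (Get-ItemProperty "$ndp\v2.0.50727" -ErrorAction SilentlyContinue).Install -eq 1
$net4 = (Get-ItemProperty "$ndp\v4\Full"    -ErrorAction SilentlyContinue).Release -ge 378389  # 378389 = 4.5 RTM
if (-not ($net2 -or $net4)) { $Problems += '.NET Framework v2.0 or v4.5+ not found' }

# 2. Service account: enabled, password never expires, member of a permitted group.
$user   = Get-ADUser $ServiceAccount -Properties PasswordNeverExpires, Enabled
$groups = (Get-ADPrincipalGroupMembership $user).Name   # includes the primary group (Domain Users)
if (-not $user.Enabled)              { $Problems += "$ServiceAccount is disabled" }
if (-not $user.PasswordNeverExpires) { $Problems += "$ServiceAccount password can expire; the service would stop authenticating" }
if (-not ($groups -contains 'Domain Admins' -or $groups -contains 'Domain Users')) {
    $Problems += "$ServiceAccount is in neither Domain Users nor Domain Admins"
}
# Least privilege: flag (but do not fail on) a Domain Admins service account.
if ($groups -contains 'Domain Admins') {
    Write-Warning "$ServiceAccount runs with Domain Admins rights; prefer Domain Users plus the documented permissions"
}

# 3. After install: the service exists, runs as that account, and starts automatically.
$svc = Get-CimInstance Win32_Service -Filter "DisplayName='$DisplayName'"
if (-not $svc) {
    $Problems += "Service '$DisplayName' is not installed"
} else {
    if ($svc.State -ne 'Running')  { $Problems += "Service state is $($svc.State)" }
    if ($svc.StartMode -ne 'Auto') { $Problems += "Service start mode is $($svc.StartMode), expected Auto" }
    # Accept either DOMAIN\ssoagent or the UPN form ssoagent@example.com
    if ($svc.StartName -notmatch "(^|\\)$ServiceAccount(@|$)") {
        $Problems += "Service logs on as $($svc.StartName), expected the $ServiceAccount domain account"
    }
}

if ($Problems) { $Problems | ForEach-Object { Write-Host "FAIL: $_" }; exit 1 }
Write-Host 'OK: Authentication Gateway prerequisites and service state verified'
```

Run it once before the installer (expect only the service check to fail) and again after the wizard completes; a non-zero exit code means a requirement from this page is not met.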
After you complete the Authentication Gateway installation, you must configure the domain settings for the SSO Agent and Event Log Monitor. For more information, see Configure the SSO Agent.