To debug your SSO Agent, you can use Telnet to connect to the SSO Agent on TCP port 4114 and run commands to review information in the connection cache. You can also enable advanced debug options. A list of the commands you can use in Telnet is available in the Telnet Help and in the subsequent Telnet Commands List section.
We recommend that you only use these commands with direction from a WatchGuard support representative.
To connect to your SSO Agent with Telnet, you must use a user account that is defined in the SSO Agent Configuration Tool User Management settings. For more information, see Configure the SSO Agent.
Before you begin, make sure that the Telnet Client is installed and enabled on your computer.
To run Telnet commands, you can either open Telnet on the computer where the SSO Agent is installed, or use Telnet to make a remote connection to the SSO Agent over TCP port 4114. Make sure that the SSO Agent service is started before you try to connect to it with Telnet.
For more information about the commands you can use in Telnet, see the Telnet Commands List.
To send debug log messages to the log file, you must set the debug status to ON.
When you enable debug logging for the SSO Agent, debug log messages for the SSO Clients connected to the SSO Agent, and for the Event Log Monitor and Exchange Monitor, are also generated and sent to separate log files. After the debug log messages have been sent to the log files, you can view them to troubleshoot any issues.
For the SSO Agent:
For the SSO Client:
For the Event Log Monitor:
For the Exchange Monitor:
Make sure to disable debug logging when you are finished.
This table includes commands that you can run to help you debug the SSO Agent.
|help||Show help||Shows the list of all Telnet commands.|
|login <user> <password>||Login user. Quote if space in credentials.||Type the user credentials to use to log in to the SSO Agent with Telnet.|
|logout||Log out.||Log out of the SSO Agent.|
|get user <IP>||Show all users logged in to <IP address> address. Ex: get user 192.168.203.107||Shows a list of all users logged in to the selected IP address.|
|get timeout||Show the current timeout.|
|get status||Show status about the connections.||Shows connection information used to analyze the overall load in your SSO environment.|
|get status detail||Show connected SSO clients, pending, and processing IPs.||Shows detailed connection information used to analyze the overall load in your SSO environment.|
|get domain||Show the current domain filter.||Gets information about the current domain filters from which the SSO Agent accepts authentication attempts.|
|get version <IP>||Show the SSO component name, version, and build information for the IP address.||Gets information about the SSO components (SSO Agent, SSO Client, Event Log Monitor) that are installed at the specified IP address. The information returned includes the version and build numbers for each installed SSO component.|
|get version all||Show the SSO component name, version, and build information for all the monitored IP addresses.||Gets information about the SSO components (SSO Client, Event Log Monitor) that are monitored by the SSO Agent. The information returned includes the version and build numbers for each installed SSO component.|
|log off <ip>||Kill the IP session on Firebox and clear SSO EM internal cache||Ends the session of the specified IP address and removes the active session details for that IP address from the SSO Exchange Monitor internal cache.|
|set domainfilter on||Turn on domain filter.||Permanently sets the domain filter to ON.|
|set domainfilter off||Turn off domain filter.||Permanently sets the domain filter to OFF.|
|set user||Set artificial user information (for debugging).||Changes the user information in the debug log files to a user name you select. This enables you to clearly track user information when you review debug log messages.|
|set debug on||Save debug messages to a file in the same location as the .exe.||Sets debug logging on the SSO Agent to ON. This setting sends debug log messages to the log file, which provides detailed information for troubleshooting. Log file location: SSO Agent: \Program Files\WatchGuard\WatchGuard Authentication Gateway\wagsrvc.log; SSO Client: \Program Files\WatchGuard\WatchGuard Authentication Client\wgssoclient_logfile.log and wgssoclient_errorfile.log|
|set debug verbose||Enable additional log messages.||Includes additional log messages in the debug log files.|
|set debug off||Sets debug logging on the SSO Agent to OFF.|
|flush <ip>||Clear cache of <ip> address.||Deletes all authentication information about the specified IP address from the SSO Agent cache.|
|flush all||Clear cache of all <ip> addresses.||Deletes all authentication information currently available on the SSO Agent.|
|list||Return list of all IP in cache with expiration.||Shows a list of all authentication information currently available on the SSO Agent.|
|list config||Return list of all monitoring domain configurations.||Shows a list of all domains the SSO Agent is connected to.|
|list user||Return list of all registered users.||Shows a list of all user accounts included in the SSO Agent configuration.|
|list eventlogmonitors||Return list of all registered Event Log Monitors.||Shows a list of all instances of the Event Log Monitor and the version of each instance.|
|get log <IP>||Get SSO Client logs and dmp files (if have) in zip format.||Download the SSO Client log files and DMP files in a ZIP file from the specified IP address.|
|get log <xxx.txt>||Same as "get log <IP>', but support multiple ip, full path of txt required and one ip each line in the txt file. eg: get log C:\my test\ips.txt.||Download the SSO Client log files and DMP files in a ZIP file from each IP address specified in the TXT file. In the TXT file, each SSO Client IP address must be on a separate line and the full path to the log and dmp files for each SSO Client must be specified.|
|quit||Terminate the connection.||Closes the Telnet connection to the SSO Agent.|
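A debug session built from the commands in this table, as an added example that is not WatchGuard's code: it quotes credentials that contain spaces, permits only the read-only commands, and always ends with set debug off. The function names, the CRLF line endings, reading one reply per command, and sending set debug verbose after set debug on are assumptions; the account and commands in the demo are constructed.

```python
import socket

# Read-only commands from the command table. State-changing commands
# (flush, log off, set domainfilter, set user) and "get log" are excluded.
READ_ONLY = ("get user ", "get timeout", "get status", "get domain",
             "get version ", "list")

def quote(value):
    """Quote a credential that contains a space, per the login help text."""
    if any(c in value for c in '\r\n"'):
        raise ValueError("credential contains a line break or quote")
    return f'"{value}"' if " " in value else value

def build_session(user, password, commands, verbose=False):
    """Return the ordered command lines for one debug session."""
    for cmd in commands:
        if not cmd.startswith(READ_ONLY) or "\r" in cmd or "\n" in cmd:
            raise ValueError(f"not an allowed read-only command: {cmd!r}")
    lines = [f"login {quote(user)} {quote(password)}", "set debug on"]
    if verbose:
        lines.append("set debug verbose")
    # Debug logging is always switched off again before the session ends.
    return lines + list(commands) + ["set debug off", "logout", "quit"]

def redacted(lines):
    """Copy of the plan that is safe to print or log (login line masked)."""
    return ["login ***" if l.startswith("login ") else l for l in lines]

def run_session(host, lines, port=4114, timeout=5.0):
    """Send each line; return raw replies. CRLF line endings are an assumption."""
    replies = []
    with socket.create_connection((host, port), timeout=timeout) as sock:
        for line in lines:
            sock.sendall(line.encode("ascii") + b"\r\n")
            try:
                replies.append(sock.recv(65536).decode("ascii", "replace"))
            except socket.timeout:
                replies.append("")  # no reply within the timeout
    return replies

if __name__ == "__main__":
    # Constructed account and commands, for illustration only.
    plan = build_session("sso admin", "example-pass", ["get status", "list"])
    print("\n".join(redacted(plan)))
```

Pass the plan to run_session with the address of the SSO Agent host to execute it; print only the redacted plan, because the first line carries the password.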
Configure the SSO Agent
Install the WatchGuard Single Sign-On (SSO) Agent
Install the WatchGuard Single Sign-On (SSO) Client
Install the WatchGuard SSO Exchange Monitor
About Single Sign-On (SSO)