Authpoint Gateway - Can it be installed on Win Server Core Edition?

Have searched through the docs and forums and wasn't able to find an answer to these specific questions:

Does Authpoint Gateway (for windows) require a GUI?

Can it be installed on win server Core (non-gui) via CMD prompt, Powershell, or Group Policy?

If so, how? (how to provide registration key to installer without a GUI prompt.)

We have a windows environment:
2 x M370's in active/passive cluster
OS ver: 12.8.2.B666661
Authpoint handles IKE2VPN MFA, works well.

Currently we have the Authpoint gateway app running on an old domain controller that will be decommissioned soon. That server has a full GUI. Authpoint works great.

Our current domain controllers are running Windows Server 2016 Core edition, so no GUI. If at all possible I would like to avoid having to spin up a new server just to provide a gui for authpoint gateway to install on.

Any help is appreciated!

Best Answers

  • james.carson Moderator, WatchGuard Representative
    Answer ✓

    Hi @KevinD
    The Installer itself requires a GUI to copy/paste the gateway ID into it, but that's all. Once it's on the machine, there's no GUI or anything.

    You should be able to specify the key via the CLI if you invoke silent mode. Be sure to make it write a log file so you can see if anything went wrong after.

    Your command should look something like:

    msiexec.exe /i AuthPoint_Gateway-7.0.1-534.msi ONETIMETOKEN="registration key" /L*V log_gateway.txt /q

    Word wrap will likely murder that line - every gap that isn't a character is a single space.

    -James Carson
    WatchGuard Customer Support

  • james.carson Moderator, WatchGuard Representative
    Answer ✓

    This should be more readable:

    msiexec.exe /i AuthPoint_Gateway-7.0.1-534.msi ONETIMETOKEN="registration key" /L*V log_gateway.txt /q

    -James Carson
    WatchGuard Customer Support

  • james.carson Moderator, WatchGuard Representative
    Answer ✓

    Hi @KevinD

    At this point you'll need to create a support case so that we can get this with the AuthPoint support team.
    If you create a case, please reply here with the case number and I can make sure it's with the correct team to help as quickly as possible.

    -James Carson
    WatchGuard Customer Support

Answers

  • James,

    Thank you for your quick response!

    I tried out what you wrote, but the install is failing.
    (I was able to use msiexec to get Amazon Corretto installed without issue, however.)

    The install runs, then fails silently. After it fails it partially rolls itself back, but leaves a "C:\Program Files (x86)\WatchGuard\AuthPoint Gateway" with a few files in it, and 4 x Windows services: AuthPointADFS, AuthPointGateway, AuthpointLDAP, and AuthPointRadius. I hadn't dug around in the registry to see if any cruft got left there.

    The services won't start as the installer already deleted the executables they point to (such as gateway.exe).

    Server Specs where I made the attempt:

    Java: Amazon Corretto v11.0.16.9.1 x64
    OS: Windows Server 2016 DataCenter Core Edition (no GUI) (v10.0.14393)
    Type: VM running on ESXi v6.7.0 hypervisor.

    I generated a new Registration Key for each attempt.

    I made sure to open up the firewall to udp/1812 & udp/1645 prior to installation.

    Windows was fully updated prior to the attempt.
    Rebooted after getting java installed and firewall setup.
    After reboot, attempted the CLI Installation.

    I used the vmware Web Console to open an administrative command prompt (as domain administrator.)
    I verified Java was usable via java -version:

    openjdk version "11.0.16.1" 2022-08-12 LTS
    OpenJDK Runtime Environment Corretto-11.0.16.9.1 (build 11.0.16.1+9-LTS)
    OpenJDK 64-Bit Server VM Corretto-11.0.16.9.1 (build 11.0.16.1+9-LTS, mixed mode)

    After this, attempted the command:
    (In case the code macro doesn't display it right: yes, this was all input on one single line with spaces between each main element.)

    msiexec.exe /i "C:\bin\Apps\WatchGuard_AuthPoint_Gateway\AuthPoint_Gateway-7.0.1-534.msi" ONETIMETOKEN="F123456789ABCDEFG0123456789ABCDE" /L*V "C:\bin\Logs\WG_Gateway_InstallLog02.txt" /q

    The Token shown here is fake, made up by me.

    I used a valid registration key when I actually ran things.

    Tried on my other core server, same results, same error message as seen on the first.

    I appreciate any help or suggestions on this.

    I have attached the full raw log output (I did replace the correct key with a nonsense one prior to uploading.)

    Here is the portion it choked on:

    MSI (s) (44:04) [15:37:48:097]: Executing op: ActionStart(Name=InstallLDAPSyncExecuteCommand,,)
    MSI (s) (44:04) [15:37:48:097]: Executing op: CustomActionSchedule(Action=InstallLDAPSyncExecuteCommand,ActionType=3073,Source=BinaryData,Target=WixQuietExec,CustomActionData="C:\Program Files (x86)\WatchGuard\AuthPoint LDAP Sync\ldapSync.exe" install)
    MSI (s) (44:9C) [15:37:48:097]: Invoking remote custom action. DLL: C:\Windows\Installer\MSIAB62.tmp, Entrypoint: WixQuietExec
    MSI (s) (44:04) [15:37:48:300]: Executing op: ActionStart(Name=InstallRADIUSExecuteCommand,,)
    MSI (s) (44:04) [15:37:48:300]: Executing op: CustomActionSchedule(Action=InstallRADIUSExecuteCommand,ActionType=3073,Source=BinaryData,Target=WixQuietExec,CustomActionData="C:\Program Files (x86)\WatchGuard\AuthPoint RADIUS\radius.exe" install)
    MSI (s) (44:B4) [15:37:48:300]: Invoking remote custom action. DLL: C:\Windows\Installer\MSIAC2E.tmp, Entrypoint: WixQuietExec
    MSI (s) (44:04) [15:37:48:472]: Executing op: ActionStart(Name=WriteDataAction,,)
    MSI (s) (44:04) [15:37:48:472]: Executing op: CustomActionSchedule(Action=WriteDataAction,ActionType=11265,Source=BinaryData,Target=**********,CustomActionData=**********)
    MSI (s) (44:90) [15:37:48:472]: Invoking remote custom action. DLL: C:\Windows\Installer\MSIACDB.tmp, Entrypoint: WriteData
    SFXCA: Extracting custom action to temporary directory: C:\Windows\Installer\MSIACDB.tmp-\
    SFXCA: Binding to CLR version v4.0.30319
    Calling custom action OTTRegistrationCustomAction!OTTRegistrationCustomAction.OTTRegistrator.WriteData
    ---------> Starting WriteData
    Writing properties
    Generating the cert
    Creating the key
    Reading the cert
    Exception thrown by custom action:
    System.Reflection.TargetInvocationException: Exception has been thrown by the target of an invocation. ---> System.NullReferenceException: Object reference not set to an instance of an object.
    at OTTRegistrationCustomAction.OTTRegistrator.WriteCerts(String gatewayFolder, String agentCert, String agentCaCert, String accountPubKey, String privateKey, Session session)
    at OTTRegistrationCustomAction.OTTRegistrator.WriteData(Session session)
    --- End of inner exception stack trace ---
    at System.RuntimeMethodHandle.InvokeMethod(Object target, Object arguments, Signature sig, Boolean constructor)
    at System.Reflection.RuntimeMethodInfo.UnsafeInvokeInternal(Object obj, Object parameters, Object arguments)
    at System.Reflection.RuntimeMethodInfo.Invoke(Object obj, BindingFlags invokeAttr, Binder binder, Object parameters, CultureInfo culture)
    at Microsoft.Deployment.WindowsInstaller.CustomActionProxy.InvokeCustomAction(Int32 sessionHandle, String entryPoint, IntPtr remotingDelegatePtr)
    CustomAction WriteDataAction returned actual error code 1603 (note this may not be 100% accurate if translation happened inside sandbox)
    MSI (s) (44:04) [15:37:52:783]: Note: 1: 2265 2: 3: -2147287035
    MSI (s) (44:04) [15:37:52:783]: User policy value 'DisableRollback' is 0
    MSI (s) (44:04) [15:37:52:783]: Machine policy value 'DisableRollback' is 0
    Action ended 15:37:52: InstallFinalize. Return value 3.
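
An added example, not part of the original thread and not WatchGuard code: a PowerShell helper for triaging an `msiexec /L*V` log like the one above. It lists the actions that ended with "Return value 3" (fatal error), collects the custom actions that reported an error code, and masks the `ONETIMETOKEN` value so the log can be attached to a post or support case. The function name `Get-MsiFailure` and the two sample lines marked as constructed are assumptions; the other two sample lines are copied from the log excerpt above.

```powershell
# Added example: triage an msiexec verbose log and redact the registration key.
# Get-MsiFailure is a hypothetical helper name, not part of any WatchGuard tooling.
function Get-MsiFailure {
    param([Parameter(Mandatory)][string[]]$Line)

    $failed = @()   # actions that ended with "Return value 3" (fatal error)
    $errors = @()   # custom actions that reported an error code
    $clean  = @()   # the same log lines with the registration key masked

    foreach ($l in $Line) {
        if ($l -match 'Action ended [\d:]+: (?<name>\S+)\. Return value 3\.') {
            $failed += $Matches['name']
        }
        if ($l -match 'CustomAction (?<ca>\S+) returned actual error code (?<code>\d+)') {
            $errors += [pscustomobject]@{
                CustomAction = $Matches['ca']
                Code         = [int]$Matches['code']
            }
        }
        # Mask the token where the command line is echoed (quoted or bare value) ...
        $l = $l -replace '(?i)(ONETIMETOKEN\s*=\s*)("[^"]*"|\S+)', '$1"<redacted>"'
        # ... and where Windows Installer logs the property being set.
        $l = $l -replace "(?i)(ONETIMETOKEN property\. Its value is ')[^']*'", '$1<redacted>'''
        $clean += $l
    }

    [pscustomobject]@{
        FailedActions      = $failed
        CustomActionErrors = $errors
        Redacted           = $clean
    }
}

$sample = @(
    # Constructed line, using the fake token from the post above.
    'MSI (c) (10:14) [15:37:30:000]: Command Line: ONETIMETOKEN=F123456789ABCDEFG0123456789ABCDE /q'
    # Constructed line in the usual "PROPERTY CHANGE" log format.
    "MSI (s) (44:04) [15:37:31:000]: PROPERTY CHANGE: Adding ONETIMETOKEN property. Its value is 'F123456789ABCDEFG0123456789ABCDE'."
    # The next two lines are taken from the log excerpt in the post.
    'CustomAction WriteDataAction returned actual error code 1603 (note this may not be 100% accurate if translation happened inside sandbox)'
    'Action ended 15:37:52: InstallFinalize. Return value 3.'
)

$result = Get-MsiFailure -Line $sample
$result.FailedActions                      # action names that failed
$result.CustomActionErrors | Format-Table  # custom action and its error code
$result.Redacted[0..1]                     # token replaced by <redacted>
```

To run it against a real log, pass the file's lines instead of `$sample`, for example `Get-MsiFailure -Line (Get-Content 'C:\bin\Logs\WG_Gateway_InstallLog02.txt')`, and write `$result.Redacted` to a new file before sharing it.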

  • Thank you again for your help, I wanted to provide a bit of an update.

    I wasn't able to get that silent install to work, HOWEVER: I was able to get it successfully installed.

    I opened up the Virtual Machine's web console from vCenter.
    Had it send ctrl+alt+del, entered in the administrator password to get the command prompt.

    I ran the installer msi straight from the cli, did NOT use msiexec. Typed it in and hit enter:

    C:\>AuthPoint_Gateway-7.0.1-534.msi

    It immediately popped up an installer wizard window, then showed me the registration key entry page. Finished up the install wizard, and it installed successfully! It then connected up to WG cloud without issue.

    I feel a bit sheepish for not having tried that out of the gate, but I will admit that is the first time I have seen a gui installer wizard popup when dealing with win core console before. Learn something new every day!

    Thank you again for your help!

  • KevinD hit upon the right approach. Windows Server Core is still Windows, and so the installer is allowed to create all the windows it needs to install the program. Server Core's most noticeable difference is that it doesn't run explorer.exe when you log in.
