How do I run diagnostics for LastPass Universal Proxy?

Use the diagnostic tool for LastPass Universal Proxy to discover and troubleshoot general connectivity issues.

Requirements:
  • Windows PowerShell 3.0 or higher
Note: This feature requires an account with the LastPass Business + Advanced MFA add-on. See How do I upgrade my LastPass Business account with an add-on?
Note: You can use the diagnostic tool only for the LDAP and RADIUS protocols. LDAPS protocol diagnostics are currently not supported.

The diagnostic tool checks the configuration provided in the server.properties configuration file. It automatically detects whether the LDAP or RADIUS protocol is used and checks its communication with the appropriate services.

The tool can be used for the following:

When run, the scripts perform a series of tests and present the results in the console output and also in a file located in the /logs folder. The output begins with a summary section that provides a SUCCESS or FAIL indicator for each of the tests. A summary of the settings is also listed.

The result of the diagnostics is saved to a .log file in the C:\Program Files\LastPass\Universal Proxy\logs directory (or the path you selected during installation, if different).

If all tests pass, then the output indicates that the specified servers are reachable and can respond to service requests correctly.

Note: Every check starts with a LastPass Service reachability check. If this check fails, the test will not continue.
  • To run diagnostics, open PowerShell and execute the following command:

    uproxy -diagnostic

Checking whether Universal Proxy can access the LastPass service

This test checks whether Universal Proxy can communicate with the LastPass service.

    Example:



    Result:

    • SUCCESS: Indicates that Universal Proxy can access the LastPass service.
    • FAIL: Indicates that Universal Proxy is unable to communicate with the LastPass service.

Checking the RADIUS server configuration with Universal Proxy

This test initiates a RADIUS Access-Request to check whether the VPN server/Universal Proxy can communicate with the RADIUS server. The RADIUS server will accept or reject the request.
  • When running the script, provide the following:

    • Enter user logon name:
    • Enter user's password:

    For the description of the required properties, see LastPass Universal Proxy RADIUS configuration using command line.

    Example:



    Result:

    • SUCCESS:
      • Indicates that the RADIUS server is accessible, expects authentications on the given port and that the user is present with the provided username/password.
    • FAIL:
      • Receive timed out: Indicates that the RADIUS server is not accessible on the given IP address/port.
      • Access-Reject: The response is received but the credentials of the provided user were wrong.
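
To make the three RADIUS outcomes above concrete, the following added example (not LastPass code and not part of the original help page) builds an RFC 2865 Access-Request and maps a reply onto SUCCESS, Receive timed out, or Access-Reject. It assumes PAP-style User-Password authentication, which this page does not confirm for the diagnostic tool; the function names, sample user and shared secret are constructed for illustration, and no network traffic is sent.

```python
import hashlib
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3  # RFC 2865 packet codes

def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 section 5.2: XOR each 16-byte block with MD5(secret + previous block)."""
    size = max(16, (len(password) + 15) // 16 * 16)  # pad to a multiple of 16, minimum 16
    padded, out, prev = password.ljust(size, b"\x00"), b"", authenticator
    for i in range(0, size, 16):
        mask = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ m for p, m in zip(padded[i:i + 16], mask))
        out += prev
    return out

def build_access_request(user, password, secret, identifier=0, authenticator=None):
    """Client side: the Access-Request datagram for a user name and password."""
    authenticator = authenticator or os.urandom(16)
    hidden = hide_password(password.encode(), secret, authenticator)
    attrs = b""
    for attr_type, value in ((1, user.encode()), (2, hidden)):  # User-Name, User-Password
        attrs += struct.pack("!BB", attr_type, len(value) + 2) + value
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs))
    return header + authenticator + attrs

def build_reply(request, code, secret):
    """Server side: an attribute-less reply carrying a valid Response Authenticator."""
    head = struct.pack("!BBH", code, request[1], 20)
    return head + hashlib.md5(head + request[4:20] + secret).digest()

def classify_reply(request, reply, secret):
    """Map a reply (None means the socket timed out) onto the outcomes listed above."""
    if reply is None:
        return "FAIL: Receive timed out"
    if len(reply) < 20 or reply[1] != request[1]:
        return "FAIL: malformed or mismatched reply"
    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    expected = hashlib.md5(reply[:4] + request[4:20] + reply[20:] + secret).digest()
    if reply[4:20] != expected:
        return "FAIL: response authenticator mismatch"
    if reply[0] == ACCESS_ACCEPT:
        return "SUCCESS"
    if reply[0] == ACCESS_REJECT:
        return "FAIL: Access-Reject"
    return "FAIL: unexpected packet code"

if __name__ == "__main__":  # constructed sample values, nothing is sent on the wire
    key = b"constructed-secret"
    req = build_access_request("alice", "constructed-password", key, identifier=7)
    for reply in (build_reply(req, ACCESS_ACCEPT, key), build_reply(req, ACCESS_REJECT, key), None):
        print(classify_reply(req, reply, key))
```

A reply whose authenticator does not verify points at a shared-secret mismatch between the two sides rather than at the user's credentials, which is worth ruling out before treating a failure as a wrong password.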

Checking the LDAP server configuration with Universal Proxy

  • When running the script, provide the following:

    • Enter user's distinguished name:
    • Enter user's password:

    For the description of the required properties, see LastPass Universal Proxy LDAP configuration using command line.

  • Checking whether a designated user can be found in the LDAP server. In this test an LDAP search request is initiated to determine whether an LDAP user search will find the necessary user attributes. The LDAP user entry search is first based on the user's distinguishedName, then on the naming attribute that was set in the Universal Proxy configuration (by default, it is sAMAccountName). For more information on the user configuration, see Configuration checklist for LastPass Universal Proxy using LDAP protocol.

    Example:

    Result:

    • SUCCESS: Indicates that the LDAP server is up and running.
    • FAIL:
      • Timeout: Indicates that the LDAP server is not accessible on the given IP address/port.
      • Empty search response: The LDAP server is accessible, but the user is not found.

  • Checking whether a designated user can authenticate to the LDAP server. In this test an LDAP bind request is initiated to check whether a designated user can authenticate to the LDAP server.

    Example:

    Result:

    • SUCCESS: Indicates that the LDAP server is there, listening on the given port and the provided user with the given password was found.
    • FAIL:
      • Timeout: Indicates that the LDAP server is not accessible on the given IP address/port.
      • Access-Reject: The LDAP server is there but the credentials of the provided user were wrong.

  • Checking if the user receives a push notification to their phone.

    Example:

    Result:

    • SUCCESS: The push notification was received and accepted.
    • FAIL: The push notification was not received.