Sophos Community > Sophos XG Firewall > Recommended Reads
Sophos Transparent Authentication Suite (STAS) enables users to automatically log in to Sophos Firewall when they log on to a Windows AD workstation.
STAS requires software installation on AD servers only; no software needs to be installed on workstations.
This article provides best practices for configuring STAS on Sophos Firewall v18.5.
The configuration example provided in the article is quite simple, but it explains how STAS works.
It covers the Windows AD GPO and Windows Firewall rules needed for STAS, and also provides basic troubleshooting guides.
If you notice any errors in the article or improvements can be made, please let me know.
Table of Contents
1. How STAS works
a) Deploy STA Agent and STA Collector
b) STA Collector group on Sophos Firewall
c) Deployment example
d) Summary of ports
2. Limitation
a) Max number of live users
b) Computers must be in AD domain
3. Lab environment
a) Network Topology
b) Find out the NetBios Name, FQDN, and Search DN
4. Configure Sophos Firewall
a) Enable Client Authentication in Device Access
b) Configure authentication server
c) Enable STAS
5. Configure Windows AD GPO
a) Enable audit logon events on AD computers
b) Allow inbound WMI on AD computers
c) Update Group Policy settings
d) Verify audit logon events were applied correctly
e) Verify event ID 4768 was generated for user logon
6. Install and configure STAS
a) Install STAS
b) Configure STA Agent
c) Configure STA Collector
d) Configure Exclusion List
e) Advanced
f) Start STA Collector
g) Create Windows Firewall rules to allow STAS traffic
h) Verify workstation poll method
7. Verify STAS is working
a) check STAS live users
b) create a firewall rule for user group
8. Troubleshooting
a) STA Collector shows no Sophos Firewall IP address
b) STA Collector shows no live user
c) Sophos Firewall has no STAS live user, although STA Collector has them
d) STA Collector keeps removing live user
e) Sophos Firewall has some STAS live users missing
f) Group policy of audit logon events is not updated on AD computer
g) STAS service did not start due to a logon failure
9. Known issues
10. Appendix
a) Enable SSL on Windows LDAP service
11. Edition History
1. How STAS works
The agent monitors the AD domain controller for user logon events (Windows Event ID 4768) and sends them to the collector on UDP port 5566 (#1 and #2 in diagram logon.type2.png).
The collector analyses the logon event and, if the user isn't already an existing STAS live user, sends it to Sophos Firewall on UDP port 6060 (#3 and #4 in diagram logon.type2.png).
Sophos Firewall looks up the username in the AD domain controller to retrieve the user's group, email address, and other details (#5 in diagram logon.type2.png).
The user is then displayed on Sophos Firewall as a STAS live user (#6 in diagram logon.type2.png).
Diagram: logon.type2.png
The collector can also help Sophos Firewall find out which user is logged on to an AD workstation.
For example, Sophos Firewall has no live user for an AD workstation, but a firewall rule requires user authentication for traffic from that workstation (#1 and #2 in diagram logon.type1.png).
In that situation, Sophos Firewall sends a query to the collector on UDP port 6677, asking for the username on the workstation (#3 in diagram logon.type1.png).
The collector talks to the workstation via the method defined in Workstation Polling Method, such as WMI (#4 in diagram logon.type1.png).
The collector then records the live user (#5 in diagram logon.type1.png) and sends it back to Sophos Firewall on UDP port 6060.
Sophos Firewall looks up the username in the AD domain controller to retrieve the user's group, email address, and other details (#6 in diagram logon.type1.png).
The user is then displayed on Sophos Firewall as a STAS live user (#7 in diagram logon.type1.png).
Diagram: logon.type1.png
Both STA Agent and STA Collector support changing the default communication ports.
[ Note: Member server is a computer that runs an operating system in the Windows Server family, belongs to a
domain, and is not a domain controller. ]
c) Deployment example
For an AD domain with 1 DC, my recommendation is
d) Summary of ports
STA Collector opens TCP port 5566 for STA Agent to upload user logon information.
STA Collector opens UDP port 6677 for Sophos Firewall to connect.
Sophos Firewall opens UDP port 6060 for STA Collectors to connect.
STA Collector sends packets to STA Agent UDP port 50001 for Test connection.
STA Agent sends packets to STA Collector UDP port 50001 for Test connection.
STA Collector sends packets to Sophos Firewall UDP port 6060 for Test connection.
2. Limitation
a) Max number of live users
Sophos Firewall v17.5 and later supports 12,288 live users, by default.
Log on to the Sophos Firewall SSH terminal as admin. Once authenticated, you will be presented with the Sophos Firewall console menu.
Go to 5. Device Management > 3. Advanced Shell, and run the following commands:
cish
system auth max-live-users show
b) Computers must be in AD domain
If a workstation is not a member of the AD domain, STAS won't be able to detect the live user on it.
In such a scenario, the Sophos Client Authentication Agent is the solution. Details of the Client Authentication Agent are available at https://support.sophos.com/support/s/article/KB-000038465
3. Lab environment
a) Network Topology
192.168.20.5 is the AD DC, and STA Agent will be installed on it.
192.168.20.9 is a member server, and STA Collector will be installed on it.
192.168.20.19 is an AD workstation.
192.168.20.251 is the Sophos Firewall LAN interface IP.
b) Find out the NetBIOS Name, FQDN, and Search DN
To find out the Search DN, run the command dsquery user in Windows CMD, as shown below.
C:\Users\Administrator>dsquery user
"CN=Administrator,CN=Users,DC=tao,DC=xg"
"CN=Guest,CN=Users,DC=tao,DC=xg"
"CN=krbtgt,CN=Users,DC=tao,DC=xg"
"CN=One User,OU=ABP Users,DC=tao,DC=xg"
"CN=Two User,CN=Users,DC=tao,DC=xg"
"CN=AD Admin,CN=Users,DC=tao,DC=xg"
"CN=User Super,CN=Users,DC=tao,DC=xg"
C:\Users\Administrator>
Later, we'll configure the search DN "DC=tao,DC=xg" in the authentication server on Sophos Firewall.
4. Configure Sophos Firewall
b) Configure authentication server
We need to configure the Windows AD DC as an authentication server on Sophos Firewall, so that Sophos Firewall can fetch group and other information about STAS live users from the AD DC.
Log on to the Sophos Firewall webadmin, go to Authentication > Servers, and click the "Add" button.
Configure authentication server as below
-Server Type: Active Directory
-Server Name: any name for the AD DC
-Server IP: IP address of the AD DC
-Connection security: SSL/TLS, by default
-Port: 636, default TCP port for LDAP service on SSL/TLS
[ Note: To enable SSL on the Windows LDAP service, you only need to install a CA on the AD DC and reboot the DC; the DC then automatically obtains a certificate from that CA for its LDAP service and accepts LDAP traffic on TCP port 636. Details are in section "10. Appendix > a) Enable SSL on Windows LDAP service". ]
Once the configuration is completed, click "Test connection" to make sure Sophos Firewall can communicate with the AD DC via LDAP.
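As an added example (not code from the article or from Sophos), the following PowerShell function performs the same check from a domain-joined Windows host before the firewall is pointed at the DC: it binds to the DC over LDAPS on port 636 with the current domain credentials, accepts the server certificate only if the local trust store validates it, and reads defaultNamingContext from rootDSE, which is the "DC=tao,DC=xg" style search DN the article obtains with dsquery. The function name, the hashtable used to capture the certificate, and the DC name dc01.tao.xg are assumptions; pass the DC by FQDN (the lab DC is 192.168.20.5) so the name on the certificate matches.

```powershell
# Added example, not part of the original article: confirm the AD DC accepts LDAPS on
# TCP 636 with a certificate this host trusts, and read the search DN, before the
# Sophos Firewall authentication server is configured against it.
# Assumes a domain-joined Windows host; pass the DC by FQDN (the lab DC is
# 192.168.20.5; dc01.tao.xg below is a placeholder) so the certificate name matches.
Add-Type -AssemblyName System.DirectoryServices.Protocols

function Test-LdapsForSophosFirewall {
    param(
        [Parameter(Mandatory)][string]$Server,
        [int]$Port = 636                      # the port the article configures on Sophos Firewall
    )
    $ns   = 'System.DirectoryServices.Protocols'
    $id   = New-Object "$ns.LdapDirectoryIdentifier" -ArgumentList $Server, $Port
    $conn = New-Object "$ns.LdapConnection" -ArgumentList $id
    $conn.SessionOptions.ProtocolVersion   = 3
    $conn.SessionOptions.SecureSocketLayer = $true
    $conn.AuthType = [System.DirectoryServices.Protocols.AuthType]::Negotiate   # current domain credentials

    # Keep the certificate the DC presents so a failed chain check is explainable,
    # and only accept it when the local trust store validates the chain.
    $seen = @{ Cert = $null }
    $conn.SessionOptions.VerifyServerCertificate = {
        param($connection, $certificate)
        $seen.Cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $certificate
        return $seen.Cert.Verify()
    }.GetNewClosure()

    $report = [ordered]@{ Server = $Server; Port = $Port; LdapsOk = $false; SearchDN = $null
                          CertSubject = $null; CertExpires = $null; Error = $null }
    try {
        $conn.Bind()
        # rootDSE lookup: defaultNamingContext is the "DC=tao,DC=xg" style search DN
        $scope = [System.DirectoryServices.Protocols.SearchScope]::Base
        $req   = New-Object "$ns.SearchRequest" -ArgumentList '', '(objectClass=*)', $scope, ([string[]]'defaultNamingContext')
        $entry = $conn.SendRequest($req).Entries[0]
        $report.LdapsOk  = $true
        $report.SearchDN = [string]$entry.Attributes['defaultNamingContext'][0]
    } catch {
        $report.Error = $_.Exception.Message   # e.g. "The LDAP server is unavailable" when 636 is closed
    } finally {
        if ($seen.Cert) { $report.CertSubject = $seen.Cert.Subject; $report.CertExpires = $seen.Cert.NotAfter }
        $conn.Dispose()
    }
    [pscustomobject]$report
}

Test-LdapsForSophosFirewall -Server 'dc01.tao.xg' | Format-List
```

If LdapsOk is false but CertSubject is filled in, the TCP connection and TLS handshake worked and the failure is the certificate chain, so the CA from the appendix is not trusted by this host (the firewall will need that CA imported as well). If CertSubject stays empty, port 636 is not answering at all and the DC has not picked up the LDAP certificate yet.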
2) Import AD user group
This step is optional, however, it’s recommended to import AD user groups, to simplify user management on the
Sophos Firewall.
To apply firewall rule on specific AD user groups, those AD user groups need to be imported into the Sophos Firewall.
Go to Authentication > Servers, and click the "Import" icon next to an AD server, as shown below.
Set common policies for those Groups. Normally we leave it as default during the initial setup.
Click on Next to import the group.
Go to Authentication > Groups, verify the AD group has been imported, as shown below
3) Authentication Service
Go to the Sophos Firewall webadmin > Authentication > Services, choose the Windows AD DC as the first server for
"Firewall Authentication Methods", as shown below.
c) Enable STAS
Go to Sophos Firewall webadmin > Authentication > STAS, turn on "Enable Sophos Transparent Authentication Suite",
and then click "Activate STAS" button, as shown below
Change default settings,
Note:
With the default settings of "Identity probe time-out": 120 seconds, and "Restrict client traffic during identity
probe": Yes, AD workstation experiences 2-minute network outage every hour once STAS is enabled on Sophos
Firewall.
Details about "Restrict client traffic during identity probe" can be found in section "Drop timeout in Learning
Mode" of Sophos KBA https://support.sophos.com/support/s/article/KB-000035730
Click the "Add new collector" button, and add the IP address of the STAS server. In this example, it is 192.168.20.5.
The Collector Port can be checked on STAS Suite > General tab > "Listening to the Sophos appliance on Port", as shown below.
5. Configure Windows AD GPO
a) Enable audit logon events on AD computers
1. Log on to the Windows AD DC as a member of the Administrators group.
2. Open Administrative Tools, and then click Group Policy Management.
3. In the console tree, open Forest: YOUR_FOREST > Domains > YOUR_DOMAIN_NAME, right-click Default Domain Policy, and then click Edit.
[ Note: You can also edit another group policy as needed. ]
4. In Group Policy Management Editor, open Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > Audit Policies.
5. Double-click Audit account logon events, and enable "Define these policy settings: Success and Failure".
6. Open Computer Configuration > Policies > Windows Settings > Security Settings > Advanced audit policy configuration > Audit Policies > Account Logon.
7. Double-click Audit Kerberos Authentication Service, and enable "Configure the following audit events: Success and Failure".
8. Open Computer Configuration > Policies > Windows Settings > Security Settings > Advanced audit policy configuration > Audit Policies > Logon/Logoff.
9. Double-click Audit Logon, and enable "Configure the following audit events: Success and Failure".
Once the group policy has been updated, continue to the next step to verify that the audit policy settings were applied correctly.
You can also wait for the group policy to be updated on the Windows schedule.
d) Verify audit logon events were applied correctly
C:\WINDOWS\system32>auditpol.exe /get /category:"Logon/Logoff"
System audit policy
Category/Subcategory Setting
Logon/Logoff
Logon Success and Failure
Logoff No Auditing
Account Lockout No Auditing
IPsec Main Mode No Auditing
IPsec Quick Mode No Auditing
IPsec Extended Mode No Auditing
Special Logon No Auditing
Other Logon/Logoff Events No Auditing
Network Policy Server No Auditing
User / Device Claims No Auditing
Group Membership No Auditing
C:\WINDOWS\system32>auditpol.exe /get /category:"Account Logon"
System audit policy
Category/Subcategory Setting
Account Logon
Kerberos Service Ticket Operations No Auditing
Other Account Logon Events No Auditing
Kerberos Authentication Service Success and Failure
Credential Validation No Auditing
C:\WINDOWS\system32>
e) Verify event ID 4768 was generated for user logon
If the AD DC doesn't generate event ID 4768 in Windows Event Viewer, STA Agent cannot detect any user logon activity.
Once event ID 4768 is generated, STA Agent forwards that information to STA Collector on UDP port 5566.
Please check Windows Event Viewer to make sure event ID 4768 is generated when a user logs on to a workstation.
The following screenshot shows user1 logged on to AD domain tao.xg from workstation 192.168.20.19.
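The Event Viewer check above can be scripted. The following function is an added example (not from the article or from Sophos) that reads recent event ID 4768 entries from the DC's Security log, pulls the account name, domain, client address and result code out of each event's XML, and skips computer accounts (names ending in $) because they are not the interactive users STAS is looking for. The function name and parameters are assumptions; run it on the DC (192.168.20.5 in the lab) as an administrator.

```powershell
# Added example, not part of the original article: list recent Kerberos TGT requests
# (Security event ID 4768), the event STA Agent depends on, with the user and source
# IP each one carries. Run on the AD DC as an administrator.
function Get-StasLogonEvents {
    param(
        [string]$ComputerName = '',          # empty = the local machine (the DC)
        [int]$MaxEvents = 100,
        [switch]$IncludeComputerAccounts     # machine accounts (name ends with $) are skipped by default
    )
    $splat = @{ FilterHashtable = @{ LogName = 'Security'; Id = 4768 }; MaxEvents = $MaxEvents; ErrorAction = 'Stop' }
    if ($ComputerName) { $splat.ComputerName = $ComputerName }
    # No matching events is a terminating error here: it usually means the audit policy
    # from section 5 has not reached this DC yet (compare with auditpol.exe /get).
    $events = Get-WinEvent @splat

    foreach ($e in $events) {
        # The named fields live in EventData; pull them out of the event XML
        $data = @{}
        foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        $user = $data['TargetUserName']
        if (-not $IncludeComputerAccounts -and $user -like '*$') { continue }
        # Kerberos events record IPv4 clients as IPv4-mapped IPv6 addresses (::ffff:a.b.c.d)
        $ip = $data['IpAddress'] -replace '^::ffff:', ''
        [pscustomobject]@{
            Time     = $e.TimeCreated
            User     = $user
            Domain   = $data['TargetDomainName']
            ClientIP = $ip
            Success  = ($data['Status'] -eq '0x0')   # 0x0 = TGT issued; any other value is a failure code
        }
    }
}

# Workstations that produced successful TGT requests for interactive users, newest first
Get-StasLogonEvents | Where-Object Success | Sort-Object Time -Descending | Format-Table -AutoSize
```

In the lab, a row with User user1, Domain TAO.XG and ClientIP 192.168.20.19 is the event the screenshot shows; if the workstation's logon produces no row at all, the agent has nothing to forward, and the Audit Kerberos Authentication Service setting from section 5 is the first thing to re-check.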
6. Install and configure STAS
a) Install STAS
Sophos KBA for STAS: https://support.sophos.com/support/s/article/KB-000035732
The latest STAS can be downloaded from Sophos Firewall webadmin > Authentication > Client downloads, as below.
In this example, STA Agent was installed on the Windows AD DC 192.168.20.5, and STA Collector was installed on the member server 192.168.20.9.
Please install STAS by right-clicking the installation file > 'Run as administrator' to prevent any potential permission issues on Windows.
b) Configure STA Agent
For STA Agent, choose "STA Agent".
1) In the "General" tab, enter the NetBIOS name of the AD domain together with its Fully Qualified Domain Name.
If STA Agent cannot be started, please double-check the Administrator Credentials, NetBIOS Name, and Fully Qualified Domain Name.
3) Go to the "STA Agent" tab, and specify the subnets that all Windows AD users belong to, as shown below.
c) Configure STA Collector
In the "General" tab, enter the NetBIOS Name and Fully Qualified Domain Name of the AD domain.
Go to the "STA Collector" tab:
"Sophos Appliances": the internal IP address of the Sophos Firewall, 192.168.20.251. If Sophos Firewall is in HA, use the interface IP address, not the HA peer administration IP.
"Workstation Polling Method": WMI is recommended.
"Enable Logoff Detection": checked.
"Detection Method": Workstation polling.
"Dead entry timeout": must be 0. Details in section "9. Known issues".
d) Configure Exclusion List
Go to "Exclusion List":
1) In "Login User Exclusion List", enter any background service accounts, for example trendupd, trendupd2, OktaService, and so on, depending on the software installed on the workstations.
This prevents a STAS live user from being logged off when a background service account logs in to start background tasks.
Note:
- "Login User Exclusion List" only supports "username"; it doesn't support "username@domain.com" or "domain\username".
- Usernames in "Login User Exclusion List" are case insensitive.
2) In "Login IP Address/Network Exclusion List", add the IP addresses of any servers, for example Citrix terminal servers, Microsoft RDS servers, DNS servers, and web servers, to prevent frequent user logon/logoff.
In the example, I put the IP addresses of the DNS server and web server into the Login IP Address Exclusion List.
e) Advanced
The following settings are recommended, in case STAS troubleshooting is needed.
The STAS log files, stas.log and stas.log1, are located on the Windows server where STAS is installed, in the directory C:\Program Files (x86)\Sophos\Sophos Transparent Authentication Suite by default.
stas.log and stas.log1 are rotated every 25 MB (or as defined by Log File Size).
f) Start STA Collector
Sometimes the STAS service might fail to start, with the error "Failed: Cannot start service: STAS". Please refer to section "8. Troubleshooting > g) STAS service did not start due to a logon failure" for the solution.
Note:
When there are multiple STA Collectors in the same collector group, Sophos Firewall only communicates with the STA Collector at the top of the list. Only that STA Collector can establish communication with Sophos Firewall, and only that STA Collector displays the IP address of Sophos Firewall in its General tab.
To find out which STA Collector is communicating with Sophos Firewall, either
go to STAS > General tab and check whether it displays the Sophos Firewall IP address (if yes, it is the STA Collector communicating with Sophos Firewall), or
check the backend logs in the Sophos Firewall SSH terminal:
SSH to Sophos Firewall as admin, go to 5. Device Management > 3. Advanced Shell, and run the following command
grep "CTA LIVE Received from\|sending CTA_IS_ACTIVE" /log/access_server.log | tail
The sample output below shows Sophos Firewall has been communicating with STA Collector 192.168.20.5 since 16:00 on 8 Feb.
SFVUNL_SO01_SFOS 18.0.4 MR‐4# grep "CTA LIVE Received from\|sending CTA_IS_ACTIVE" /log/access_server.
DEBUG Feb 08 16:00:36.719168 [access_server]: process_cta_live: CTA LIVE Received from 192.168.20.5
DEBUG Feb 08 16:01:06.733092 [access_server]: process_cta_live: CTA LIVE Received from 192.168.20.5
DEBUG Feb 08 16:01:36.748435 [access_server]: process_cta_live: CTA LIVE Received from 192.168.20.5
DEBUG Feb 08 16:02:06.753870 [access_server]: process_cta_live: CTA LIVE Received from 192.168.20.5
DEBUG Feb 08 16:02:36.754746 [access_server]: process_cta_live: CTA LIVE Received from 192.168.20.5
DEBUG Feb 08 16:03:06.770399 [access_server]: process_cta_live: CTA LIVE Received from 192.168.20.5
DEBUG Feb 08 16:03:36.784307 [access_server]: process_cta_live: CTA LIVE Received from 192.168.20.5
DEBUG Feb 08 16:04:06.799499 [access_server]: process_cta_live: CTA LIVE Received from 192.168.20.5
MESSAGE Feb 09 11:01:29.423157 [access_server]: process_cta_live: sending CTA_IS_ACTIVE 192.168.20.5
MESSAGE Feb 09 11:08:30.094186 [access_server]: process_cta_live: sending CTA_IS_ACTIVE 192.168.20.5
SFVUNL_SO01_SFOS 18.0.4 MR‐4#
g) Create Windows Firewall rules to allow STAS traffic
If STA Collector and STA Agent are installed on the same Windows server, create Windows Firewall rules on the Windows server to allow
The ports needed by STAS are described in section "1. How STAS works > d) Summary of ports".
Windows Firewall rules are applied per network profile (Domain, Private, Public). Make sure the above Windows Firewall rules are applied to the correct network profile.
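As an added example (not from the article or from Sophos), the PowerShell below creates those rules with New-NetFirewallRule, restricted to the Domain profile and to the peers that actually use each port, rather than opening the ports to any source. The function names, the rule group name "Sophos STAS" and the display names are assumptions; the addresses default to the lab values from the article. The article's walkthrough describes port 5566 as UDP while its port summary calls it TCP, so the example opens both and notes that one of them should be removed once the protocol shown on the STA Collector's General tab is confirmed. Run it in an elevated PowerShell on the host running STA Collector (on a combined Agent+Collector host, pass that host's own address as AgentAddress).

```powershell
# Added example, not part of the original article: Windows Firewall rules for the STAS
# ports listed in the article, limited to the Domain profile and to the peers that use
# them. Defaults are the lab addresses from the article. Run elevated on the
# STA Collector host (Windows Server 2012 R2 or later for the NetSecurity cmdlets).
function Add-StasFirewallRules {
    param(
        [string[]]$FirewallAddress  = '192.168.20.251',   # Sophos Firewall interface IP, not the HA peer admin IP
        [string[]]$AgentAddress     = '192.168.20.5',     # host(s) running STA Agent
        [string[]]$CollectorAddress = '192.168.20.9'      # other collector(s) in the group, for Test connection
    )
    $base = @{ Group = 'Sophos STAS'; Profile = 'Domain'; Direction = 'Inbound'; Action = 'Allow' }

    # STA Agent -> STA Collector: user logon events on port 5566. The article calls this
    # UDP in the walkthrough and TCP in the port summary, so both are opened here; keep
    # the one shown on the STA Collector General tab and remove the other.
    foreach ($proto in 'UDP', 'TCP') {
        New-NetFirewallRule @base -DisplayName "STAS Agent -> Collector ($proto 5566)" `
            -Protocol $proto -LocalPort 5566 -RemoteAddress $AgentAddress | Out-Null
    }
    # Sophos Firewall -> STA Collector: live-user queries on UDP 6677
    New-NetFirewallRule @base -DisplayName 'STAS Firewall -> Collector (UDP 6677)' `
        -Protocol UDP -LocalPort 6677 -RemoteAddress $FirewallAddress | Out-Null
    # Test connection packets between Agent and Collector on UDP 50001
    New-NetFirewallRule @base -DisplayName 'STAS Test connection (UDP 50001)' `
        -Protocol UDP -LocalPort 50001 -RemoteAddress ($AgentAddress + $CollectorAddress) | Out-Null
    # Collector -> Sophos Firewall on UDP 6060 only needs a rule when the outbound default is Block
    New-NetFirewallRule -Group 'Sophos STAS' -Profile Domain -Direction Outbound -Action Allow `
        -DisplayName 'STAS Collector -> Firewall (UDP 6060)' -Protocol UDP -RemotePort 6060 `
        -RemoteAddress $FirewallAddress | Out-Null
}

# Review what exists in the group: one row per rule with its port and address filters
function Get-StasFirewallRules {
    Get-NetFirewallRule -Group 'Sophos STAS' | ForEach-Object {
        $pf = $_ | Get-NetFirewallPortFilter
        $af = $_ | Get-NetFirewallAddressFilter
        [pscustomobject]@{
            Rule          = $_.DisplayName
            Direction     = $_.Direction
            Profile       = $_.Profile
            Protocol      = $pf.Protocol
            LocalPort     = $pf.LocalPort
            RemotePort    = $pf.RemotePort
            RemoteAddress = ($af.RemoteAddress -join ',')
        }
    }
}

Add-StasFirewallRules
Get-StasFirewallRules | Format-Table -AutoSize
```

The Profile column of the review output is the quick check for the note above: a rule created for the Domain profile does nothing on a server whose network connection Windows has classified as Private or Public.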
h) Verify workstation poll method
In the above configuration, we configured STA Collector to use WMI as the workstation polling method.
We need to verify that STA Collector can communicate with every AD workstation via WMI:
Sophos Firewall: Configure user sign off detection in STAS using WMI
Microsoft KBA: Setting up a Remote WMI Connection
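One concrete way to run that verification, as an added example that is not code from the article or from Sophos: from the STA Collector host, open a DCOM-based CIM session to each workstation (the classic WMI transport, not WinRM) and read Win32_ComputerSystem.UserName, which is the interactively logged-on user the polling method needs. The function name and output fields are assumptions; the workstation address is the lab value from the article. Run it under the account the STAS service logs on as, since that is the identity the collector will poll with.

```powershell
# Added example, not part of the original article: check that the STA Collector host can
# reach an AD workstation over DCOM/WMI and read the logged-on user, which is what the
# WMI workstation polling method relies on. Run on the collector host as the STAS
# service account (or another account permitted to use WMI on the workstation).
function Test-StasWmiPoll {
    param([Parameter(Mandatory)][string[]]$Workstation)   # e.g. '192.168.20.19' from the lab
    $dcom = New-CimSessionOption -Protocol Dcom           # classic WMI transport, not WinRM
    foreach ($w in $Workstation) {
        $result = [ordered]@{ Workstation = $w; WmiReachable = $false; LoggedOnUser = $null; Error = $null }
        try {
            $s  = New-CimSession -ComputerName $w -SessionOption $dcom -OperationTimeoutSec 10 -ErrorAction Stop
            $cs = Get-CimInstance -CimSession $s -ClassName Win32_ComputerSystem -ErrorAction Stop
            $result.WmiReachable = $true
            $result.LoggedOnUser = $cs.UserName    # DOMAIN\user of the interactive session; empty if nobody is logged on
            Remove-CimSession $s
        } catch {
            # "The RPC server is unavailable" = DCOM/firewall blocked on the workstation
            # "Access is denied"              = this account lacks WMI rights on the workstation
            $result.Error = $_.Exception.Message
        }
        [pscustomobject]$result
    }
}

Test-StasWmiPoll -Workstation '192.168.20.19' | Format-Table -AutoSize
```

WmiReachable true with an empty LoggedOnUser is a valid result (nobody at the console), so the collector would correctly report no live user there; an RPC error means the inbound WMI GPO from section 5 has not reached that workstation yet.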
7. Verify STAS is working
a) check STAS live users
user1 logged on to AD workstation 192.168.20.19 again after STAS was set up.
On STA Collector, open STAS and go to Advanced > Show Live Users; the live user was there.
On Sophos Firewall webadmin, Current Activity > Live Users also showed the live user.
b) create a firewall rule for user group
Create a firewall rule to allow users in the IT group to access the Internet.
Now, 192.168.20.19 can access the Internet.
Sophos Firewall webadmin > Current activities > Live connections > Live connections for: Username shows the live connections of user1@tao.xg.
The firewall rule traffic stats also confirmed that traffic from 192.168.20.19 was generated by the user in the IT group and hit the firewall rule.
8. Troubleshooting
a) STA Collector shows no Sophos Firewall IP address
When STA Collector cannot communicate with Sophos Firewall, the STAS "General" tab doesn't show the Sophos Firewall IP address.
Make sure
Sophos Firewall webadmin > Device Access has "Client Authentication" enabled on the zone where STA Collector is located.
Windows Firewall on STA Collector allows traffic from/to Sophos Firewall. Details in the section "Install and configure STAS > f) Create Windows Firewall rules to allow STAS traffic".
c) Sophos Firewall has no STAS live user, although STA Collector has them
If Sophos Firewall doesn't show any live user, but STAS shows live users, make sure
the Windows Firewall rule on the STAS server is configured properly, as per section "Install and configure STAS > f) Create Windows Firewall rules to allow STAS traffic";
Sophos Firewall has "Client Authentication" enabled on the zone where the STA Collector and AD workstation are located;
the Authentication service on Sophos Firewall is running. It can be verified in Sophos Firewall webadmin > System services > Services, as below.
Check whether Sophos Firewall reaches the STAS server via a static route. Details in section "9. Known issues".
Make sure
STAS can communicate with AD computers via the workstation poll method. Details in the section "Install and configure STAS > h) Verify workstation poll method".
All background service accounts on AD computers have been added into STAS > "Login User Exclusion List". Details in the section "Install and configure STAS > d) Configure Exclusion List".
Make sure
STA Collector can communicate with AD computers via the workstation poll method. Details in the section "Install and configure STAS > h) Verify workstation poll method".
All background service accounts on AD computers have been added into STAS > "Login User Exclusion List". Details in the section "Install and configure STAS > d) Configure Exclusion List".
Please also check whether Sophos Firewall reaches the STAS server via a static route. Details in section "9. Known issues".
g) STAS service did not start due to a logon failure
1) Go to Windows Services, find "Sophos Transparent Authentication Suite", right-click it, and click "Properties".
2) Go to the "Log On" tab, and enter the AD domain admin account and password again.
3) Go back to STAS and click the "Start" button; STAS should now start.
9. Known issues
a) Dead entry timeout: must be 0, otherwise STAS stops working (applies to STAS v2.5.1.0 and earlier)
b) When Sophos Firewall reaches STAS server via a static route, Sophos Firewall cannot communicate with STAS
server after reboot/boot-up.
Symptom: Sophos Firewall doesn't send packets to STAS server UDP port 6677 to actively query live user on
workstations. Sophos Firewall can only passively receive live user information from STAS server.
[ Note: This bug (NC-84910) will be fixed in Sophos Firewall OS v18.5 MR5. ]
10. Appendix
a) Enable SSL on Windows LDAP service
Note: If you need technical support to enable SSL on Windows LDAP service, please seek help from Microsoft.
Once the installation is complete, in Server Manager, click on "Notifications" > Post-deployment Configuration >
Configure Active Directory Certificate Services
In "AD CS Configuration", click Next to continue
Choose "Enterprise CA"
Now, restart the DC, and Windows automatically enables SSL on LDAP service.
11. Edition History
2022-05-04, major updates:
2021-02-10
2021-01-19, major update
[edited by: taowang at 2:05 AM (GMT -7) on 4 May 2022]
Top Replies
- having multiple Agents and Collectors - best practise (e.g. 4 DC in a domain: 4 agents, 2 collectors? Must we
set up every collector on every agent?)
- Using more than one collector in a collector group - how can we make sure that in case of any device failing
redundancy applies?
- Using a XG cluster: do we have to set up the native IPs of the XG in the collector or the cluster one?
go to STAS > General tab, check if it has XG firewall IP address displayed. If yes, it is the STAS
communicating with XG firewall, or
Advanced Shell command
grep "CTA LIVE Received from\|sending CTA_IS_ACTIVE" /log/access_server.log | tail
Details in section "6. Install and configure STAS > g) Start STAS"
- need to put XG firewall interface IP, not HA peer administration IP, into STA Collector
Thanks!
Which official guide are you referring to? I'd like to follow up with our product documentation team
to have this updated.
Florentino
Director, Global Community & Digital Support
If a post solves your question, please use the 'Verify Answer' button.
For example, nowhere is it described who is doing the WMI polling: agent or collector?
If not, I presume I need to use the member server installation of 2.5. Do I install an agent only on the member
server if I have a collector installed on DC3? Also, how do I handle the two Core DCs. Do I have to have a 1:1
relationship between member servers and DCs if I'm not installing the agent/collector on the Core DC?
But... running STAS as Domain Admin - really? I think it's a security risk.
STAS 2.5 is supported on Windows Server 2008R2, 2012R2, 2016, and 2019. The Essentials versions should also be supported, starting with SBS 2011. Furthermore, you can refer to the following article: https://support.sophos.com/support/s/article/KB-000038628?language=en_US