SATC functionality in Intercept X for Server

After the rollout happend, which is not on 01.07, instead the rollout phase will take more time (staging etc.).

https://docs.sophos.com/nsg/sophos-firewall/18.0/Help/en-us/webhelp/onlinehelp/nsg/sfos/learningContent/AuthenticationSetupSATCUsingEndpointProtection.html

Is this done yet? If not when can we expect it and where will Sophos notify everyone?

You should discuss this with your local Sophos sales rep to get a solution. 

What sales can do in this case, it is a development issue,

If you can see i am not the only one affected by this issue, check our this other discussion port.

https://community.sophos.com/sophos-xg-firewall/f/discussions/125223/sophos-authentication-client-for-remotedesktopserver-citrix-satc-for-chromiumbased-browser-version-84

whole point is Sophos is charging us for the support package, and on the other side they are expecting us to scrap other end-point solutions and buy their different product?

Why shouldn’t we replace Sophos instead of this ?

Thats what you should discuss with Sales. The SATC Tool will go end of life. The replacement would be a component within the Endpoint Solution of Sophos. The other solution is currently under development to get a direct proxy solution. You could still use a end of life product like SATC but i would not recommend this from a technical and security perspective but the tool is still functional after the EoL date. 

Hi LuCar Toni,

Can you elaborate on the development road map? 

IMHO there are a lot of different functional needs given the many possible situations.

- A Firewall Endpoint Client

To authenticate the user, user's session and endpoint  IP adresses (also Remote desktop sessions). If this firewall endpoint client is build into Endpoint X that is fine for Endpoint protection users but users of other SAV vendors should be able to use a Firewall Endpoint Client to authenticate the user.

- An improved STAS

I experienced that STAS will only register 1 user with 1 IP when in fact I was logged onto multiple devices authenticated with the DC. One having a WIFI guest IP adress which was send tru STAS to the XG and therefor blocking me on the XG on all other devices on the LAN. So I am not a fan of STAS. It should be able to allow for multiple user sessions, IP's.

it can be easily replicated by adding a laptop which has a LAN and a WIFI guest connection. If you see only the Live user with Guest IP in the XG than you have a problem.

- A Secure Web Gateway (cloud solution)

Regards,

Fred

The primary focus of Sophos is of course the synchronized Security story. Sophos is mainly investing in features to simplify the deployment of features with components and technology already in place. Therefore it makes sense to implement this feature in the Endpoint.

In fact the Thin client authentication will work for any server, not only terminal serer. Therefore if you protect your DC, it will also be able to authenticate the RDS session coming from a different place. 

As we move forward, Customers with the endpoint/server installed, can mainly uninstall STAS and only use Heartbeat for the authentication. 

There are plans to rebuild the STAS with other solutions but there are on the backlog. 

Hi LuCar

Is there any news on the SATC functionality? we've a couple of customers desperate for this. Do you happen to know if this will also suffer from the SAM vrs UPN domain name problem that plagues Endpoint? I know there's a plan somewhere to sort that out but not seen any time scale on it.

Regards

The version is/will be V2.19.X. Some customer already got this version. Feel free to check your installed server version.

And SATC will use the same mechanism as Intercept X. Therefore you will see the same behavior. 

Hi LuCar Toni,

Our terminal server Server Core Agent is now at 2.19.8. Still I don't see any live users from this server in the XG. Only the STAS users. 

When we were still at 2.18.x i added these steps:  Set the register keys for adding Satc to Intercept X on the RDS, restarted, via the XG console I added the IP of the RDS.

So from which Core Agent version should I expect to see the SATC result from Intercept X on the RDS server?

Regards,

Fred

Should be working. Try to check the registry keys, if they are correct. 

checked registry setting, checked threat protection policy has default settings, checked the console - ip already configered, checked Local service ACL - client authentication enabled.

Strangely I don't see any port 6060 traffic from the rds to the XG in the firewall log.

checked registry setting, checked threat protection policy has default settings, checked the console - ip already configered, checked Local service ACL - client authentication enabled.

Strangely I don't see any port 6060 traffic from the rds to the XG in the firewall log.

Did you restart the server? Because the service has to be restarted to be loaded. 

Check the Central part, if Network Threat Protection is installed. 

I will restart later tonight to check. 

 I repeated the steps at our new RDS server windows 2019. Used a script to add the keys. It works on the new RDS. Saw a difference in the port registry key between the old RDS server which I added manually and the new one. So I removed the keys and added them with the script. Now both show thin client connections in the XG.

Thanks again.