Hello,
I have searched the forums for STAS supported configurations, but couldn't find anything specific to my particular environment. I have also worked with support pretty extensively on our STAS configuration, but we simply weren't able to get it working. We confirmed everything was configured correctly, but our network setup seems to be causing it to not work.
I want to see if anyone else can use STAS successfully while routing through different subnets... Every STAS configuration I have reviewed shows the site having a DC on the same local subnet as the Sophos LAN Gateway. That's great if you have a DC on every single subnet, but that's hardly practical for a handful of reasons.
Our environment uses an MPLS backbone which provides network access to all remote sites. We only have DCs located at the main sites, providing authentication to remote sites. STAS works perfectly if we configure a Sophos LAN Gateway on the same subnet as the DC; however, anytime it goes through the WAN interface it never works. We tried set advanced-firewall bypass-stateful-firewall-config for remote and local subnets, as well as a DNAT rule to show the LAN gateway IP instead of the WAN interface.
Is there anyone that has advice to get this working when we don't have DCs on every single subnet? I would like to hear if I'm simply trying to make something work that won't. Any help is appreciated, and I can't imagine we are the only ones trying to get STAS working with a single-DC, multi-site environment.