
STAS Remote Office not working: users not detected

Hello, I have this problem with the STAS system.

I have 2 XGs, one XG210 (v17 MR5) at the main office site and an XG125 (v17 MR6) at the branch office site.

STA Agent has been configured on DC01 to scan my local and remote subnets via EVENTLOG. STA Collector has been configured with the IP address of the local LAN interface of the XG210 and the local LAN interface of the XG125, with the subnet-based filter enabled for the whole 10.3.0.0/16 subnet (because I have multiple VLANs with multiple subnets on the remote site, i.e. 10.3.10.0/24, 10.3.20.0/24 etc., and all are registered as remote subnets in the VPN configuration).

Tried on the XG210, everything seems to work: I have nearly ~120 users on the XG210 registered correctly. On the XG125 I got zero (I was connected with my laptop and nothing else; I tried to restart it multiple times and log on to the AD network multiple times) and I can't get out to the internet through the NAT rules with "match users" enabled (if I disable "match users" the rule works).

Then I found this KB:

Sophos Firewall: How to allow Clientless SSO (STAS) authentication over a VPN

In the prerequisites I found this:

  • Branch Office initiated traffic should route through the IPSec tunnel.

So after a quick Google search I found this other KB:

How to Route Sophos Firewall Initiated Traffic Through an IPSec VPN tunnel

So I went through all the points of the KBs, and at the second KB I read this:

7. Add the BO WAN IP to the Local Subnet section under Local Network Details, and add the HO WAN IP to the Remote LAN Network section.

8. Add the BO WAN IP to the Local Subnet section under Local Network Details, and add the HO WAN IP to the Remote LAN Network section.

Mmmh, what? Is that a typo, or are those two configurations that should be inverted for the main and branch site?

BTW, I didn't insert any IP because it didn't specify whether I had to do it on the XGX210 of the main site, on the branch site, or both.

And I have the problem that the WWAN connection of the branch site doesn't provide me with a static public IP.

Following the 2 KBs up to those last steps doesn't make STAS work at the branch site.

I attach the topology.



  • Ok, some days and some hours after I wrote here I succeeded in the task.

    Here is what I've done:

    1. We have 2 DCs in the main site, and by default the STAS suite was installed on DC01 and not DC02, so I've installed the STA Agent on DC02 and configured the DC01 collector to collect from and be served also by the STA Agent on DC02.
    2. I've checked the audit policies and found that the DCs were not recording events because the local policy was disabled by a rogue GPO (a recent restructure in AD made that, d'oh), so I've enforced the GPO DC policy to log successful logins too and verified on the DCs that the local policy was modified accordingly.
    3. In AD Sites, I've made a link to the DC01 and DC02 site to be sure that logon requests were handled by the DCs.

    With that configuration suddenly everything worked like a charm for my test environment.

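As an added example (not something posted in the thread, and not a Sophos tool), the following PowerShell script checks from the DC side the two things the answer found broken: whether the effective audit policy for the Logon subcategory actually includes Success (point 2), and whether this DC has recently recorded successful logon events from the branch subnet at all (point 3). It assumes that event ID 4624 ("An account was successfully logged on") is the event the re-enabled audit policy should produce, that it is run elevated on a domain controller, and that the 10.3.0.0/16 prefix and the look-back window are parameters you adjust; none of these values come from the STAS configuration itself.

```powershell
<#
Added example, not from the thread or from Sophos: run this elevated on a domain
controller to verify the two fixes described in the answer (points 2 and 3).
Assumptions: event ID 4624 is the Windows "An account was successfully logged on"
event; the branch subnet prefix and look-back window are parameters, not values
taken from the STAS configuration.
#>
param(
    [string]$RemoteSubnetPrefix = '10.3.',  # 10.3.0.0/16 from the post, matched as a string prefix
    [int]$LookBackHours = 2
)

# 1. Effective audit policy for the Logon subcategory. A GPO that sets this to
#    'No Auditing' (the rogue GPO in the answer) means no 4624 events, so STAS sees nobody.
$auditRow = auditpol.exe /get /subcategory:"Logon" /r |
    Where-Object { $_ -ne '' } | ConvertFrom-Csv
$inclusion = if ($auditRow) { $auditRow.'Inclusion Setting' } else { 'unknown (run elevated)' }
Write-Host "[$env:COMPUTERNAME] Logon audit inclusion setting: $inclusion"
if ($inclusion -notmatch 'Success') {
    Write-Warning 'Success auditing for Logon is not effective here; check the winning GPO with: gpresult /h report.html'
}

# 2. Recent successful logons from the branch subnet, grouped by source IP.
#    No rows here while the policy above is correct means branch clients are not
#    authenticating against this DC at all, which is what the AD Sites link in point 3 fixed.
$since  = (Get-Date).AddHours(-$LookBackHours)
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624; StartTime = $since } `
    -ErrorAction SilentlyContinue   # Get-WinEvent throws when nothing matches; treat that as empty

$rows = foreach ($ev in $events) {
    # The fields we need live in EventData, so pull them out of the event XML
    $data = @{}
    foreach ($n in ([xml]$ev.ToXml()).Event.EventData.Data) { $data[$n.Name] = $n.'#text' }
    $ip   = $data['IpAddress']
    $user = $data['TargetUserName']
    if ($ip -and $ip.StartsWith($RemoteSubnetPrefix) -and $user -notlike '*$') {   # skip machine accounts
        [pscustomobject]@{
            Time      = $ev.TimeCreated
            User      = "$($data['TargetDomainName'])\$user"
            IpAddress = $ip
            LogonType = $data['LogonType']   # 2 interactive, 3 network, 10 remote interactive
        }
    }
}

if (-not $rows) {
    Write-Warning "No 4624 events from $RemoteSubnetPrefix* in the last $LookBackHours h on this DC."
} else {
    $rows | Group-Object IpAddress | Sort-Object Count -Descending |
        Select-Object @{n='IpAddress';e={$_.Name}}, Count,
                      @{n='Users';e={ ($_.Group.User | Sort-Object -Unique) -join ', ' }} |
        Format-Table -AutoSize
}
```

Run it on each DC the collector is fed from (DC01 and DC02 in the answer): a DC that reports Success auditing but shows no branch-subnet rows is the case where the logons are being handled elsewhere, while a DC whose inclusion setting lacks Success is the GPO problem, and both look identical from the firewall side as "zero users".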