I have read through https://community.sophos.com/kb/en-us/123154 on setting up STAS to work with Active Directory in a mutli-DC environment. I have 4 DCs for a single domain. The XG Firewall version is 17.0.2 MR-2. The STAS version is 2.2.1.0.
I have been running STAS using "Ping" as the logoff detection method for around 18 months. I am wanting to switch over to using WMI for Logoff detection. So I make sure the Workstation polling method is set to "WMI" and the Logoff Detection is set to "Workstation Polling" and restart the STAS service. However, I am getting reports from several users that they are being logged off of the firewall after 10 minutes. (Very similar to https://community.sophos.com/products/xg-firewall/f/authentication/90464/stas-registry-read-access-vs-wmi)
I read through https://community.sophos.com/kb/en-us/123020 and when I got to step 3, I made this observation:
C:\>ping computer2015
Pinging computer2015.DOMAIN.LOC [10.11.21.52] with 32 bytes of data:
Reply from 10.11.21.52: bytes=32 time=1ms TTL=128
--Results truncated --
Note the hostname resolves to IP address and is pingable.
C:\>wmic
wmic:root\cli>/user: DOMAIN\domainadmin
Enter the password :********wmic:root\cli>/node: 10.11.21.52
10.11.21.52 - Invalid node (discarded).
Note that WMIC to IP address fails.
wmic:root\cli>/node: computer2015
wmic:root\cli>computersystem get username /value
UserName=DOMAIN\user2015
Note that WMIC to hostname works fine, but to the IP address fails. Has anyone else observed this behavior? Does STAS query WMI on the host by IP address or hostname?
This thread was automatically locked due to age.
