V17.5 user sync with Sophos Central EDR EAP no users listed in live users view?

I am running a licenced XG v17.5 instance and my endpoint has Central EDR EAP running, but I'm not seeing any users in the Live Users view. I was under the impression that I should see users there that were reported from the Heartbeat sync?

What am I missing?

JK



  • Yes, I've followed all the documentation I could find on the matter. From what I gather I should see usernames under the Live Users view, shouldn't I? They should be sent from the Central Endpoint, right? From what I read I assumed that I should see the usernames there whether I've got my XG linked to AD or not, because Endpoint sends a username. Is that right?

    Also, I know XG and Central are sending some kind of usernames from my logs:

    I've tried to add a user matching what I use to log on with, but it didn't seem to work; I still get failed errors.

    Should I see that user in the Live Users view if it fails or not?

    See, I can't add AD to my XG as I log on with Azure AD, but from those logs I assumed I could use local users on my XG. Obviously not?

    Thanks for your reply,

    JK

  • Yes, within Central, I can see and manage my Firewall!

    I think now I will wait for support to assist further with the case I have open. It's been well worthwhile with this thread and I have advanced further, but it is not yet resolved.

    If anyone has any other ideas, they are welcome. I will update further if and when resolved.

  • Yeah, Support is your best bet now. When you resolve the issue please post what Sophos Support did to resolve it; I'd be interested to know myself for future reference.

    Sorry couldn't be of more help myself.....

  • Hi,

    I've located your support case and I have followed up with your assigned engineer.

    As per the email exchange, kindly organize a time for a remote access troubleshooting session to be performed.

    Please PM me directly if you had any questions regarding your support case.

    Thanks,

  • Yes - we are already communicating this evening - thanks

  • Did you get this sorted, Paul? I'd be interested to know what your issue was, but my user ID heartbeat popped to life as soon as my XG instance was authenticating against the same Azure AD directory my Sophos Central was, albeit via JumpCloud's LDAP, which in turn was syncing from the same source Azure AD / Office 365 directory. Have you gone over your AD sync on your Sophos Central instance and the AD config on your XG instance? I didn't expect my XG instance to actually show my Azure AD users when I added JumpCloud LDAP to my XG; I was aiming at something completely different, but was surprised I had fixed my user ID auth via Heartbeat by solving a different auth-based problem I was having.

    But as soon as I added the LDAP server to XG it all started working.

    So maybe start at the beginning and work through your Central AD sync and XG AD server, including making sure your XG's authentication source is first your AD server and not local authentication. Lastly, make sure your Endpoints are correctly authenticating against the same AD servers.

  • No, not sorted. Ran out of time to go through with Sophos Support on New Year's Eve, but will be doing so Wednesday.

    As far as I understood, with v17.5 + Central there is no need to set up AD sync, other than on XG? The Heartbeat is supposed to pick up the login and pass the information to XG.

  • That is correct. You do not need any user in Central.

    Basically, the Endpoint daemon will pick up the domain and username and send them to XG. XG will perform the lookup to check the user, and that is it.

  • Thanks for the confirmation; I thought I was 'going mad'!!!

    Does the log below from heartbeat.log on the Endpoint confirm that it is passing the login info? From your earlier reply, looking at logs on XG is not something I am comfortable with, and I will await Sophos Support to assist with that.

    a 2018-12-30T11:48:19.352Z [2432:2580] - Starting Heartbeat version 1.8.59.0
    a 2018-12-30T11:48:19.352Z [2432:2580] - ----------------------------------------------------------------------------------------------------
    a 2018-12-30T11:48:20.413Z [2432:2720] - Connection succeeded.
    a 2018-12-30T11:48:20.413Z [2432:2720] - Connected to 'xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx' at IP address xxx.xxx.xxx.xxx on port xxxx
    a 2018-12-30T11:48:20.507Z [2432:2720] - Sending network status. Active Interfaces:
    MAC: xx:xx:xx:xx:xx:xx - INET: xxx.xxx.xxx.xxx - INET6: xxxx::xxxx:xx:xxx:xxxx
    a 2018-12-30T11:48:20.538Z [2432:2720] - Received request to enable enhanced application control
    a 2018-12-30T11:48:20.538Z [2432:2720] - Sending endpoint state list request
    a 2018-12-30T11:48:20.538Z [2432:2720] - Sending login status.
    a 2018-12-30T11:48:20.538Z [2432:2720] - Received response to endpoint state list request, size: 0
    a 2018-12-30T11:48:21.895Z [2432:2720] - Sending health status: {"admin":1, "health":1, "service":1, "threat":1}
    a 2018-12-30T11:49:21.307Z [2432:2720] - Sending login status.
    a 2018-12-30T11:49:54.125Z [2432:2720] - Received notification of endpoint state changes, size: 1
    a 2018-12-30T11:50:53.128Z [2432:2720] - Received notification of endpoint state changes, size: 1
    a 2018-12-30T11:51:59.583Z [2432:2720] - Received notification of endpoint state changes, size: 1
    a 2018-12-30T11:52:14.597Z [2432:2720] - Received notification of endpoint state changes, size: 1
    a 2018-12-30T15:17:22.571Z [2432:2720] - Sending login status.
    a 2018-12-30T15:17:52.575Z [2432:2720] - Sending login status.

  • Sure, that was the case for standard Heartbeat, but from the articles I've been given to read on 17.5 Synchronized User ID, doesn't that information still need an AD server to authenticate against at some point? Although I may be mistaken again there, as at the moment there isn't enough info on how these new 17.5 XG features all work and work with each other.

    In my case it wasn't until I had my XG's authentication source sorted that I saw the live user ID show up from the Heartbeat agent's new user ID ability. I had already had the old Heartbeat working OK; it was just the user ID ability which was giving me issues.

    As I say, hopefully we'll get more documentation soon to clear up my confusion on the matter, for one.

    But Sophos will know best, as Paul says.

    But how Lucar states user ID Heartbeat auth should work was exactly how simply I'd hoped this Heartbeat agent's new synced user ID would work. I originally thought that this would allow me to see my usernames from my endpoints in XG's live active users without needing to have AD servers set up on XG (as I stated, I am using Azure AD for auth), i.e. all that I would need would be the latest Central EDR EAP agent running and XG v17.5, but it wasn't as simple as I'd imagined. I am now sure I'm getting my wires crossed on how several of XG's new features work in v17.5, Synchronized User ID for one. I'll be sure to keep an eye out for any more KB articles / documentation on these, as I for one am really getting confused. lol

  • Hello all,

    I am using XG v17.5 with Intercept X EAP and I have set up Heartbeat, but it is acting a little bit strangely.

    First of all, when I log into my computer with the credentials DOMAIN\username, the Heartbeat authentication doesn't work at all, and in the XG authentication logs I can see "username" failed to log in because of wrong credentials. There is no mention of DOMAIN anywhere in that log.

    When I log into the computer with the credentials username@domain, Heartbeat authentication works, at least for the first 30 minutes (the credentials in the logs are also in the format username@domain). Every time, 30 minutes after the first login the Heartbeat fails, and in the logs I see credentials stating just "username" with no domain failed to log in because of wrong credentials. This also happens when I disconnect/reconnect the computer from the network.

    Has anyone else experienced this issue?

  • Although I have yet to see any sign of 'Live Users', I can confirm a couple of things.

    If I use the firewall rule and turn on "match known users" with "show portal to unknown users", then use a web browser from the Endpoint, I am offered the login.

    If I deliberately enter a wrong password it fails (as expected) and the AD server informs me of the failed login, so I know the AD side is working. But, as you say, when you log in, within the authentication log it does show the user in the format name@domain and not the user name you used. For me, it does not recognise domain\user; I just have to enter a domain user name without the domain.

  • I am advised that Security Heartbeat is picking up the user, but not the domain!

    This particular Endpoint is a virtual machine and I am running MSTSC to connect to it. Once connected (using domain\user), going to a cmd prompt and running set clearly shows both the domain and user name correctly.

    Any ideas?

  • Hi Paul,

    True, it will look for user details. In order to achieve this, the following conditions must be met:

    1. The Sophos Central account must be linked to the Sophos XG firewall.

    2. The XG firewall must be connected to the domain controller for authentication.

    3. The users in Central must have the same profile, e.g. in the Central account, if the user is Domain/Username instead of Normal User then their profile must contain the email address.

    4. The same can be said of the local users on Sophos XG: use the same email address as mentioned in the Central profile.

    On the Endpoint you may check the username in the Sophos Endpoint UI > About > Run Diagnostics tool > System.

  • I can confirm 1-4 above are correct.

    I can also confirm that checking (Sophos Endpoint UI > About > Run Diagnostics tool > System) indeed shows both the domain\username.

    But it still does not show in Live Users.

    The Sophos Support engineer (with case [#8526233]) has highlighted that the Heartbeat does not include the domain name when it receives the info:

    2019-01-02 17:36:26 DEBUG HBSession.cpp[2758]:176 handleHeartbeatRequest - Received login request with id 147
    2019-01-02 17:36:26 DEBUG LoginRequestHandler.cpp[2758]:71 handleExtendedRequest - Ignoring login from local user in ModuleLogin: domain field in LoginRequest is empty
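The two log excerpts in this thread (the endpoint heartbeat.log posted earlier, and the XG-side debug lines quoted here by the support engineer) are the evidence a defender has when Synchronized User ID fails silently. The triage script below is an added example, not code from the thread or any Sophos tool: it parses lines in the shape of those two excerpts, counts whether the endpoint connected and sent a login status, and flags the XG message that says the login was ignored because the domain field was empty. The sample lines are constructed (placeholder addresses and IDs), and the finding texts are the author's own summary of the checks discussed in the thread.

```python
import re
from typing import Dict, List

# Endpoint heartbeat.log line shape, e.g.
#   a 2018-12-30T11:48:20.538Z [2432:2720] - Sending login status.
ENDPOINT_RE = re.compile(r"^a (?P<ts>\S+) \[(?P<pid>\d+):(?P<tid>\d+)\] - (?P<msg>.*)$")

# XG-side debug line shape, e.g.
#   2019-01-02 17:36:26 DEBUG LoginRequestHandler.cpp[2758]:71 handleExtendedRequest - Ignoring login ...
XG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<level>\w+) "
    r"(?P<src>\S+) (?P<func>\w+) - (?P<msg>.*)$"
)

# Constructed sample input modelled on the thread's excerpts; x's are placeholders.
ENDPOINT_SAMPLE = """\
a 2018-12-30T11:48:19.352Z [2432:2580] - Starting Heartbeat version 1.8.59.0
a 2018-12-30T11:48:20.413Z [2432:2720] - Connection succeeded.
a 2018-12-30T11:48:20.507Z [2432:2720] - Sending network status. Active Interfaces:
MAC: xx:xx:xx:xx:xx:xx - INET: xxx.xxx.xxx.xxx - INET6: xxxx::xxxx:xx:xxx:xxxx
a 2018-12-30T11:48:20.538Z [2432:2720] - Sending login status.
a 2018-12-30T11:48:21.895Z [2432:2720] - Sending health status: {"admin":1, "health":1, "service":1, "threat":1}
a 2018-12-30T11:49:21.307Z [2432:2720] - Sending login status.
"""

XG_SAMPLE = """\
2019-01-02 17:36:26 DEBUG HBSession.cpp[2758]:176 handleHeartbeatRequest - Received login request with id 147
2019-01-02 17:36:26 DEBUG LoginRequestHandler.cpp[2758]:71 handleExtendedRequest - Ignoring login from local user in ModuleLogin: domain field in LoginRequest is empty
"""


def parse_endpoint_log(text: str) -> Dict[str, object]:
    """Summarise what the endpoint side of the heartbeat claims to have done."""
    summary: Dict[str, object] = {"connected": False, "login_status_sent": 0,
                                  "health_reports": 0, "unparsed": 0}
    for line in text.splitlines():
        if not line.strip():
            continue
        m = ENDPOINT_RE.match(line)
        if not m:
            # Continuation lines (e.g. "MAC: ... - INET: ...") carry no prefix.
            summary["unparsed"] += 1
            continue
        msg = m.group("msg")
        if msg.startswith("Connection succeeded"):
            summary["connected"] = True
        elif msg.startswith("Sending login status"):
            summary["login_status_sent"] += 1
        elif msg.startswith("Sending health status"):
            summary["health_reports"] += 1
    return summary


def parse_xg_log(text: str) -> Dict[str, int]:
    """Count login requests XG received and those it discarded for an empty domain."""
    summary = {"login_requests": 0, "ignored_empty_domain": 0}
    for line in text.splitlines():
        m = XG_RE.match(line)
        if not m:
            continue
        msg = m.group("msg")
        if msg.startswith("Received login request"):
            summary["login_requests"] += 1
        elif "domain field in LoginRequest is empty" in msg:
            summary["ignored_empty_domain"] += 1
    return summary


def triage(endpoint_text: str, xg_text: str) -> List[str]:
    """Correlate both sides and return human-readable findings (author's wording)."""
    ep = parse_endpoint_log(endpoint_text)
    xg = parse_xg_log(xg_text)
    findings: List[str] = []
    if not ep["connected"]:
        findings.append("endpoint never reported a successful connection to the firewall")
    if ep["login_status_sent"] == 0:
        findings.append("endpoint never sent a login status")
    if ep["login_status_sent"] and xg["login_requests"] == 0:
        findings.append("endpoint sent login status but XG logged no matching login request")
    if xg["ignored_empty_domain"]:
        findings.append("XG ignored the login because the domain field was empty: "
                        "compare DOMAIN\\user vs user@domain logons and check "
                        "Sophos Endpoint UI > About > Run Diagnostics tool > System")
    if not findings:
        findings.append("no Heartbeat user-ID problem detected in the supplied logs")
    return findings


if __name__ == "__main__":
    for finding in triage(ENDPOINT_SAMPLE, XG_SAMPLE):
        print("-", finding)
```

Run against the constructed samples it reports a single finding, the empty-domain rejection, which is the same conclusion the support engineer reached from the XG lines above; feeding it only the endpoint log instead reports that XG logged no matching login request, which separates an endpoint-side problem from a firewall-side one.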

  • Just took a quick look into this case. You never mentioned before that you are using only VMs with RDP connected to them. So I tried to reproduce this issue with a VM and only RDP to it, but my client is shown under Live Users.

    Client is 2.2.2 Core agent.

    .local domain.

    Still not sure what is happening in your case, so I would recommend debugging this with Sophos Support.

  • A quick update on this.

    I was asked by Sophos Support to try using LDAP instead of AD. Although this also failed, for the first time there was an entry in the Authentication Log to confirm the failure.

    Unlike when I log in with the Captive Portal for the same user, which records the UPN login, the failure with LDAP shows just the bit before the @.

    So I guess it's a bit of progress, although I am told now that LDAP will not work.

  • I have success!!!

    So this is what I did, precisely:

    1) Tested with LDAP - failed
    2) Re-installed Endpoint
    3) Tested with LDAP - failed
    4) Changed back to AD for authentication
    5) Deleted the user (have done this a few times before)
    6) Logged in once more and after a few minutes - success

    So I guess a combination of re-installing Endpoint, removing the user and changing back from LDAP to AD authentication seems to have resolved the problem. Not conclusive, but hopefully it helps someone.

    I will continue to test repeatedly and will post results here.

  • At least you do have it working now. I did suggest you try starting out fresh where your authentication on XG is set up. But like the saying goes, if it's not broke don't change it (well, along those lines I think it goes). As to the part about it not working WITH LDAP, I think that needs to be reworked in the KB article, as that's how I got my Heartbeat auth to work, wasn't it? As long as it's LDAP on an AD DC it works.

    I know it's been said here already that you don't need Sophos Central AD Sync in place for it to work, but I found it definitely helped having that in place to start with. It meant I was pretty sure I had my UPNs set up right.

    But congrats, on persevering.