
My Sophos XG 135 with STAS configured does not show the connected users

Greetings to all,
My problem is the following: I have STAS configured on my Active Directory server. When I go to the agent configuration I can see the logged-in users, but in the Sophos XG firewall I don't see the users; they only appear as unidentified.

The data of my environment are:
AD server: 192.168.0.11
Sophos XG: 192.168.0.1
Client computers: 192.168.0.7, 192.168.0.42
User administrator: Administrador (the one I used during installation)

Here are the screenshots of the configuration of STAS agent

        

and here the local policies on AD Server

  

 

When I run tests to see the online users I can see them, and also when I run the WMI test

  

 

But finally, when I log into my Sophos XG, I don't see the users online, only the users connected via VPN

  

I have disabled Windows Firewall on the Active Directory server and also on my client computers, and I also opened TCP and UDP ports 5566, 6677, 6060, 135, 145 and ICMPv4.
The firewall is still disabled on all computers, but I opened the ports just in case.

I don't know what to do anymore, can someone help me?



  • Hello,

     

    Could you please provide a screenshot of the STAS configuration in the "Authentication" section of your XG Firewall?

     

    Thank you.

  • Thanks for your reply, this is the authentication configuration on the firewall

          

    My server is already added and set as the first authentication method, all of my users are synchronized and STAS is configured

    And the client authentication is allowed in my internal and VPN zones

  • Thanks for your reply,

    I already added the GPO policy during the initial configuration; in the STAS configuration I have enabled logoff detection

        

    and here I have a question

    If I test the policy, I don't get any users as a result

    C:\WINDOWS>wmic
    wmic:root\cli>/user: DOMAIN\administrador
    Enter the password :********

    wmic:root\cli>/node: 192.168.0.7
    wmic:root\cli>computersystem get username /value

    UserName=     <<< no value is shown
    wmic:root\cli

    but in the STAS agent I can see the users

      

    and the WMI troubleshooting test shows success

  • FormerMember in reply to Kenett Hernandez

    Hi,

    Several points to add - 

    1. STAS agent will only send new Live user info to XG after STAS agent/service is started on server. Existing live user info on STAS won't be sent to XG firewall.

    2. If the STAS suite/agent is installed on the AD server itself, you can leave the Domain Controller IP blank - 

    3. When a user logs into a domain-joined PC, please use tcpdump on XG to check if the STAS agent sends UDP 6060 traffic to XG - 

    # tcpdump -nn port 6060
    tcpdump: Starting Packet Dump
    11:49:16.080294 PortA, IN: IP 192.168.111.200.64174 > 192.168.111.254.6060: UDP, length 11
    11:49:17.433021 PortA, IN: IP 192.168.111.200.64174 > 192.168.111.254.6060: UDP, length 279
    11:49:17.433221 PortA, IN: IP 192.168.111.200.64174 > 192.168.111.254.6060: UDP, length 321
    11:49:17.433412 PortA, OUT: IP 192.168.111.254.6060 > 192.168.111.200.64174: UDP, length 22

    And in normal state, STAS agent regularly sends packet to XG on UDP 6060 - 

    11:50:46.119369 PortA, IN: IP 192.168.111.200.64174 > 192.168.111.254.6060: UDP, length 11
    11:51:16.124174 PortA, IN: IP 192.168.111.200.64174 > 192.168.111.254.6060: UDP, length 11
    11:51:46.139131 PortA, IN: IP 192.168.111.200.64174 > 192.168.111.254.6060: UDP, length 11
    11:52:16.154188 PortA, IN: IP 192.168.111.200.64174 > 192.168.111.254.6060: UDP, length 11
    11:52:46.156084 PortA, IN: IP 192.168.111.200.64174 > 192.168.111.254.6060: UDP, length 11
    11:53:16.167989 PortA, IN: IP 192.168.111.200.64174 > 192.168.111.254.6060: UDP, length 11
    11:53:46.182949 PortA, IN: IP 192.168.111.200.64174 > 192.168.111.254.6060: UDP, length 11

    4. Make sure the system time on XG and AD server is synced.
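    The two things this post says to look for in the capture (a regular keepalive from the STAS agent, and a larger packet followed by a reply from XG when a user logs on) can be checked mechanically instead of by eye. The script below is an added example and is not part of this thread or of Sophos' own tooling. It parses tcpdump lines in exactly the format shown above and reports (a) any gap in the keepalives larger than twice the expected period, which would mean the agent or the UDP path went silent, and (b) any burst of larger inbound packets that XG did not answer. The interpretation that the 11-byte packet every 30 seconds is a keepalive and that larger inbound packets are user-event reports is an assumption inferred from these captures, not documented protocol behaviour; the sample capture is constructed for the example (addresses taken from this thread, timestamps made up, with one keepalive gap and one unanswered event deliberately included).

```python
import re
from datetime import datetime, timedelta

# Constructed sample capture in the thread's tcpdump format. Addresses are the
# ones from this thread; timestamps are made up so that the capture contains
# one keepalive gap (21:25:21 -> 21:27:21) and one event burst with no reply.
SAMPLE_CAPTURE = """\
21:24:21.819126 Port1, IN: IP 192.168.0.11.49533 > 192.168.0.1.6060: UDP, length 11
21:24:51.825351 Port1, IN: IP 192.168.0.11.49533 > 192.168.0.1.6060: UDP, length 11
21:25:21.826742 Port1, IN: IP 192.168.0.11.49533 > 192.168.0.1.6060: UDP, length 11
21:26:58.235795 Port1, IN: IP 192.168.0.11.49533 > 192.168.0.1.6060: UDP, length 279
21:26:58.236094 Port1, OUT: IP 192.168.0.1.6060 > 192.168.0.11.49533: UDP, length 22
21:26:58.435460 Port1, IN: IP 192.168.0.11.49533 > 192.168.0.1.6060: UDP, length 303
21:27:21.831685 Port1, IN: IP 192.168.0.11.49533 > 192.168.0.1.6060: UDP, length 11
21:27:51.832301 Port1, IN: IP 192.168.0.11.49533 > 192.168.0.1.6060: UDP, length 11
21:28:15.933278 Port1, IN: IP 192.168.0.11.49533 > 192.168.0.1.6060: UDP, length 279
21:28:21.833510 Port1, IN: IP 192.168.0.11.49533 > 192.168.0.1.6060: UDP, length 11
"""

# One tcpdump line as printed by the XG console: timestamp, interface, direction,
# src.port > dst.port, protocol and payload length.
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+)\s+(?P<iface>\S+),\s+(?P<dir>IN|OUT):\s+IP\s+"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+)\s+>\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+):\s+UDP,\s+length\s+(?P<len>\d+)\s*$"
)

STAS_PORT = 6060
# Assumption from the captures in this thread: an 11-byte inbound packet every
# 30 s is the agent's keepalive; anything larger inbound is a user-event report.
HEARTBEAT_LEN = 11
HEARTBEAT_PERIOD = 30.0


def parse_capture(text):
    """Parse tcpdump lines into dicts; lines that do not match are skipped."""
    packets = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        packets.append({
            "raw_ts": m["ts"],
            "ts": datetime.strptime(m["ts"], "%H:%M:%S.%f"),
            "dir": m["dir"], "src": m["src"], "dst": m["dst"],
            "sport": int(m["sport"]), "dport": int(m["dport"]),
            "length": int(m["len"]),
        })
    return packets


def classify(packets):
    """Split packets into agent keepalives, agent event reports and XG replies."""
    inbound = [p for p in packets if p["dir"] == "IN" and p["dport"] == STAS_PORT]
    heartbeats = [p for p in inbound if p["length"] == HEARTBEAT_LEN]
    events = [p for p in inbound if p["length"] > HEARTBEAT_LEN]
    replies = [p for p in packets if p["dir"] == "OUT" and p["sport"] == STAS_PORT]
    return heartbeats, events, replies


def heartbeat_gaps(heartbeats, tolerance=2.0):
    """(first_ts, next_ts, seconds) for keepalives further apart than tolerance * period."""
    gaps = []
    for a, b in zip(heartbeats, heartbeats[1:]):
        delta = (b["ts"] - a["ts"]).total_seconds()
        if delta > tolerance * HEARTBEAT_PERIOD:
            gaps.append((a["raw_ts"], b["raw_ts"], delta))
    return gaps


def group_bursts(events, max_gap=1.0):
    """Group event packets that arrive within max_gap seconds of each other."""
    bursts = []
    for ev in events:
        if bursts and (ev["ts"] - bursts[-1][-1]["ts"]).total_seconds() <= max_gap:
            bursts[-1].append(ev)
        else:
            bursts.append([ev])
    return bursts


def unacknowledged_bursts(events, replies, window=1.0):
    """Timestamps of event bursts that XG did not answer within the burst window."""
    pending = []
    for burst in group_bursts(events, window):
        start = burst[0]["ts"]
        end = burst[-1]["ts"] + timedelta(seconds=window)
        acked = any(start <= r["ts"] <= end and r["dst"] == burst[0]["src"] for r in replies)
        if not acked:
            pending.append(burst[0]["raw_ts"])
    return pending


def analyze(text):
    """Summarise a capture: counts, keepalive gaps and unanswered event bursts."""
    heartbeats, events, replies = classify(parse_capture(text))
    return {
        "heartbeats": len(heartbeats),
        "events": len(events),
        "replies": len(replies),
        "gaps": heartbeat_gaps(heartbeats),
        "unacknowledged": unacknowledged_bursts(events, replies),
    }


if __name__ == "__main__":
    summary = analyze(SAMPLE_CAPTURE)
    print(f"keepalives: {summary['heartbeats']}, event packets: {summary['events']}, "
          f"XG replies: {summary['replies']}")
    for first, nxt, secs in summary["gaps"]:
        print(f"keepalive gap of {secs:.1f}s between {first} and {nxt}: agent silent?")
    for ts in summary["unacknowledged"]:
        print(f"event burst at {ts} got no reply from XG: check the auth service / log viewer")
```

    To run it against a real capture, redirect the console output to a file (`tcpdump "port 6060" > stas.log`, as in this thread) and pass the file contents to `analyze()`. A clean capture produces no gaps and no unacknowledged bursts; a capture with keepalives but nothing larger means no logon event reached the agent, which points at the agent or WMI side rather than at XG.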

  • Thanks for your reply

    here my results:

    1. Ok, I understand

    2. I removed the IP of the AD server

    3. I did what you asked me; these are the results

     


    console> tcpdump "port 6060"
    tcpdump: Starting Packet Dump
    21:24:21.819126 Port1, IN: IP 192.168.0.11.49533 > 192.168.0.1.6060: UDP, length 11
    21:24:51.825351 Port1, IN: IP 192.168.0.11.49533 > 192.168.0.1.6060: UDP, length 11
    21:25:21.826742 Port1, IN: IP 192.168.0.11.49533 > 192.168.0.1.6060: UDP, length 11
    21:25:51.827865 Port1, IN: IP 192.168.0.11.49533 > 192.168.0.1.6060: UDP, length 11
    21:26:21.828567 Port1, IN: IP 192.168.0.11.49533 > 192.168.0.1.6060: UDP, length 11
    21:26:51.830251 Port1, IN: IP 192.168.0.11.49533 > 192.168.0.1.6060: UDP, length 11
    21:26:58.235795 Port1, IN: IP 192.168.0.11.49533 > 192.168.0.1.6060: UDP, length 279
    21:26:58.236094 Port1, OUT: IP 192.168.0.1.6060 > 192.168.0.11.49533: UDP, length 22
    21:26:58.435460 Port1, IN: IP 192.168.0.11.49533 > 192.168.0.1.6060: UDP, length 303
    21:27:21.831685 Port1, IN: IP 192.168.0.11.49533 > 192.168.0.1.6060: UDP, length 11
    21:27:51.832301 Port1, IN: IP 192.168.0.11.49533 > 192.168.0.1.6060: UDP, length 11
    21:28:15.933278 Port1, IN: IP 192.168.0.11.49533 > 192.168.0.1.6060: UDP, length 279
    21:28:15.933521 Port1, OUT: IP 192.168.0.1.6060 > 192.168.0.11.49533: UDP, length 22
    21:28:21.833510 Port1, IN: IP 192.168.0.11.49533 > 192.168.0.1.6060: UDP, length 11
    21:28:51.834921 Port1, IN: IP 192.168.0.11.49533 > 192.168.0.1.6060: UDP, length 11
    21:29:21.835928 Port1, IN: IP 192.168.0.11.49533 > 192.168.0.1.6060: UDP, length 11
    21:29:51.836588 Port1, IN: IP 192.168.0.11.49533 > 192.168.0.1.6060: UDP, length 11
    21:30:21.837584 Port1, IN: IP 192.168.0.11.49533 > 192.168.0.1.6060: UDP, length 11
    21:30:51.838226 Port1, IN: IP 192.168.0.11.49533 > 192.168.0.1.6060: UDP, length 11
    21:31:21.839429 Port1, IN: IP 192.168.0.11.49533 > 192.168.0.1.6060: UDP, length 11
    21:31:51.841097 Port1, IN: IP 192.168.0.11.49533 > 192.168.0.1.6060: UDP, length 11

    4. My Sophos XG and AD server have the same time

     

    I still can't see current users

     

    I have a question, if I go into the log viewer on xg firewall, I don't see any source or destination traffic on port 6060 UDP, should I see traffic?

  • Can you see anything in Log Viewer under Authentication?

    Assuming STAS sees the user but XG doesn't, it seems like the XG is rejecting the auth from STAS for some reason.

  • Hi, this is the log

     

    thanks for your cooperation

  • FormerMember in reply to Kenett Hernandez

    Hi,

    In Log Viewer, you won't see entries for UDP 6060 traffic.

    Next, please first test whether AD authentication works for a user logging in to the User Portal. It looks like there might be a problem with "Search queries" in the AD server configuration.

     

    If the AD user can log into the User Portal with AD authentication, then please use the below command to restart the authentication service on XG firewall.

    NOTE! Restarting the authentication service will cause a short interruption for all authentication services on the firewall.

    service access_server:restart -ds nosync

    Then generate a new user login on a domain PC and check if the user is showing up as live user in STAS agent and XG live user list.

     

    If it's still not showing on XG live user list, please gather the below information and open a support case - 

    1. Access_server debug log, tcpdump output and drppkt output (STAS_Access_server_debug.log, STAS_tcpdump.log, STAS_drppkt.log), collected as described below

    Enable authentication service debug - 

    service access_server:debug -ds nosync

    Use the below commands to collect the logs when an AD user is logging into the domain 

    cd /log

    tail -f /log/access_server.log > STAS_Access_server_debug.log &

    tcpdump -nn port 6060 > STAS_tcpdump.log &

    drppkt port 6060 > STAS_drppkt.log 

     

    Ctrl + C                                    to stop drppkt

    killall tail                                to stop tail -f

    killall tcpdump                             to stop tcpdump

    service access_server:debug -ds nosync      to turn off access_server debug

     

    2. Screenshots of Log Viewer Authentication events

    3. The AD username used for testing 

    4. Screenshots of 4768 event in Event Viewer on the AD server.

  • Thanks everyone, I finally found the problem! Big mistake of mine!!!

    It turns out in the Active Directory server settings, in the "Show name attribute" field I left the box blank so Sophos XG was not reading the name field.

    By adding "displayname" in the name attribute box, connections have already started to appear.

    Thanks to all for your time.