Sophos Authentication Client for Remote Desktop Server / Citrix (SATC) for Chromium-based Browsers >= Version 84

Hello, 

It is now more than six months that SATC hasn't worked with Chromium-based browsers like the new MS Edge and Chrome version >= 84.

Sophos support stated that we should use a version < 84, which is full of known vulnerabilities.

https://support.sophos.com/support/s/article/KB-000038634?language=en_US .

And for more than six months they have said there will be a new client version released, but this didn't happen.

A migration to Firefox isn't a solution either.

We are paying for the full feature support, but Support didn't give a good solution.

Am I the only one with the SATC problem?




  • Hi Patrick,

    The new solution will be integrated into our Server Protection.

    SATC works by intercepting attempts by applications to send network traffic within the Windows operating system at a point where it can also discover which user account is responsible for sending the traffic. When a new connection is detected, SATC sends a message to the firewall containing the name of the user account along with information allowing the firewall to identify that connection when it sees it (i.e. source port, destination IP and destination port) and 

    The current SATC makes use of a method called 'Detours' to hook API calls at the user level. It intercepts at the point where the application calls into the Windows networking APIs. This method does not work with the new Chrome networking service. I'm not 100% sure of the reason, but I believe it's that Chrome now takes a different route to communicate with the TCP networking stack and so bypasses the points at which Detours would allow SATC to intercept the function calls.

    The new solution leverages the existing lower-level interception done by Sophos Endpoint products to deliver network traffic detection and web filtering in the endpoint. This interception uses a driver-level method called Windows Filtering Platform, which is specifically designed for enabling the kind of network traffic interception and filtering that we need to do here. It sits below the level of Chrome's networking components and so allows us to treat Chrome traffic the same as any other client. In the solution coming out soon, it will still use the same network protocols to pass information to the Firewall so the new solution will be compatible with any currently supported version of SFOS.

    One huge benefit of this method is that it also solves a long-standing issue where Server Protection's web filtering and download malware scanning would prevent SATC authentication working correctly.

    Longer term, we plan to roll this functionality up into our Heartbeat authentication as part of the Synchronized Security suite. At the moment Heartbeat Authentication is geared around providing one identity at a time per IP address and so it's not suitable for use on multi-user systems like Windows Remote Desktop. But Synchronized App Control already requires a similar kind of message to be sent with information about the process on the Endpoint that created a connection. We plan to extend that to include user information as well, removing the need for a separate SATC component. However, for this to be effective for authentication we also need to complete some work to ensure that those messages arrive in a timely fashion. We don't have a firm date for this yet.

    Obviously, this is not ideal for customers who for whatever reason cannot use Sophos Server Protection on their Remote Desktop servers. We are planning an alternative feature for version 19 of SFOS which will provide per-connection proxy authentication. In these, and other situations where SATC can't be used (e.g. Windows Direct Access, or multi-user Linux hosts) per-connection proxy authentication will allow customers to configure direct proxy settings and use proxy authentication to identify each user's traffic.
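The reply above describes per-connection identity: an agent on the multi-user host reports the user plus source port, destination IP and destination port, and the firewall matches that against the connection it sees. The sketch below is an added example, not Sophos code and not SATC's actual message format; the `ttl` and `hold` values, the class and function names, and the sample addresses are assumptions made for illustration. It models the firewall-side lookup, including the case the reply mentions where the identity message must arrive in a timely fashion.

```python
from collections import namedtuple

# One flow as the firewall sees it; many users share the same src_ip on an RDS host.
Flow = namedtuple("Flow", "src_ip src_port dst_ip dst_port")

class ConnectionIdentityTable:
    """Model of a firewall mapping each flow from a multi-user host to a user."""

    def __init__(self, ttl=30.0, hold=0.5):
        self.ttl = ttl       # assumed lifetime of an unused announcement (seconds)
        self.hold = hold     # assumed grace period for a late announcement (seconds)
        self._users = {}     # Flow -> (user, announced_at)
        self._pending = {}   # Flow -> time the first unidentified packet was seen

    def announce(self, flow, user, now):
        """Agent on the terminal server reports who opened this connection."""
        self._users[flow] = (user, now)
        self._pending.pop(flow, None)

    def classify(self, flow, now):
        """Decide what to do with the first packet of a flow."""
        entry = self._users.get(flow)
        if entry and now - entry[1] <= self.ttl:
            return ("user", entry[0])
        # Stale entries are dropped: ephemeral source ports get reused by other users.
        self._users.pop(flow, None)
        first_seen = self._pending.setdefault(flow, now)
        if now - first_seen < self.hold:
            return ("hold", None)            # packet beat the announcement; wait briefly
        del self._pending[flow]
        return ("unauthenticated", None)     # no identity arrived in time

def demo():
    # Constructed sample data: one RDS host, three sessions to the same web server.
    table = ConnectionIdentityTable()
    rds, web = "10.0.0.5", "203.0.113.10"
    a, b, c = (Flow(rds, port, web, 443) for port in (50001, 50002, 50003))
    table.announce(a, "alice", now=0.0)
    table.announce(b, "bob", now=0.0)
    return [
        table.classify(a, 0.1),   # same source IP as bob, different user
        table.classify(b, 0.1),
        table.classify(c, 0.1),   # no announcement yet
        table.classify(c, 1.0),   # grace period expired
        table.classify(a, 60.0),  # announcement older than ttl
    ]
```

A table keyed only on `src_ip` would attribute all three flows to whichever user was announced last, which is why per-IP identity does not fit multi-user hosts.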

  • That's the same answer I got from Support in the last month, and nothing happens.

    We pay for the full Support package and get nothing! 

    In a few months our support agreement ends and we have the decision: Sophos or another solution!

    Our reseller is no longer actively marketing Sophos due to the support problem.

    The case is 03300071; maybe you can take a look at it and see our problem with Support.

  • The KB is updated. A solution to this limitation is on the roadmap for H1 2021. 

    As the feature of SATC technically does not work anymore, the only workaround is to disable Authentication for now or to move to Firefox. 

    SATC will be rebuilt in this timeframe to rely on different technical features.


  • Thanks for the answer, but this didn't solve the problem.

    The fact is that the changes in Chrome 84 were announced with Chrome 80 a long time ago. Chrome 84 was released in June 2020.

    So you say that Sophos will take more than one year to get changes in SATC?

    The official support for SATC ends on 31-JUL-2021, so I don't think we will get an updated SATC client in H1, shortly before support ends.

  • It is not an update. SATC will be rebuilt and solved differently. Basically the piece of software does not work anymore. It's not to fix the software, it's to create new software to replace this. SATC will not be there anymore. And the replacement will be new software.
