What is the best way to use STAS at multiple sites with multiple XG firewalls?

Greetings all,

I have a client who has 2 sites, both linked together with Sophos XG230 firewalls via an IPsec VPN tunnel. At the main site there is the domain controller, and I'm using STAS to do clientless authentication for internet access based on AD security groups. At the second site there currently is no domain controller, so the few computers that are there are using the Client Agent to log in and get internet access. Mind you, the Sophos XG unit there is set up to see the AD domain at the main site. I'd like to break away from using the Client Agent to authenticate for internet access and use STAS instead at the secondary site. I found this article: Sophos XG Firewall: How to allow Clientless SSO (STAS) authentication over a VPN https://support.sophos.com/support/s/article/KB-000035620?language=en_US, but I don't think that's how I want to do it. I will be putting a domain controller (same domain) over at the secondary site, so could I just set up STAS to run there as well and point the firewall to that domain controller instead?



FormerMember

Hey,

Just adding on top of what Nilesh explained here: if the domain controller which you're planning to deploy on Site 2 will be a member of the main domain (DC on Site 1), then you'll still need the IPsec connection so that both domain controllers in the same AD domain can exchange user information (not for STAS auth, but for AD user sync across the different servers).

If you're deploying the DC on Site 2 as a standalone server (but with the same domain and a different set of users at each end), then you can configure STAS normally as you did with Site 1.
