SATC replacement - Server Endpoint

We had a customer put a case in yesterday about having the Server Endpoint Software configured to replace the failing SATC software. I advised I knew it was in the pipe but hadn't heard it had been released yet, and then he shared these two links:

Set up SATC with Sophos Server Protection

Sophos Firewall: SATC with Server Protection

I worked through it with him, and I'm happy to report it all worked a treat across multiple browsers and clients on his THIN Client. Just thought I'd give anyone a heads up who has been waiting and may have missed the announcement. 

  • Who else is struggling with this issue:

    got feedback from support on this case 04666074

    He found an identified issue and there is an existing jira(?) ID at Sophos. Dev is working on this.

    Main issue is, as can be seen from conntrack -E or drppkt

    user=0
    luserid=0
    usergp=0

    they are empty for non-HTTP/S or SSH traffic. Here SMB 445:

    XG430_WP02_SFOS 18.0.6 MR-6-Build655# drppkt host 172.xxxxxx5 and host 172.xxxxxx2
    2021-12-02 12:03:40 0101021 IP 172.xxxxxx2.56659 > 172.xxxxxx5.445 : proto TCP: S 4128476956:4128476956(0) win 64240 checksum : 3941
    0x0000:  4502 0034 0fc9 4000 7f06 ec3f ac10 deca  E..4..@....?....
    0x0010:  ac10 c8cd dd53 01bd f613 8f1c 0000 0000  .....S..........
    0x0020:  80c2 faf0 0f65 0000 0204 05b4 0103 0308  .....e..........
    0x0030:  0101 0402                                ....
    Date=2021-12-02 Time=12:03:40 log_id=0101021 log_type=Firewall log_component=Firewall_Rule log_subtype=Denied log_status=N/A log_priority=Alert duration=N/A in_dev=lag0.222
    out_dev=lag0 inzone_id=1 outzone_id=9 source_mac=00:50:56:85:f6:47 dest_mac=c8:4f:86:fc:00:0d bridge_name= l3_protocol=IPv4 source_ip=172.xxxxxx2 dest_ip=172.xxxxxx5
    l4_protocol=TCP source_port=56659 dest_port=445 fw_rule_id=5 policytype=1 live_userid=0 userid=0 user_gp=0 ips_id=0 sslvpn_id=0 web_filter_id=2 hotspot_id=0 hotspotuser_id=0
    hb_src=0 hb_dst=0 dnat_done=0 icap_id=0 app_filter_id=0 app_category_id=0 app_id=0 category_id=0 bandwidth_id=0 up_classid=0 dn_classid=0 nat_id=0 cluster_node=0 inmark=0x0 nfqueue=0
    gateway_offset=0 connid=413244928 masterid=0 status=256 state=1, flag0=2748781166632 flags1=72 pbdid_dir0=0 pbrid_dir1=0

    fw_rule_id=5 = droprule

    Interesting fact:

    User authentication fails for SMB access, but if I test the same port 445 with PowerShell (tnc hostname -port 445), my user is authenticated against the firewall and TNC succeeds.

    tnc hostname -port 445

    ComputerName     : hostname
    RemoteAddress    : 172.xxxxxxx5
    RemotePort       : 445
    InterfaceAlias   : Ethernet0
    SourceAddress    : 172.xxxxxxx2
    TcpTestSucceeded : True

    user is logged in conntrack

    [NEW] proto=tcp      proto-no=6 timeout=120 state=SYN_SENT orig-src=172.xxxxxx2 orig-dst=172.xxxxxx5 orig-sport=56665 orig-dport=445 [UNREPLIED] reply-src=172.xxxxxx5 reply-dst=172.xxxxxx2
    reply-sport=445 reply-dport=56665 id=189458624 masterid=0 devin=lag0.222 devout=lag0 nseid=16818180 ips=13 sslvpnid=0 webfltid=0 appfltid=0 icapid=0 policytype=2 fwid=66 natid=0 fw_action=1 bwid=0 appid=0
    appcatid=0 hbappid=0 hbappcatid=0 dpioffload=0 sigoffload=0 inzone=1 outzone=9 devinindex=43 devoutindex=28 hb_src=8 hb_dst=8 flags0=0x80008200028 flags1=0x30000800000 flagvalues=3,5,21,27,43,87,104,105
    catid=0 user=153 luserid=4452 usergp=6 hotspotuserid=0 hotspotid=0 dst_mac=c8:4f:86:fc:00:0d src_mac=00:50:56:85:f6:47 startstamp=1638443160 microflow[0]=INVALID microflow[1]=INVALID hostrev[0]=0 hostrev[1]=0
    ipspid=0 diffserv=0 loindex=28 tlsruleid=0 ips_nfqueue=0 sess_verdict=0 gwoff=0 cluster_node=0 current_state[0]=18147 current_state[1]=0 vlan_id=0 inmark=0x0 brinindex=0 sessionid=5063 sessionidrev=14592
    session_update_rev=1 dnat_done=0 upclass=0:0 dnclass=0:0 pbrid_dir0=0 pbrid_dir1=0 nhop_id[0]=65535 nhop_id[1]=65535 nhop_rev[0]=0 nhop_rev[1]=0 conn_fp_id=NOT_OFFLOADED
     [UPDATE]...
     [UPDATE]...
     [UPDATE]...
     [UPDATE]...
    [DESTROY]...
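
An added check, not from the thread or from Sophos, that parses the two key=value formats quoted above (the drppkt firewall log line and the conntrack -E line) into one schema and flags SMB flows whose user fields are all 0; the sample lines are constructed with placeholder private addresses.

```python
import re
from typing import Dict, Iterable, List, Optional

# Constructed sample lines (placeholder addresses), shaped like the two Sophos
# Firewall outputs quoted in the thread: a drppkt firewall log line and a
# "conntrack -E" line.
SAMPLE_LINES = [
    "Date=2021-12-02 Time=12:03:40 log_id=0101021 log_type=Firewall "
    "log_subtype=Denied source_ip=172.16.1.2 dest_ip=172.16.1.5 l4_protocol=TCP "
    "source_port=56659 dest_port=445 fw_rule_id=5 live_userid=0 userid=0 user_gp=0",
    "[NEW] proto=tcp proto-no=6 timeout=120 state=SYN_SENT orig-src=172.16.1.2 "
    "orig-dst=172.16.1.5 orig-sport=56665 orig-dport=445 [UNREPLIED] fwid=66 "
    "fw_action=1 user=153 luserid=4452 usergp=6",
]

_KV = re.compile(r"(\S+?)=(\S*)")

# Key names differ between the firewall log and conntrack; map both onto one schema.
_FIELD_MAP = {
    "src": ("source_ip", "orig-src"),
    "dst": ("dest_ip", "orig-dst"),
    "dport": ("dest_port", "orig-dport"),
    "userid": ("userid", "user"),
    "luserid": ("live_userid", "luserid"),
}


def parse_kv(line: str) -> Dict[str, str]:
    """Split a Sophos key=value line into a dict; trailing commas (state=1,) are dropped."""
    return {k: v.rstrip(",") for k, v in _KV.findall(line)}


def normalise(line: str) -> Optional[Dict[str, str]]:
    """Return a flow record with common field names, or None if the line has no 5-tuple."""
    kv = parse_kv(line)
    rec: Dict[str, str] = {}
    for name, keys in _FIELD_MAP.items():
        for key in keys:
            if key in kv:
                rec[name] = kv[key]
                break
    return rec if all(k in rec for k in ("src", "dst", "dport")) else None


def unattributed_flows(lines: Iterable[str], ports=frozenset({"445"})) -> List[Dict[str, str]]:
    """Flows to the watched ports whose userid and luserid are both present and 0."""
    hits = []
    for line in lines:
        rec = normalise(line)
        if rec and rec["dport"] in ports and rec.get("userid") == "0" and rec.get("luserid") == "0":
            hits.append(rec)
    return hits
```

Run it over a saved conntrack -E or drppkt capture to list which SMB flows reached the firewall without a user identity, which is the condition the drop rule above keys on.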

  • captured 6060 traffic on the firewall.

    on the left side you see TNC 445, right side SMB 445

    left side: personal user authenticated and reported to the XG, right side: SYSTEM user reported to the XG

  • Just wondering, is your Server IP currently authenticated with something else? So is the LAN IP of the service created on firewall via something else? Like Clientless users or something else? 


  • no, all only local TS sessions

    5 currently.

    extract from

    sqlite_client 0 6061 1 "select * from tblliveuser";

    which is the same as can be seen from the GUI under Current activities > Live Users

    Suche "172.x.x.xx2" (5 Treffer in 1 Dateien von 1 gesucht)
      new 1 (5 Treffer)
    	Line 17: 4232,296,aaaaaaaaaa@domain.dc,aaaaaaaaaa@domain.dc,aaaaaaaaaa,172.x.x.xx2-6,6,1584032,1664867,1,1,1,1,1,0,0,2021-09-28,,11,,5374,23617,0,0,0,,,0
    	Line 18: 4243,17,bbbbbbbbb@domain.dc,bbbbbbbbb@domain.dc,bbbbbbbbb,172.x.x.xx2-4,1,1584986,1664867,1,1,1,1,1,0,0,2019-09-16,,11,,2803,13460,0,0,0,,,0
    	Line 78: 4452,153,cccccccccccccc@domain.dc,cccccccccccccc@domain.dc,cccccccccccccc,172.x.x.xx2-7,6,1655441,1664867,1,1,1,1,1,0,0,2020-06-26,,11,,15979,206975,0,0,0,,,0
    	Line 88: 4475,313,ddddddddddddd@domain.dc,ddddddddddddd@domain.dc,ddddddddddddd,172.x.x.xx2-8,1,1659621,1664867,1,1,1,1,1,0,0,2021-11-25,,11,,0,0,0,0,0,,,0
    	Line 91: 4481,10,eeeeeeeee@domain.dc,eeeeeeeee@domain.dc,eeeeeeeee,172.x.x.xx2-9,6,1660582,1664867,1,1,1,1,1,0,0,2019-08-27,,11,,4472,13367,0,0,0,,,0
    

  • if I tail the log

     tail /log/access_server.log

    This is what I get from the moment I try to access the SMB share from the terminal server.

    MESSAGE   Dec 02 14:51:03.459218 [access_server]: tlvserver_process_request: GOT ALERT.EXECUTE_HEARTBEAT
    ERROR     Dec 02 14:51:05.505035 [ADS_AUTH]: adsauth_authenticate_user: '1st_domaincontrollerIP:389':(filter: '(sAMAccountName=network service)') USER not found
    ERROR     Dec 02 14:51:05.508223 [ADS_AUTH]: adsauth_authenticate_user: '2nd_domaincontrollerIP:389':(filter: '(sAMAccountName=network service)') USER not found
    ERROR     Dec 02 14:51:05.508254 [access_server]: check_auth_result: Authentication Failed
    ERROR     Dec 02 14:51:05.509987 [ADS_AUTH]: adsauth_authenticate_user: '1st_domaincontrollerIP:389':(filter: '(sAMAccountName=system)') USER not found
    ERROR     Dec 02 14:51:05.512829 [ADS_AUTH]: adsauth_authenticate_user: '2nd_domaincontrollerIP:389':(filter: '(sAMAccountName=system)') USER not found
    ERROR     Dec 02 14:51:05.512863 [access_server]: check_auth_result: Authentication Failed
    ERROR     Dec 02 14:51:06.515173 [ADS_AUTH]: adsauth_authenticate_user: '1st_domaincontrollerIP:389':(filter: '(sAMAccountName=system)') USER not found
    ERROR     Dec 02 14:51:06.518397 [ADS_AUTH]: adsauth_authenticate_user: '2nd_domaincontrollerIP:389':(filter: '(sAMAccountName=system)') USER not found
    ERROR     Dec 02 14:51:06.518432 [access_server]: check_auth_result: Authentication Failed
    ERROR     Dec 02 14:51:08.774754 [ADS_AUTH]: adsauth_authenticate_user: '1st_domaincontrollerIP:389':(filter: '(sAMAccountName=network service)') USER not found
    ERROR     Dec 02 14:51:08.777990 [ADS_AUTH]: adsauth_authenticate_user: '2nd_domaincontrollerIP:389':(filter: '(sAMAccountName=network service)') USER not found
    ERROR     Dec 02 14:51:08.778033 [access_server]: check_auth_result: Authentication Failed
    

    It can be seen that a real username is not logged.

  • Setting the reg key

    HKLM\Software\Sophos\Sophos Network Threat Protection\Application\
    DWORD SatcPendDurationMs 500

    does not help.

  • Overall some feedback: You need to place the Server in the "Best Protection" EAP (Early Access Program) to get this consistently running. 


  • Hi

    how can I get that EAP?

    I can only see "New Server Protection Features".

  • The "New Server Protection Features" EAP was actually called "Best Protection" before. Same same (not different). We kept it running to avoid people having to jump in and out of EAPs all the time (for Endpoint and Server).

  • thanks for sending this update about the naming of that EAP - our test server has already been a member of that EAP.

    Our test TS server Windows 2019 has now been replaced by a Server 2022 machine and we'll test with it, not expecting it to be different than on 2019.

    GES Support confirmed the issue in the meantime to be reproducible by them, at least for system-generated traffic in a user session like CIFS (port 445). Traffic generated by applications run by the user is supposed to work with user detection/authentication on the firewall.
