
SATC - What are the minimal settings for Server Endpoint?

I followed these instructions to set up the SATC authentication on a Windows Server 2016 test VM.

https://support.sophos.com/support/s/article/KB-000038634?language=en_US

At our productive Terminal Server, where we plan to use SATC in the future, Windows Defender AV is in use.

We only want to use the Sophos Endpoint software on productive Terminal Servers to do the Sophos XG user-based authentication with the SATC feature integrated in Server Protection.

With the following Server Protection settings the SATC authentication works as expected. On the XG side I can see authenticated Thin Client users from the test VM.

When I disable all features except IPS, I no longer see the authenticated users on XG when they log on/log off.

(the Sophos Guides only say: "The SATC feature requires IPS to be turned on in the server's threat protection policy" so I assume this should be enough??)

When only IPS is active, I was irritated by the orange box "This feature won't work as you have Live Protection turned off". So I decided to turn on Live Protection at the same time as IPS. The result is that it doesn't work either; no authenticated user on XG.

So the question is:

What is the minimum setting for SATC to run?

  • Hi,

    Thank you for reaching us with regards to this query. Our team is aware of the current issue with SATC authentication, and an internal discussion is currently ongoing with Jira # NC-79323. We'll update you on further progress about this. In addition to this, ensure that your server protection is already on version 2.19.XX, or else it won't work.

  • Hi Glenn,

    thank you for sharing this information about the Jira#NC-79323. Unfortunately I cannot find anything about it. Is this only an internal bug-tracking number for Sophos without public access?

    Do you know an approximate time until this problem is resolved (a few days / weeks / months)?

    Are there any more issues in the new integrated SATC? I am asking because I observed the following problems:

    - The performance is very bad. Opening a website needs 5+ seconds with integrated SATC.

    - While browsing, a small number of requests are dropped on XG because there was no user assigned to that connection. For example, opening https://www.google.de loads the site (after a delay of a few seconds) as expected. When I click on "Google Apps" (the 9 dots in the top right corner) I can see this connection in the XG Web Live Log as Dropped because it has not been assigned the Terminal Server user, which is mandatory for the Internet access rule.

    I am running Server Core Agent 2.19.8 at the moment.

    Br

    Andreas

  • I'm also interested in that NC you mentioned, as we were having issues recently with our first SATC tests.

    I read that you are seeing the authentication for (most) web requests. This is what I can confirm from here, though loading a web page takes some time now.

    More interesting for me is whether you can see the user authenticated for non-http/https traffic?

    E.g. here, if the users request a file server share, this connection is without the user. We're not allowing unauthenticated requests to the file server and so they cannot access it.

    Also, I notice that user logon to the server takes almost 5 minutes now with a domain account, and the server is logging

    Error 1055 GroupPolicy (Microsoft-Windows-GroupPolicy) "Fehler bei der Verarbeitung der Gruppenrichtlinie. Der Benutzername konnte nicht aufgelöst werden." "The processing of Group Policy failed. Windows could not resolve the user name."

    and

    Winlogon 6006 "Der Anmeldebenachrichtigungsabonnent <GPClient> hat 254 Sekunden benötigt, um dieses Benachrichtigungsereignis (Logon) zu bearbeiten." "The winlogon notification subscriber <GPClient> took 254 seconds to handles the notification event (CreateSession)"

    We've tested it on a Server 2012 R2 and will now go forward and set it up on Srv 2019.
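    An added example, not from this thread or from Sophos, that pulls the two events named above from the affected terminal server so the GPClient delay can be measured per logon before and after enabling SATC. It assumes GroupPolicy 1055 is in the System log and Winlogon 6006 in the Application log (their usual locations), and that the 6006 message text carries the subscriber name in angle brackets followed by the number of seconds, in either the German or the English wording quoted above.

    ```powershell
    # Added example (not the thread's or Sophos's code): triage slow domain logons on the
    # terminal server by collecting GroupPolicy 1055 and Winlogon 6006 events from the
    # last 7 days. Assumed log locations: 1055 in System, 6006 in Application. Run elevated.
    $since = (Get-Date).AddDays(-7)

    $gp = Get-WinEvent -FilterHashtable @{
        LogName      = 'System'
        ProviderName = 'Microsoft-Windows-GroupPolicy'
        Id           = 1055
        StartTime    = $since
    } -ErrorAction SilentlyContinue

    $wl = Get-WinEvent -FilterHashtable @{
        LogName      = 'Application'
        ProviderName = 'Microsoft-Windows-Winlogon'
        Id           = 6006
        StartTime    = $since
    } -ErrorAction SilentlyContinue

    # The 6006 message reads "<GPClient> took 254 seconds ..." (English) or
    # "<GPClient> hat 254 Sekunden benötigt ..." (German); extract subscriber and seconds.
    $slow = foreach ($e in $wl) {
        if ($e.Message -match '<(?<sub>[^>]+)>.*?(?<sec>\d+)\s*(seconds|Sekunden)') {
            [pscustomobject]@{
                Time       = $e.TimeCreated
                Subscriber = $Matches.sub
                Seconds    = [int]$Matches.sec
            }
        }
    }

    # Show only the Group Policy client delays, oldest first, plus the 1055 count for the window.
    $slow | Where-Object Subscriber -eq 'GPClient' | Sort-Object Time | Format-Table -AutoSize
    "GroupPolicy 1055 (user name could not be resolved) events in window: $($gp.Count)"
    ```

    Run it once with SATC/Server Protection disabled and once with it enabled to compare the Seconds column for the same accounts.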

  • Why do you want to do this? Endpoint is to protect the Server. How are you going to protect the server? 

  • All clients + servers are protected with Sophos Endpoint, except our Terminal Servers, because we had several problems here. Instead of troubleshooting these problems step by step, the decision was made to use Windows Defender AV for the Terminal Server instead of the Sophos Endpoint. That's a long story... I am not happy with this decision, but it is like it is.

    Regardless of that, Sophos decided to retire the legacy SATC and move that functionality into the Sophos Endpoint.

    For customers who are using 3rd-party endpoint software there must be a way (I hope) to use SATC with the integrated Sophos Endpoint software without the need to activate all scanning functionalities.

  • I can see the user only in web traffic, not in non-http firewall traffic.

    http/https traffic when loading google -> everything works

    http/https traffic while loading the Google Apps -> the Google Apps overview is not loading because of missing authentication

    non-http/https traffic (firewall log) -> there is no user at this place, unlike with the clients' heartbeat authentication

    Hope that information helps you.

  • Sophos will implement a Legacy Proxy Workaround in V19.0 to use the direct proxy with a Terminal Server without SATC. 

    You should not use Server Protection from Sophos and disable Modules. This could potentially break your security concept.