
STAS authentication over SD-WAN

I have two Sophos XG Firewalls (SFOS 18.5.1 MR-1-Build326)

Both are managed by Sophos Central and I used the platform to create an SD-WAN between the two offices.

I am trying to get the Branch Office XG to access the AD at Head Office in order to use STAS to authenticate clients. 

Both sites have static external IP. HO AD DC is found at 192.168.1.3
HO Primary subnet is 192.168.1.0/24
BO Primary subnet is 192.168.2.0/24

Policy testing shows that BO XG (192.168.2.253) is allowed to access DC (192.168.1.3) (and that's testing policy on both the HO and the BO). BO XG can tracert to DC.
Clients, however, cannot ping or tracert to DC.

All my SSL VPN remote access clients can access the AD DC. If I add the BO subnet to the Firewall rule that handles the SSL VPN users the BO XG still cannot access the DC.



  • Hi Michael,

    I'd create an explicit Deny rule on the firewalls and would look at what packets are dropped and why. One reason could be the routing order (you need cli to check this) but I'd expect that this is set the right way if you are using SD-WAN.

    There might also be a setting missing on the HO firewall to pass the traffic of the clients ...

    Why would you add the BO Subnet to the firewall rule that handles the SSL-VPN users to resolve this issue? Assuming that the dial-in node is the HO firewall the packets will be routed locally in the HO. The setting would only help if you want to reach resources in the BO from the SSL-VPN dial-in ...

    Regards,
    Bernd
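As an added illustration of the "look at what is dropped and why" step above (this is example code written for this page, not a Sophos tool or anything posted in the thread): the script below triages firewall log lines for drops from the BO client subnet towards the HO DC. The log lines are constructed to approximate the key=value format SFOS emits; the treatment of fw_rule_id=0 as the default drop and of an empty out_interface as a routing hint are assumptions used for the heuristic.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed sample lines approximating the SFOS key=value firewall log
# format (not real captures). Subnets and DC address follow the thread.
SAMPLE_LOG = """\
device="SFW" log_type="Firewall" log_subtype="Denied" status="Deny" fw_rule_id=0 src_ip=192.168.2.10 dst_ip=192.168.1.3 protocol="ICMP" in_interface="Port1" out_interface=""
device="SFW" log_type="Firewall" log_subtype="Allowed" status="Allow" fw_rule_id=12 src_ip=192.168.2.253 dst_ip=192.168.1.3 protocol="ICMP" in_interface="" out_interface="xfrm1"
device="SFW" log_type="Firewall" log_subtype="Denied" status="Deny" fw_rule_id=0 src_ip=192.168.2.11 dst_ip=192.168.1.3 protocol="UDP" in_interface="Port1" out_interface=""
device="SFW" log_type="Firewall" log_subtype="Denied" status="Deny" fw_rule_id=7 src_ip=192.168.2.10 dst_ip=8.8.8.8 protocol="UDP" in_interface="Port1" out_interface="Port2"
"""

# key=value or key="quoted value" pairs
KV = re.compile(r'(\w+)=("([^"]*)"|\S+)')

def parse_line(line):
    """Return the key=value pairs of one log line with quotes stripped."""
    return {m.group(1): (m.group(3) if m.group(3) is not None else m.group(2))
            for m in KV.finditer(line)}

def denied_flows(log_text, client_net, dest_ip):
    """Count denied flows from client_net to dest_ip.

    Keyed by (src_ip, protocol, fw_rule_id, out_interface) so that the rule
    that dropped the packet and the egress interface are visible per flow.
    """
    net, dest = ip_network(client_net), ip_address(dest_ip)
    hits = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec.get("log_type") != "Firewall" or rec.get("status") != "Deny":
            continue
        try:
            src, dst = ip_address(rec["src_ip"]), ip_address(rec["dst_ip"])
        except (KeyError, ValueError):
            continue  # malformed line, skip it
        if src in net and dst == dest:
            hits[(rec["src_ip"], rec.get("protocol", "?"),
                  rec.get("fw_rule_id", "?"), rec.get("out_interface", ""))] += 1
    return hits

def explain(flows):
    """Turn the counted flows into one-line findings (assumed heuristics)."""
    out = []
    for (src, proto, rule, out_if), n in sorted(flows.items()):
        why = "no matching rule (default drop)" if rule == "0" else f"denied by rule {rule}"
        hint = "; no egress interface, check the SD-WAN route for this subnet" if out_if == "" else ""
        out.append(f"{src} {proto} x{n}: {why}{hint}")
    return out

if __name__ == "__main__":
    for finding in explain(denied_flows(SAMPLE_LOG, "192.168.2.0/24", "192.168.1.3")):
        print(finding)
```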