Traffic not attributed to user using SATC with Sophos Server Protection

To attribute traffic from a Remote Desktop Services host (Windows Server 2012 R2) to users, we created a test implementation of SATC with Sophos Server Protection.

Current issue: nearly all traffic is not assigned to a user (username in log empty).

But all requirements seem to be fine:

- user is authenticated (listed under live users as client type = thin client)

- sntpService.log shows connections assigned to user with username, session id, ip, source port, dest port

Versions used:

- XGS3300 (SFOS 19.0.0 GA-Build317)

- Core Agent    2.20.13
- Sophos Intercept X    2021.3.1.11
- Server Protection    10.8.11.4

Any ideas what is wrong or how to debug?



  • Problem still exists with newer versions. All seems fine, but traffic is not attributed to user in firewall.

    XGS3300 (SFOS 19.0.1 MR-1-Build365)

    Core Agent                2022.2.1.9 BETA
    Sophos Intercept X        2022.1.2.1 BETA
    Server Protection        10.8.11.4 BETA
    XDR                        2022.2.1.9 BETA

    Any ideas, or should I open a support case? Thanks.

  • Can you show us the firewall rule you are using for this terminal server?

    And do you see the users in Live Users? What is in the authentication tab of Logviewer? 


  • These are a lot of rules. Which settings are important?

    Yes, users are listed in live users. But traffic usage is always 0 for these users.

    Log viewer says Successful. (Thin Client / AD).

    User xxx@xxx.xxx of group xxxxxxx logged in successfully to Firewall through AD authentication mechanism from x.x.x.x-8

  • Do you use any kind of other authentication for this host? STAS or something like that? Is there any logging in of other services as well? 

    Do you have a firewall rule for this TS, which uses captive portal? 
