traffic not attributed to user using SATC with Sophos Server Protection

problem still exists with newer versions. all seems fine, but traffic ist not attributed to user in firewall.

XGS3300 (SFOS 19.0.1 MR-1-Build365)

Core Agent                2022.2.1.9 BETA
Sophos Intercept X        2022.1.2.1 BETA
Server Protection        10.8.11.4 BETA
XDR                        2022.2.1.9 BETA

any ideas or should I open a support case? thanks.

Can you show us your firewall rule, you are using for this terminal server? 

And do you see the users in Live Users? What is in the authentication tab of Logviewer? 

These are a lot of rules. Which settings are important?

Yes, users a listed in live users. But traffic usage is always 0 for these users.

Log viewers says Sucessful. (Thin Client / AD).

_{User xxx@xxx.xxx of group xxxxxxx logged in successfully to Firewall through AD authentication mechanism from x.x.x.x-8}

Do you use any kind of other authentication for this host? STAS or something like that? Is there any logging in of other services as well? 

Do you have a firewall rule for this TS, which uses captive portal? 

No other authentication for this host.

What kind of logging could that be?

No captive portal activated.

There is currently one bug with the case sensitivity of the users.

So if you do a RDP and use IT@sophos.de to login to the Terminal server, the firewall will use it@sophos.com and those accounts are mismatching. Could this potentially be an issue here? 

No. It's all lower case. And problem occurs with all users.

Can you contact the support? There needs to be further investigation, if all the points above are met. 

support case is created (05650267).

support case is created (05650267).