
STAS not authenticating to XG

Hello all, First off great product...

Problem: my SSO is not working with STAS, even with all tests working, the XG authentication server added and all ports open ("5566, 6060, 6677").

inbound   outbound 

Live user list does populate and shows all AD users going IN

    I have run the command in the CLI to add the collector, but it complained that it was already added.

 

I have restarted both the AD server and the XG server multiple times trying to get this to work.

Heads up: XG is inside a VM on a Hyper-V setup. The network works, as the blocking page does come up when I hit a banned website; in fact everything else works

except this user identity, and I really don't want to add them manually... :P

 

PLEASE HELP



  • Hi Gavin,

    Have you set up your AD(s) which have the sso suite installed on as authentication servers?

    If so, can you share their setup?

    Emile

  • I have, and it was in the picture that I shared in the first post, the one with GREEN that shows successful, but here is the setup info:

  • Gavin,

    I had a similar issue on XG and STAS and the problem was the Firewall rules. Make sure to open the proper ports in the right directions.

    Use tcpdump to see if the proper port from/to xg are opened.

  • Yip, I thought the same, but after putting in the firewall rules I turned off the firewall completely to check, and the same happened, nothing...

    What bugs me is that the STAS suite says "good connection" but nothing is happening on the XG side. I wish there was some kind of information

    saying "listen here, this isn't working" so I could fix it... lol. I do however see this in the log viewer, if this helps anyone.

  • BUMP, plz guys, need help here

  • Send me a PM and I will help you.

    Luk

  • Thank you so much Lferrara, for the help:

    Steps taken to resolve my issue with the assistance of LFerrara:

    1. Make sure all users and all groups are deleted except the default ones that came with the setup.

    2. Create a separate GROUP inside your DC (mine is called [internet proxy users]) and add all the DC users that are going to access the internet.

    3. Go to your GPO editor and make sure, inside your GPO!! (not local policy), that auditing logon is on for both OFF and ON logins;

    apply,

    then go to each PC and run gpupdate /force in cmd with admin auth, for all domain PCs, restarting each PC after it's done.

    4. Make sure that you have the ROOT AUTH cert installed on each domain PC as well; it can be found under SYSTEM > Certificates > Certificate Authorities > default "click" > download.

    5. If you are using a firewall, make sure that you have these ports unblocked: 6060, 6677, 5566 TCP/UDP.

    6. In authentication on servers, delete anything that's there and start over; once added, click the import button just under the Manage column,

    find the newly created group and import using all the normal steps ("it can take time to show the users").

    7. Go to System > Authentication > Authentication Services or Objects > Assets > Authentication Services and

    make sure the newly added authentication server is listed first under the firewall authentication rule... "drag it to TOP".

     

    References :

    https://community.sophos.com/kb/en-us/123154

    https://community.sophos.com/kb/en-us/123156
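    The steps above are all things that can be checked before touching the XG again. The following PowerShell pre-flight script is an added example written for this thread; it is not Sophos code and is not from the poster. It checks, on a domain PC (or the DC hosting the STAS suite), the three prerequisites the resolution lists: TCP reachability of the XG on ports 6060, 6677 and 5566 (Test-NetConnection only tests TCP, so the UDP side still needs the firewall rules reviewed separately), whether Logon/Logoff auditing is enabled and which GPO applies it, and whether the XG root CA certificate is present in the machine's Trusted Root store. The XG address, DC name and certificate subject filter are hypothetical placeholders you must replace.

```powershell
# Added example (not from the thread or Sophos): pre-flight checks for the
# STAS/XG prerequisites listed in the resolution post.
# Run from an elevated PowerShell prompt on a domain-joined PC.

# --- Hypothetical values: replace with your own ---
$XgHost     = "10.0.0.1"            # hypothetical XG firewall address
$RootCaName = "*Sophos*"            # hypothetical subject filter for the XG default CA

# Ports from the thread (6060, 6677, 5566 TCP/UDP). Test-NetConnection checks TCP only;
# a failed test means the port is filtered or nothing is listening on that side.
$Ports = 6060, 6677, 5566

Write-Host "== Step 5: TCP reachability to XG ==" -ForegroundColor Cyan
foreach ($p in $Ports) {
    $r = Test-NetConnection -ComputerName $XgHost -Port $p -WarningAction SilentlyContinue
    "{0}:{1} TCP reachable = {2}" -f $XgHost, $p, $r.TcpTestSucceeded
}

Write-Host "== Step 3: Logon/Logoff auditing (must come from the domain GPO) ==" -ForegroundColor Cyan
auditpol /get /subcategory:"Logon"
auditpol /get /subcategory:"Logoff"

# Show which GPOs are applied to this computer, so you can confirm the audit
# setting is delivered by the domain GPO rather than local policy.
gpresult /r /scope:computer

Write-Host "== Step 4: XG root CA present in Trusted Root store ==" -ForegroundColor Cyan
$ca = Get-ChildItem Cert:\LocalMachine\Root | Where-Object { $_.Subject -like $RootCaName }
if ($ca) {
    $ca | Select-Object Subject, Thumbprint, NotAfter
} else {
    Write-Warning "No certificate matching '$RootCaName' found in LocalMachine\Root."
}

# After changing the GPO, refresh policy on each PC (the thread also recommends a restart):
# gpupdate /force
```

    If the TCP tests fail with the Windows firewall disabled as the poster tried, the block is somewhere else on the path (hypervisor virtual switch or the XG's own rules), which is where the earlier suggestion to run tcpdump on the XG side applies.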
