SATC - Mostly Not Working

Question

Hello All, My implementation of SATC is not working and I've run to the limit of my ability to diagnose the problem. 
 Any help in diagnosing this to a resolution would be appreciated! 
 Here's what data I have to offer. 
 Environment: 
 Terminal Server: MS Server 2012R2 
 SATC version: 2.0.6.0 
 Firewall: XG virtual machine (VMware): SFOS 16.01.2 The logs copied below reflect the following scenario: 
 1) SATC Start - 10:28:41 
 2 SATC sends a UDP packet on port 6060 to the firewall 
 - tcpdump on the firewall shows the firewall receiving the packet 
 3) A user logs into this TS at 10:29:10 
 4) The user logs out of this TS at 10:31:40 
 5 STAC Stop - 10:33:14 
 ******Logging Events Log File******* 
 MSG [0x17d8] 2017-01-31 10:28:41 : -------------------------------------------------------------------- 
 MSG [0x17d8] 2017-01-31 10:28:41 : -------------------------- Logging Events -------------------------- 
 MSG [0x17d8] 2017-01-31 10:28:41 : -------------------------------------------------------------------- 
 
 ******SatcSvr Log File******* 
 MSG [0x17d8] 2017-01-31 10:28:41 : ------------BEGINING------------------------------------------ 
 MSG [0x17d8] 2017-01-31 10:28:41 : -------------------------------------------------------------------- 
 MSG [0x17d8] 2017-01-31 10:28:41 : ----------- Sophos AUTHENTICED THIN CLIENT ----------------------- 
 MSG [0x17d8] 2017-01-31 10:28:41 : -------------------------------------------------------------------- 
 MSG [0x17d8] 2017-01-31 10:28:41 : -------------------------------------------------------------------- 
 MSG [0x17d8] 2017-01-31 10:28:41 : -------------------------- Logging Events -------------------------- 
 MSG [0x17d8] 2017-01-31 10:28:41 : -------------------------------------------------------------------- 
 ERROR [0x17d8] 2017-01-31 10:28:41 : PLACE #1 ERROR [0x17d8] 2017-01-31 10:28:41 : PLACE #2 ERROR [0x17d8] 2017-01-31 10:28:41 : PLACE #3 ERROR [0x17d8] 2017-01-31 10:28:41 : PLACE #4 DEBUG [0x17d8] 2017-01-31 10:28:41 : Ini file path: C:\Program Files\Sophos\Sophos Authenticated Thin Client\SATC.ini 
 ERROR [0x17d8] 2017-01-31 10:28:41 : PLACE #5 DEBUG [0x17d8] 2017-01-31 10:28:41 : SophosPort:6060 
 DEBUG [0x17d8] 2017-01-31 10:28:41 : Log File Size:25 MB(s) 
 ERROR [0x17d8] 2017-01-31 10:28:41 : PLACE #6 DEBUG [0x17d8] 2017-01-31 10:28:41 : SophosIP:10.1.254.245 
 ERROR [0x17d8] 2017-01-31 10:28:41 : PLACE #7 DEBUG [0x17d8] 2017-01-31 10:28:41 : TimeInterval:180 sec 
 ERROR [0x17d8] 2017-01-31 10:28:41 : PLACE #8 DEBUG [0x17d8] 2017-01-31 10:28:41 : MaxUsers:8100 
 ERROR [0x17d8] 2017-01-31 10:28:41 : PLACE #9 DEBUG [0x17d8] 2017-01-31 10:28:41 : SATCService Name Ini file path: C:\Program Files\Sophos\Sophos Authenticated Thin Client\SATCName.ini 
 DEBUG [0x17d8] 2017-01-31 10:28:41 : Sending flush to CR. 
 DEBUG [0x17d8] 2017-01-31 10:28:41 : UDP Packet sent to Sophos. Bytes Sent: 1 
 DEBUG [0x1b80] 2017-01-31 10:31:41 : Enumerating Windows Session 
 DEBUG [0x1b80] 2017-01-31 10:31:41 : GetSessionData::THRDB[sessionID]=TRUE for 1 DEBUG [0x1b80] 2017-01-31 10:31:41 : GetSessionData::THRDB[sessionID]=TRUE for 2 DEBUG [0x1b80] 2017-01-31 10:31:41 : GetSessionData::THRDB[sessionID]=TRUE for 4 DEBUG [0x1b80] 2017-01-31 10:31:41 : GetSessionData::THRDB[sessionID]=TRUE for 10 DEBUG [0x1b80] 2017-01-31 10:31:41 : Checking for Sending LogOff 
 DEBUG [0x1b80] 2017-01-31 10:31:41 : Max Session ID: 0 
 ERROR [0x17d8] 2017-01-31 10:33:14 : Error: Not overlapped i/o or server stop signaled! 
 DEBUG [0x17d8] 2017-01-31 10:33:14 : At Cleanup: Clearing memory and closing pipe

Rodrigo Araujo · Accepted Answer

Hello. 
 A costumer has had this exact same problem on one of his servers, however on another server it was working. We then noticed that on the server that was working, he still had an older version of the thin client agent, CATC 2.0.5.4, installed before he did the upgrade from his Cyberroam firewall to the Sophos XG. 
 We then completely uninstalled SATC 2.6 from the server with problems and downloaded the older client from the Cyberroam page: 
 https://www.cyberoam.com/cyberoamclients.html 
 (select "Thin Client", and when uninstalling SATC ensure that there arent any leftovers inside the Sophos folder in Program Files folder) 
 It started detecting the logon and logoff events correctly then. This was on Windows 2012 R2 Server, by the way. 
 To finish off, it was also necessary to: 
 1) On the Domain Controller where STAS is installed, add an IP exception to any terminal server (where you install SATC/CATC) for logon and logoff events 
 2) Disable UAC on the terminal servers that have SATC/CACT, and to REALLY do it on Windows Server 2012 or newer, you have to edit the registry as stated in: 
 social.technet.microsoft.com/.../13953.windows-server-2012-deactivating-uac.aspx 
 Quoting: 
 "The same approach is still available in Windows Server 2012, though UAC is still active after you selected "Never notify". You have the option to turn off UAC via registry by changing the DWORD "EnableLUA" from 1 to 0 in "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system". You will get a notification that a reboot is required. After the reboot, UAC is disabled." 
 
 So I would like to suggest Sophos: 
 1) To use this information to try to solve the problem in a newer version of SATC (comparing CATC 2.5 with SATC 2.6) 
 2) To update the knowledge base in https://community.sophos.com/kb/en-us/125218 with the updated steps to disable UAC on Windows 2012 and newer 
 3) To fix the screenshot links on https://community.sophos.com/kb/en-us/125218 since they are all broken 
 
 To sum up: 
 1) SATC 2.6 doesn't work (at least on Windows 2012 R2) but CACT 2.5 works (with Sophos XG, fully updated) 
 2) You need to properly disable UAC on the terminal server(s) 
 3) You need to place the proper exceptions for the terminal server(s) on STAS 
 
 I hope this helps.

sachingurung · Answer

Hi Gary, 
 The issue is reported under the JIRA NC-16959. There is no ETA on the fix from the Developer and the workaround is to use an older client. We are in process to launch a new version of SATC which will be made available soon. 
 Thanks