Clientless SSO STAS logoff detection vs dead entry timeout clarification needed

Please bear with me, I am a 1-man IT band, and am NOT a "Firewall" guy. :-)

Background:

Simple Network:

  • 2 Active Directory Domain Controller servers (for redundancy) w/ STAS Suite loaded on BOTH controllers.
  • 1 Sophos XG 230 Firewall


I am in the works setting up a new Sophos XG 230 for our business, and decided that "Clientless SSO Authentication w/ AD" sounded the best? (I THINK)?

I have it up and running, BUT was dealing with some issues with a test workstation being disconnected within minutes of logging on, even though I had "Dead Entry Timeout" selected on the STAS Suite for 2 hours (for testing).  Within minutes of logging on (and showing up under "Live Connections"), the workstation would suddenly drop off the list.  If I log off or even lock the workstation and log back in... it works again for a few minutes.


After working with support for some time, I noticed that if I set "Dead entry timeout" on the AD Domain Controllers' STAS Suite to 0 (disabled), this no longer happened and the user would stay connected indefinitely.  Previously I had it set for 2 hours (just for testing).

BUT... I noticed in the Sophos Article: "Sophos Firewall: Clientless Single Sign-On in a Active Directory Domain Controller Environment" it states:

Note:

  • Ensure Logoff Detection and Dead Entry Timeout are not simultaneously disabled because users will remain live in the STAS DB.  (which is what I just did in order to rectify my problem of my test workstation getting dropped off every few minutes).


Question to you guys MUCH smarter than I:  What is the most FOOL PROOF, dependable way to set up SSO w/ AD authentication (as far as logging off workstations that sit idle for an extended period)?

  • Logoff Detection? (on STAS Suite on AD Domain Controllers)?
  • Dead entry timeout? (on STAS Suite on AD Domain Controllers)?
  • "Enable User Inactivity"? (on Sophos XG firewall)?

- Which one?  Or a combination?

Again, my only concern is that I am not missing some Security hole, or Performance issue by leaving users connected indefinitely on either the XG firewall or STAS Suite (DC's).

Long story short, I am looking to see what you guys with MUCH more KNOWLEDGE than I recommend for SSO w/ AD integration settings. (especially pertaining to Logoff due to idle time).

THANKS!

  • Hi Jarrod,

    User logoff detection works in conjunction with the Windows WMI queries to detect a logoff entry. Read the KBA here for further information. Alongside, ‘Dead entry timeout’ is independent of whether the Logoff Detection is enabled or not. Using Dead Entry Timeout in STAS, an administrator can configure the time period (in hours) after which a user is to be logged out from the XG. After user login, on completion of the specified time period, the user is automatically logged out. 

    One of the most interesting ones, the User Inactivity timeout, is necessary for a Single Sign On implementation to get accurate reporting about a user's activity. Users at their workplace do not shut down their system at the end of their shifts. If a user is configured for Single Sign On, whenever the user logs on to Windows, he/she is automatically logged in to the appliance. So, in the XG Live User page, users will remain logged in till the next time he/she logs into the Windows Domain. This would result in showing the user on the Live User page for many days without any logoff. To avoid such a situation, the ‘Inactivity Time’ parameter for STAS settings must be configured.

    Hope that helps.
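
As an added example (constructed here, not code from this thread or from Sophos), the following Python model walks through the three mechanisms the reply describes and shows why the article's note matters: with both timers disabled and no logoff event, a user never leaves the live table. The timer semantics, the 10-minute sweep and the sample users are assumptions drawn from the reply and the thread's own numbers (9 hours, 256 bytes), not Sophos's implementation.

```python
# Constructed model (not Sophos code) of the STAS live-user table as described
# in the reply: Dead Entry Timeout drops a user N hours after login regardless
# of activity, the XG inactivity timer drops a user whose transfers stay below
# the byte threshold for M minutes, and logoff detection drops a user on a DC
# logoff event. Times are minutes; 0 disables a timer, as in the STAS Suite.

class LiveUserTable:
    def __init__(self, dead_entry_hours=0, inactivity_minutes=0, threshold_bytes=256):
        self.dead_entry = dead_entry_hours * 60
        self.inactivity = inactivity_minutes
        self.threshold = threshold_bytes
        self.users = {}    # user -> {"login": minute, "active": minute}
        self.events = []   # (minute, user, reason) for every logout

    def login(self, user, now):
        self.users[user] = {"login": now, "active": now}

    def traffic(self, user, now, nbytes):
        # Only a transfer at or above the data threshold counts as activity.
        if user in self.users and nbytes >= self.threshold:
            self.users[user]["active"] = now

    def logoff_detected(self, user, now):
        if self.users.pop(user, None) is not None:
            self.events.append((now, user, "logoff detection"))

    def sweep(self, now):
        # Run periodically; each timer is evaluated independently of the other.
        for user, u in list(self.users.items()):
            if self.dead_entry and now - u["login"] >= self.dead_entry:
                reason = "dead entry timeout"
            elif self.inactivity and now - u["active"] >= self.inactivity:
                reason = "user inactivity"
            else:
                continue
            del self.users[user]
            self.events.append((now, user, reason))

def simulate_workday(dead_entry_hours, inactivity_minutes):
    """alice and bob log in at 08:00 (minute 480); alice goes idle at 12:00, bob
    stays busy until 18:00, neither logs off. Returns (logout events, still live)."""
    table = LiveUserTable(dead_entry_hours, inactivity_minutes)
    for user in ("alice", "bob"):
        table.login(user, 480)
    for now in range(480, 1440, 10):  # a sweep every 10 minutes until 23:50
        if now < 720:
            table.traffic("alice", now, 4096)
        if now < 1080:
            table.traffic("bob", now, 4096)
        table.sweep(now)
    return table.events, sorted(table.users)
```

Running `simulate_workday(0, 0)` reproduces the "users remain live" case from the article note, while `simulate_workday(9, 300)` shows the idle user leaving on the inactivity timer and the busy user leaving on the 9-hour dead entry timeout.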

  • Thank you for the reply...

    Here is what I was "THINKING" would work... PLEASE let me know if you think this is a good option or if there is a better solution/approach!

    Implementation Idea:

    • Enable: "Dead entry timeout" set for 9 hours (this way the user should stay logged in all day, but will eventually be logged off after work hours).  (NOTE: Should this be set on BOTH DC's or just the primary?)
    • Enable: "Enable User Inactivity" on Sophos XG Firewall.

    Question:

    • Do these 2 settings work well together?  Or should I use a different combination?

    NOTE: whatever settings I use, I am trying to avoid adding exceptions or software to the workstations (just due to limited time, and creating more possible issues/security holes).  Just want a reliable solution that is stable and easy to implement.

    Thanks again!


  • Hi Jarrod,

    I think it is a good configuration to go with, but the perfect one will only come after several permutations, learning the need in your network. This shall give you an inch inside the reporting section; alongside, it will also automatically sign out the users after 9 hours.

    Thanks

  • Logoff Detection using ping is what I use now. It's much easier to deal with than WMI and won't drop users' internet after X hours. Dead entry timeout will drop the user after X hours, then it depends on the WMI query to get the user back unless the user logs off and logs in another time.

    Client-based authentication is much better since it doesn't rely on network access for WMI. I use the authentication client every day and never have a problem. But the SSO Client is completely broken currently (users get kicked off for no reason every minute).

  • Thanks for the replies

    On my old SonicWall, I used to use LDAP integrated w/ Active Directory.  It has worked well, but did require a separate login for Firewall access (something that some of my users struggled with).  And I did have some security/certificate issues w/ browser upgrades and certificate issues.  (So I thought I would try something different.)

    I figured with setting up my new Sophos, I should "get with the times" and set up clientless SSO w/ AD integration.    But maybe this isn't a good idea?

    Here is what I am THINKING I may try:  Let me know if I understand this incorrectly

    On Sophos XG (Configure>Authentication>STAS) "Enable User Inactivity" w/ Inactive Timer (example: Inactivity: 360 minutes / 256 byte "Data Transfer Threshold")   (MY understanding:  This will watch user activity and if a user is "inactive" for more than 360 minutes, it will log the user OUT of the Sophos XG "Live Connections" list ONLY.)

    THEN:

    On DC's (BOTH) set "Dead Entry Timeout" for (example: 9 hours) (My Understanding:  This removes the user from the "Live Users" table after 9 hours of being logged in, clearing them out of the "Live Users" database).  ODD thing:  During testing I set this for 1 hour (Dead Entry Timeout), but as long as the Sophos XG showed the user under "Live Connections" they would not get logged out, UNTIL the Sophos XG would remove them from the "Live Connections" list, then the user would fall off the "Show Live Users" list on the DC's STAS Suite. Not sure if I was doing something wrong, for I thought the two ("Dead Entry Timeout" and XG "Enable User Inactivity") do not necessarily work together... I think?

    daiqingxu:  When you say "Client Based Authentication" do you mean you loaded the Client on all of your workstations?  I was thinking this would be a lot of work (1 man IT department) and possibly cause Security/Performance issues (loading more software on workstations)?


    Thanks again for the ideas and help!

  • You can load the client with the authentication client or SSO client with GPO. The SSO client is broken so you can't use it. The authentication client will require the user to enter their credentials once, then it can remember them and log in automatically. If users are already familiar with logging in through something, it may be the best choice. It uses a heartbeat to detect user logout, which is the most reliable solution I believe.