NEED HELP!
Background:
One-Man-Band IT guy (I do it all, from servers, printers, PCs, you name it... etc.). So one of these "Jack of all trades, Master of none" type of guys. So needless to say, time is ALWAYS an issue, and I don't usually have time to constantly come back and fix issues. So I need a ROBUST, SIMPLE implementation. (AKA: I just need stuff that works.)
Environment:
-Standard Windows network
-2 Active Directory Domain Controllers (for redundancy: BOTH Server 2008 R2)
-1 Firewall (currently Sonicwall) - Replacing w/ Sophos XG 230
-Windows 7 and Windows 10 workstations
On all my previous routers we have used LDAP (with Active Directory integration). (Users have to periodically "Login" to the firewall through a web browser, using their AD credentials.) This has worked, but recently it has been a bit of a pain due to Internet browser security updates and certificate issues. So I figured on our NEW Sophos XG I would try a different route.
I figured Clientless SSO w/ STAS sounded like the thing to use.
-Setup just as described in Sophos Article: "SSO w/ Multiple Active Directory Domain Controllers"
RESULT:
I have NO PROBLEM authenticating users. When a user logs in, they are quickly authenticated and show up under the "Live Connections" tab (Monitor & Analyze > Current Activity > Live Connections).
PROBLEM: The users will be DROPPED within minutes. Either the user name will no longer be listed, or it is possibly replaced with NA. Then if I either reboot, or even simply "LOCK" the workstation and log back on, the user once again shows up under "Live Connections".
I have played with NUMEROUS settings:
Option 1:
(STAS Suite for Windows - BOTH DC's):
"Enable Logoff Detection" (Set for 9 hours)
(Sophos XG Firewall: Configure>Authentication>STAS):
"Enable User Inactivity" (Set for 360 minutes / 256 Bytes)
Option 2:
(STAS Suite for Windows - BOTH DC's):
"Enable Logoff Detection" - (Set for PING / 605 Seconds)
(Sophos XG Firewall: Configure>Authentication>STAS):
"Enable User Inactivity" (Set for 360 minutes / 256 Bytes)
Option 3:
(STAS Suite for Windows - BOTH DC's):
DISABLED ALL "Logoff Detection" settings
(Sophos XG Firewall: Configure>Authentication>STAS):
"Enable User Inactivity" (Set for 360 minutes / 256 Bytes)
The ONLY thing that seems to help (but is not a viable fix) is to DISABLE ALL "Logoff Detection" and "Dead Entry Timeout" (which is not advised; from the Sophos article "Sophos Firewall: Clientless Single Sign-On in a Single Active Directory Domain Controller Environment":
"Ensure Logoff Detection and Dead Entry Timeout are not simultaneously disabled because users will remain live in the STAS DB.")
After reading quite a bit on different forum threads... it seems a few people are having issues with Clientless SSO, or SSO in general for that matter.
MY QUESTION/PLEA FOR ADVICE/HELP:
What is a viable (ROBUST, as close to a "set it and forget it" type as possible) solution?
- LDAP (with AD integration)? This is what I used on the Fortigate and Sonicwall we had prior to our new Sophos XG.
- Authentication Client? This seems like much more work, with having to get software onto each PC (which I think I can do through GPO), but I'm just not sure if more software = more problems?
- SSO (this seems to be the most problematic)?
- Something else?
THANK YOU FOR ANY HELP!
[edited by: Erick Jan at 12:41 AM (GMT -7) on 16 Sep 2022]
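The post configures STAS logoff detection as PING, which means the collector decides a user has gone away when the workstation stops answering ICMP echo. The following script is an added example, not code from the original post or from Sophos: run on the DC that hosts the STAS collector, it reports which workstations answer ping from that host and, for Windows 10 machines reachable over WinRM, whether the built-in inbound ICMPv4 echo rule is enabled. The hostnames are constructed placeholders, and the assumption that the collector's ping is what the logoff check relies on follows from the "PING" setting in the post.

```powershell
# Added example (not from the original post or from Sophos). Run on the host where the
# STAS collector ("STAS Suite for Windows") is installed, i.e. one of the two DCs.
# A workstation that does not answer ICMP echo from this host will look "logged off"
# to a PING-based logoff detection. Hostnames below are constructed placeholders.

$workstations = @('WS-ACCOUNTING01', 'WS-FRONTDESK02', 'WS-LAB03')  # constructed sample names
$pingsPerHost = 3
# Built-in Windows Firewall rule that allows inbound ICMPv4 echo requests
$icmpRuleName = 'File and Printer Sharing (Echo Request - ICMPv4-In)'

$report = foreach ($ws in $workstations) {
    # -Quiet returns $true only if at least one echo reply comes back
    $answersPing = Test-Connection -ComputerName $ws -Count $pingsPerHost -Quiet -ErrorAction SilentlyContinue

    # Get-NetFirewallRule exists on Windows 8/Server 2012 and later, so this part is
    # only meaningful for the Windows 10 workstations; Windows 7 hosts or hosts
    # without WinRM fall into the catch block and are reported as unknown.
    $ruleState = 'unknown'
    try {
        $ruleState = Invoke-Command -ComputerName $ws -ErrorAction Stop -ScriptBlock {
            param($name)
            $rules = Get-NetFirewallRule -DisplayName $name -ErrorAction Stop
            if ($rules | Where-Object { $_.Enabled -eq 'True' }) { 'enabled' } else { 'disabled' }
        } -ArgumentList $icmpRuleName
    } catch {
        $ruleState = "unknown ($($_.Exception.Message))"
    }

    [pscustomobject]@{
        Workstation = $ws
        AnswersPing = $answersPing
        IcmpInRule  = $ruleState
    }
}

$report | Format-Table -AutoSize

# Workstations that do not answer ping are the ones a PING-based logoff detection
# would drop while the user is still logged on; list them explicitly.
$report | Where-Object { -not $_.AnswersPing } | ForEach-Object {
    Write-Warning "$($_.Workstation) does not answer ICMP echo from this collector host"
}
```

The ping column needs no special rights; the firewall-rule column needs WinRM enabled on the workstation and an account that is a local administrator there. A workstation showing AnswersPing as False while a user is logged on is the case to look at, since it matches the symptom of users disappearing from Live Connections until they lock and unlock the session.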