
Communication between DC's with STAS for SSO... NEED HELP!

WARNING... Amateur looking for guidance. :-)

Environment:

  • Standard Windows network
  • 2 Active Directory Domain Controllers (for redundancy: BOTH Server 2008 R2)
    • DC 1: 10.130.210.40  (FSMO Roles: PDC, RID pool master, Infrastructure master)
    • DC 2: 10.130.210.41  (FSMO Roles: Schema master, Domain naming master)
  • Sophos XG 230: 10.130.210.112
  • Windows 7 and Windows 10 workstations

SO, I have been struggling to get my new Sophos XG 230 off the ground (as far as SSO Clientless Authentication).  After DAYS of messing around with this... I think I am starting to at least hone in on some of my issues.

Observed Problem: Users will get added to the "Live Connections" screen... but then within minutes drop off. (Lock or Logoff and the user will be back on, and everything starts to work again... for a few minutes).

Where I THINK the problem exists:  Communication between the 2 DC's running "Sophos Transparent Authentication Suite" (I know documentation shows one DC should have one "Suite", and the other "Agent".  But I have tried both ways, and I don't think that is my problem.)

NOTICED ISSUES: Under the "Advanced" tab on the STAS Suite, some of the test FAIL:

Test Connectivity: Sophos (XG appliance): Successful

STAS Agent: From DC1 to DC1: Success

STAS Agent: From DC1 to DC2: FAILURE

STAS Collector: From DC1 to DC1 (or DC2 to DC2): Success

STAS Collector: From DC1 to DC2: Failure

ALSO:

If I try and use the "Configuration Sync" to copy information between the 2 DC's... They both show FAILURE:

-------------------------------

So I am "THINKING" my issue is communication between the two DC's (as far as STAS needs):

I know the literature states to open TCP/UDP ports: 6677, 5566, 6060

I even found this reply to a similar issue:

Question/HELP:

I am FAR from a Server/Network expert (I wear too many hats (jobs) here to get GOOD at anything).  But this is what I did to "Open Ports" for these needed connections (PLEASE correct my errors).

STEPS:

  • ON BOTH DC's (Administrative Tools > Windows Firewall with Advanced Security):
  • Inbound Rules: "New Rule"
    • Select "Port"
    • "Specific local ports":  TCP: 5566
    • "Allow the connection"
    • "When does the rule apply?"  I selected "Domain" and "Private"... I did not check "Public"?  (Not sure what I should have used here?)  Would like to keep things SECURE!
    • Gave it a name and "Finish".

After this I repeated it w/ - Inbound: UDP:6677

Then I configured: "Outbound Rules"

I did this on BOTH DC's... but STILL cannot communicate between the two (as far as testing like above: w/ STAS "Test Connectivity").

NOTE: I can PING between the DC's w/ no problem

I TRULY appreciate any help on configuring this... I am starting to run short on time on getting this into production, and am SO LOST!

THANKS to ANYONE who can help!
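The firewall rules from the steps in the post above, scripted for both DCs as an added example (this is not code from the thread or from Sophos). It uses the addresses and ports the post gives; the rule-name prefix and the choice to restrict each rule to the peer DC and the XG appliance are assumptions. It uses netsh rather than New-NetFirewallRule because the latter cmdlet is not present on Server 2008 R2.

```powershell
# Added example, not from the original post or from Sophos documentation.
# Creates inbound and outbound Windows Firewall rules for the STAS ports named
# in the thread (TCP and UDP 5566, 6677, 6060). Run in an elevated PowerShell
# on EACH domain controller. Addresses are the ones from the thread.
$Dc1 = '10.130.210.40'
$Dc2 = '10.130.210.41'
$Xg  = '10.130.210.112'
$Ports = 5566, 6677, 6060
$RuleNamePrefix = 'STAS'   # assumption: any unique rule name works

# Decide which DC this script is running on, so the rules only admit the
# OTHER DC and the XG appliance instead of the whole network.
$localIps = [System.Net.Dns]::GetHostAddresses($env:COMPUTERNAME) |
    Where-Object { $_.AddressFamily -eq 'InterNetwork' } |
    ForEach-Object { $_.IPAddressToString }
if     ($localIps -contains $Dc1) { $peer = $Dc2 }
elseif ($localIps -contains $Dc2) { $peer = $Dc1 }
else   { throw 'This host is neither DC1 nor DC2; adjust the addresses at the top of the script.' }

$remote = "$peer,$Xg"   # netsh accepts a comma-separated remoteip list

foreach ($proto in 'TCP', 'UDP') {
    foreach ($port in $Ports) {
        foreach ($dir in 'in', 'out') {
            # No spaces in the name: avoids quoting problems between PowerShell and netsh.
            $name = "${RuleNamePrefix}_${proto}_${port}_${dir}"

            # Remove an earlier copy so re-running the script does not stack duplicates.
            netsh advfirewall firewall delete rule name=$name | Out-Null

            # Inbound traffic is matched on the local (listening) port; outbound
            # traffic to the peer's listener is matched on the remote port.
            if ($dir -eq 'in') { $portArg = "localport=$port" } else { $portArg = "remoteport=$port" }

            # profile=domain only: a domain controller's NIC is in the Domain profile,
            # so Private/Public rules are unnecessary for DC-to-DC and DC-to-XG traffic.
            netsh advfirewall firewall add rule name=$name dir=$dir action=allow protocol=$proto $portArg remoteip=$remote profile=domain | Out-Null
            Write-Host "Created rule $name (remote: $remote)"
        }
    }
}

# Verify: list the rule names just created.
netsh advfirewall firewall show rule name=all | Select-String "Rule Name:\s+$RuleNamePrefix"
```

Leaving "Public" unchecked, as the post did, costs nothing here: the DC's NIC is in the Domain profile, and the remoteip restriction means only the peer DC and the XG can reach the STAS ports even within that profile. If the STAS "Test Connectivity" check still fails after this, the firewall is unlikely to be the cause.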



  • What I would do is to start troubleshooting by trying to disable the Windows Firewall on the server first, to rule out the Windows Firewall being a problem.

    Then test authentication settings on the XG. Is the STAS service running on the DCs?  Try running the services with the domain administrator account.

    I would work on getting STAS up on the primary DC first to get stuff going, then go set up the secondary STAS if they are not running at all.

    Can you verify importing Active Directory groups in the XG?  That might give you another clue; maybe the FQDN isn't set correctly.

    Try STAS transparent mode; that worked when I set it up the first time.

    Good luck!

  • Thank you for the reply.

    The odd thing is almost everything is working just as it should.  I was able to connect to my 2 DC's with Sophos XG (no problem).  Import Users/Groups (no problem).  Set up STAS (no problem).  Everything seems to work just fine... BUT.  It drops my Workstations off of the "Live Connections" every few minutes. (BIG PROBLEM)

    Things I have tried:

    -Using Domain Administrator account for setting up Sophos SSO and STAS Suite.  (Didn't seem to help)

    -Disabling ALL "Logoff Detection Settings"... this seems to work, for it stops DROPPING my workstations every few minutes, but it is also NOT advised by SOPHOS.  Per: Sophos Article: Sophos Firewall: Clientless Single Sign-On in a Single Active Directory Domain Controller Environment
    "Ensure Logoff Detection and Dead Entry Timeout are not simultaneously disabled because users will remain live in the STAS DB."


  • Just another update:


    Like B.R.O mentioned above, today I figured I would try just 1 DC and see if I could get that connection working.  So I unchecked my 2nd DC in "Authentication Server List" and also removed it from the STAS "Collector" list.  So my setup was just 1 DC with STAS SUITE loaded.


    SAME EXACT ISSUE... I would be able to get authenticated as soon as the workstation logged onto the network, and all was good, but after a few minutes... it fell off the "Live Connections" list and the workstation would no longer have Internet access.

    NOTE: I was using the setting on DC STAS SUITE: "Enable Logoff Detection" PING.

    NOTE 2: Just to try, I again disabled ALL "LOGOFF Detection Settings"... my workstation would then remain able to access the Internet.  (BUT) I did notice it would fall off the "Live Connections" within minutes, but as soon as I would initiate Internet activity on the Workstation again, it would re-show back on the list of "live connections".  So whatever is removing my Workstations every few minutes seems to be less bothered when there is NO "Logoff Detection" set on the DC.  But I also know this is not an advised setup.


    I am really starting to think I should maybe think about another authentication method.  I just hate to load the Client, for I noticed it requires Java on every workstation.  Something I would rather not have to load on all my workstations (mainly due to security issues with Java often).

    Still open to ideas???? :-)


    Thanks

  • INFO:  I think I have been looking in the wrong area for the fix to my dropped users.  All focus has been on my DC’s and the STAS Suite they run.  BUT here are some observations I have been making the last few days since I am STILL trying to get this unit ready for production!

    Lately the focus has been on possible communication issues between my 2 DC’s and the SUITE/Agent roles… thinking that something was causing the users to get dropped minutes after being “Authenticated” w/ clientless SSO (users fall off of “Live Connections” within minutes).  BUT as I show below, I am starting to doubt this is my problem area:

    Observations:

    1. SETUP: Loaded STAS SUITE on only 1 DC. 
      1. Only the 1 DC listed as an “Authentication Server” (on XG box)
      2. Only the 1 DC listed on “Authentication Server List” (on XG box)
      3. Only the 1 DC listed as “Collector” on STAS tab (on XG box)
      4. “Enabled Logoff Detection: PING”

    Result:  EXACT SAME… users would get authenticated… then minutes later (even with Internet open to MSN page) would be dropped off the “Live Connections” List… replaced with either NA or nothing.  On the workstation, Internet access would stop and I would be presented with the “Network Authentication” page.  I would then have to “Lock” the workstation or “logoff” and back on in order to reestablish the workstation under “Live Connections”, and resume Internet connectivity on workstation.  Only to have this happen again a few minutes later.


    2. SETUP #2: -Disable “Enable Logoff Detection”- (On DC STAS Suite)

    RESULTS: As stated many times before, IF I DISABLE ALL “logoff Detection” settings on the STAS Suite (on DC) my test workstations would STILL fall off the “Live Connections” list (on XG) within a few minutes, BUT as soon as I would click a link, or do anything on the workstation to initiate Internet activity… the workstation would show back up on the “Live Connections” list.


    3. SETUP #3: -Captive Portal-
      1. I wanted to see if “Live Connections” would DROP off my workstations if I tried a completely different Authentication method. SO I signed my test workstations in w/ Captive Portal logon screen

    Results:  JUST like above, the workstations would show up under “Live Connections” and after a few minutes (with browsers open to CNN) they would be removed from “Live Connections”… BUT if I would initiate browser activity again (click on something new) they would again show back up under “Live Connections”.


    My NON-EDUCATED guess:  It seems I have been looking in the WRONG place for this fix.  I think my STAS SUITE is working correctly (though it may need a few tweaks), for when “Enable Logoff Detection” is enabled it is monitoring the XG “Live Connections” for workstations that are no longer “Active”… and DUE to the XG box dropping users off of “Live Connections” every few minutes, it does see my workstations as NOT ACTIVE and drops the workstation off of its “Live Users” (requiring the workstation to re-authenticate with the AD server).

    So my problem (SEEMS TO ME) to be with the XG box dropping my workstations every few minutes off of “Live Connections”.  For it seems to do this no matter what authentication I use (SSO or Captive Portal)?


    Question to anyone who can verify:

    1. Do your users appear and disappear (fall off) of the “Live Connections” every few minutes, or do they stay on this list until they SHOULD be removed due to inactivity or whatever “User Inactivity” you setup?

    Thanks for help troubleshooting this...


    P.S. Call out to Sophos Tech support... I have updated my case over 2 days ago, but still have not heard ANYTHING?  I am going to again update my case with these new findings.

  • Just wanted to post a follow up...


    After WAY too long working on this... it turned out to be the DUMBEST issue.

    IF I would have noticed sooner, PING was an issue between my DC's and my test machines.  They would join the domain just fine, but due to a DNS issue (I do believe) they were not getting registered correctly, causing an issue where they were not able to be PINGED from the DC.  They could ping the DC, but the DC could not ping them.

    SO... IF you are having this issue... PLEASE double check you can ping BOTH directions and double check SIMPLE network setup.

    THANKS all who helped and gave tips!  ALWAYS appreciated!

    Till next time!  See ya!
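The check the follow-up above recommends, scripted as an added example (not code from the thread or from Sophos): run on the DC that hosts the STAS Suite, it confirms for each workstation that the name resolves in DNS, that the resolved address answers ping from the DC side (the direction STAS "Logoff Detection: PING" depends on), and that the reverse record names the same host, so a stale or missing A record shows up directly instead of as users vanishing from "Live Connections". The workstation names are placeholders and the wording of the notes is an assumption.

```powershell
# Added diagnostic example, not from the thread. Works with PowerShell 2.0 on
# Server 2008 R2 (no Resolve-DnsName needed). Run on the DC running STAS.
# Placeholder names (assumption): replace with real workstation names.
$Workstations = 'WS-PLACEHOLDER-01', 'WS-PLACEHOLDER-02'

function Test-StasPingPath {
    param([string]$Name)
    $r = New-Object PSObject -Property @{
        Host = $Name; ResolvedIP = $null; ReverseName = $null; PingOK = $false; Note = ''
    }

    # Forward lookup: does the DC's DNS know this workstation at all?
    try {
        $a = [System.Net.Dns]::GetHostAddresses($Name) |
            Where-Object { $_.AddressFamily -eq 'InterNetwork' }
        if ($a) { $r.ResolvedIP = $a[0].IPAddressToString }
    } catch { }
    if (-not $r.ResolvedIP) {
        $r.Note = 'No A record: on the workstation run "ipconfig /registerdns" and check DHCP/DNS dynamic update'
        return $r
    }

    # ICMP from the DC toward the workstation: the direction STAS logoff detection uses.
    $r.PingOK = Test-Connection -ComputerName $r.ResolvedIP -Count 2 -Quiet

    # Reverse lookup: a PTR naming a different host means the A record is stale.
    try { $r.ReverseName = [System.Net.Dns]::GetHostEntry($r.ResolvedIP).HostName } catch { }

    if (-not $r.PingOK) {
        $r.Note = 'Resolves but no ICMP reply: stale A record, or the client firewall blocks ICMPv4 Echo from the DC'
    } elseif ($r.ReverseName -and ($r.ReverseName -notlike "$Name*")) {
        $r.Note = "Ping OK but PTR says '$($r.ReverseName)': the address may now belong to another machine"
    } else {
        $r.Note = 'OK'
    }
    return $r
}

$Workstations | ForEach-Object { Test-StasPingPath $_ } |
    Format-Table Host, ResolvedIP, ReverseName, PingOK, Note -AutoSize
```

A workstation that resolves but does not answer is the case the follow-up describes; with "Logoff Detection: PING" enabled, STAS treats exactly that as a logoff. If the address is correct and only the ping fails, the workstation's own firewall is the next thing to look at (on Windows 7/10 the predefined "File and Printer Sharing (Echo Request - ICMPv4-In)" rule for the Domain profile allows the DC's ping through).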