STAS: 2 questions

I installed the STAS agent and collector on my domain controller, set up the client and tested as much as I could, and everything seems to test OK. I enabled STAS on the XG firewall, enabled User Inactivity, and added the collector IP. So far so good.

My first question is that I am not seeing the number of "live" users I would expect on the XG firewall. Right now, for instance, it shows me exactly 1 live user, when I know there are closer to 15. I know this because when I look at the "Live Users" within the STAS client software, I see them there, but I do not see them on the XG. Also, clients seem to disappear from the Live Users on the XG almost immediately even though they are still in active web sessions. Is this the normal or expected behavior?

The second question: I have an Exchange 2013 server on premises. I guess when people connect to it and check their mail, it is generating an event log logon entry on the domain controller that STAS is picking up, such that I see Live Users in an SSO session, originating from the Exchange server. They are obviously not actually "on" the Exchange server. So the question is, should I add the Exchange server to the "Login IP Address exclusion list" in the STAS client?



  • Just to sort of answer my own questions here, I eventually saw the "Live users" discrepancy clear up; I believe it was a combination of having dead/idle session disconnection enabled all over the place; on the Sophos box, and 2 places within the STAS client. 

    The second answer is, yes, you just add the Exchange server IP to the exclusion list and that solves that problem straight away. 

    Unfortunately it does not appear to me that the WMI polling for logoff detection actually works correctly. It tests fine when you test within the client, but I see STAS log off everyone after 10 minutes (or whatever interval you set for it to check) even though the user is still happily logged in and browsing the web. I will play around a little more with it as time permits, but I don't think it's a configuration issue on my end.

  • I have the same problem as Rolland. I am sure that logoff detection DOESN'T WORK.

    When we switched it on (several various configurations and different Windows server versions; the previous CTAS.EXE had the same problem), some clients are randomly disconnected and pushed into "learning mode" as in https://community.sophos.com/kb/en-us/123156. For this client it means "two minutes" of being disconnected from the LAN.
