
Sophos STAS Configuration

Hi Guys,

New to the forum. We have an XG in our office and two domain controllers. We are trying to get SSO to work. I have configured STAS using the document here:

https://community.sophos.com/kb/en-us/123154

My understanding is that there are two domain controllers, one of which will act as a CTA Controller and agent while the other will be only an agent.

I have enabled STAS on the XG. However, as soon as I enable this, all traffic from most machines stops. This is the one thing that I can't get: why does the traffic only stop on certain machines? I understand that if the client is authenticated, it will have access to the internet. For that reason, I log off Windows and log back on. When I do, I can monitor the live users on the DC but not on the Sophos. I suppose that's what's lacking. For the firewall ports, I have disabled the firewall completely, so all traffic should be flowing without restriction.

The only other thing, which I cannot find any documentation on, is that one of my domain controllers is on a different subnet. Not sure if Sophos supports this.

Any help and guidance on this will be appreciated.



  • Hi Jan,

    Here also problems with disconnecting clients.

    The clients got disconnected for 120 seconds for no reason, but probably a buggy STAS "Logoff Detection".

    Sophos support turned this off and also set the "Dead entry timeout" to 0 (disabled).

    I will try to put in a screenshot of my configuration.

  • Hello all.

    This is the reason; I fought against this issue a couple of months ago.
    By the way, configure the agent as collector (full agent) on both DCs and put them as "other collector" of each other.

    Look below and set it to 1. There is a document that explains what you should do with this kind of configuration:
    https://community.sophos.com/kb/en-us/123039

    I hope it helps; for me the issue was fixed this way.

    Best regards,
    Salvatore

    console> system auth cta show
    CTA Status : disable
    CTA Collector : disable
    Unauth-Traffic Drop Time: 120 sec
    ============================================================
    Collector IP : Collector Port : Collector Group
    ------------------------------------------------------------
    - : - : -
    =========================================
    VPN Source Network : VPN Source Netmask
    -----------------------------------------
    - : -

    console> system auth cta se

    console> system auth cta
    collector enable unauth-traffic
    disable show vpnzonenetwork
    console> system auth cta unauth-traffic drop-period 0
    % Error: Unknown Parameter '0'
    console> system auth cta unauth-traffic drop-period 1
    console> system auth cta show
    CTA Status : disable
    CTA Collector : disable
    Unauth-Traffic Drop Time: 1 sec
    ============================================================
    Collector IP : Collector Port : Collector Group
    ------------------------------------------------------------
    - : - : -
    =========================================
    VPN Source Network : VPN Source Netmask
    -----------------------------------------
    - : -

    console>

  • Hi Salvatore,

    I have the collectors also looking at each other.

    Also found your solution "unauth-traffic drop period" here:

    https://community.sophos.com/products/xg-firewall/f/firewall-and-policies/86512/violation-reason-user_identity-issue/320421#320421

    In that solution he mentions not to use below 45 seconds; I don't know why. But 120 seconds is really too long.

    I keep my Logoff Detection and Dead entry disabled.

  • Hi, I know that they say not to set it below 45 seconds... but really, can you accept that if you have a flat LAN with servers and clients in the same LAN (there are these cases...), the traffic of the servers, because they are typically not authenticated, is dropped for 120 or 45 seconds? I think they say that for security purposes, not for performance or similar.

    For me it's not my expected behavior, so I disabled it and I have no issue anymore. I set that parameter to 1 and I set clientless users for some servers. As you said, it is really long. Consider also that it will not only drop the traffic from, for example, server A in LAN segment A to WAN, but it will also drop the traffic from server A in LAN segment A to server B in LAN segment B if the two LANs are routed by the firewall.

    I hope this helps, because I lost a couple of months on it... but I must also say that it's in the product documentation.

    Sincerely,
    Salvatore

  • Hi Salvatore,

    Thanks for the reply and the configuration screenshot. I don't think I have a problem with the agents and collectors. On both domain controllers, I can see the live users. But this is not reflected in my Sophos appliance. It seems that this information is not passed to the appliance at all, and because of that, Sophos ends up dropping traffic.

    I can change the unauthenticated traffic timeout, but it's only a matter of time before the traffic gets dropped.

    Clientless users are fine to add, but that doesn't help us get the authentication to work.

  • Hi Jan,

    If you see live users in STAS (for example you see "user1") and you can check via WMI on the remote computer where user1 is logged in, your STAS setup on the Domain Controller (DC) is OK.

    The local firewall rule on the PCs allows remote management (TCP 445...), and Audit account logon on the DC is OK.

    If you do not see those users in the firewall, this can be:

    - You have not specified Logon/LogOff IP exclusions (example: RDS Session Host servers)

    - Port TCP 6677 on the Domain Controller (where the STAS collector is running) is blocked

    If you deployed two separate STAS Collectors (even in the same domain), you must add two collector groups in your firewall.

    A month ago I had problems with STAS: it seemed to work well. I saw users logged into STAS, but after a while they disappeared.

    The problem was that STAS could not check WMI on the remote PCs; it took me a while to figure it out.

    I solved it with a reinstallation of the STAS Suite, and now all works!
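The checks in the reply above (collector port 6677 listening on the DC, TCP 445 open on the clients, and the WMI logged-on-user query that STAS relies on) can be scripted. This is an added example, not code from the thread or from Sophos; the hostnames are placeholders, and it is meant to be run in Windows PowerShell on the DC that hosts the STAS collector.

```powershell
# Added STAS troubleshooting helper (not from the thread). Run on the DC hosting the STAS collector.
# Placeholders: replace with your own client hostnames.
$Clients       = @('pc1.example.local', 'pc2.example.local')   # assumed: PCs shown as live users in STAS
$CollectorPort = 6677                                          # STAS collector port named in the reply

# 1. Is the STAS collector port actually listening on this DC?
$listen = Get-NetTCPConnection -LocalPort $CollectorPort -State Listen -ErrorAction SilentlyContinue
if ($listen) {
    "OK:   TCP $CollectorPort is listening on $env:COMPUTERNAME"
} else {
    "FAIL: nothing is listening on TCP $CollectorPort; check the STAS collector service"
}

foreach ($pc in $Clients) {
    # 2. Can this DC reach the client on TCP 445? The reply names this as the
    #    "remote management" port the client's local firewall must allow.
    $smb = Test-NetConnection -ComputerName $pc -Port 445 -WarningAction SilentlyContinue
    if (-not $smb.TcpTestSucceeded) {
        "FAIL: $pc does not accept TCP 445 from this DC (client firewall or host down)"
        continue
    }

    # 3. Ask the client over WMI (DCOM, like STAS does) who is logged on.
    #    Get-WmiObject is used on purpose: Get-CimInstance would default to WinRM.
    try {
        $cs  = Get-WmiObject -Class Win32_ComputerSystem -ComputerName $pc -ErrorAction Stop
        $who = if ($cs.UserName) { $cs.UserName } else { '<nobody logged on>' }
        "OK:   $pc answers WMI; logged-on user: $who"
    } catch {
        "FAIL: WMI query to $pc failed: $($_.Exception.Message)"
    }
}
```

A FAIL in step 2 or 3 on a PC that STAS shows as a live user matches the "users disappear after a while" symptom the reply describes, since the collector cannot confirm the session by WMI.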