This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

SATC functionality in Intercept X for Server

I have received answer from Sophos Commerce that the EOL SATC functionality is now included in Intercept X for Server and will be rolled out to different users in phases as of July 1th.

Is there a document outlining the chances in Intercept X?

Thanks,

Fred



This thread was automatically locked due to age.
Parents
  • After the rollout happend, which is not on 01.07, instead the rollout phase will take more time (staging etc.).

    https://docs.sophos.com/nsg/sophos-firewall/18.0/Help/en-us/webhelp/onlinehelp/nsg/sfos/learningContent/AuthenticationSetupSATCUsingEndpointProtection.html

    __________________________________________________________________________________________________________________

  • Is this done yet? If not when can we expect it and where will Sophos notify everyone?

  • I have not noticed any change yet. Having the future release number tto look for hat includes the SATC functionality would help.

    Current versions running are:

    Licensed Assigned Version
     Core Agent 2.18.2
     Sophos Intercept X 2.0.20
     Server Protection 10.8.10.3
  • As far as i know, the Core agent 2.19.x includes the SATC replacement. 

    __________________________________________________________________________________________________________________

  • Does it means for SATC we will have to use Intercept X along with the  XG firewall to protect RDP/Thin-Client, actually, this is not an acceptable solution from sophos, because we have purchased Sophos XG firewall and there is another endpoint security solution, we deployed, why should sophos force user to buy another product, they should provide solution within the XG Firewall only, without forcing users to buy another their product.

    As Sophos XG is an independent product, further solution has to be within product line only, user shouldn’t be forced to buy another product when they have alternative end-point products like Symantec, Mcafee, Bitdefender working in their network.

  • You should discuss this with your local Sophos sales rep to get a solution. 

    __________________________________________________________________________________________________________________

  • What sales can do in this case, it is a development issue,

    If you can see i am not the only one affected by this issue, check our this other discussion port.

    https://community.sophos.com/sophos-xg-firewall/f/discussions/125223/sophos-authentication-client-for-remotedesktopserver-citrix-satc-for-chromiumbased-browser-version-84

    whole point is Sophos is charging us for the support package, and on the other side they are expecting us to scrap other end-point solutions and buy their different product?

    Why shouldn’t we replace Sophos instead of this ?

  • Thats what you should discuss with Sales. The SATC Tool will go end of life. The replacement would be a component within the Endpoint Solution of Sophos. The other solution is currently under development to get a direct proxy solution. You could still use a end of life product like SATC but i would not recommend this from a technical and security perspective but the tool is still functional after the EoL date. 

    __________________________________________________________________________________________________________________

  • Hi LuCar Toni,

    Can you elaborate on the development road map? 

    IMHO there are a lot of different functional needs given the many possible situations.

    - A Firewall Endpoint Client

    To authenticate the user, user's session and endpoint  IP adresses (also Remote desktop sessions). If this firewall endpoint client is build into Endpoint X that is fine for Endpoint protection users but users of other SAV vendors should be able to use a Firewall Endpoint Client to authenticate the user.

    - An improved STAS

    I experienced that STAS will only register 1 user with 1 IP when in fact I was logged onto multiple devices authenticated with the DC. One having a WIFI guest IP adress which was send tru STAS to the XG and therefor blocking me on the XG on all other devices on the LAN. So I am not a fan of STAS. It should be able to allow for multiple user sessions, IP's.

    it can be easily replicated by adding a laptop which has a LAN and a WIFI guest connection. If you see only the Live user with Guest IP in the XG than you have a problem.

    - A Secure Web Gateway (cloud solution)

    Regards,

    Fred

  • The primary focus of Sophos is of course the synchronized Security story. Sophos is mainly investing in features to simplify the deployment of features with components and technology already in place. Therefore it makes sense to implement this feature in the Endpoint.

    In fact the Thin client authentication will work for any server, not only terminal serer. Therefore if you protect your DC, it will also be able to authenticate the RDS session coming from a different place. 

    As we move forward, Customers with the endpoint/server installed, can mainly uninstall STAS and only use Heartbeat for the authentication. 

    There are plans to rebuild the STAS with other solutions but there are on the backlog. 

    __________________________________________________________________________________________________________________

Reply
  • The primary focus of Sophos is of course the synchronized Security story. Sophos is mainly investing in features to simplify the deployment of features with components and technology already in place. Therefore it makes sense to implement this feature in the Endpoint.

    In fact the Thin client authentication will work for any server, not only terminal serer. Therefore if you protect your DC, it will also be able to authenticate the RDS session coming from a different place. 

    As we move forward, Customers with the endpoint/server installed, can mainly uninstall STAS and only use Heartbeat for the authentication. 

    There are plans to rebuild the STAS with other solutions but there are on the backlog. 

    __________________________________________________________________________________________________________________

Children
  • Hi LuCar

    Is there any news on the SATC functionality? we've a couple of customers desperate for this. Do you happen to know if this will also suffer from the SAM vrs UPN domain name problem that plagues Endpoint? I know there's a plan somewhere to sort that out but not seen any time scale on it.

    Regards

  • The version is/will be V2.19.X. Some customer already got this version. Feel free to check your installed server version.

    And SATC will use the same mechanism as Intercept X. Therefore you will see the same behavior. 

    __________________________________________________________________________________________________________________

  • Hi LuCar Toni,

    Our terminal server Server Core Agent is now at 2.19.8. Still I don't see any live users from this server in the XG. Only the STAS users. 

    When we were still at 2.18.x i added these steps:  Set the register keys for adding Satc to Intercept X on the RDS, restarted, via the XG console I added the IP of the RDS.

    So from which Core Agent version should I expect to see the SATC result from Intercept X on the RDS server?

    Regards,

    Fred

     

  • Should be working. Try to check the registry keys, if they are correct. 

    __________________________________________________________________________________________________________________

  • checked registry setting, checked threat protection policy has default settings, checked the console - ip already configered, checked Local service ACL - client authentication enabled.

    Strangely I don't see any port 6060 traffic from the rds to the XG in the firewall log.

  • Did you restart the server? Because the service has to be restarted to be loaded. 

    Check the Central part, if Network Threat Protection is installed. 

    __________________________________________________________________________________________________________________

  • Sophos Network Threat Protection 1.14.663.0

    I will restart later tonight to check. 

  •  I repeated the steps at our new RDS server windows 2019. Used a script to add the keys. It works on the new RDS. Saw a difference in the port registry key between the old RDS server which I added manually and the new one. So I removed the keys and added them with the script. Now both show thin client connections in the XG.

    Thanks again.