rumors of Heartbeat disabled for Windows Server 2012 R2 - true?

Hi,

I just read this article: https://borncity.com/win/2022/11/15/windows-server-2012-r2-sophos-user-authentication-using-heartbeat-disabled-on-rds-servers/

saying a customer found out that his Windows 2012 R2 Servers no longer send their heartbeat status to the XG/S Firewall after Sophos disabled that feature.

Sounds serious.

Can Sophos confirm that is true?

I cannot report this from our side - our 2012 R2 machines have heartbeat -  but the reason may be that the relevant updates have not yet been pushed by central in our region.

Looking forward to your answers on that thing.

edit:

I want to add: the blog post is a bit mixed up - writing of SATC, User authentication and heartbeat things. SATC has been replaced by Intercept-X - I know.



  • Hi LHerzog, as you suggested I think there is some confusion around some different technologies in that blog post.  

    SATC (Sophos Authentication for Thin Client), which enables the Sophos Firewall to authenticate users accessing a server or remote desktop, used to be available as a standalone agent but is now included with Sophos Central Server Protection in Sophos Central. As mentioned, it is currently only supported on Windows Server 2016 and later. We had previously provided access to a potential workaround approach for older operating systems via an Early Access (beta) program, but as with all beta software and features provided by Sophos, capabilities provided via Early Access programs may be discontinued at any time and may not be made Generally Available (GA), and unfortunately that was the situation here.

    There is an alternative method in version 19 of the Firewall that doesn’t provide quite the same level of integration with the Firewall, but can at least identify individual users’ web traffic from Remote Desktop servers. This is a potential solution for customers looking to continue to run Server 2012 R2 until they get to upgrading.  The feature is “Per-connection authentication” and is documented here: https://docs.sophos.com/nsg/sophos-firewall/19.0/Help/en-us/webhelp/onlinehelp/AdministratorHelp/Authentication/HowToArticles/AuthenticationConfigurePerConnectionAuth/index.html.  You can also find a tech on that topic here: https://techvids.sophos.com/watch/nPQbf634vyUSqHYCd8SDS7

    Security Heartbeat is an unrelated feature that allows endpoints and firewalls to share their health status with each other and as you suggest there are no issues with Windows Server 2012 R2.

    Hope that provides some clarity for you.

    Thanks,

    Kevin

  • Thank you for taking your time and writing a detailed answer. I think it helps us to understand the issue the customer has now with his 2012 R2 Server. So it's probably only the user authentication not working or being unsupported for him anymore but heartbeat should be no issue as I can confirm from here while we use to get new Intercept-X updates very delayed. Our servers are still on Core Agent 2022.2.2.1.

    I must admit, I have no experience with user authentication through Intercept-X on Server 2012 R2 Terminal Server but with 2019 and 2022 TS. It works with some limitations regarding system generated traffic like SMB share access.

  • Agreed that's what I also expect is the situation here and I'd hope the alternative method might also be useful for the customer.