User authentication against firewall from Terminalserver not working properly

You should check the logviewer of the firewall for authentication requests and the local server (sntp.log). 

thank you. I put

service access_server:debug -ds nosync

and HB on the TS in debug.

Need to wait now and hope the log on the firewall is not filling up the disk.

It looks like we have a development ticket opened for this issue as well. This is logged under the ID "WINEP-45479". This was identified just recently after a review from our L3 team. It seems the case was transferred to Endpoint support just after this was identified, as the development ticket is also with our Endpoint developers.

Correction: The case was transferred to our network team so that information is available from both sides to progress the investigation.

I will follow up with our support team to ensure the case is progressing smoothly.

Thanks a lot  Qoosh !

to me it looks like the endpoint has issues recognizing the correct RDP session ID.

In most cases I cannot find correct RDP Session ID of a user in the sntpservice log - it appears as an other ID. posted that already before.

Today Support did the whole debug thing again in a remote session and updated me that they found that a login of a user is logged as logout.

weird things going on.

back again to the client team. just as mentioned here

Case is still open, currently at Dev to recreate issue on their side. I hope they do. On the other hand, we have a "working" life demo with the issue still ongoing....

Today I noticed the opposite issue:

A user that is no longer logged on a terminalserver, still has a Thin-Client session on the firewall.

You don't use STAS too for the same network?

doc.sophos.com/.../index.html

I had a similair strange issue with STAS tho. We used 2 different mailboxes (2 AD Accounts) sometimes STAS used the 2nd AD Account which didn't had the right perms for http access. So the use with his logged in AD Acc in Win10 got blocked due to the 2nd AD Acc Mailbox. Pretty weird too.

no we're not using STAS.

support case still going...
a file ...netfilter/xt_LOG.ko has been replaced with a debug version to find out what's happening.
I hope they do.

today on one of our TS it is only possible to authenticate one user. The user that comes second will not be authenticated.

also a new experience. nothing logged in access_server.log when second user logs in.

at logoff event of second user:

MESSAGE   Aug 18 10:02:02.384832Z [access_server]: tlvserver_process_request: GOT ALERT.EXECUTE_HEARTBEAT
ERROR     Aug 18 10:02:07.621513Z [access_server]: (_sqlite_db_handle_get_liveuserinfo): GET_LIVEUSER_INFO_TO_LOGOUT found no entries for IP xxx.xxx.xxx.xxx-3 (sqrs
ERROR     Aug 18 10:02:07.621539Z [access_server]: (handle_external_logout_req_finish_free): SQLITE_REQ_GETLIVEUSERINFO query failed

all parameters for SATC are correctly set on FW and TS.

ntp logs on the client show the user logins and logoffs.

the case is still open. unbelievable, that it is not possible to catch the issue at Sophos side.

2 versions of some debug files have been installed on the firewall since, we're on 19.5. MR3 and the reason why it is happening daily is still unidentified. TS user auth gets fordwarded to firewall, sometimes not.

issue happening with and without EAP verision of enspoint.

documenting this Methusalem a little bit.

last suggestion was:  add reg key on TS

"HKLM\SOFTWARE\Sophos\Sophos Network Threat Protection\Application"  SatcPendDurationMs (DWORD)

No specific value was given. So I tested with 2000ms but that made user logins on the TS extremely slow. So went to 1000ms. That should be enough in LAN environment anyway.

This had absolutely no effect on the SATC Authentication on the Firewall on 2 TS I tested with. Still randomly users on the TS are not authenticated against the Firewall.

even the 1000ms value slowed down user logins massively, less than the value with 2000ms though.

Somehow it is hard to believe that this is working smoothly in production elsewhere.

documenting this Methusalem a little bit.

last suggestion was:  add reg key on TS

"HKLM\SOFTWARE\Sophos\Sophos Network Threat Protection\Application"  SatcPendDurationMs (DWORD)

No specific value was given. So I tested with 2000ms but that made user logins on the TS extremely slow. So went to 1000ms. That should be enough in LAN environment anyway.

This had absolutely no effect on the SATC Authentication on the Firewall on 2 TS I tested with. Still randomly users on the TS are not authenticated against the Firewall.

even the 1000ms value slowed down user logins massively, less than the value with 2000ms though.

Somehow it is hard to believe that this is working smoothly in production elsewhere.

Update: in May 2023 (!) the case moved  from Endpoint Team to NSG, back to Endpoint and back again to NSG.

Today I got an update from the case owner that it is now back at the Endpoint Team.

Hi, we have the same issue as LHerzogs describes.

Since we change to XGS there is a lot of trouble all around authentification from am a terminal server session. support was already in, and one bug was fixed in one of the last firmeware updates.

It is a shame for sophos. User based web filtering is a key feature, the only workaround is via direct proxy, what is not possible in our company.

It get even worse as we were force from the standalone auth client to the new endpoint. both clients are sending the data package so it was no technical issue but a economic problem.

LHerzog please keep us up to date.

"good" to hear that we're not the only customer with this issue. Hope double debug analysis my lead someone to the root cause.