
User authentication against firewall from terminal server not working properly

We're running a Windows TS with Intercept X. The TS is registered on the firewall (SFOS 19.5.1) as "Citrix Server".

The users who log in to the TS are also authenticated against the firewall through the Intercept X client on the TS. This generally works.

But for a while now, we've been getting complaints from various users saying they cannot access the internet or internal servers. When we check, we see that their TS user session is not authenticated against the firewall.

We ask them to log off and log in to the TS again. Most of the time this works after 2 or 3 attempts: their user session from the TS then appears in the list of authenticated users on the firewall and they can proceed to access the internet and internal servers (based on FW rules with user authentication).

This is strange behaviour, and I'd like to know how we should proceed with analyzing the issue.

Any idea?

The TS has Endpoint EAP.



  • You don't also use STAS for the same network?

    doc.sophos.com/.../index.html

    I had a similar strange issue with STAS though. We used 2 different mailboxes (2 AD accounts); sometimes STAS used the 2nd AD account, which didn't have the right permissions for HTTP access. So the user with his logged-in AD account in Win10 got blocked due to the 2nd AD account's mailbox. Pretty weird too.

  • No, we're not using STAS.

  • Support case still going...
    A file ...netfilter/xt_LOG.ko has been replaced with a debug version to find out what's happening.
    I hope they do.

  • Today on one of our TS it is only possible to authenticate one user. The user who comes second will not be authenticated.

    Also a new experience: nothing logged in access_server.log when the second user logs in.

    At the logoff event of the second user:


    MESSAGE   Aug 18 10:02:02.384832Z [access_server]: tlvserver_process_request: GOT ALERT.EXECUTE_HEARTBEAT
    ERROR     Aug 18 10:02:07.621513Z [access_server]: (_sqlite_db_handle_get_liveuserinfo): GET_LIVEUSER_INFO_TO_LOGOUT found no entries for IP xxx.xxx.xxx.xxx-3 (sqrs
    ERROR     Aug 18 10:02:07.621539Z [access_server]: (handle_external_logout_req_finish_free): SQLITE_REQ_GETLIVEUSERINFO query failed

    All parameters for SATC are correctly set on FW and TS.

    NTP logs on the client show the user logins and logoffs.
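The access_server log excerpt above shows the symptom from the firewall's side: a logout request arrives for an IP/session key that the firewall never registered as a live user, so the login was apparently never received. The following script is an added example for triaging a whole access_server.log export for exactly that pattern; it is not code from the original post or from Sophos. The sample lines are constructed, modelled on the three lines quoted above with documentation-range IPs substituted, and the assumption that the numeric suffix after the IP (e.g. `-3`) distinguishes sessions on the same host is mine, not something the post confirms.

```python
import re
from collections import Counter, defaultdict

# Constructed sample input, modelled on the access_server.log lines quoted in
# the post above. IPs are documentation addresses, not real hosts.
SAMPLE_LOG = """\
MESSAGE   Aug 18 10:02:02.384832Z [access_server]: tlvserver_process_request: GOT ALERT.EXECUTE_HEARTBEAT
ERROR     Aug 18 10:02:07.621513Z [access_server]: (_sqlite_db_handle_get_liveuserinfo): GET_LIVEUSER_INFO_TO_LOGOUT found no entries for IP 192.0.2.10-3 (sqrs
ERROR     Aug 18 10:02:07.621539Z [access_server]: (handle_external_logout_req_finish_free): SQLITE_REQ_GETLIVEUSERINFO query failed
MESSAGE   Aug 18 11:14:00.000001Z [access_server]: tlvserver_process_request: GOT ALERT.EXECUTE_HEARTBEAT
ERROR     Aug 18 11:14:05.120000Z [access_server]: (_sqlite_db_handle_get_liveuserinfo): GET_LIVEUSER_INFO_TO_LOGOUT found no entries for IP 192.0.2.10-7 (sqrs
ERROR     Aug 18 11:14:05.120100Z [access_server]: (handle_external_logout_req_finish_free): SQLITE_REQ_GETLIVEUSERINFO query failed
ERROR     Aug 18 12:30:00.500000Z [access_server]: (_sqlite_db_handle_get_liveuserinfo): GET_LIVEUSER_INFO_TO_LOGOUT found no entries for IP 192.0.2.11-2 (sqrs
"""

# Matches the "logout for an unknown live user" error. The "-N" suffix after
# the IP is captured separately; treating it as a per-host session index is an
# assumption based only on how the quoted line looks.
ORPHAN_LOGOUT = re.compile(
    r"^(?P<level>\w+)\s+"
    r"(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}\.\d+Z) \[access_server\]: "
    r"\(_sqlite_db_handle_get_liveuserinfo\): GET_LIVEUSER_INFO_TO_LOGOUT "
    r"found no entries for IP (?P<host>\d{1,3}(?:\.\d{1,3}){3})(?:-(?P<suffix>\d+))?"
)


def orphan_logouts(log_text):
    """Return one record per logout the firewall could not match to a live user.

    Each such event means a TS session ended on the firewall side without a
    matching login ever having been recorded, which is the failure the post
    describes (user session missing from the authenticated-users list).
    """
    events = []
    for line in log_text.splitlines():
        m = ORPHAN_LOGOUT.match(line)
        if m:
            events.append({"ts": m["ts"], "host": m["host"], "suffix": m["suffix"]})
    return events


def orphans_per_host(log_text):
    """Count orphan logouts per terminal-server IP, to see which TS is affected."""
    return Counter(e["host"] for e in orphan_logouts(log_text))


def sessions_per_host(log_text):
    """Map each TS IP to the sorted list of session suffixes that had orphan logouts."""
    sessions = defaultdict(set)
    for e in orphan_logouts(log_text):
        if e["suffix"] is not None:
            sessions[e["host"]].add(int(e["suffix"]))
    return {host: sorted(s) for host, s in sessions.items()}


def report(log_text):
    """Human-readable summary for a support ticket; returns the lines it prints."""
    lines = []
    for host, count in orphans_per_host(log_text).most_common():
        suffixes = sessions_per_host(log_text).get(host, [])
        lines.append(f"{host}: {count} orphan logout(s), session suffixes {suffixes}")
    for line in lines:
        print(line)
    return lines


if __name__ == "__main__":
    # Replace SAMPLE_LOG with open("access_server.log").read() on a real export.
    report(SAMPLE_LOG)
```

Run it against a full log export taken over a day and compare the per-host counts with the helpdesk complaints: if every affected user's TS shows up here, the login is being lost before or at the firewall, not in the firewall rule evaluation.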

  • The case is still open. Unbelievable that it is not possible to catch the issue on Sophos' side.

    2 versions of some debug files have been installed on the firewall since; we're on 19.5 MR3 and the reason why it is happening daily is still unidentified. TS user auth gets forwarded to the firewall, sometimes not.

    Issue happening with and without the EAP version of the endpoint.

  • Documenting this Methuselah a little bit.

    Last suggestion was: add a reg key on the TS

    "HKLM\SOFTWARE\Sophos\Sophos Network Threat Protection\Application"  SatcPendDurationMs (DWORD)

    No specific value was given, so I tested with 2000ms, but that made user logins on the TS extremely slow. So I went to 1000ms. That should be enough in a LAN environment anyway.

    This had absolutely no effect on the SATC authentication on the firewall on the 2 TS I tested with. Still, random users on the TS are not authenticated against the firewall.

    Even the 1000ms value slowed down user logins massively, less than with 2000ms though.

    Somehow it is hard to believe that this is working smoothly in production elsewhere.

  • Update: in May 2023 (!) the case moved from the Endpoint Team to NSG, back to Endpoint and back again to NSG.

    Today I got an update from the case owner that it is now back at the Endpoint Team.

  • Hi, we have the same issue as LHerzogs describes.

    Since we changed to XGS there is a lot of trouble all around authentication from a terminal server session. Support was already in, and one bug was fixed in one of the last firmware updates.

    It is a shame for Sophos. User-based web filtering is a key feature; the only workaround is via direct proxy, which is not possible in our company.

    It gets even worse as we were forced from the standalone auth client to the new endpoint. Both clients are sending the data package, so it was no technical issue but an economic problem.

    Please keep us up to date.

  • "Good" to hear that we're not the only customer with this issue. Hope the double debug analysis may lead someone to the root cause.