This article explains how to integrate STAS in an environment with a single Active Directory Server.
Note: Please be aware that once STAS is activated for testing or implementation, the firewall drops un-authenticated traffic until the probing responds or times out.
Applies to the following Sophos products and versions Sophos Firewall
Sophos Clientless SSO is in the form of Sophos Transparent Authentication Suite (STAS). The STA Suite consists of:
Go to Start > Administrative Tools > Local Security Policy to view Security Settings. Browse to Security Settings > Local Policies > Audit Policy and double click on Audit account logon events to view the Audit account logon events Properties window.
Select both the Success and Failure options and click OK to close the window.
While still in the Local Security Policy, browse to Security Settings > Local Policies > User Rights Assignment and double click on Log on as a service to view the Log on as a service Properties.
If the Administrative user being used to install and run STAS is not listed here, select Add User or Group and add the user. Select OK to close the window.
Configure the Windows Firewall and/or 3rd party firewall software to allow communication over the following ports:
Note: RPC, RPC locator, DCOM and WMI services should be enabled on workstations for WMI/Registry Read Access.
Log in to your AD Server using an Administrator account and follow the steps below to install and configure STAS:
From the graphical user interface (GUI) of the XG Firewall, go to Authentication > ... (click on the ... symbol at the far right of the authentication menu) > Client Downloads and install it on the AD Server.
You can also download STAS from the Download Clients page in the User Portal while logged in as an Administrator.
Proceed to install the recently downloaded STAS file. Click Next and follow the wizard.
Choose the destination folder.
Select the start menu folder.
Select whether to create desktop and Quick Launch icons.
Review and click Install.
Select SSO Suite and click Next.
Enter the administrator user name and password(s), select Next.
Press Finish to complete the installation.
Once STAS in installed, launch it from Start > All Programs > STAS > Sophos Transparent Authentication Suite or from the Desktop shortcut.
Please refer to Sophos XG Firewall: How to Integrate Sophos XG Firewall with Active Directory for detailed instructions.
Note: You must add the AD Server as a Firewall Authentication Method under the Services tab.
Enter the IP address of the AD server into the Collector IP box and Save.
At this point, the XG Firewall attempts to contact STAS on the AD server over UDP 6060. On the AD Server, open STAS and go to the General tab to see the XG Firewall’s IP address under Sophos Appliances. This is an indication that STAS is connected to the XG Firewall correctly.
Go to Firewall > + Add Firewall Rule to create an identity based firewall rule to control the traffic in a user based fashion.
When the XG Firewall detects non-authenticated traffic from an IP, STAS will put this IP in Learning Mode and send a request to the collector for user information from this IP. While in a learning state, the firewall drops the traffic generated from this IP.
By default, the unauthenticated drop timeout value is 120 seconds. to verify this value, login to the command line interface (CLI) and choose option 4 Device Console and type the following command:
system auth cta show
This timeout is configurable, as an example, to change it to 60 seconds, type the following command:
system auth cta unauth-traffic drop-period 60
Once users has successfully authenticated to the domain, they can be viewed as a live users on either STAS or in Sophos XG Firewall.
On STAS, go to the Advanced tab and select Show Live Users.
On the XG Firewall, go to Monitor & Analyze > Current Activities > Live Users.
On the top right corner of the graphical user interface (GUI), select Log Viewer.
On the Log Viewer window, select Add Filter. Ensure the Field is Log Component, Condition is is and the Value is Firewall Rule. Click Add Filter.
Assuming the user's traffic is hitting a firewall rule which has Match User Identity enabled, their username should now reflect under the Username column.
If you've spotted an error or would like to provide feedback on this article, please use the section below to rate and comment on the article. This is invaluable to us to ensure that we continually strive to give our customers the best information possible.
Every comment submitted here is read (by a human) but we do not reply to specific technical questions. For technical support post a question to the community. Or click here for new feature/product improvements. Alternatively for paid/licensed products open a support ticket.