This article describes the steps to set up Sophos Authentication for Thin Client (SATC), in which users are authenticated to a Microsoft Remote Desktop server (legacy Terminal server). Sophos Firewall controls those authenticated users with a session-based approach, via an identity-based firewall rule that provides more granular access control per user group. The following sections are covered:
Applies to the following Sophos products and versions: Sophos Firewall
From Sophos Firewall's graphical user interface (GUI), go to Authentication > Client Downloads and download Sophos Authentication For Thin Client (SATC).
Once downloaded, go to the Microsoft Remote Desktop server to install SATC.
Choose the destination folder.
Please refer to Sophos Firewall: How to integrate Sophos Firewall with Active Directory for detailed instructions.
Please refer to Sophos Firewall: How to import Active Directory OUs and groups for step-by-step guidance.
Log in to the command line interface (CLI) and choose option 4. Device Console. Type the following command to add the Remote Desktop server IP:
system auth thin-client add citrix-ip 192.168.3.100
Note: From SFOS version 17.0 MR5 (188.8.131.52) onwards, XG Firewall supports up to 192 servers. Previously, only 64 servers were supported. Once the limit is reached, the error message below will be received:
"Maximum Thinclient limit reached. Maximum supported Thinclients are 192."
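When several Remote Desktop servers have to be registered, the command lines can be prepared and checked against the server limit beforehand. The following is an added example, not part of the original article or of any Sophos tooling: the function name, the inventory format (one IPv4 address per line, `#` for comments) and the sample addresses other than 192.168.3.100 are assumptions.

```python
import ipaddress

CMD = "system auth thin-client add citrix-ip {}"  # command syntax from the article
LIMIT_CURRENT = 192  # SFOS 17.0 MR5 and later, per the article
LIMIT_LEGACY = 64    # earlier versions, per the article


def build_commands(hosts, already_configured=0, limit=LIMIT_CURRENT):
    """Return one Device Console command per unique, valid IPv4 address.

    Raises ValueError on a malformed address, or when the servers already
    configured plus the new ones would exceed the thin-client server limit.
    """
    seen, commands = set(), []
    for raw in hosts:
        text = raw.strip()
        if not text or text.startswith("#"):
            continue  # skip blank lines and comments in the inventory
        try:
            ip = ipaddress.IPv4Address(text)
        except ipaddress.AddressValueError as exc:
            raise ValueError(f"not an IPv4 address: {text!r}") from exc
        if ip in seen:
            continue  # the same server listed twice needs only one entry
        seen.add(ip)
        commands.append(CMD.format(ip))
    total = already_configured + len(commands)
    if total > limit:
        raise ValueError(f"{total} servers exceeds the limit of {limit}")
    return commands


# Constructed sample inventory (hypothetical hosts, one duplicate, one comment)
SAMPLE = ["192.168.3.100", " 192.168.3.101 ", "# standby", "192.168.3.100", ""]

if __name__ == "__main__":
    for line in build_commands(SAMPLE):
        print(line)
```

Rejecting malformed entries before they reach the console keeps the list of registered servers limited to addresses that were reviewed as actual Remote Desktop hosts.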
Go to Firewall and add a new or edit an existing rule to configure identity and add users or groups.
Note: If thin client users need to run applications installed on the Remote Desktop server, a firewall rule allowing these applications from the Remote Desktop server itself is required. This firewall rule must be below the identity-based firewall rule.
Have users log on to the Microsoft Remote Desktop server and then browse the Internet. Go to Current Activities > Live Users and verify that users are categorized as Thin Client and are connected from the same IP address as the Microsoft Remote Desktop server, each with a different session ID.