Sophos Transparent Authentication Suite (STAS) version 2.5 is now available for download from the XG Firewall.
Supported deployment modes:
This article describes the steps to deploy STAS v2.5 on a DC and on a member server.
Note: STAS v2.5 is supported on Windows Server 2008R2, 2012R2, 2016 and 2019. The Essentials versions should also be supported, starting with SBS 2011. The following sections are covered:
Applies to the following Sophos products and versions: Sophos Firewall
Please refer to Sophos XG Firewall: Clientless Single Sign-On in a Single Active Directory Domain Controller environment. The only change in STAS v2.5 is that when you configure the STA Agent tab you have the option to add the Domain Controller IP, but since we are installing STAS on the DC, we can leave it empty.
Log on to a member server machine and go to Local Security Policy, browse to Security Settings > Local Policies > User Rights Assignment and double-click Log on as a service to view the Log on as a service Properties.
If the Administrative user being used to install and run STAS is not listed here, select Add User or Group and add the user. Select OK to close the window.
Click Next and follow the Wizard.
Choose SSO Suite and click Next.
Enter the administrator username in the form of DomainName\UserName along with its password. We need to specify the DomainName because we are installing STAS on a member server.
In the General tab, add the NetBIOS Name and the Fully Qualified Domain Name.
In the STA Agent tab, set the Domain Controller IP (the only new change in STAS v2.5) and specify the networks to be monitored.
In the STA Collector tab, set the XG firewall's IP address.
Click on OK to close the app and start the STA agent automatically or go back to the General tab to start the STA agent.
STA Agent is now started.
Please refer to Sophos XG Firewall: How to Integrate Sophos XG Firewall with Active Directory for detailed descriptions.
Note: You must add the AD Server as a Firewall Authentication Method under the Services tab.
Go to Authentication > STAS to enable STAS by selecting the ON button and click on Activate STAS.
Once activated, select Add New Collector.
Enter the IP address of the member server into the Collector IP box and Save.
At this point, the XG Firewall attempts to contact STAS on the Member server over UDP 6677. On the Member Server, open STAS and go to the General tab to see the XG Firewall’s IP address under Sophos Appliances. This is an indication that STAS is connected to the XG Firewall correctly.
Go to Firewall > + Add Firewall Rule to create an identity-based firewall rule to control the traffic on a per-user basis. Make sure to enable Log firewall traffic.
Once users have successfully authenticated to the domain, they can be viewed as live users in either STAS or Sophos XG Firewall.
On STAS, go to the Advanced tab and select Show Live Users.
On the XG Firewall, go to Monitor & Analyze > Current Activities > Live Users.
On the top right corner of the graphical user interface (GUI), select Log Viewer.
On the Log Viewer window, select Add Filter. Ensure the Field is Log Component, the Condition is "is" and the Value is Firewall Rule. Click Add Filter.
Assuming the user's traffic is hitting a firewall rule which has Match User Identity enabled, their username should now appear under the Username column.
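The member-server prerequisites from the steps above (the Log on as a service right and the UDP 6677 port the XG Firewall contacts) can also be checked from an elevated PowerShell prompt. This is an added example, not part of the original article or Sophos tooling; the -Account parameter and the temporary file name are assumptions, and it expects a listener on the port only once the STA agent has been started.

```powershell
# Added example: verify STAS member-server prerequisites (run elevated).
# Get-NetUDPEndpoint requires Windows Server 2012 or later (not 2008R2).
param(
    [Parameter(Mandatory = $true)]
    [string]$Account,              # the DomainName\UserName used to install and run STAS
    [int]$CollectorPort = 6677     # UDP port named in this article
)

# 1. Resolve the account to its SID; secedit lists rights holders as "*SID".
$sid = ([System.Security.Principal.NTAccount]$Account).Translate(
        [System.Security.Principal.SecurityIdentifier]).Value

# 2. Export the user-rights section of the local security policy and read
#    the "Log on as a service" entry (SeServiceLogonRight).
$cfg = Join-Path $env:TEMP 'stas_user_rights.inf'   # hypothetical temp file name
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
$line = Select-String -Path $cfg -Pattern '^SeServiceLogonRight\s*=' |
        Select-Object -First 1
Remove-Item $cfg -Force

# 3. Entries are comma-separated: "*S-1-5-..." for SIDs, plain names otherwise.
#    Only direct assignment is checked; a right inherited through a group
#    shows up as the group's SID, not the user's.
$holders = @()
if ($line) {
    $holders = ($line.Line -split '=', 2)[1].Split(',') |
               ForEach-Object { $_.Trim().TrimStart('*') }
}
$shortName = ($Account -split '\\')[-1]
$hasRight  = ($holders -contains $sid) -or
             ($holders -contains $Account) -or
             ($holders -contains $shortName)

# 4. Look for a local UDP listener on the collector port and name its process.
$listener = Get-NetUDPEndpoint -LocalPort $CollectorPort -ErrorAction SilentlyContinue |
            Select-Object -First 1
$procName = $null
if ($listener) {
    $procName = (Get-Process -Id $listener.OwningProcess).ProcessName
}

# 5. Summarise the result as a single object.
[pscustomobject]@{
    Account                = $Account
    LogOnAsServiceAssigned = $hasRight
    UdpPort                = $CollectorPort
    UdpListening           = [bool]$listener
    ListeningProcess       = $procName
}
```

If UdpListening is True but the XG Firewall's IP address does not appear under Sophos Appliances, check that the host firewall on the member server and any device in the path allow UDP 6677 from the XG Firewall.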