I have some virtual machines with SafeGuard Client and I'm trying to enable users to access them via RDP.
My problem is that when a new user logs in using RDP, his user status is always SGN guest, so I have to go and manually add the user to the machine using the Management Center; only then does he get SGN Windows user / SGN user status and is able to use his keyring. But if a new user logs in using TeamViewer, he gets SGN Windows User status and the keyring is available, so I don't have to do anything on the Management Center.
How can I make logging in with RDP the same as TeamViewer for new users? I have already read a lot of posts in this forum and have already created a specific machine settings policy with "Allow registration of new SGN users for" set to Everybody and "Enable registration of SGN Windows users" enabled, and applied it to the OU containing the virtual machines, but new RDP users are still getting SGN guest status.
Thanks for the help!
It is a very interesting issue. I'd request you to check whether the user is able to log in through TeamViewer as an SGN user when he is getting SGN guest status while trying to log in through RDP.
Also, I'd suggest you apply the above-mentioned setting on the users OU as well and check the result.
In reply to Jasmin:
Hi Jasmin, thanks for looking into my problem.
Yes, when the same user logs in through TeamViewer he gets SGN user status. But the next thing I noticed is that if that same user now logs in through RDP he gets the SafeGuard Logon window, asking to complete the logon. Entering the password and clicking OK unlocks the user's keyring and all is fine. That said, I now believe that when the users are logging in via RDP it isn't using the SafeGuard credential provider (that's why the SafeGuard logon window is showing up), so on the first login it isn't able to do the initial configuration, because the SafeGuard credential provider isn't called. Is there a way to force logins on the machine (including RDP) to use only the SafeGuard credential provider?
I already tried that but no luck.
In reply to rfrancois:
There is no way to force login through the SafeGuard Credential Provider for the users, but if the Microsoft Credential Provider is not available, the user will only be prompted through the SafeGuard Credential Provider.
To hide the Microsoft Credential Provider, we have this document which will help you complete this task. I'd suggest you perform this on one test computer, and you can implement it on others if it completes successfully.
I followed the instructions in the link you sent and was able to remove the Microsoft Credential Provider, so now every time I connect via RDP I'm not automatically logged in: I'm presented with the Windows login screen and the only Credential Provider available is SafeGuard's.
Even with this configuration I'm still facing the same problem when a new user logs in: they only get SGN guest status until they log in using TeamViewer.
To verify that the SafeGuard Credential Provider was indeed being called I did the following test: with a new user I did the first login with TeamViewer, got the message saying that the initial configuration was successful and got SGN user status, then restarted the machine and connected via RDP. As per the new configuration I wasn't logged in automatically and had to log in using the Sophos Credential Provider. When I did log in, this time I wasn't prompted by the SafeGuard login window like I was before doing this configuration, and got SGN user status, so I think the Sophos Credential Provider is working OK now.
How can I force the initial registration/configuration to trigger when using RDP?
This is certainly a new issue for me as well as I have not seen such an issue till now. I'll consult our product support team and will get back to you with their thoughts on this.
I discussed the above scenario with our product support team and found that authentication for SafeGuard is blocked during communication with the SafeGuard Management Center when the user has used RDP, and because of that the initial sync is not initiated straight away; instead, the login window pops up to initiate synchronization.
TeamViewer does not use RDP; it just provides console-type access for the user to reach the machine, hence the process is different for TeamViewer.
If the authentication for SafeGuard is blocked when the user connects through RDP, why do I get SGN user status when the user first logs in using TeamViewer? I can reboot the machine and only log in via RDP and, after that first TeamViewer login, I always get SGN user status, so the authentication must be working. I can't ask all users to log in with TeamViewer the first time.
It's just a quick thought as I nip off to a meeting, but would using Service Accounts help?
This is something that needs in-depth investigation to check a few logs, hence I would suggest you open a support case and PM me the case details.
In reply to Shweta:
As the engineer suggested on the case after discussing it with the escalation team, the issue you are seeing is due to RDP automatically using the Microsoft Credential Provider, which leads to the users being listed as "SGN Guest". Unfortunately, RDP is not supported for use with SGN (the SGN credential provider) as it will automatically leverage the Windows Credential Provider.