Log of detection using WMI and STAS on two sites?

This is a set up question.

I have two UTM on different sites, A and B. Each site has a Windows 2016 server DC and STAS is working locally. The sites are connected to each other via Site2Site VPN.

I am trying to achieve that a logged in user is registered in both UTM through STAS regardless if the user is logged in on site A or B.

First I configured each STAS with the two IP-adress of each UTM. But I ran into problem when configuring remote STAS in the UTM. UTM requires that the STAS should be on a physical interface (when configuring IP-address, you must select an interface in UTM). Since the remote STAS is connected via VPN there is no local interface.

Next I configured each STAS agent to also serve the remote STAS Collector. It worked! When a user logs in, the username and IP-address is now registered in both UTM!

I am using WMI for log off detection. Locally it works flawlessly, but not for clients registered on the remote site. I have opened all ports from each DC to the remote networks, and according to firewall log they are communication when testing WMI in the STAS application. Currently the test fails. 

But since this is Microsoft I am not certain that the communication is correct. I believe that there might be a firewall issue for WMI  communication between local DC and clients on remote sites? Or cannot a local DC check a remote network which belongs to the remote DC?

  • Anyone got it to work with several sites on different nets?

  • I have not tried your method.   I have configured support for multiple domains by using AD for the primary and LDAP for the others.   Webfilter works well with both, capturing user identity from NTLM and enforcing policy based on group membership.

    For user portal or WAF logins, the AD domain uses an unqualified username, while LDAP users are qualified (user@example.com, taken from userPrincipalName attribute), so some training may be required for your usets.

    LDAP syntax is a bit obscure, and documentation is scattered.  Send me a private message if you need syntax examples.

  • In reply to DouglasFoster:

    My use case is not differerns domain on each site. It's the same domain on both sites.

    The more I think of it, the more convinced I am that what I have described above does not work. WMI works only on local IP networks that belongs to respectively DC.

    BR
    /Erik

  • In reply to ErikFranzén:

    Erik, if you can replace the VPN tunnel with a RED connection, you can make your solution work.

    Cheers - Bob

  • In reply to BAlfson:

    Thanks for the reply. The reason for having two sites is for redundancy => If site A goes down, site B can be used.

    When configuring site B as a RED, it will be offline if Site A is down?

  • In reply to ErikFranzén:

    We've got 4 DC's setup using STAS and although the logon works, the logoff using WMI doesn't. It doesn't appear to work with terminal servers either

  • In reply to ErikFranzén:

    There's no requirement to configure a RED tunnel in such a way that site B goes down if site A is down, Erik.

    Configuring a RED tunnel between two UTM can give the same result as configuring an IPsec tunnel.  Unlike the IPsec tunnel, the RED tunnel can carry Layer-2 traffic, allowing you to create a bridge between a LAN on one side and a LAN on the other.  Careful to have only a single DHCP server for the bridged LAN.

    Cheers - Bob