CTAS / STAS interop

This has previously been a (mostly) Cyberoam site. We are now setting up our first Sophos XG 115. CTAS 2.1.2.5 is in place and working.

Will Sophos devices work with CTAS?

Will Cyberoam devices work with STAS?

If I install STAS over CTAS, will the configuration migrate to STAS?

TIA

  • 55 views, 0 replies. Guess I'll be opening a support ticket!

  • In reply to IT IT7:

    382 views, 6 subscribers, 0 replies.

    Never did call support...outrageous hold times, even for partner support. Then again, phone support might have answered by now. Whereas here on the forum, still no answers at all! And then there's chat support, which is awesomely responsive--because their only job is to refer you to phone support. And email support, which results in an auto-reply telling you no ticket has been opened, and to contact phone support.

    Yikes.

    So I came up with my own answer--

    Empirically and unofficially, after running it this way for a couple of months, Sophos XG115s don't care that I'm running CTAS. I'd speculate that CRs wouldn't balk at using STAS, either, but untested here.

    Sophoroam needs to get their support act together; this is unacceptable.

  • In reply to IT IT7:

    This forum is most likely moderated by people in their free time.
    Plus there are some people working for Support who actually interact with people.

    The correct way to interact with Support should always be to open a case via the webpage.

    https://secure2.sophos.com/en-us/support/open-a-support-case.aspx

    The page points out that you should call if you have an urgent request.

    For Critical Cases:
    You’ll receive a case number when you submit your ticket. Once you have this number, call us for immediate assistance. Select your region below to view the correct number to call.

    Actually, I cannot answer that question, because I never used a Cyberoam appliance.

     or  can maybe give some insights. 

  • In reply to LuCar Toni:

    I understand how forums work...I've been a volunteer and user on many going all the way back to the days when most IT companies hosted forums on CompuServe. That experience also enables me to tell a useful forum from a marginal one. Sophos needs to step up their official presence here.

    Regarding your quote from the support page, this was FAR from a "critical case". I was planning the addition of a Sophos firewall to our previously all-Cyberoam network weeks in advance of deployment. This question was a PERFECT fit for a forum, and a good opportunity to gauge the value of the forum--or lack thereof. Regarding phone support, Sophos has a different view of "Immediate assistance" than I do; the 20-minute hold times I've experienced are unacceptable.

  • In reply to IT IT7:

    Hi  

    My sincere apologies for your negative experience. As Luca mentioned, we do have Staff monitoring the forums and are working to increase our overall presence on the Community. Please don't hesitate to PM me directly if you had any other questions or concerns I could help with.

    Regards,

  • Hi  

    We are sorry for the inconvenience caused!

    If you are running a Sophos XG firewall, I would recommend that you install STAS on the AD server for a seamless STAS authentication experience for the users.

    I would also recommend that you bypass ports such as 6060 and 6677 in the AD server's local firewall.

    Please make sure that the Kerberos authentication event is enabled for success and failure events.

    Please refer to this article for the configuration: https://community.sophos.com/kb/en-us/123156

    Please contact us for any further assistance with STAS; we are happy to help you.

  • In reply to Keyur:

    Thank you, Keyur and FloSupport.
    We have a mix of Cyberoams and Sophos. Until we're 100% migrated to Sophos, we need a solution for both devices. So your answer returns us to my original questions:

    (Don't know how that text became purple; other than that it was pasted from a Win 10 Sticky Note, where it was black text!)

    Will Sophos devices work with CTAS? (Empirically, yes, because we're doing it...but is it supported?)

    Will Cyberoam devices work with STAS?

    If I install STAS over CTAS, will the configuration migrate to STAS?

    Thanks.

  • In reply to IT IT7:

    Hi  

    Unfortunately, you have to use separate authentication software for Cyberoam and Sophos.

    STAS for Sophos and CTAS for Cyberoam.

    No configuration migration will happen, nor is there a feature available to migrate the configuration from CTAS to STAS or vice versa.

    I will contact the concerned team and if any possibilities are there as per your requirement, I will inform you further.

  • In reply to Keyur:

    Keyur, the concerned team needs to know that because both CTAS and STAS would be required in our scenario, CTAS and STAS would have to share the same DCs. If guidance is required on that beyond using non-default ports for one or the other, please let me know.

    I can see this quickly becoming a nuisance. This client is pretty dynamic about setting up and taking down remote sites. We will have legacy Cyberoams around until end-of-support.

    I don't really like running ANY software on a DC--much less TWO programs that are identical except for the icon and the first word in the title bar!

  • In reply to IT IT7:

    You could actually run STAS on a second server and simply fetch the Logs.

    STAS 2.5 is able to be installed on another server and fetch all the DC Logs.

    https://community.sophos.com/kb/en-us/133531

    Maybe this helps. 

  • In reply to LuCar Toni:

    Thanks, LuCar, I did not know that. That would let me keep STAS off the DCs and use default ports throughout to simplify deployment.

    It doesn't address keeping the relevant portions of CTAS & STAS configs synchronized, so I'm still hoping Sophos will provide a more sensible migration path. Even if that requires migration to STAS, and Sophos supporting using Cyberoam CRs against it.

    That said, I'd speculate that the config sync works between CTAS and STAS, just as Sophos XG can clearly obtain logon data from CTAS.

  • In reply to IT IT7:

    Hi  

    I would request you to open a service request for further assistance on your requirement.

    Please message us the service request number. 

  • In reply to Keyur:

    SR number sent.

  • In reply to IT IT7:

    Hi there,

    Thanks for providing the service request number.