Sophos Client Authentication Agent - Multi Site Setup

Hi All,

We have a multi site environment with a business requirement for all users to be authenticated for Internet Access. We seem to be unable to authenticate users at the Branches against the Head Office XG Firewall. Head Office users authenticate without issue. All branches connect to head office via RED. 

Does anyone know if this setup is supported? If not, are there any best practices / recommendations for how we can achieve multi site authentication against the head office firewall?

Quick Environment Summary

At present we have Head Office & 3 Branch Sites. The branches all connect to head office using RED.

Head Office: XG210 - authentication is achieved using Active Directory Integration & the server is physically located on the same site & subnet.

Branches (x3): XG125 - different sites & subnets - all traffic routed over RED to Head Office

Any assistance / guidance would be much appreciated.

Thanks

Adam

  • This should be possible. 

    Let's wrap up.

    Your clients at the branches use the same AD at Head Office and the authentication (via Windows) works? 

    So all Logon Events are logged on AD? 

    You basically should include the subnets on the STAS Agent and the collector should pick up all users of the branches. 

  • In reply to LuCar Toni:

    Thanks for the response.

    Yes, a single AD server which all users from all sites authenticate via.

    Yes, logon/logoff events for all sites are against this AD server.

    We have had very mixed results with STAS in the past. Any tips for young players?

    Thanks

  • In reply to Adam Rippon:

    The most important part is to use the proper logoff detection. STAS needs to verify the user is actually logged in. 

    https://community.sophos.com/kb/en-us/123020

    Use STAS2.5 (newest version).

    Install the STAS Suite and configure everything like here: https://community.sophos.com/kb/en-us/123156

    Verify that your GPO works properly, as per KBA123020. 

    Afterwards this should work fine. 

  • In reply to LuCar Toni:

    Thank you mate.

    Seems like the WMI query was the issue - when resolved it started working a lot more reliably.

    Will do some more detailed testing now.

    Much appreciated for your help