Sophos Central Endpoint and SEC: Computers fail/hang on boot after the Microsoft Windows April 9, 2019 update. Please follow knowledge base article 133945
Learn about the Benefits of Multi-Factor Authentication (MFA). Turn your MFA on now!
We'd love to hear about it! Click here to go to the product suggestion community
After implementing STAS in my environment, I've got an issue I don't understand why it's happening.
It's an environment of 3 domains: one top-level domain (eg domain.local), and two sub-domains (sub1.domain.local and sub2.domain.local, hypothetically). Each of these domains have 3 domain controllers, so nine in total. In each domain, 1 domain controller is configured as STAS Collector + Agent, the other two as just Agents. The Agents (and collectors) are configured to send their information to ALL other collectors. All three collectors are configured in Sophos in the same collector group, with their connectivity successfully tested in the STAS suite.
After logging with a user on a workstation, this user immediately appears in the Live Users list in the XG appliance. As long as he stays in this list, the users gets access to the internet through my configured firewall rules with Web Policy etc.. All is well.
The issue is that after some time, this user disappears from the Live Users list. He's still logged in and working on the workstation, but he disappears from the list. All connectivity is gone, as the user-based rule will not match any longer.
So issue#1: Why is the user getting logged out when he's still doing his stuff? STAS Inactivity Timer is set to 540 minutes (A bit longer than a working day), Logoff detection in STAS Suite is set to WMI Workstation Polling, Detection interval 605s, dead entry timeout 0) WMI test is successful:
Issue#2: Based on the following settings, I would expect the captive portal to show up after trying to connect to the internet. It doesn't. (but i can reach it manually at https://ip.of.sophos:8090)
I must be missing something, but can't see what exactly. Did someone experience the same issues?
what XG version are you using?
In reply to lferrara:
We're using SG330 (SFOS 16.05.7 MR-7). I read somewhere that WMI failure is most likely the cause of premature logoffs... I did notice that the WMI check succeeds from the STAS collector in the same domain as the user, but fails from the parent-domain or the sibling-domain. I will investigate this a bit further.
In reply to Ruben Theys:
Hey Ruben.. we too are suffering from premature logoffs with our XG and STAS Live Users.
Have you found any KB articles about WMI Polling failure?
I need to investigate also...
In reply to Tam Ben-Jusu:
Hi in this topic we discussed about a similar issue:
In my case I disabled logoff detection at STAS agent and the problem was solved. To control the user session I only use "User Inactivity"
And to force the captive portal in this case you may check the option at firewall rule:
Obs: I dont know if SG series has similar options... hope that help...
You've probably solved this already but I had the same issue. STAS users disconnecting randomly after a few minutes.
Turns out it was a combination of:
1. The NTP server not being set correctly (by the Sophos expert who initially setup the XG!) and the time had drifted out.
2. One of the domain controllers not being in a server group (on the XG) with a rule applied to stop ip address 'masquerading'.
This resulted in the Kerberos Event 4768 on the dc showing the user with the IP address of the XG!
Hope it helps
Hi. I had the same problem and in my case I discovered that it was because the Sophos Transparent Authentication Suite could not connect via WMI to the workstations. Try deactivating the firewall of the workstation and see if the problem persists. If the user remains connected then that was the fault.To fix it, enable the firewall entry rules for WMI, or you can also do it from the GPO.
In reply to danecix Cicco:
There is a KBA for this.