Reaching out to kind, wonderful, HELPFUL community! (Buttering you guys up) :-)
In all seriousness... I am hoping ANYONE can help me out answering a few (possibly dumb) questions that I seem to not be able to get answers for (I have been waiting over a week to get this answered from Sophos support).
TOPIC: STAS Suite on Windows Servers (In particular Multiple DC's)
1. SHOULD I BE able to "TEST Connectivity" Between my 2 DC's (BOTH RUNNING SUITE)? YES / NO?
Referring to: STAS Suite "Advanced Tab" >"Test Connectivity"
What I see:
XG Firewall Appliance: 10.130.210.112
"Test Connectivity" on DC STAS Suite:
STAS Agent: From DC1 to DC1 (or DC2 to DC2): Success
STAS Agent: From DC1 to DC2: FAILURE
STAS Collector: From DC1 to DC1 (or DC2 to DC2): Success
STAS Collector: From DC1 to DC2: FAILURE
ALSO: If I try to use the "Configuration Sync" to copy information between the 2 DC's... they both show FAILURE:
Question 2: (I REALLY appreciate WHOEVER takes the time to answer this... I know I can not repay you, but I will THANK YOU FOREVER... and pray for you to be BLESSED!)
2. How would you "Recommend" opening communication between these servers? Sophos documentation only states:
"Make sure that the AD Server has the UDP port 6677 open for communication between STAS and SF.
Make sure that the AD Server has the TCP port 5566 open for communication between the STA Collector and STA Agent."
I have also read elsewhere to open TCP/UDP ports: 6677, 5566, 6060... Are these the right ports?
I am FAR from a Server/Network expert (I wear too many hats (jobs) here to get GOOD at anything). But this is what I did to "Open Ports" for these needed connections (PLEASE correct my errors). Any step-by-step or tips WELCOME!
Example of Step by step I am looking for:
After this I repeated it w/ - Inbound: UDP:6677
Then I configured: "Outbound Rules"
I did this on BOTH DC's... but they STILL can not communicate between the two (as far as testing like above, w/ STAS "Test Connectivity").
NOTE: I can PING between the DC's w/ no problem
Any help WILL NOT go unappreciated... I thank the community (especially individual) for ALL THE HELP they provide!
I advise you to follow this KB:
where you can find which ports and direction ports need to be opened. On Windows Firewall, select the Private Profile.
In reply to lferrara:
Thanks for the reply Luk,
I have read the linked article a few times... plus others... but have not seen any info on just "HOW" to open these ports (or at least "Best Practices") in the most secure way. I know this is probably second nature to most Server/Security guys... but for us one-man-bands (I seem to work on ANYTHING that plugs into the wall around here) it isn't something I do every day. I just want to make sure I am not opening myself up to SECURITY issues. I know Sophos markets itself as "EASY for the ONE-MAN-IT" departments, so I was hoping their documentation would reflect this. But so far I have found the community to be more informative. :-(
I noticed you put down that I should have "Private" selected for the "Profile".
Should I NOT enable "Domain"? Just "Private"?
Do I need to worry about any of these other settings? Or just leave them, since they might cause more issues? Stability is ALSO an issue; I don't want such strict settings that they cause issues of their own. Just looking for "Best Practices". :-)
Again, sorry if these are dumb questions, but I HOPE I am not the only one wondering about opening these ports. Your answers will help MORE! :-) Thank you for taking the time to reply!
In reply to Jarrod Goetz:
Yours is a question mostly about Windows Firewall and not XG itself. I advise you to read the Microsoft articles more carefully, like:
Thanks again for info and getting back to me.
I do realize that setting up the "opening of ports" on my servers is not Sophos direct issue, and I thank you for the linked articles. I will give them a look over.
But I do have one outstanding question for ANYONE running 2 or more DC's with STAS Suite on them:
What I see:
"Test Connectivity" other DC (Agent): FAILED
"Test Connectivity" other DC (Collector): FAILED
Maybe this doesn't work this way in general, and I am wasting my time... so I REALLY need to know if this functions for ANYONE?
As far as logging my workstations in, it does seem to be working just fine (but still only with TEST workstations). I am a bit afraid to do this until I know it will not cause me issues in PRODUCTION.
You have to read the Sophos KB carefully in order to understand how the flow works.
Anyway, STAS uses agents to capture domain controller events and send them to the collector; the collector then collects the agents' data and sends it to the XG firewall. Even if you install multiple STAS packages, only one collector will be elected and work at a time (the first one pingable from XG; it is selected automatically). So the test between agents should work, and even between collectors. Make sure the proper firewall ports are opened between the DCs.
Everything is documented inside the Sophos XG.
Ok... Some VERY INTERESTING developments in this adventure: Please read, for there are some ODD findings... that I think at least raise some questions for SOPHOS!
So when we last left this adventure into why my 2 Domain Controllers running STAS Suite do not seem to be able to "Communicate" between themselves, it looked as if this was a Windows Firewall issue on my servers.
Setup: I can not get "Test Connectivity" to function between my DC's.
I did what SOPHOS and others have Stated in MANY of their KB's and Forum threads...
On BOTH DC's
Inbound: TCP: 5566 / UDP: 6677 (both set for "Private" Profile (least restrictive))
Outbound: TCP: 5566 / UDP: 6060 (both set for "Private" Profile (least restrictive))
(Here I am testing communications between my 2 DC's - within the SOPHOS STAS Suite)
RESULT: "Test Connection FAILED" (For both STAS Agent and STAS Collector)
But... TEST to Sophos XG: "Test Connection Successful"
SO... I decide to try and figure this out (as best I can)
RESULT: "Test Connection FAILED"
Just for the heck of it... let's disable the "Domain" Profile (even though ALL the rules I set up were for the "Private" profile).
RESULT: "Agent Connectivity test SUCCESSFUL" (WHAT? All the rules had "Private" profile selected... this should not have worked?)
OBSERVATION: By disabling the "Domain" policies... I got communication to go between my 2 DC's running SOPHOS STAS Suite... even though the RECOMMENDED firewall rules were set for the "Private" Profile?
Let's see if we can find MORE odd info:
I decided to TURN ON "Logging" for the "Domain" profile so I could possibly see what is going on.
#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2017-03-21 10:38:36 DROP UDP 10.130.210.41 10.130.210.40 57531 50001 33 - - - - - - - RECEIVE
WHAT is this? It is showing UDP port 50001? Shouldn't this be UDP 6677 or 6060? Or some rule I made per SOPHOS?
That can't be... let's try and prove it is trying to use UDP port 50001 (something I DID NOT set up).
So I create an INBOUND rule in Windows Firewall to allow traffic on UDP port 50001 (a port I HAVE NEVER SEEN mentioned by SOPHOS).
RESULT: "Agent Connectivity test Successful"
Let's DISABLE ALL the rules Sophos (and others) have told me I NEED to open:
I DISABLED these (ONLY leaving UDP port 50001 open) (THIS SHOULD NOT WORK)!
Inbound: TCP: 5566 / UDP: 6677 (DISABLED)
Outbound: TCP:5566 / UDP: 6060 (DISABLED)
RESULT: "Agent Connectivity Test Successful" (this SHOULDN'T work, for I DISABLED the needed rules?)
FINAL THOUGHTS or CONCERNS...
It seems even though Sophos STAS Suite shows it wants to "Listen on port 6677 and port 5566",
it seems to be communicating on port 50001 (on the DOMAIN profile)... for ONLY when I enable this does communication start.
Am I missing something? Again, I am a ONE-MAN IT department that is NOT specialized in Firewall/Networking. But this doesn't make sense?
I would like to say I am working on this with SOPHOS... but I have not heard from them for almost 3 days now... and when I do, it is 1 sentence!
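A worked version of the two things the post above does by hand, added here as an editor's example and not code from the thread or from Sophos: it parses Windows Firewall log lines for inbound drops between the two DCs (the sample lines are constructed, copying the format of the #Fields header and the DROP line quoted in the post), then builds Domain-profile inbound allow rules for the ports this thread names (TCP 5566, UDP 6677 and the observed UDP 50001), scoped to the peer DC's address rather than the whole LAN. The addresses 10.130.210.40 and .41 are the ones in the post; the port list is what this thread reports, not an official Sophos list. A rule bound to the "Private" profile never matches on a domain-joined DC whose NIC is in the Domain profile, which is why the rules here use -Profile Domain.

```powershell
# Added example (not from the thread or from Sophos): parse Windows Firewall
# log lines for drops between two STAS hosts, then build scoped Domain-profile
# allow rules for the ports the thread reports. Addresses 10.130.210.40/.41
# are the ones quoted in the post above; the port list is assumed from the
# thread, not from Sophos documentation.

# Constructed sample lines in pfirewall.log format (17 whitespace-separated fields).
$SampleLog = @'
#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2017-03-21 10:38:36 DROP UDP 10.130.210.41 10.130.210.40 57531 50001 33 - - - - - - - RECEIVE
2017-03-21 10:38:40 ALLOW UDP 10.130.210.40 10.130.210.112 6677 6677 120 - - - - - - - SEND
2017-03-21 10:38:41 DROP TCP 10.130.210.41 10.130.210.40 49822 5566 52 S 1234 0 8192 - - - RECEIVE
'@

function Get-FirewallDrops {
    param(
        [Parameter(Mandatory)][string[]]$Lines,
        [Parameter(Mandatory)][string]$LocalIp,
        [Parameter(Mandatory)][string]$PeerIp
    )
    foreach ($line in $Lines) {
        # Skip the '#' header lines and blank lines, then split the data row.
        if ($line -match '^\s*(#|$)') { continue }
        $f = $line -split '\s+'
        if ($f.Count -lt 17) { continue }
        # Inbound drops from the peer DC to this DC are the ones that explain a
        # failed "Test Connectivity" (action, src-ip, dst-ip, path columns).
        if ($f[2] -eq 'DROP' -and $f[4] -eq $PeerIp -and $f[5] -eq $LocalIp -and $f[16] -eq 'RECEIVE') {
            [pscustomobject]@{
                Time     = "$($f[0]) $($f[1])"
                Protocol = $f[3]
                SrcPort  = [int]$f[6]
                DstPort  = [int]$f[7]
            }
        }
    }
}

function New-StasFirewallRule {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$Protocol,   # TCP or UDP
        [Parameter(Mandatory)][int]$Port,
        [Parameter(Mandatory)][string]$PeerIp      # the other STAS host
    )
    $name = "STAS $Protocol $Port from $PeerIp"
    # Domain profile (a DC's NIC is in the Domain profile, so a Private-profile
    # rule never matches) and a single remote address, not the whole subnet.
    if ($PSCmdlet.ShouldProcess($name, 'New-NetFirewallRule')) {
        New-NetFirewallRule -DisplayName $name -Direction Inbound -Action Allow `
            -Protocol $Protocol -LocalPort $Port -RemoteAddress $PeerIp `
            -Profile Domain -Enabled True | Out-Null
    }
    return $name
}

# Ports the thread says are needed between STAS hosts (documented by Sophos:
# TCP 5566, UDP 6677; seen in the log above: UDP 50001). Assumed list.
$StasPorts = @(
    @{ Protocol = 'TCP'; Port = 5566 }
    @{ Protocol = 'UDP'; Port = 6677 }
    @{ Protocol = 'UDP'; Port = 50001 }
)

$local = '10.130.210.40'; $peer = '10.130.210.41'
$drops = Get-FirewallDrops -Lines ($SampleLog -split "`r?`n") -LocalIp $local -PeerIp $peer
$drops | Format-Table -AutoSize

# Any dropped port not already in the list is worth a rule too; this is how
# UDP 50001 surfaced in the post.
foreach ($d in $drops) {
    if (-not ($StasPorts | Where-Object { $_.Protocol -eq $d.Protocol -and $_.Port -eq $d.DstPort })) {
        $StasPorts += @{ Protocol = $d.Protocol; Port = $d.DstPort }
    }
}

# -WhatIf only prints what would be created; remove it to actually add the rules.
foreach ($p in $StasPorts) {
    New-StasFirewallRule -Protocol $p.Protocol -Port $p.Port -PeerIp $peer -WhatIf
}
```

Run it as-is on a DC to see which rules it would create; on a real log, point `Get-FirewallDrops` at `Get-Content "$env:windir\System32\LogFiles\Firewall\pfirewall.log"` instead of the constructed sample. Keep the outbound default (allow) and only add inbound rules; an outbound rule is not what blocks the test.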
Thanks a lot for the thorough troubleshooting. I feel your frustration because I was experiencing the same issue. Opening UDP 50001 did the trick. I have no idea why Sophos is not mentioning this port anywhere, as it's clearly being used to test the connection.
Did you get an answer from Sophos in the end?
I feel your pain! I am a one-man network team (plus additional tasks). The questions you ask were right in line for this thread. Some simple real-world pointers and best practice regarding using Windows Firewall from other, more experienced people is how we learn.
The reason why I am on this thread in the first place is exactly why Jarrod created this thread - Doing the 'STAS->Advanced->STASAgent '[Test]' resulted 'Test Connection Failed'.
I have three STAS Agents running on our three DCs and the STAS Collector running on a utility server. Logon events are being collected and showing in the UTM.
Wanted to find out why the tests fail. Used Wireshark and saw the test used udp/50001 to query the STAS Agent. This was NOT documented in any official SOPHOS documentation.
By the way, there are a lot of things not formally documented regarding the STAS product.
- Issue: Starting STAS service resulted in 'did not start due to a logon failure' message --> Resolved: Easy to open the STAS service and reenter the STAS logon credentials
- Issue: After fresh install, try to start STAS service - 'Error 5: Access denied' --> Resolved: STAS service account needs R/W file access to STAS installed directory.
- Issue: Updates to UTM stop flowing - STAS Agent running out of threads --> Resolved by removing the Collector from the DC; only install Agents on DCs.
- Issue: STAS-Advanced 'Test Connectivity' tests fail --> Resolved by opening FW inbound port udp/50001 on the Agent DC from the STAS Collector server.
- Issue: STAS-harvested users still exist on UTM after log off event
Jarrod - As a network person, learn 'Wireshark' packet analysis to capture traffic. This tool will be your best friend in advance troubleshooting. Network packets do not lie!
One of the things I love about Sophos UTM is that it is Linux and you can use 'tcpdump' to see traffic going from one interface to another interface. Wireshark and tcpdump syntax is similar.
Some of us do not have the luxury to get paid training and have to do on the job training (Google) to complete our tasks.
Last training was for Aruba wireless $3k out of my pocket. Last paid training was over 10 years ago.
We used to be an all-HP shop and were forced onto Cisco gear for two years and then Avaya. Guess what, HP / Cisco gear is still running here and I have to make all this gear interop with everything.