
SATC issue - Users not showing up in Live Users - Endpoint protection 10.8?

I've been working on testing SATC on one of our RDSH servers to a Sophos XG310, but can't seem to get it to work.

I have run through the troubleshooting SATC document, and the only thing which remains which may be the issue is that we have Endpoint Protection 10.8.2.227 installed along with InterceptX 2.0.11. There is an article that states that Endpoint Web Protection is incompatible with SATC, but it refers to version 10.7.2 as the latest affected; however, does anyone know if the Web Protection issue remains in version 10.8.2 and will need to be disabled?

 

I've added the RDSH server IP to the XG310 using the CLI

Firewall authentication is AD first, then local

There is a firewall rule set up for testing for outbound HTTPS traffic from that server for all authenticated users

As described in the diagnostics KB, I've run a packet capture on the XG310

It receives packets from the RDSH on port 6060 (UDP)

The packet decodes correctly, with the username, source and destination ports

The traffic shown (source and destination port values) match traffic which subsequently appears in the packet capture

The Authentication service on the XG310 has been restarted

 

Any ideas on anything else I can try?
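The diagnostic step above (each SATC report arriving on UDP 6060 should be followed by a matching flow from the RDSH through the firewall) as an added Python example; this is not code from the thread or from Sophos, the report fields and sample values are constructed, and the real SATC wire format is not reproduced here.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class SatcReport:
    """A decoded SATC user-mapping report (fields as described in the thread)."""
    ts: float
    user: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


@dataclass(frozen=True)
class Flow:
    """A TCP flow subsequently seen leaving the RDSH in the firewall capture."""
    ts: float
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


def correlate(reports, flows, window=30.0):
    """Pair each report with the first later flow on the same 4-tuple within
    `window` seconds. Returns (matched pairs, flows no report preceded); the
    second list is the traffic the firewall would see as unauthenticated."""
    flows = sorted(flows, key=lambda f: f.ts)
    claimed, matched = set(), []
    for r in sorted(reports, key=lambda r: r.ts):
        for i, f in enumerate(flows):
            if i in claimed or f.ts < r.ts or f.ts - r.ts > window:
                continue
            if (f.src_ip, f.src_port, f.dst_ip, f.dst_port) == (r.src_ip, r.src_port, r.dst_ip, r.dst_port):
                claimed.add(i)
                matched.append((r, f))
                break
    return matched, [f for i, f in enumerate(flows) if i not in claimed]


# Constructed sample: one RDSH (hypothetical address 10.0.0.5) with three HTTPS sessions.
SAMPLE_REPORTS = [
    SatcReport(1.0, "richard", "10.0.0.5", 51000, "52.96.0.1", 443),
    SatcReport(5.0, "alice", "10.0.0.5", 51002, "13.107.0.1", 443),
]
SAMPLE_FLOWS = [
    Flow(1.2, "10.0.0.5", 51000, "52.96.0.1", 443),    # reported by SATC
    Flow(3.0, "10.0.0.5", 51001, "142.250.0.1", 443),  # no report: browser session SATC never saw
    Flow(5.1, "10.0.0.5", 51002, "13.107.0.1", 443),   # reported by SATC
]


def check_rdsh_mappings():
    return correlate(SAMPLE_REPORTS, SAMPLE_FLOWS)
```

A flow that shows up in the second list with no preceding report points at the client side (SATC not hooking that process), not at the firewall.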



  • Hello  

    Yes, this is still a problem and AV would either have to be disabled completely or the web control portion of it.  The reason is because SATC, when designed, operates similar to the way malware now operates to hijack user sessions.  It is this process that is being recognized as malware and blocked.

    As you are doing web control from the XG, there is no need for web control policies on the endpoint.

    User mapping with RDS is being redeveloped to see if it can use the virtual IP services that RDS can provide.  

    Thanks.

    KingChris
    Community Support | Sophos Support

    Sophos Support Videos | Knowledge Base | @SophosSupport | Sign up for SMS Alerts
    If a post solves your question use the 'This helped me' link

  • OK, that confirms what I am now seeing with regards to traffic being authenticated from Office 365 apps (Teams and Outlook) but not from IE or Chrome regardless of the Enhanced Protection (IE) or Network In Process (Chrome) settings.

    Within Sophos Central, what is the least required settings to turn off to allow SATC to operate correctly for web browsing? We cannot disable AV completely due to other potential threats.

    Many thanks,

    Richard