
"Max login limit reached" error

Hi,

For some time we have been struggling with a large number of active sessions appearing on individual user accounts. Our users work remotely by connecting via Sophos Connect to their desktop computer in the company, and from there via Remote Desktop to the terminal server. As a result, XG Firewall detects several simultaneous active sessions for the same login: 1x IPSec VPN, 1x STAS (desktop) and 1x Thin Client. I would like to add that SATC has been installed and correctly configured on that server.

Unfortunately, from time to time the sessions detected as Thin Client do not expire automatically; they only accumulate. After some time, the Current Activity tab shows 5 or more Thin Client sessions for one login, with start dates up to a few weeks back. Eventually the limit of 7 simultaneous sessions that we set was exhausted, and further logins by that user were rejected by the firewall with the message `auth_client="CTA" auth_mechanism="AD" reason="max login limit reached"`.

In order to solve this problem, I turned on the "Maximum session timeout" option in the Authentication tab and set it to 1440 minutes. From then on, the old Thin Client sessions were properly deleted after 24 hours, and the problem of exceeding the session limit disappeared.

Unfortunately, another problem emerged in its place: after 24 hours, the IPSec sessions initiated by Sophos Connect also began to expire. The effect was that the firewall stopped associating the user's login with the IP address assigned by the VPN, and after exactly 24 hours it began to block all traffic on those firewall rules that were based on logins and AD groups. In that situation the only fix for the user was to restart the VPN connection, which causes various problems and we would generally prefer to avoid it. For example, restarting the VPN connection means that all ongoing SSH connections to remote Linux servers are broken.

In short, I wanted to find out whether it is possible to exclude the sessions belonging to the Sophos Connect client from the "Maximum session timeout" option. Alternatively, is it possible to somehow "refresh" them on the firewall so that the expiration timer is reset?

In my opinion, such a function should be implemented in the Sophos Connect client. For as long as a VPN connection is ongoing, I would expect the user never to be logged out of the firewall.

BTW, our router currently runs on XG Firewall version 17.5.13 MR13.

Regards,
Michal
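Added example, not part of the original post or of any Sophos tooling: a small triage script over XG-style key="value" log lines that reproduces the situation described above, so the stale Thin Client sessions and the user who hit the limit can be found from a log export rather than by scrolling the Current Activity tab. The only field names taken from the post are auth_client, auth_mechanism and reason; the timestamp, user and status fields, the sample lines themselves and the "current time" are constructed for this example. It also implements the exclusion the post asks for, by skipping IPSec sessions when deciding what is stale.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Matches one key="value" pair; values may contain spaces ("Thin Client").
KV_RE = re.compile(r'(\w+)="([^"]*)"')

# Constructed sample: a snapshot of active sessions plus one rejected login.
# Only auth_client, auth_mechanism and reason appear in the post; every other
# field name and all values below are assumptions made for this example.
SAMPLE_LOG = """\
timestamp="2021-03-22 08:00:00" user="michal" auth_client="IPSec" auth_mechanism="AD" status="active"
timestamp="2021-03-22 08:01:10" user="michal" auth_client="STAS" auth_mechanism="AD" status="active"
timestamp="2021-03-22 08:02:30" user="michal" auth_client="Thin Client" auth_mechanism="AD" status="active"
timestamp="2021-03-05 09:12:00" user="michal" auth_client="Thin Client" auth_mechanism="AD" status="active"
timestamp="2021-03-08 14:40:00" user="michal" auth_client="Thin Client" auth_mechanism="AD" status="active"
timestamp="2021-03-11 10:05:00" user="michal" auth_client="Thin Client" auth_mechanism="AD" status="active"
timestamp="2021-03-15 07:55:00" user="michal" auth_client="Thin Client" auth_mechanism="AD" status="active"
timestamp="2021-03-22 08:30:00" user="michal" auth_client="CTA" auth_mechanism="AD" status="failed" reason="max login limit reached"
timestamp="2021-03-22 07:50:00" user="anna" auth_client="IPSec" auth_mechanism="AD" status="active"
timestamp="2021-03-22 07:51:00" user="anna" auth_client="STAS" auth_mechanism="AD" status="active"
"""

MAX_LOGINS = 7                          # the limit the post says was configured
STALE_AFTER = timedelta(minutes=1440)   # the Maximum session timeout from the post
NOW = datetime(2021, 3, 22, 9, 0, 0)    # assumed "current time" for the snapshot


def parse_line(line):
    """Turn one key="value" log line into a dict of its fields."""
    return dict(KV_RE.findall(line))


def parse_log(text):
    """Parse every non-empty line of a log export."""
    return [parse_line(l) for l in text.splitlines() if l.strip()]


def active_sessions(records):
    """Group active sessions by user: user -> [(auth_client, started), ...]."""
    by_user = defaultdict(list)
    for r in records:
        if r.get("status") == "active":
            started = datetime.strptime(r["timestamp"], "%Y-%m-%d %H:%M:%S")
            by_user[r["user"]].append((r["auth_client"], started))
    return dict(by_user)


def rejected_logins(records):
    """(user, auth_client) for every login the firewall refused on the limit."""
    return [(r["user"], r["auth_client"])
            for r in records if r.get("reason") == "max login limit reached"]


def stale_sessions(by_user, now=NOW, max_age=STALE_AFTER, keep_clients=("IPSec",)):
    """Sessions older than max_age, except for client types that must survive.

    keep_clients is the exclusion the post asks for: an IPSec (Sophos Connect)
    session should not be treated as stale no matter how old it is.
    """
    stale = []
    for user, sessions in by_user.items():
        for client, started in sessions:
            if client in keep_clients:
                continue
            if now - started > max_age:
                stale.append((user, client, started))
    return stale


def users_near_limit(by_user, limit=MAX_LOGINS, headroom=1):
    """Users whose active session count is within `headroom` of the limit."""
    return {u: len(s) for u, s in by_user.items() if len(s) >= limit - headroom}


if __name__ == "__main__":
    records = parse_log(SAMPLE_LOG)
    sessions = active_sessions(records)
    print("rejected:", rejected_logins(records))
    print("near limit:", users_near_limit(sessions))
    for user, client, started in sorted(stale_sessions(sessions), key=lambda s: s[2]):
        print(f"stale: {user} {client} since {started}")
```

Running it on the constructed snapshot reports michal at 7 active sessions with one rejected CTA login, and lists the four Thin Client sessions older than 24 hours while leaving the IPSec session alone.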



  • Hi,

    Terminal Server users connect to it remotely using a 10.0.102.x address. Typical communication with the DC server looks like the screenshot below:

    I understand that we are focusing on determining the reason why the firewall is not removing disconnected TS sessions from the active sessions list?
