
SATC replacement - Server Endpoint

We had a customer put a case in yesterday about having the Server Endpoint Software configured to replace the failing SATC software. I advised I knew it was in the pipe but hadn't heard it had been released yet, and then he shared these two links:

Set up SATC with Sophos Server Protection

Sophos Firewall: SATC with Server Protection

I worked through it with him, and I'm happy to report it all worked a treat across multiple browsers and clients on his THIN Client. Just thought I'd give anyone a heads up who has been waiting and may have missed the announcement. 



  • It is attached to the Server Core Version 2.19.X 

    So if a customer wants to use this, make sure the Core Agent is updated to a 2.19.X version.


  • Yeah the customer had to opt in to EAP, the process is in one of the above links.


  • Found this post by chance. Thanks for posting this.

    Last week I planned the SATC Client deployment for this week after reading the articles on the Sophos website. Now with EAP enabled and waiting for the server to receive the 2.19.x beta, I can skip that and only need to create the registry keys on the Terminal Server and add the machine to XG in the advanced shell.

  • Hello LHerzor,

    unfortunately it's not just about the correct version of the Core agent and EAP participation. The web security in the Core agent has to be disabled. Unfortunately, this is not written anywhere, and a colleague worked on it with the Sophos GES team for more than two months before the whole solution was fully functional.

    Regards

    alda

  • Hi,

    I installed the EAP on a Terminal Server today, set the reg keys, added its IP on the XG, logged on at the TS and could see at least 2 authenticated AD users with type Thin Client from that IP on the XG FW.

    Are you sure something still needs to be disabled? According to the documentation, at least IPS is required to be enabled on the Intercept-X client.

  • Hello LHerzog,

    my colleague told me that until web security is disabled in the Core agent on the Terminal Server, the Core agent blocks client access to the Internet. This requirement was communicated by the GES team. Unfortunately, it is not mentioned anywhere.

    I assume he has a statement from the GES team in his email. I could send it to your PM.

    Regards

    Alda

  • Thanks for the PN. I have tested WAN website access from that machine:

    As soon as I opened a public website (https://www.splunk.com, Splunk as an example, for which I created a firewall rule), I got the "denied because of security heartbeat" banner on the machine, with the certificate shown from the Intercept X endpoint.

    At the same time, the server lost security heartbeat at the firewall and is now shown as status red there:

    It has not recovered from that state while writing this post.

  • Do you do HTTPS scanning on the server? And what's the firewall rule? What are the settings on the firewall rule? Do you use Kerberos? Because this feature is not Kerberos.


  • Yes, I created a FW rule for that server, based on allowed users and with a green source security heartbeat. HTTPS scan, no decryption.

    The issue is the heartbeat on the Intercept-X client. It cannot get the heartbeat configuration when SATC is set up between the computer and the XG Firewall.

    This is the heartbeat log of the client after the reboot I did minutes ago:

    a 2021-11-15T16:05:14.670Z [2040:2080] - ----------------------------------------------------------------------------------------------------
    a 2021-11-15T16:05:14.670Z [2040:2080] - Starting Heartbeat version 1.14.663.0
    a 2021-11-15T16:05:14.670Z [2040:2080] - ----------------------------------------------------------------------------------------------------
    a 2021-11-15T16:05:14.678Z [2040:2188] - No configuration available to establish Heartbeat connection.
    a 2021-11-15T16:20:45.220Z [2040:2188] - The connection configuration has changed. Reloading settings.
    a 2021-11-15T16:20:45.352Z [2040:2188] - Connection succeeded.
    a 2021-11-15T16:20:45.353Z [2040:2188] - Connected to 'xxxxxxx-ede8-xxxxxx-99b1-xxxxxx13f1b' at IP address 52.5.76.173 on port 8347
    a 2021-11-15T16:20:48.349Z [2040:2188] - Sending network status. Active Interfaces:
    MAC: 00:50:56:85:3B:1B - INET: xxx.xxx.xxx.45 - INET6: fe80::xxx:xxx:xxx:7377

    At ~ 16:18 I created a new Central Policy with Web Filtering disabled for that SATC-enabled Server in the Threat Protection Policy

    At ~ 16:20 I clicked on Update on the Client Intercept X.

    At 16:20:45 the heartbeat through the XG firewall was established first time.

    I can now connect to the test website (Splunk).

    Other websites are disallowed as per policy.

    Disabled Webfilter:

    What is the question about Kerberos about? SATC? Webfilter?
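The heartbeat log quoted above, as an added example that is not part of the thread: a small Python parser that measures how long the endpoint sat at "No configuration available" before "Connection succeeded", which is the delay between the policy change and the heartbeat coming up. The log lines are constructed from the ones quoted above (the leading "a " is tolerated as extraction residue).

```python
import re
from datetime import datetime, timedelta
from typing import Optional, Tuple

# Constructed from the heartbeat log quoted in the thread (four of its lines).
LOG = """\
a 2021-11-15T16:05:14.670Z [2040:2080] - Starting Heartbeat version 1.14.663.0
a 2021-11-15T16:05:14.678Z [2040:2188] - No configuration available to establish Heartbeat connection.
a 2021-11-15T16:20:45.220Z [2040:2188] - The connection configuration has changed. Reloading settings.
a 2021-11-15T16:20:45.352Z [2040:2188] - Connection succeeded.
"""

# <optional "a "> <ISO-8601 UTC timestamp> [pid:tid] - <message>
_LINE = re.compile(r"^(?:a\s+)?(\S+Z) \[(\d+):(\d+)\] - (.*)$")


def parse_line(line: str) -> Optional[Tuple[datetime, str]]:
    """Return (timestamp, message) for a heartbeat log line, or None if it does not match."""
    m = _LINE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%S.%fZ")
    return ts, m.group(4)


def heartbeat_gap(log: str) -> Optional[timedelta]:
    """Time from the first 'No configuration available' line to the next
    'Connection succeeded'; None if the heartbeat never came up in the log."""
    start = None
    for line in log.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, msg = parsed
        if start is None and msg.startswith("No configuration available"):
            start = ts
        elif start is not None and msg.startswith("Connection succeeded"):
            return ts - start
    return None
```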

  • I mean, do you use Kerberos (AD SSO) for the zone of the Server on the firewall? Is Kerberos (AD SSO) enabled on your Firewall? 

    Because right now, the heartbeat is not affected in any way by the HTTPS scanning of SATC, since HTTPS scanning works only for HTTPS (443/80) and the heartbeat port is a different one (8347).

    Does the firewall use "Match unknown users"? 


  • Hi,

    no, we're not using AD SSO on any Zone.

    Most firewall rules match known AD Users.

    I can see the user is authenticated on XG from that server. But when I try to hit some firewall rule by communicating with other machines in other subnets, it's not working because the user is not bound to the traffic, as can be seen in the live logging.

    Currently, I cannot access any internal targets that require user authentication from that SATC Server.

    Web rules are working though. Nothing else... What's that?

    I'm not aware of a feature "Match unknown users" - can you explain this?

  • I wonder how this all got working at the customer? Or do they need the TS only for surfing? Or don't they have user-based rules on the XG for internal servers?

  • I'm not sure I follow all of the above, but essentially:

    Customer just connects to RDC from the internet using published apps, and then we use SATC to filter OUTBOUND HTTP(s) web requests and apply the appropriate filtering.

    The RDC server has a number of applications on the session host that all work fine (outlook, etc.) and when they come to use the published browser, it just makes sure they can't get on stuff they shouldn't be able to.


  • OK, that explains why they probably didn't notice issues as long as they have web filtering in Intercept-X disabled.

    Would be nice to know if they could access some other internal destination from that server that has user authentication required on the firewall rule.

  • As far as I know, all traffic should be covered by Server Protection, and not only web-based. But you need to differentiate between traffic generated by the server itself and by a session. If you RDP to a session, can you do an SSH and does it get filtered by the firewall rule accordingly?


  • So: 

    This is rule 6. 

    RDP Session to the server.

    proto=tcp proto-no=6 timeout=102 state=SYN_SENT orig-src=192.168.1.5 orig-dst=172.17.1.2 orig-sport=7484 orig-dport=3390 packets=3 bytes=152 [UNREPLIED] reply-src=172.17.1.2 reply-dst=192.168.1.5 reply-sport=3390 reply-dport=7484 packets=0 bytes=0 mark=0x0 use=1 id=1974529064 masterid=0 devin=PortA devout=xfrm1 nseid=50334781 ips=1 sslvpnid=0 webfltid=1 appfltid=1 icapid=0 policytype=2 fwid=6 natid=0 fw_action=1 bwid=0 appid=0 appcatid=0 hbappid=10097 hbappcatid=0 dpioffload=0 sigoffload=0 inzone=1 outzone=5 devinindex=6 devoutindex=34 hb_src=0 hb_dst=0 flags0=0x100008000a20000a flags1=0xb1020a00800 flagvalues=1,3,21,25,27,43,60,75,85,87,93,100,104,105,107 catid=0 user=12 luserid=5 usergp=32 hotspotuserid=0 hotspotid=0 dst_mac=00:0d:3a:22:81:b5 src_mac=fc:bd:67:7b:9d:51 startstamp=1637165173 microflow[0]=INVALID microflow[1]=INVALID hostrev[0]=0 hostrev[1]=0 ipspid=0 diffserv=0 loindex=34 tlsruleid=0 ips_nfqueue=1 sess_verdict=0 gwoff=0 cluster_node=0 current_state[0]=17498 current_state[1]=0 vlan_id=0 inmark=0x0 brinindex=0 sessionid=9248 sessionidrev=9721 session_update_rev=4 dnat_done=0 upclass=0:0 dnclass=0:0 pbrid[0]=0 pbrid[1]=0 profileid[0]=0 profileid[1]=0 nhop_id[0]=65535 nhop_id[1]=65535 nhop_rev[0]=0 nhop_rev[1]=0 conn_fp_id=NOT_OFFLOADED

    Just a random connection is mapped to fwid=6

    But what you have to do: you should create an HTTPS connection in the first place and get the user authenticated.

    BTW: 

    SATC Replacement does not work with clientless users. If you have the TS as a clientless server, you need to delete the clientless user on SFOS.

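The conntrack record quoted above, as an added example that is not part of the thread: a Python parser for this key=value format that pulls out the fields the discussion turns on (fwid, user, hb_src/hb_dst, the [UNREPLIED] state) and lists sessions that hit a rule without a user bound to them. It assumes, since the thread does not say, that user=0 means no authenticated user is attached and that hb_src/hb_dst=0 means no heartbeat state was attached; the sample is a shortened copy of the record above plus a constructed unbound variant.

```python
import re

# Constructed sample: the record quoted above, shortened to the fields used here.
SAMPLE = (
    "proto=tcp proto-no=6 timeout=102 state=SYN_SENT orig-src=192.168.1.5 "
    "orig-dst=172.17.1.2 orig-sport=7484 orig-dport=3390 packets=3 bytes=152 "
    "[UNREPLIED] reply-src=172.17.1.2 reply-dst=192.168.1.5 fwid=6 fw_action=1 "
    "hb_src=0 hb_dst=0 flagvalues=1,3,21,25 user=12 luserid=5 usergp=32 "
    "microflow[0]=INVALID microflow[1]=INVALID conn_fp_id=NOT_OFFLOADED"
)
# Same flow with no user attached (constructed, to show the symptom from the thread).
SAMPLE_UNBOUND = SAMPLE.replace("user=12", "user=0")

# A token is either a bracketed state flag such as [UNREPLIED] or key=value;
# keys may contain '-' (orig-src) and an index (microflow[0]).
_TOKEN = re.compile(r"\[([A-Z_]+)\]|([\w\-\[\]]+)=(\S*)")


def parse_conntrack(line: str) -> dict:
    """Split one conntrack record into a dict; state flags are joined under '_flags'."""
    fields, flags = {}, []
    for m in _TOKEN.finditer(line):
        if m.group(1):
            flags.append(m.group(1))
        else:
            fields[m.group(2)] = m.group(3)
    fields["_flags"] = ",".join(flags)
    return fields


def rule_binding(fields: dict) -> dict:
    """Summarise how the session was matched: rule id, user binding, heartbeat state.
    Assumption (not stated in the thread): user=0 = no user bound, hb_*=0 = no heartbeat."""
    user_id = int(fields.get("user", "0"))
    return {
        "flow": f'{fields["orig-src"]}:{fields["orig-sport"]} -> '
                f'{fields["orig-dst"]}:{fields["orig-dport"]}',
        "rule_id": int(fields.get("fwid", "0")),
        "user_id": user_id,
        "user_bound": user_id != 0,
        "heartbeat": (int(fields.get("hb_src", "0")), int(fields.get("hb_dst", "0"))),
        "unreplied": "UNREPLIED" in fields["_flags"].split(","),
    }


def find_unbound(records: list) -> list:
    """Flows that hit a rule with no user bound: the symptom reported in the thread."""
    summaries = (rule_binding(parse_conntrack(r)) for r in records)
    return [s["flow"] for s in summaries if not s["user_bound"]]
```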