SATC replacement - Server Endpoint

We had a customer put a case in yesterday about having the Server Endpoint Software configured to replace the failing SATC software. I advised I knew it was in the pipe but hadn't heard it had been released yet, and then he shared these two links:

Set up SATC with Sophos Server Protection

Sophos Firewall: SATC with Server Protection

I worked through it with him, and I'm happy to report it all worked a treat across multiple browsers and clients on his THIN Client. Just thought I'd give anyone a heads up who has been waiting and may have missed the announcement. 



Added TAGs
[edited by: emmosophos at 6:59 PM (GMT -7) on 15 Oct 2021]
Parents
  • It is attached to the Server Core Version 2.19.X 

    So if a customer wants to use this, make sure the Core Agent is updated to a 2.19.X version. 

    __________________________________________________________________________________________________________________

  • Yeah the customer had to opt in to EAP, the process is in one of the above links.

    ------------------------------------------------

    world's number one free ICMP monitoring platform: https://pinescore.com

  • Hi,

    no, we're not using AD SSO on any Zone.

    Most firewall rules match known AD Users.

    I can see the user is authenticated on XG from that server. But when I try to hit some firewall rule by communicating with other machines in other subnets, it's not working because the user is not bound to the traffic, as can be seen in the live logging.

    Currently, I cannot access any internal targets that require user authentication from that SATC Server.

    Web rules are working though. Nothing else... What's that?

    I'm not aware of a feature "Match unknown users" - can you explain this?

  • I wonder how you got this all working at the customer? Or do they need the TS only for surfing? Or don't they have user-based rules on the XG for internal servers?

  • I'm not sure I follow all of the above, but essentially:

    Customer just connects to RDC from the internet using published apps, and then we use SATC to filter OUTBOUND HTTP(s) web requests and apply the appropriate filtering.

    The RDC server has a number of applications on the session host that all work fine (outlook, etc.) and when they come to use the published browser, it just makes sure they can't get on stuff they shouldn't be able to.

    ------------------------------------------------

    world's number one free ICMP monitoring platform: https://pinescore.com

  • OK, that explains why they probably didn't notice issues as long as they have web filtering in Intercept X disabled.

    Would be nice to know if they could access some other internal destination from that Server that have user authentication required on the firewall rule.

  • As far as I know, all traffic should be covered by Server Protection, and not only web based. But you need to differentiate between traffic generated by the server itself and by a session. If you RDP to a session, can you do an SSH and it gets filtered by the firewall rule accordingly? 

    __________________________________________________________________________________________________________________

  • So: 

    This is rule 6. 

    RDP Session to the server.

    proto=tcp proto-no=6 timeout=102 state=SYN_SENT orig-src=192.168.1.5 orig-dst=172.17.1.2 orig-sport=7484 orig-dport=3390 packets=3 bytes=152 [UNREPLIED] reply-src=172.17.1.2 reply-dst=192.168.1.5 reply-sport=3390 reply-dport=7484 packets=0 bytes=0 mark=0x0 use=1 id=1974529064 masterid=0 devin=PortA devout=xfrm1 nseid=50334781 ips=1 sslvpnid=0 webfltid=1 appfltid=1 icapid=0 policytype=2 fwid=6 natid=0 fw_action=1 bwid=0 appid=0 appcatid=0 hbappid=10097 hbappcatid=0 dpioffload=0 sigoffload=0 inzone=1 outzone=5 devinindex=6 devoutindex=34 hb_src=0 hb_dst=0 flags0=0x100008000a20000a flags1=0xb1020a00800 flagvalues=1,3,21,25,27,43,60,75,85,87,93,100,104,105,107 catid=0 user=12 luserid=5 usergp=32 hotspotuserid=0 hotspotid=0 dst_mac=00:0d:3a:22:81:b5 src_mac=fc:bd:67:7b:9d:51 startstamp=1637165173 microflow[0]=INVALID microflow[1]=INVALID hostrev[0]=0 hostrev[1]=0 ipspid=0 diffserv=0 loindex=34 tlsruleid=0 ips_nfqueue=1 sess_verdict=0 gwoff=0 cluster_node=0 current_state[0]=17498 current_state[1]=0 vlan_id=0 inmark=0x0 brinindex=0 sessionid=9248 sessionidrev=9721 session_update_rev=4 dnat_done=0 upclass=0:0 dnclass=0:0 pbrid[0]=0 pbrid[1]=0 profileid[0]=0 profileid[1]=0 nhop_id[0]=65535 nhop_id[1]=65535 nhop_rev[0]=0 nhop_rev[1]=0 conn_fp_id=NOT_OFFLOADED

    Just a random connection is mapped to fwid=6

    But what you have to do: You should create a HTTPs Connection in the first place and get the user authenticated. 

    BTW: 

    SATC Replacement does not work with Clientless user. If you have the TS as a clientless server, you need to delete the clientless user on SFOS. 

    __________________________________________________________________________________________________________________

  • SATC Replacement does not work with Clientless user. If you have the TS as a clientless server, you need to delete the clientless user on SFOS. 

    can you please explain this? According to the KBs I've read, we need to enable SATC via Registry parameters on the Terminalserver

    reg add "HKLM\Software\Sophos\Sophos Network Threat Protection\Application" /v SendSatcEvents /t REG_DWORD /d 1
    reg add "HKLM\Software\Sophos\Sophos Network Threat Protection\Application" /v SatcDestinationAddr /t REG_SZ /d xxx.xxx.xxx.xxx
    reg add "HKLM\Software\Sophos\Sophos Network Threat Protection\Application" /v SatcDestinationPort /t REG_DWORD /d 6060

    And on the XG

    system auth thin-client add citrix-ip xxx.xxx.xxx.xxx (TS IP Address)


    I performed another test with Windows Server 2019 as TS:

    Whenever I log on to the Terminalserver, port 80 and 443 packets appear with user authentication on the XG.

    For this test I put the Terminalserver 2019 into the Client LAN where we have User authentication working against XG from Windows 10 clients.

    All other packets: CIFS, DNS, LDAP, are without user.

    I have also checked this from another 2019 server which is not configured as Terminalserver and doesn't have the EAP client installed. It is acting the same - so no user authentication is arriving at the FW.

    Also tested SSH (PuTTY): different: I can see the source IP and the user.

  • You can have a look at this Log File. Here you can see the Connection to User/SessionID relation which the Endpoint sends to the Firewall.

    "C:\ProgramData\Sophos\Sophos Network Threat Protection\Logs\SntpService.log"

    In my setup I have skipped the local users like SYSTEM and NETWORK SERVICE etc. via registry key (SatcExcludedUsers) and saw that, after skipping them, these users are no longer logged in that SntpService.log file.

    But when I scroll up in this log to the time when these local users were not skipped, I can see:

    - SYSTEM user had a lot of smb/445 entries

    - NETWORK SERVICE user had a lot of dns/53 entries

    I am not an expert in SATC, I don't even know 100% how it works. But I assume that some traffic you want to authenticate against a specific AD user is "generated" by one of the system users, and that's your problem.

    Other applications like your SSH test are bound to your AD user session ID, and that's the reason why you can see that information in the XG log.

  • thank you! I'm just in the process of writing all this together and saw your post - will add the SntpService.log - one less question from support I hope. Currently I have not excluded the system users and see them on the XG logs.

  • to add some more information here:

    found this in the XG access server log

    XG430_WP02_SFOS 18.0.6 MR-6-Build655# cat access_server.log | grep terminalserver_IP
    ERROR     Nov 25 12:37:25.138360 [access_server]: (process_citrix_login_request): An identical SATC request is being processed at the moment, canceling the current request from terminalserver_IP-1
    ERROR     Nov 25 12:37:29.327584 [access_server]: (process_citrix_login_request): An identical SATC request is being processed at the moment, canceling the current request from terminalserver_IP-2
    ERROR     Nov 25 12:37:31.582105 [access_server]: (process_citrix_login_request): An identical SATC request is being processed at the moment, canceling the current request from terminalserver_IP-2
    ERROR     Nov 25 12:44:01.917202 [access_server]: (process_citrix_login_request): An identical SATC request is being processed at the moment, canceling the current request from terminalserver_IP-4
    ERROR     Nov 25 12:45:06.811953 [access_server]: (process_citrix_login_request): An identical SATC request is being processed at the moment, canceling the current request from terminalserver_IP-1
    ERROR     Nov 25 12:48:05.351970 [access_server]: (process_citrix_login_request): An identical SATC request is being processed at the moment, canceling the current request from terminalserver_IP-1
    ERROR     Nov 25 12:53:07.561911 [access_server]: (process_citrix_login_request): An identical SATC request is being processed at the moment, canceling the current request from terminalserver_IP-1
    ERROR     Nov 25 12:55:08.716986 [access_server]: (process_citrix_login_request): An identical SATC request is being processed at the moment, canceling the current request from terminalserver_IP-5
    ERROR     Nov 25 12:55:09.000721 [access_server]: (process_citrix_login_request): An identical SATC request is being processed at the moment, canceling the current request from terminalserver_IP-3
    ERROR     Nov 25 12:55:14.879696 [access_server]: (process_citrix_login_request): An identical SATC request is being processed at the moment, canceling the current request from terminalserver_IP-3
    ERROR     Nov 25 12:55:14.881768 [access_server]: (process_citrix_login_request): An identical SATC request is being processed at the moment, canceling the current request from terminalserver_IP-3
    ERROR     Nov 25 13:05:03.447016 [access_server]: (process_citrix_login_request): An identical SATC request is being processed at the moment, canceling the current request from terminalserver_IP-1
    ERROR     Nov 25 13:07:08.460984 [access_server]: (process_citrix_login_request): An identical SATC request is being processed at the moment, canceling the current request from terminalserver_IP-2
    ERROR     Nov 25 13:07:08.641793 [access_server]: (process_citrix_login_request): An identical SATC request is being processed at the moment, canceling the current request from terminalserver_IP-2
    ERROR     Nov 25 13:07:08.914866 [access_server]: (process_citrix_login_request): An identical SATC request is being processed at the moment, canceling the current request from terminalserver_IP-1
    ERROR     Nov 25 13:09:04.314358 [access_server]: (process_citrix_login_request): An identical SATC request is being processed at the moment, canceling the current request from terminalserver_IP-2
    ERROR     Nov 25 13:12:14.403464 [access_server]: (process_citrix_login_request): An identical SATC request is being processed at the moment, canceling the current request from terminalserver_IP-2
    ERROR     Nov 25 13:18:08.124805 [access_server]: (process_citrix_login_request): An identical SATC request is being processed at the moment, canceling the current request from terminalserver_IP-2
    ERROR     Nov 25 13:18:09.364701 [access_server]: (process_citrix_login_request): An identical SATC request is being processed at the moment, canceling the current request from terminalserver_IP-4
    ERROR     Nov 25 13:19:13.509368 [access_server]: (process_citrix_login_request): An identical SATC request is being processed at the moment, canceling the current request from terminalserver_IP-2
    ERROR     Nov 25 13:41:37.547174 [access_server]: (process_citrix_login_request): An identical SATC request is being processed at the moment, canceling the current request from terminalserver_IP-2
    ERROR     Nov 25 13:41:38.926125 [access_server]: (process_citrix_login_request): An identical SATC request is being processed at the moment, canceling the current request from terminalserver_IP-2
    ERROR     Nov 25 14:12:14.932129 [access_server]: (process_citrix_login_request): An identical SATC request is being processed at the moment, canceling the current request from terminalserver_IP-2
    ERROR     Nov 25 14:16:09.756777 [access_server]: (process_citrix_login_request): An identical SATC request is being processed at the moment, canceling the current request from terminalserver_IP-1
    ERROR     Nov 25 14:22:18.354221 [access_server]: (process_citrix_login_request): An identical SATC request is being processed at the moment, canceling the current request from terminalserver_IP-1
    ERROR     Nov 25 14:31:29.488805 [access_server]: (process_citrix_login_request): An identical SATC request is being processed at the moment, canceling the current request from terminalserver_IP-1
    ERROR     Nov 25 14:34:26.402013 [access_server]: (process_citrix_login_request): An identical SATC request is being processed at the moment, canceling the current request from terminalserver_IP-4
    ERROR     Nov 25 14:34:27.945061 [access_server]: (process_citrix_login_request): An identical SATC request is being processed at the moment, canceling the current request from terminalserver_IP-2
    ERROR     Nov 25 14:34:27.947143 [access_server]: (process_citrix_login_request): An identical SATC request is being processed at the moment, canceling the current request from terminalserver_IP-2
    ERROR     Nov 25 14:37:50.705532 [access_server]: (process_citrix_login_request): An identical SATC request is being processed at the moment, canceling the current request from terminalserver_IP-2
    ERROR     Nov 25 14:51:16.886054 [access_server]: (process_citrix_login_request): An identical SATC request is being processed at the moment, canceling the current request from terminalserver_IP-1
    ERROR     Nov 25 14:51:16.893019 [access_server]: (process_citrix_login_request): An identical SATC request is being processed at the moment, canceling the current request from terminalserver_IP-1
    ERROR     Nov 25 14:51:48.939470 [access_server]: (process_citrix_login_request): An identical SATC request is being processed at the moment, canceling the current request from terminalserver_IP-1
    ERROR     Nov 25 14:51:48.942277 [access_server]: (process_citrix_login_request): An identical SATC request is being processed at the moment, canceling the current request from terminalserver_IP-1
    ERROR     Nov 25 14:51:48.948203 [access_server]: (process_citrix_login_request): An identical SATC request is being processed at the moment, canceling the current request from terminalserver_IP-1
    ERROR     Nov 25 14:51:48.975657 [access_server]: (process_citrix_login_request): An identical SATC request is being processed at the moment, canceling the current request from terminalserver_IP-1
    ERROR     Nov 25 14:51:48.984067 [access_server]: (process_citrix_login_request): An identical SATC request is being processed at the moment, canceling the current request from terminalserver_IP-1
    ERROR     Nov 25 14:53:40.980600 [access_server]: (process_citrix_login_request): An identical SATC request is being processed at the moment, canceling the current request from terminalserver_IP-1
    ERROR     Nov 25 14:54:46.488496 [access_server]: (process_citrix_login_request): An identical SATC request is being processed at the moment, canceling the current request from terminalserver_IP-1
    ERROR     Nov 25 15:00:33.272375 [access_server]: (process_citrix_login_request): An identical SATC request is being processed at the moment, canceling the current request from terminalserver_IP-1
    ERROR     Nov 25 15:12:21.256203 [access_server]: (process_citrix_login_request): An identical SATC request is being processed at the moment, canceling the current request from terminalserver_IP-1
    


Children
  • Who else is struggling with this issue:

    got feedback from support on this case 04666074

    He found an identified issue and there is an existing gira(?) ID at Sophos. Dev is working on this.

    Main issue is, as can be seen from conntrack -E or drppkt

    user=0
    luserid=0
    usergp=0

    they are empty for non HTTP/S or SSH Traffic. Here SMB 445:

    XG430_WP02_SFOS 18.0.6 MR-6-Build655# drppkt host 172.xxxxxx5 and host 172.xxxxxx2
    2021-12-02 12:03:40 0101021 IP 172.xxxxxx2.56659 > 172.xxxxxx5.445 : proto TCP: S 4128476956:4128476956(0) win 64240 checksum : 3941
    0x0000:  4502 0034 0fc9 4000 7f06 ec3f ac10 deca  E..4..@....?....
    0x0010:  ac10 c8cd dd53 01bd f613 8f1c 0000 0000  .....S..........
    0x0020:  80c2 faf0 0f65 0000 0204 05b4 0103 0308  .....e..........
    0x0030:  0101 0402                                ....
    Date=2021-12-02 Time=12:03:40 log_id=0101021 log_type=Firewall log_component=Firewall_Rule log_subtype=Denied log_status=N/A log_priority=Alert duration=N/A in_dev=lag0.222
    out_dev=lag0 inzone_id=1 outzone_id=9 source_mac=00:50:56:85:f6:47 dest_mac=c8:4f:86:fc:00:0d bridge_name= l3_protocol=IPv4 source_ip=172.xxxxxx2 dest_ip=172.xxxxxx5
    l4_protocol=TCP source_port=56659 dest_port=445 fw_rule_id=5 policytype=1 live_userid=0 userid=0 user_gp=0 ips_id=0 sslvpn_id=0 web_filter_id=2 hotspot_id=0 hotspotuser_id=0
    hb_src=0 hb_dst=0 dnat_done=0 icap_id=0 app_filter_id=0 app_category_id=0 app_id=0 category_id=0 bandwidth_id=0 up_classid=0 dn_classid=0 nat_id=0 cluster_node=0 inmark=0x0 nfqueue=0
    gateway_offset=0 connid=413244928 masterid=0 status=256 state=1, flag0=2748781166632 flags1=72 pbdid_dir0=0 pbrid_dir1=0

    fw_rule_id=5 = droprule

    Interesting fact:

    user authentication fails for SMB access, but if I test the same port 445 with PowerShell tnc hostname -port 445, my user is authenticated against the firewall and TNC succeeds.

    tnc hostname -port 445

    ComputerName     : hostname
    RemoteAddress    : 172.xxxxxxx5
    RemotePort       : 445
    InterfaceAlias   : Ethernet0
    SourceAddress    : 172.xxxxxxx2
    TcpTestSucceeded : True

    user is logged in conntrack

    [NEW] proto=tcp      proto-no=6 timeout=120 state=SYN_SENT orig-src=172.xxxxxx2 orig-dst=172.xxxxxx5 orig-sport=56665 orig-dport=445 [UNREPLIED] reply-src=172.xxxxxx5 reply-dst=172.xxxxxx2
    reply-sport=445 reply-dport=56665 id=189458624 masterid=0 devin=lag0.222 devout=lag0 nseid=16818180 ips=13 sslvpnid=0 webfltid=0 appfltid=0 icapid=0 policytype=2 fwid=66 natid=0 fw_action=1 bwid=0 appid=0
    appcatid=0 hbappid=0 hbappcatid=0 dpioffload=0 sigoffload=0 inzone=1 outzone=9 devinindex=43 devoutindex=28 hb_src=8 hb_dst=8 flags0=0x80008200028 flags1=0x30000800000 flagvalues=3,5,21,27,43,87,104,105
    catid=0 user=153 luserid=4452 usergp=6 hotspotuserid=0 hotspotid=0 dst_mac=c8:4f:86:fc:00:0d src_mac=00:50:56:85:f6:47 startstamp=1638443160 microflow[0]=INVALID microflow[1]=INVALID hostrev[0]=0 hostrev[1]=0
    ipspid=0 diffserv=0 loindex=28 tlsruleid=0 ips_nfqueue=0 sess_verdict=0 gwoff=0 cluster_node=0 current_state[0]=18147 current_state[1]=0 vlan_id=0 inmark=0x0 brinindex=0 sessionid=5063 sessionidrev=14592
    session_update_rev=1 dnat_done=0 upclass=0:0 dnclass=0:0 pbrid_dir0=0 pbrid_dir1=0 nhop_id[0]=65535 nhop_id[1]=65535 nhop_rev[0]=0 nhop_rev[1]=0 conn_fp_id=NOT_OFFLOADED
     [UPDATE]...
     [UPDATE]...
     [UPDATE]...
     [UPDATE]...
    [DESTROY]...
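The conntrack and drppkt output above is exactly what a user-matching rule gets to see: a flow either carries user/luserid/usergp (userid/live_userid/user_gp in the log format) or it carries zeros and falls through to the drop rule. As an added example, not part of this thread and not Sophos tooling, here is a small Python parser for those key=value records that reports, per destination port, which flows carried a user binding and which did not. The sample records are constructed in the same layout as the posted ones, with made-up addresses, rule ids and user ids.

```python
import re

# One key=value token. Keys may contain '-' and an index ("reply-src",
# "nhop_id[0]"); values run to the next whitespace. Bare tokens such as
# [NEW] or [UNREPLIED] contain no '=' and are simply not matched.
_KV = re.compile(r"([A-Za-z_][\w\-\[\]]*)=(\S*)")

def parse_kv_line(line):
    """Parse one conntrack / firewall-log record into a dict. A key that occurs
    twice (conntrack prints packets= and bytes= for both directions) keeps the
    last value; a trailing ',' as in 'state=1,' is stripped."""
    return {k: v.rstrip(",") for k, v in _KV.findall(line)}

# conntrack and the drppkt log format name the same three ids differently.
_USER_FIELDS = (("user", "luserid", "usergp"), ("userid", "live_userid", "user_gp"))

def user_binding(entry):
    """User id, live-user id and group id of a record as ints, under the
    conntrack names; a missing or empty field counts as 0."""
    for uid, lid, gid in _USER_FIELDS:
        if uid in entry:
            return {"user": int(entry[uid] or 0),
                    "luserid": int(entry.get(lid) or 0),
                    "usergp": int(entry.get(gid) or 0)}
    return {"user": 0, "luserid": 0, "usergp": 0}

def is_user_bound(entry):
    """True when the flow carries a user that a user-matching rule can act on."""
    b = user_binding(entry)
    return b["user"] != 0 and b["luserid"] != 0

def audit(lines):
    """Flow records with endpoints, rule id and user binding. Hex dumps,
    [UPDATE]/[DESTROY] lines and other non-record lines are skipped."""
    findings = []
    for line in lines:
        e = parse_kv_line(line)
        if "proto" not in e and "l4_protocol" not in e:
            continue
        findings.append({
            "src": e.get("orig-src") or e.get("source_ip", "?"),
            "dst": e.get("orig-dst") or e.get("dest_ip", "?"),
            "dport": int(e.get("orig-dport") or e.get("dest_port") or 0),
            "rule": int(e.get("fwid") or e.get("fw_rule_id") or 0),
            "bound": is_user_bound(e),
            **user_binding(e)})
    return findings

def summarise(findings):
    """Per destination port: how many flows did and did not carry a user."""
    out = {}
    for f in findings:
        port = out.setdefault(f["dport"], {"bound": 0, "unbound": 0})
        port["bound" if f["bound"] else "unbound"] += 1
    return out

# Constructed sample records in the layout of the posted output (placeholder
# addresses and ids): SMB with and without a user, one drppkt log line for the
# dropped SMB flow, an SSH flow with a user, a DNS flow without one.
SAMPLE_LINES = [
    "[NEW] proto=tcp      proto-no=6 timeout=120 state=SYN_SENT orig-src=172.16.1.2 orig-dst=172.16.2.5 orig-sport=56665 orig-dport=445 [UNREPLIED] reply-src=172.16.2.5 reply-dst=172.16.1.2 reply-sport=445 reply-dport=56665 fwid=66 fw_action=1 user=153 luserid=4452 usergp=6 nhop_id[0]=65535",
    "[NEW] proto=tcp      proto-no=6 timeout=120 state=SYN_SENT orig-src=172.16.1.2 orig-dst=172.16.2.5 orig-sport=56659 orig-dport=445 [UNREPLIED] reply-src=172.16.2.5 reply-dst=172.16.1.2 reply-sport=445 reply-dport=56659 fwid=5 fw_action=1 user=0 luserid=0 usergp=0",
    "Date=2021-12-02 Time=12:03:40 log_id=0101021 log_type=Firewall log_component=Firewall_Rule log_subtype=Denied log_status=N/A in_dev=lag0.222 out_dev=lag0 bridge_name= l3_protocol=IPv4 source_ip=172.16.1.2 dest_ip=172.16.2.5 l4_protocol=TCP source_port=56659 dest_port=445 fw_rule_id=5 live_userid=0 userid=0 user_gp=0 state=1, flag0=2748781166632",
    "0x0000:  4502 0034 0fc9 4000 7f06 ec3f ac10 deca  E..4..@....?....",
    "[NEW] proto=tcp      proto-no=6 timeout=120 state=SYN_SENT orig-src=172.16.1.2 orig-dst=172.16.2.9 orig-sport=50100 orig-dport=22 fwid=6 fw_action=1 user=12 luserid=5 usergp=32",
    "[NEW] proto=udp      proto-no=17 timeout=30 orig-src=172.16.1.2 orig-dst=172.16.0.10 orig-sport=51000 orig-dport=53 fwid=5 fw_action=1 user=0 luserid=0 usergp=0",
    " [UPDATE]...",
]

if __name__ == "__main__":
    for f in audit(SAMPLE_LINES):
        print(f)
    print(summarise(audit(SAMPLE_LINES)))
```

Feed it the output of `conntrack -E` or the log lines from drppkt on the firewall console; any port that only ever shows up under "unbound" is one where the endpoint is not reporting a session user for that traffic, which is the symptom the drop on fw_rule_id=5 above reflects.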

  • captured 6060 traffic on the firewall.

    on the left side you see TNC 445, right side SMB 445

    left side: personal user authenticated and reported to the XG, right side: SYSTEM user reported to the XG

  • Just wondering, is your Server IP currently authenticated with something else? So is the LAN IP of the service created on firewall via something else? Like Clientless users or something else? 

    __________________________________________________________________________________________________________________

  • no, all only local TS sessions

    5 currently.

    extract from

    sqlite_client 0 6061 1 "select * from tblliveuser";

    which is the same as can be seen from GUI Current activities>Live Users

    Suche "172.x.x.xx2" (5 Treffer in 1 Dateien von 1 gesucht)
      new 1 (5 Treffer)
    	Line 17: 4232,296,aaaaaaaaaa@domain.dc,aaaaaaaaaa@domain.dc,aaaaaaaaaa,172.x.x.xx2-6,6,1584032,1664867,1,1,1,1,1,0,0,2021-09-28,,11,,5374,23617,0,0,0,,,0
    	Line 18: 4243,17,bbbbbbbbb@domain.dc,bbbbbbbbb@domain.dc,bbbbbbbbb,172.x.x.xx2-4,1,1584986,1664867,1,1,1,1,1,0,0,2019-09-16,,11,,2803,13460,0,0,0,,,0
    	Line 78: 4452,153,cccccccccccccc@domain.dc,cccccccccccccc@domain.dc,cccccccccccccc,172.x.x.xx2-7,6,1655441,1664867,1,1,1,1,1,0,0,2020-06-26,,11,,15979,206975,0,0,0,,,0
    	Line 88: 4475,313,ddddddddddddd@domain.dc,ddddddddddddd@domain.dc,ddddddddddddd,172.x.x.xx2-8,1,1659621,1664867,1,1,1,1,1,0,0,2021-11-25,,11,,0,0,0,0,0,,,0
    	Line 91: 4481,10,eeeeeeeee@domain.dc,eeeeeeeee@domain.dc,eeeeeeeee,172.x.x.xx2-9,6,1660582,1664867,1,1,1,1,1,0,0,2019-08-27,,11,,4472,13367,0,0,0,,,0
    

  • if I tail the log

     tail /log/access_server.log

    This is what I get, from the time on when I try to access the SMB share from the terminalserver.

    MESSAGE   Dec 02 14:51:03.459218 [access_server]: tlvserver_process_request: GOT ALERT.EXECUTE_HEARTBEAT
    ERROR     Dec 02 14:51:05.505035 [ADS_AUTH]: adsauth_authenticate_user: '1st_domaincontrollerIP:389':(filter: '(sAMAccountName=network service)') USER not found
    ERROR     Dec 02 14:51:05.508223 [ADS_AUTH]: adsauth_authenticate_user: '2nd_domaincontrollerIP:389':(filter: '(sAMAccountName=network service)') USER not found
    ERROR     Dec 02 14:51:05.508254 [access_server]: check_auth_result: Authentication Failed
    ERROR     Dec 02 14:51:05.509987 [ADS_AUTH]: adsauth_authenticate_user: '1st_domaincontrollerIP:389':(filter: '(sAMAccountName=system)') USER not found
    ERROR     Dec 02 14:51:05.512829 [ADS_AUTH]: adsauth_authenticate_user: '2nd_domaincontrollerIP:389':(filter: '(sAMAccountName=system)') USER not found
    ERROR     Dec 02 14:51:05.512863 [access_server]: check_auth_result: Authentication Failed
    ERROR     Dec 02 14:51:06.515173 [ADS_AUTH]: adsauth_authenticate_user: '1st_domaincontrollerIP:389':(filter: '(sAMAccountName=system)') USER not found
    ERROR     Dec 02 14:51:06.518397 [ADS_AUTH]: adsauth_authenticate_user: '2nd_domaincontrollerIP:389':(filter: '(sAMAccountName=system)') USER not found
    ERROR     Dec 02 14:51:06.518432 [access_server]: check_auth_result: Authentication Failed
    ERROR     Dec 02 14:51:08.774754 [ADS_AUTH]: adsauth_authenticate_user: '1st_domaincontrollerIP:389':(filter: '(sAMAccountName=network service)') USER not found
    ERROR     Dec 02 14:51:08.777990 [ADS_AUTH]: adsauth_authenticate_user: '2nd_domaincontrollerIP:389':(filter: '(sAMAccountName=network service)') USER not found
    ERROR     Dec 02 14:51:08.778033 [access_server]: check_auth_result: Authentication Failed
    

    It can be seen that a real username is not logged.
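Two things stand out in the access_server.log extracts in this thread: the repeated "identical SATC request ... canceling" errors per terminal server session in the earlier post, and the failed sAMAccountName lookups for "system" and "network service" here. As an added example, not part of the thread and not Sophos code, the following Python reads lines in that log layout, counts the cancelled duplicate SATC requests per source token, flags sources that produced a burst of them within a short window, and lists the AD lookups that failed, separating built-in Windows accounts (the names the SatcExcludedUsers registry value mentioned earlier is meant for) from real user names. The log lines are constructed with placeholder addresses, and the set of built-in account names is an assumption, not taken from the page.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# One access_server.log line: LEVEL   Mon DD HH:MM:SS.micro [component]: message
_LINE = re.compile(
    r"^(?P<level>[A-Z]+)\s+(?P<ts>[A-Z][a-z]{2} \d{2} \d{2}:\d{2}:\d{2}\.\d{6}) "
    r"\[(?P<comp>[^\]]+)\]: (?P<msg>.*)$")
_SATC_CANCEL = re.compile(
    r"An identical SATC request is being processed at the moment, "
    r"canceling the current request from (?P<src>\S+)")
_LOOKUP_FAIL = re.compile(r"sAMAccountName=(?P<name>[^)]+)\)'\) USER not found")

# Assumption: built-in Windows accounts that have no AD object. Lookups for
# these come from service traffic on the terminal server, not from a user
# session, so they are the natural content of the SatcExcludedUsers value.
BUILTIN_ACCOUNTS = {"system", "local service", "network service"}

def parse_line(line):
    """Parse one log line; None for lines that are not records (prompts, blanks)."""
    m = _LINE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    # The log carries no year, so timestamps are only comparable within a day.
    rec["time"] = datetime.strptime(rec["ts"], "%b %d %H:%M:%S.%f")
    return rec

def parse_log(lines):
    return [r for r in (parse_line(l) for l in lines) if r is not None]

def _cancel_times(records):
    times = defaultdict(list)
    for r in records:
        m = _SATC_CANCEL.search(r["msg"])
        if m:
            times[m.group("src")].append(r["time"])
    return times

def satc_cancellations(records):
    """Cancelled duplicate SATC logon requests per source token ('<ip>-<n>')."""
    return {src: len(ts) for src, ts in _cancel_times(records).items()}

def satc_bursts(records, window_s=1.0, min_count=3):
    """Sources with at least min_count cancellations inside window_s seconds,
    with the size of the largest such burst (sliding window over sorted times)."""
    bursts = {}
    for src, ts in _cancel_times(records).items():
        ts.sort()
        best, j = 0, 0
        for i in range(len(ts)):
            while (ts[i] - ts[j]).total_seconds() > window_s:
                j += 1
            best = max(best, i - j + 1)
        if best >= min_count:
            bursts[src] = best
    return bursts

def failed_lookups(records):
    """sAMAccountName values the firewall could not find in AD, with counts."""
    c = Counter()
    for r in records:
        m = _LOOKUP_FAIL.search(r["msg"]) if r["comp"] == "ADS_AUTH" else None
        if m:
            c[m.group("name").lower()] += 1
    return dict(c)

def exclusion_candidates(records):
    """Built-in accounts seen in failed lookups: names to add to the endpoint's
    SatcExcludedUsers value so they are never reported as logons at all."""
    return sorted(n for n in failed_lookups(records) if n in BUILTIN_ACCOUNTS)

# Constructed sample in the layout of the posted log; 172.16.1.2 is the terminal
# server, 10.0.0.1/10.0.0.2 the domain controllers, jdoe a placeholder user.
SAMPLE_LOG = """\
XG430_WP02_SFOS 18.0.6 MR-6-Build655# cat access_server.log
ERROR     Nov 25 12:37:29.327584 [access_server]: (process_citrix_login_request): An identical SATC request is being processed at the moment, canceling the current request from 172.16.1.2-2
ERROR     Nov 25 12:37:31.582105 [access_server]: (process_citrix_login_request): An identical SATC request is being processed at the moment, canceling the current request from 172.16.1.2-2
ERROR     Nov 25 14:51:16.886054 [access_server]: (process_citrix_login_request): An identical SATC request is being processed at the moment, canceling the current request from 172.16.1.2-1
ERROR     Nov 25 14:51:16.893019 [access_server]: (process_citrix_login_request): An identical SATC request is being processed at the moment, canceling the current request from 172.16.1.2-1
ERROR     Nov 25 14:51:48.939470 [access_server]: (process_citrix_login_request): An identical SATC request is being processed at the moment, canceling the current request from 172.16.1.2-1
ERROR     Nov 25 14:51:48.942277 [access_server]: (process_citrix_login_request): An identical SATC request is being processed at the moment, canceling the current request from 172.16.1.2-1
ERROR     Nov 25 14:51:48.948203 [access_server]: (process_citrix_login_request): An identical SATC request is being processed at the moment, canceling the current request from 172.16.1.2-1
ERROR     Nov 25 14:51:48.984067 [access_server]: (process_citrix_login_request): An identical SATC request is being processed at the moment, canceling the current request from 172.16.1.2-1
MESSAGE   Dec 02 14:51:03.459218 [access_server]: tlvserver_process_request: GOT ALERT.EXECUTE_HEARTBEAT
ERROR     Dec 02 14:51:05.505035 [ADS_AUTH]: adsauth_authenticate_user: '10.0.0.1:389':(filter: '(sAMAccountName=network service)') USER not found
ERROR     Dec 02 14:51:05.508223 [ADS_AUTH]: adsauth_authenticate_user: '10.0.0.2:389':(filter: '(sAMAccountName=network service)') USER not found
ERROR     Dec 02 14:51:05.508254 [access_server]: check_auth_result: Authentication Failed
ERROR     Dec 02 14:51:05.509987 [ADS_AUTH]: adsauth_authenticate_user: '10.0.0.1:389':(filter: '(sAMAccountName=system)') USER not found
ERROR     Dec 02 14:51:06.515173 [ADS_AUTH]: adsauth_authenticate_user: '10.0.0.1:389':(filter: '(sAMAccountName=jdoe)') USER not found
"""
RECORDS = parse_log(SAMPLE_LOG.splitlines())

if __name__ == "__main__":
    print("cancellations per source:", satc_cancellations(RECORDS))
    print("bursts:", satc_bursts(RECORDS))
    print("failed AD lookups:", failed_lookups(RECORDS))
    print("SatcExcludedUsers candidates:", exclusion_candidates(RECORDS))
```

A real user name showing up in `failed_lookups` is a different problem from the built-in ones (an account the firewall's AD server cannot resolve), so the split matters before deciding what to exclude on the endpoint.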