How to allow clients to authenticate on STAS over a IpSec VPN

Hi everyone, I really need some help. I've already tried some KBs but no luck.

I'm having some trouble configuring my branch office users to connect to my Active Directory Server on the head office site.

I have already set up IPSec VPN from Head Office (Sophos XG 115) to Branch Office (Sophos XG 105 without license).

I have already followed the KBs: https://docs.sophos.com/nsg/sophos-firewall/19.0/Help/en-us/webhelp/onlinehelp/AdministratorHelp/Authentication/HowToArticles/AuthenticationAllowSTASOverVPN/index.html#introduction 

https://support.sophos.com/support/s/article/KB-000035839?language=en_US 

What is happening: 

By the time I login in the computer on the branch office (using a domain user), Sophos Firewall at Head Office gets the IP from Sophos Firewall Branch Office and not the IP from the workstation. After logging in, the browser pops up the login page from sophos firewall from Head Office. I can log through it normally, but the transparent authentication won't work.properly.

Sophos Firewall on the Head Office site: 192.168.1.1

Sophos Firewall on the Branch Office site: 192.168.5.1

Workstation on the Branch Office site: 192.168.5.20

Domain controller: 192.168.1.11

For the Head Office network users, it is everything ok with STAS. I`ve already set up the Servers, Services and STAS tab below like my Head Office Firewall. 

Head Office Sophos Firewall: 

Here it should be 192.168.5.20.

What can I do so Sophos Firewall gets the correct IP 192.168.5.20 from the workstation on Branch Office site?

Thank you guys.  



Edited TAGs
[edited by: emmosophos at 7:45 PM (GMT -7) on 7 Jul 2022]

Top Replies

Parents Reply
  • Hi 

    I'm aware of that since last year. I want to set this because the BO has only 4 computers and Sophos XGS 87 is expensive compared to Sophos XG 85. I don't want to make a high investiment in a hardware to use only for 4 computers in the branch office. Do you get it?

    As I have a licensed Sophos XG 115 with verson (SFOS 19.0.0 GA-Build317) on Head Office I would like to change this scenario like I said before.

    I want the Branch Office users getting internet access over IPSec VPN Tunnel from Head Office. This is happing now, however only through captive portal. If possible I'd like to make it work through CAA at least. That'll work very well for me.

    Thanks & Regards

Children