
How to allow clients to authenticate on STAS over an IPsec VPN

Hi everyone, I really need some help. I've already tried some KBs but no luck.

I'm having some trouble configuring my branch office users to connect to my Active Directory Server on the head office site.

I have already set up IPSec VPN from Head Office (Sophos XG 115) to Branch Office (Sophos XG 105 without license).

I have already followed the KBs: https://docs.sophos.com/nsg/sophos-firewall/19.0/Help/en-us/webhelp/onlinehelp/AdministratorHelp/Authentication/HowToArticles/AuthenticationAllowSTASOverVPN/index.html#introduction 

https://support.sophos.com/support/s/article/KB-000035839?language=en_US 

What is happening: 

When I log in on the computer at the branch office (using a domain user), the Sophos Firewall at the Head Office gets the IP of the Sophos Firewall at the Branch Office and not the IP of the workstation. After logging in, the browser pops up the login page of the Sophos Firewall at the Head Office. I can log in through it normally, but the transparent authentication won't work properly.

Sophos Firewall on the Head Office site: 192.168.1.1

Sophos Firewall on the Branch Office site: 192.168.5.1

Workstation on the Branch Office site: 192.168.5.20

Domain controller: 192.168.1.11

For the Head Office network users, everything is OK with STAS. I've already set up the Servers, Services and STAS tabs below like on my Head Office Firewall.

Head Office Sophos Firewall: 

Here it should be 192.168.5.20.

What can I do so Sophos Firewall gets the correct IP 192.168.5.20 from the workstation on Branch Office site?

Thank you guys.  

  • Hi techblue

    Thank you for reaching out to the community. In STAS, you can edit the "Sophos Appliance" field and check whether "Enable Subnet based filter" is applied or not, as per the snapshot reference below.

    Thanks and Regards

    "Sophos Partner: Infrassist Technologies Pvt Ltd".

    If a post solves your question please use the 'Verify Answer' button.

  • Hi

    I did as in the snapshot I've just sent, but nothing has changed. The HO Firewall keeps picking the user IP 192.168.1.1 :/

    What else should I review? 

    This is really driving me crazy.


    Thank you.

  • SFOS 17.5.17 MR-17-Build837

  • I would suggest getting this thoroughly investigated with Sophos support!!

    Thanks & Regards,
    _______________________________________________________________

    Vivek Jagad | Technical Account Manager 3 | Cyber Security Evolved


    Sophos Community | Product Documentation | Sophos Techvids | SMS
    If a post solves your question please use the 'Verify Answer' button.

  • By the way, SFOS 17.5.17 MR-17-Build837 is declared EoL 30-NOV-2021*

    *SFOS 17.5 MR16 is supported and SFOS 17.5 MR17 is maintained for XG 85(w) and XG 105(w) until these hardware models go End-of-Life.
    XG 85(w)/XG 105(w) Lifecycle and Migration Exclusion - https://partnernews.sophos.com/en-us/2021/08/products/xg-85w-xg-105w-lifecycle-and-migration-exclusion/

    Thanks & Regards,

    Vivek Jagad | Technical Account Manager 3 | Cyber Security Evolved

  • Hi 

    I have been aware of that since last year. I want to set this up because the BO has only 4 computers and the Sophos XGS 87 is expensive compared to the Sophos XG 85. I don't want to make a high investment in hardware to be used only for 4 computers in the branch office. Do you get it?

    As I have a licensed Sophos XG 115 with version SFOS 19.0.0 GA-Build317 at the Head Office, I would like to change this scenario as I said before.

    I want the Branch Office users to get internet access over the IPsec VPN tunnel from the Head Office. This is happening now, however only through the captive portal. If possible I'd like to make it work through CAA at least. That'll work very well for me.

    Thanks & Regards

  • Hello,

    I understand. But after August 17, 2022 (this is the end of support date) you'll no longer be able to get support assistance.
    So, I just wanted to ensure you have the right information.

    And regarding the CAA, what is the error you are receiving?

    Thanks & Regards,

    Vivek Jagad | Technical Account Manager 3 | Cyber Security Evolved

  • I see. Thank you for the information.

    In regards to CAA, I'm not receiving any error. The CAA connects correctly at the BO and the user appears in "Current Activities". However it doesn't get an internet connection from the HO. It is like the HO's firewall won't "see" this connection coming from the BO. Do you understand me?

    Does it work, or am I missing some configuration?

    What do I need to do so Branch Office's Firewall will send CAA user information to HO? I need to match user in the firewall rule because I have more than one web policy for the users.

    Thanks & Regards.

  • Hey, so you mean the user authenticates fine, it just does not get internet access, right? Is the IPsec tunnel a full tunnel or limited to the LAN subnets? And do you have a rule in place at the HO for VPN to WAN?

    Thanks & Regards,

    Vivek Jagad | Technical Account Manager 3 | Cyber Security Evolved

  • I'll share the settings with you.

    This is my BO:

    192.168.1.11 is my Active Directory

    192.168.5.1 is my Branch Office firewall's gateway

    192.168.5.20 is the workstation 

    192.168.1.1 = Head Office Firewall's IP

    Now the Head Office settings:

    STAS on Active Directory. Version 2.5.1.0


    So, I've sent all the settings so you could check.

    Thank you.

  • Hey, so you do have a full IPsec tunnel, as the local network mentioned is "any", but I do not see any FW rule "VPN to WAN". Can you create one rule for VPN to WAN and check if the user gets internet?

    Thanks & Regards,

    Vivek Jagad | Technical Account Manager 3 | Cyber Security Evolved

  • I have a VPN to WAN rule, as I showed you before:

    Does it need to be also in Branch Office? 

    The user gets internet access if I don't check "match known users" in the rule. If I leave FULL ACCESS with no authentication and no web policy it works fine. However, I need to redirect each user for the correct rule, so I need them to be authenticated somehow.

    Thank you
