Hi everyone, I really need some help. I've already tried some KBs but no luck.
I'm having some trouble configuring my branch office users to connect to my Active Directory Server on the head office site.
I have already set up IPSec VPN from Head Office (Sophos XG 115) to Branch Office (Sophos XG 105 without license).
I have already followed the KBs: https://docs.sophos.com/nsg/sophos-firewall/19.0/Help/en-us/webhelp/onlinehelp/AdministratorHelp/Authentication/HowToArticles/AuthenticationAllowSTASOverVPN/index.html#introduction
https://support.sophos.com/support/s/article/KB-000035839?language=en_US
What is happening:
When I log in on the computer at the branch office (using a domain user), the Sophos Firewall at Head Office gets the IP from the Sophos Firewall at the Branch Office and not the IP from the workstation. After logging in, the browser pops up the login page from the Sophos Firewall at Head Office. I can log in through it normally, but the transparent authentication won't work properly.
Sophos Firewall on the Head Office site: 192.168.1.1
Sophos Firewall on the Branch Office site: 192.168.5.1
Workstation on the Branch Office site: 192.168.5.20
Domain controller: 192.168.1.11
For the Head Office network users, everything is OK with STAS. I've already set up the Servers, Services and STAS tabs below like on my Head Office Firewall.
Head Office Sophos Firewall:
Here it should be 192.168.5.20.
What can I do so Sophos Firewall gets the correct IP 192.168.5.20 from the workstation on Branch Office site?
Thank you guys.
Hello techblue, thank you for reaching out to the community. Is client auth for the VPN zone enabled under Administration > Device access?
Hi techblue
Thank you for reaching out to the community. In STAS you can verify this by editing the "Sophos Appliance" field and checking whether "Enable Subnet based filter" is applied or not, as per the snapshot reference below.
Thanks and Regards
"Sophos Partner: Infrassist Technologies Pvt Ltd".
If a post solves your question please use the 'Verify Answer' button.
Hi Bharat J
I did like the snapshot I've just sent, but nothing has changed. The HO Firewall keeps picking the user IP 192.168.1.1 :/
What else should I review?
This is really driving me crazy.
Thank you.
Hey techblue, so you mean the user authenticates fine, it just does not get internet access, right? Is the IPsec a full tunnel or limited to the LAN subnets? And do you have a VPN to WAN rule in place at HO?
Thanks & Regards,
Vivek Jagad | Technical Account Manager 3 | Cyber Security Evolved
I'll share the settings with you.
This is my BO:
192.168.1.11 is my Active Directory
192.168.5.1 is my Branch Office firewall's gateway
192.168.5.20 is the workstation
192.168.1.1= Head Office Firewall's IP
Now the Head Office settings:
STAS on Active Directory. Version 2.5.1.0
So, I've sent all the settings so you could check.
Hey techblue, so you do have a full IPsec tunnel, as the local network mentioned is "any", but I do not see any "VPN to WAN" firewall rule. Can you create one rule for VPN to WAN and check if the user gets internet?
I have a VPN to WAN rule, as I showed you before:
Does it need to be also in Branch Office?
The user gets internet access if I don't check "match known users" in the rule. If I leave FULL ACCESS with no authentication and no web policy it works fine. However, I need to redirect each user for the correct rule, so I need them to be authenticated somehow.
Thank you
On the BO it would be LAN to VPN.
Then try to ping the global DNS 8.8.8.8 and capture it via the GUI packet capture. Monitor traffic using the Packet Capture Utility: https://support.sophos.com/support/s/article/KB-000035761?language=en_US
Can you share the output from both the HO and BO so that we can learn about the FW/NAT rule it hits on both sides?
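The two captures asked for above are the key diagnostic in this thread: the HO firewall binds a user to whatever source address it sees coming out of the tunnel, so if the workstation's address is rewritten on the way, STAS can only ever tie the user to a firewall address. As an added example (not from the thread and not Sophos code), here is a small Python script that parses tcpdump-style capture lines from both sides and reports whether the workstation's address survives the tunnel, plus a check of whether an address reported by STAS could plausibly be a branch-office user. The capture lines are constructed; the /24 for the branch LAN and the tcpdump line format are assumptions, and the host addresses are the ones posted in the thread.

```python
"""Sanity-check a STAS-over-IPsec setup from two packet captures.

Added example, not from the thread. Assumes tcpdump-style text lines
(as exported from a firewall packet-capture utility). The capture
lines below are constructed, not real output from either firewall.
"""
import ipaddress
import re
from collections import Counter

# Addresses as posted in the thread.
WORKSTATION = "192.168.5.20"
BO_FIREWALL = "192.168.5.1"
HO_FIREWALL = "192.168.1.1"
# Assumed branch LAN; the thread only shows host addresses.
BRANCH_SUBNETS = ["192.168.5.0/24"]

# Constructed lines "seen" on the branch-office (BO) firewall.
BO_CAPTURE = """\
12:00:01.000000 IP 192.168.5.20 > 8.8.8.8: ICMP echo request, id 1, seq 1, length 64
12:00:01.010000 IP 8.8.8.8 > 192.168.5.20: ICMP echo reply, id 1, seq 1, length 64
12:00:02.000000 IP 192.168.5.20.51000 > 192.168.1.11.445: Flags [S], seq 1, win 64240, length 0
"""
# Constructed lines "seen" on the head-office (HO) firewall, source preserved.
HO_CAPTURE_GOOD = """\
12:00:01.002000 IP 192.168.5.20 > 8.8.8.8: ICMP echo request, id 1, seq 1, length 64
12:00:02.002000 IP 192.168.5.20.51000 > 192.168.1.11.445: Flags [S], seq 1, win 64240, length 0
"""
# Constructed lines "seen" at HO when BO NATs traffic into the tunnel.
HO_CAPTURE_NATED = """\
12:00:01.002000 IP 192.168.5.1 > 8.8.8.8: ICMP echo request, id 1, seq 1, length 64
12:00:02.002000 IP 192.168.5.1.51000 > 192.168.1.11.445: Flags [S], seq 1, win 64240, length 0
"""

LINE_RE = re.compile(r"\bIP (\S+) > (\S+):")


def split_host_port(token):
    """'1.2.3.4.445' -> ('1.2.3.4', 445); '1.2.3.4' -> ('1.2.3.4', None)."""
    parts = token.split(".")
    if len(parts) == 5:
        return ".".join(parts[:4]), int(parts[4])
    return token, None


def parse_capture(text):
    """Return (src, sport, dst, dport) for every IPv4 line in the capture."""
    flows = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        src, sport = split_host_port(m.group(1))
        dst, dport = split_host_port(m.group(2))
        flows.append((src, sport, dst, dport))
    return flows


def sources_toward(flows, dst):
    """Count the source addresses of packets sent to dst."""
    return Counter(src for src, _, d, _ in flows if d == dst)


def check_source_preserved(bo_text, ho_text, workstation, dst):
    """Compare which sender each firewall sees for traffic to dst.

    If the workstation appears at BO but only another address (e.g. the
    BO firewall) appears at HO, the source is rewritten into the tunnel
    and any IP-based identity at HO is tied to the wrong address.
    """
    bo_src = sources_toward(parse_capture(bo_text), dst)
    ho_src = sources_toward(parse_capture(ho_text), dst)
    return {
        "seen_at_bo": workstation in bo_src,
        "seen_at_ho": workstation in ho_src,
        "ho_sources": sorted(ho_src),
        "preserved": workstation in bo_src and workstation in ho_src,
    }


def stas_ip_plausible(reported_ip, branch_subnets, firewall_ips):
    """Could a logon event carrying this source IP identify a branch user?"""
    ip = ipaddress.ip_address(reported_ip)
    if reported_ip in firewall_ips:
        return False, "address belongs to a firewall, not a user workstation"
    if not any(ip in ipaddress.ip_network(n) for n in branch_subnets):
        return False, "address is outside the configured branch subnets"
    return True, "ok"


if __name__ == "__main__":
    for label, ho in (("good", HO_CAPTURE_GOOD), ("nated", HO_CAPTURE_NATED)):
        print(label, check_source_preserved(BO_CAPTURE, ho, WORKSTATION, "8.8.8.8"))
    print(stas_ip_plausible("192.168.1.1", BRANCH_SUBNETS, {BO_FIREWALL, HO_FIREWALL}))
```

Feed it the real exports from both firewalls instead of the constructed strings: if `preserved` comes back false and `ho_sources` lists only a firewall address, the fix is on the NAT side of the tunnel, not in STAS.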
Hi techblue,
As per the snapshot under Sophos Appliance, you are not getting the BO Sophos IP on the STAS suite general tab. I suspect an issue with the firmware you are running, as it is end of life.
You can use Sophos RED to connect to your Branch office below is the link to get details of the device :
https://www.sophos.com/en-us/products/next-gen-firewall/tech-specs#SDRED
I think you didn't check the snapshots I've sent you. There is a LAN to VPN rule on Branch Office.
Packet capture on BO. The workstation is pinging 8.8.8.8.
On HO:
Packet capture from the host 192.168.5.20
Apologies techblue, can you show us the violation status on the HO screenshot? What's causing the violation? There must be a reason if you scroll it to the right...
You can apply match user on the LAN to VPN rule and check.
Where I can find it?