I was curious about the way Authentication Client works. You remember previous version of that? (Cyberoam Generic Authentication Client)? In that version, clients where able to change the IP address of Cyberoam in the setting. So, any change in the appliance side was equal to a change in client side as well.
But, In Sophos XGS series you can download the MSI or exe version of AC and install it on clients. But there is not way to change the setting on the client side. So any change in the IP address of appliance results to downloading the new AC version from the firewall and deploying that to the client. Is that right?
But in an strange case, I changed the IP address of firewall but AC could communicate with that! Even in case of changing the appliance installing the new Certificate was not required.
I am a little confused.
Hi Memorycard ,This CAA (Client Authentication agent) workflow normally execute LAN side where Sophos Firewall act as gateway. Based upon default configuration Authentication client try to connect 220.127.116.11 on port 9922 which known by Sophos Firewall.Sophos Firewall has CA certificate which imported at client side. In case of Sophos Firewall Firmware upgrade, this CA certificate also migrate to new XG firmware so no need to install CA again at client side.There is similar discussion: community.sophos.com/.../337781
Hello and thanks for replying. currently my pc and sophos are in a broadcast domain. But, what if the firewall and clients are connect through a layer 3 network (switches and routers between them)?
I mean, how can I change 18.104.22.168 and th3 port? I want to set a specific static IP from my Layer 3 desing and rebuild CAA and deploy it to clients. The best solution is using a FQDN address to the firewall. In this scenario, Changing the IP doesn't affect the CAA. We can also use web client but it has problems like incompatibility with MAC binding. Btw, does Web client work when there is a layer 3 distance between firewall and client?
It should work if CAA request reach to Firewall (direct or via layer 3 network without NAT). There is no option to change IP address in CAA client. (Except linux CAA client which takes text file as input: https://support.sophos.com/support/s/article/KB-000035617?language=en_US)
Yes. MAC binding has not supported with Web Client.
Hello and thanks again for replying.
a series of questions :)))
1. should we insall a new version of CAA when ever we change the interface IP of sophos FW? I think wheb we download the CAA from the firewall, it consists the last IP configurations on the firewall. It's the same form exe and msi file.
2. The certificate that is supposed to be imported to client's pc is a selfsigned certificate which belongs to FW and is not valid. It's expires after a long period. So the date is not the matter, but its validity is! Is it possible to bind another certificate to CAA which doesn't need to be imported?(A valid one).
The certificate problem matters in the case of web filtering case, when we o
want to show an alert to the user (Access denied), but because the certificate validity, users see an insecure page which should proceed to see the costumized message.
1. CAA use default IP address 22.214.171.124. It is not depend upon SFOS IP configuration so no need to install CAA again on client side.2. CAA client use self signed CA certificate and not work with any other certificate. A CA which imported at client side has valid for long period. A certificate which available in SFOS has auto regenerate upon expiry.
But 126.96.36.199 is not routable in a layer 3 network. So, which address is used by the CAA on client side to contact with sophos?
what happen if we change the appliance ip after a while? How we can notify clients to use new address?
it's seems all certificates on all sophos appliances is the same. We restored configuration to a new sophos but client cloud contact without any need to install any certificate(the previous one worked!)
As I mentioned above, CAA client don't have option to configure IP address (except linux CAA client). Yes, Client import CA, not certificate. Client work with same CA after firmware upgrade.
so, what happens when we change the IP of appliance? it used to be x.y z.1, now it's w.w.w.5
Client try to connect magicip (188.8.131.52) so it doesn't impact if appliance IP change. SFOS has taken care this IP(184.108.40.206) and Port(9922) for CAA workflow.Note: 1. Single Broadcast domain: Traffic reach to Firewall so no external configuration require.2. Other case, Layer 3 device need to configure route (dynamic/static) so client reach to Firewall and vice-versa (regular IP + magicIP without NAT)Client -> Layer3 device (magicIP traffic forward without Source NAT) -> SFOSSFOS -> Layer3 device -> Client If we use NAT in Layer3 device, SFOS can't differentiate more than one client behind Layer3 device.