
How does AC work?

Hello everyone, 

I was curious about the way Authentication Client works. Do you remember the previous version of it (Cyberoam Generic Authentication Client)? In that version, clients were able to change the IP address of Cyberoam in the settings. So, any change on the appliance side was equal to a change on the client side as well.

But in the Sophos XGS series you can download the MSI or exe version of AC and install it on clients. But there is no way to change the setting on the client side. So any change in the IP address of the appliance results in downloading the new AC version from the firewall and deploying that to the client. Is that right?

But in a strange case, I changed the IP address of the firewall but AC could communicate with it! Even in the case of changing the appliance, installing the new certificate was not required.

I am a little confused.



This thread was automatically locked due to age.
  • Hi,
    This CAA (Client Authentication Agent) workflow normally executes on the LAN side, where Sophos Firewall acts as the gateway. Based on the default configuration, the Authentication Client tries to connect to 1.2.3.4 on port 9922, which is known by Sophos Firewall.
    Sophos Firewall has a CA certificate which is imported at the client side. In case of a Sophos Firewall firmware upgrade, this CA certificate also migrates to the new XG firmware, so there is no need to install the CA again at the client side.

    There is a similar discussion: community.sophos.com/.../337781

  • Hello and thanks for replying. Currently my PC and Sophos are in a broadcast domain. But what if the firewall and clients are connected through a layer 3 network (switches and routers between them)?

    I mean, how can I change 1.2.3.4 and the port? I want to set a specific static IP from my layer 3 design and rebuild CAA and deploy it to clients. The best solution is using an FQDN address for the firewall. In this scenario, changing the IP doesn't affect the CAA. We can also use the web client, but it has problems like incompatibility with MAC binding. Btw, does the web client work when there is a layer 3 distance between firewall and client?

  • It should work if the CAA request reaches the firewall (directly or via a layer 3 network without NAT). There is no option to change the IP address in the CAA client (except the Linux CAA client, which takes a text file as input: https://support.sophos.com/support/s/article/KB-000035617?language=en_US).

    Yes. MAC binding is not supported with Web Client.

  • Hello and thanks again for replying. 

    a series of questions :)))

    1. Should we install a new version of CAA whenever we change the interface IP of the Sophos FW? I think when we download the CAA from the firewall, it contains the latest IP configuration of the firewall. It's the same for the exe and msi files.

    2. The certificate that is supposed to be imported to the client's PC is a self-signed certificate which belongs to the FW and is not valid. It expires after a long period. So the date is not the matter, but its validity is! Is it possible to bind another certificate to CAA which doesn't need to be imported? (A valid one.)

    The certificate problem matters in the web filtering case, when we want to show an alert to the user (Access denied), but because of the certificate validity, users see an insecure page which they should proceed through to see the customized message.

  • 1. CAA uses the default IP address 1.2.3.4. It does not depend on the SFOS IP configuration, so there is no need to install CAA again on the client side.
    2. The CAA client uses a self-signed CA certificate and does not work with any other certificate. The CA which is imported at the client side is valid for a long period. The certificate which is available in SFOS is auto-regenerated upon expiry.

  • But 1.2.3.4 is not routable in a layer 3 network. So, which address is used by the CAA on the client side to contact Sophos?

    What happens if we change the appliance IP after a while? How can we notify clients to use the new address?

    It seems all certificates on all Sophos appliances are the same. We restored the configuration to a new Sophos, but the client could contact it without any need to install any certificate (the previous one worked!)

  • As I mentioned above, the CAA client doesn't have an option to configure the IP address (except the Linux CAA client).
    Yes, the client imports the CA, not the certificate. The client works with the same CA after a firmware upgrade.

  • So, what happens when we change the IP of the appliance? It used to be x.y.z.1, now it's w.w.w.5

  • The client tries to connect to the magic IP (1.2.3.4), so there is no impact if the appliance IP changes. SFOS takes care of this IP (1.2.3.4) and port (9922) for the CAA workflow.
    Note:
    1. Single broadcast domain: traffic reaches the firewall, so no external configuration is required.
    2. In other cases, the layer 3 device needs a route configured (dynamic/static) so the client reaches the firewall and vice versa (regular IP + magic IP without NAT).
    Client -> Layer 3 device (magic IP traffic forwarded without source NAT) -> SFOS
    SFOS -> Layer 3 device -> Client
    If we use NAT on the layer 3 device, SFOS can't differentiate more than one client behind the layer 3 device.
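
A check for the layer 3 case described in the note above, as an added example that is not part of the original thread or any Sophos code: it audits a simplified, constructed model of the intermediate device's routes and source-NAT rules. The addresses, rule format and function names are assumptions; only 1.2.3.4 and port 9922 come from the thread.

```python
import ipaddress

MAGIC_IP = ipaddress.ip_address("1.2.3.4")  # magic IP named in the thread
CAA_PORT = 9922                             # CAA port named in the thread

def next_hop(routes, dst):
    """Longest-prefix match over (prefix, next_hop) pairs; None if no route."""
    best = None
    for prefix, hop in routes:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, hop)
    return best[1] if best else None

def snat_hits(nat_rules, client_net, dst):
    """Names of source-NAT rules that would rewrite client -> dst traffic."""
    clients = ipaddress.ip_network(client_net)
    return [r["name"] for r in nat_rules
            if ipaddress.ip_network(r["src"]).overlaps(clients)
            and dst in ipaddress.ip_network(r["dst"])]

def audit(routes, nat_rules, client_net, firewall_ip):
    """List reasons CAA traffic would not reach the firewall un-NATed."""
    problems = []
    hop = next_hop(routes, MAGIC_IP)
    if hop != firewall_ip:
        problems.append(f"{MAGIC_IP} routes via {hop}, expected {firewall_ip}")
    for name in snat_hits(nat_rules, client_net, MAGIC_IP):
        problems.append(
            f"SNAT rule '{name}' hides clients for {MAGIC_IP}:{CAA_PORT}")
    return problems

# Constructed sample data: clients in 10.20.0.0/24, firewall at 10.0.0.1.
CLIENTS, FIREWALL = "10.20.0.0/24", "10.0.0.1"
BAD_ROUTES = [("0.0.0.0/0", "192.0.2.1")]            # magic IP leaves via ISP
BAD_NAT = [{"name": "masq-all", "src": "10.20.0.0/16", "dst": "0.0.0.0/0"}]
GOOD_ROUTES = BAD_ROUTES + [("1.2.3.4/32", FIREWALL)]  # host route to SFOS
GOOD_NAT = [{"name": "masq-dmz", "src": "172.16.0.0/24", "dst": "0.0.0.0/0"}]

if __name__ == "__main__":
    for label, r, n in (("bad", BAD_ROUTES, BAD_NAT),
                        ("good", GOOD_ROUTES, GOOD_NAT)):
        print(label, audit(r, n, CLIENTS, FIREWALL) or "OK")
```

The return path (SFOS -> layer 3 device -> client) depends on the firewall's own routes and is not modelled here.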