
Communication between DC's with STAS for SSO... NEED HELP!

WARNING... Amateur looking for guidance. :-)

Environment:

  • Standard Windows network
  • 2 Active Directory Domain Controllers (for redundancy: BOTH Server 2008 R2)
    • DC 1: 10.130.210.40  (FSMO Roles: PDC, RID pool master, Infrastructure master)
    • DC 2: 10.130.210.41  (FSMO Roles: Schema master, Domain naming master)
  • Sophos XG 230: 10.130.210.112
  • Windows 7 and Windows 10 workstations


SO, I have been struggling to get my new Sophos XG 230 off the ground (as far as SSO Clientless Authentication).  After DAYS of messing around with this... I think I am starting to at least hone in on some of my issues.

Observed Problem: Users will get added to the "Live Connections" screen... but then within minutes drop off. (Lock or Logoff and the user will be back on, and everything starts to work again... for a few minutes).

Where I THINK the problem exists:  Communication between the 2 DC's running "Sophos Transparent Authentication Suite" (I know documentation shows one DC should have one "Suite", and the other "Agent".  But I have tried both ways, and I don't think that is my problem.)

NOTICED ISSUES: Under the "Advanced" tab on the STAS Suite, some of the tests FAIL:

Test Connectivity: Sophos (XG appliance): Successful

STAS Agent: From DC1 to DC1: Success

STAS Agent: From DC1 to DC2: FAILURE

STAS Collector: From DC1 to DC1 (or DC2 to DC2): Success

STAS Collector: From DC1 to DC2: Failure

ALSO:

If I try and use the "Configuration Sync" to copy information between the 2 DC's... They both show FAILURE:

-------------------------------

So I am "THINKING" my issue is communication between the two DC's (as far as STAS needs):

I know the literature states to open TCP/UDP ports: 6677, 5566, 6060

I even found this reply to a similar issue:

Question/HELP:

I am FAR from a Server/Network expert (I wear too many hats (jobs) here to get GOOD at anything).  But this is what I did to "Open Ports" for these needed connections (PLEASE correct my errors).

STEPS:

  • ON BOTH DC's (Administrative Tools > Windows Firewall with Advanced Security):
  • Inbound Rules: "New Rule"
    • Select "Port"
    • "Specific local ports":  TCP: 5566
    • "Allow the connection"
    • "When does the rule apply?"  I selected "Domain" and "Private"... I did not check "Public"?  (Not sure what I should have used here?)  Would like to keep things SECURE!
    • Gave it a name and "Finish".

After this I repeated it with Inbound: UDP: 6677

Then I configured: "Outbound Rules"

I did this on BOTH DC's... but STILL cannot communicate between the two (as far as testing like above with STAS "Test Connectivity").

NOTE: I can PING between the DC's w/ no problem
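Added example (not code from the original post, and not Sophos's own tooling): the same firewall rules as the STEPS above, created from an elevated PowerShell prompt with netsh advfirewall, which exists on Server 2008 R2 (the New-NetFirewallRule cmdlet only appeared in Server 2012), followed by two checks that a ping cannot give you. Assumptions: the three ports are opened for both TCP and UDP because the documentation quoted above says "TCP/UDP" and the post does not say which port carries which STAS role; the rules are scoped to the peer DC and the XG (the only hosts that need these ports) and to the Domain profile; the rule names are made up here. Run it on each DC with $PeerDC pointing at the other DC.

```powershell
# Added example, not from the original post or from Sophos. Run in an elevated
# PowerShell prompt on EACH DC; set $PeerDC to the OTHER DC before running.
# Addresses are the ones listed in the post.
$PeerDC = '10.130.210.41'    # the other STAS host (use .40 when run on DC 2)
$XG     = '10.130.210.112'   # Sophos XG 230

# The three ports the post quotes from the documentation. The page says TCP/UDP
# for all of them and does not say which port is which STAS role, so both
# protocols are opened on every port (assumption: no further narrowing).
$Ports = 6677, 5566, 6060

# Least privilege: only the peer DC and the XG need to reach these ports, so each
# rule is scoped to those two addresses and to the Domain profile instead of
# allowing any host on a Private or Public network.
$Remote = "$PeerDC,$XG"

function Add-StasRule {
    param([string]$Dir, [string]$Proto, [int]$Port)
    $name = "STAS-$Dir-$Proto-$Port"          # hypothetical rule name
    # Inbound rules match on the local listening port; outbound rules match on
    # the port being connected to on the remote side.
    if ($Dir -eq 'in') { $portArg = "localport=$Port" } else { $portArg = "remoteport=$Port" }
    $result = netsh advfirewall firewall add rule name=$name dir=$Dir action=allow protocol=$Proto $portArg remoteip=$Remote profile=domain
    "$name : $result"
}

foreach ($p in $Ports) {
    foreach ($proto in 'TCP', 'UDP') {
        Add-StasRule -Dir in  -Proto $proto -Port $p
        Add-StasRule -Dir out -Proto $proto -Port $p
    }
}

# Check 1: which firewall profile is actually active on this DC. A rule limited
# to the Domain profile does nothing if the NIC was classified as Private/Public.
netsh advfirewall show currentprofile

# Check 2: TCP probe to the peer. Ping only proves ICMP gets through; this proves
# a TCP listener on the STAS port answers. It needs STAS running on $PeerDC and
# cannot test the UDP side.
function Test-TcpPort {
    param([string]$Target, [int]$Port, [int]$TimeoutMs = 3000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($Target, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($async)
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

foreach ($p in $Ports) {
    "{0}:{1} TCP reachable: {2}" -f $PeerDC, $p, (Test-TcpPort -Target $PeerDC -Port $p)
}

# Review what was created.
netsh advfirewall firewall show rule name=all | Select-String 'STAS-'
```

Two notes on the design. Windows Firewall with Advanced Security allows outbound traffic by default, so the outbound rules only matter if that default was changed on the DCs; they are harmless otherwise. Scoping with remoteip means a STAS agent installed later on a third server will need its address added to $Remote, which is the intended trade-off: the ports are reachable only from the machines that are part of the STAS setup.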


I TRULY appreciate any help on configuring this... I am starting to run short on time on getting this into production, and am SO LOST!


THANKS to ANYONE who can help!


