Note: Please contact Sophos Professional Services if you require direct assistance with your specific environment.
Sophos Transparent Authentication Suite (STAS) lets users log in to Sophos Firewall automatically when they log on to a Windows AD workstation.
STAS requires software installation on AD servers only; no software needs to be installed on workstations.
This article provides best practices to configure STAS on Sophos Firewall v18.5 and v19.0.
The configuration example provided in the article is quite simple, but it explains how STAS works.
It covers Windows AD GPO and Windows Firewall rules needed for STAS, and also provides basic troubleshooting guides.
If you notice any errors in the article or improvements can be made, please let me know.
Here is the table of contents for preview.
See the 2 part video on STAS below:
STAS is meant to authenticate users on workstations, not servers.
STAS consists of an agent and a collector.
The agent monitors the AD domain controller for user logon events (Windows Event ID 4768) and sends them to the collector on UDP port 5566. (#1 and #2 in diagram logon.type2.png)
The collector analyses the logon event and, if the user isn't an existing STAS live user, sends it to Sophos Firewall on UDP port 6060. (#3 and #4 in diagram logon.type2.png)
Sophos Firewall looks up the username in the AD domain controller to retrieve the group, email address, and other details of the user. (#5 in diagram logon.type2.png)
The user is then displayed on Sophos Firewall as a STAS live user. (#6 in diagram logon.type2.png)
A user detected this way is known as STAS logon type 2.
The collector can also help Sophos Firewall find the user logged on to an AD workstation.
For example, Sophos Firewall has no live user for an AD workstation, but a firewall rule requires user authentication for traffic from that workstation. (#1 and #2 in diagram logon.type1.png)
In that situation, Sophos Firewall sends a query to the collector on UDP port 6677, asking for the username on the workstation. (#3 in diagram logon.type1.png)
The collector queries the workstation using the method defined in Workstation Polling Method, such as WMI. (#4 in diagram logon.type1.png)
The workstation replies with the username over WMI,
then the collector records the live user (#5 in diagram logon.type1.png) and sends it back to Sophos Firewall on UDP port 6060.
Sophos Firewall looks up the username in the AD domain controller to retrieve the group, email address, and other details of the user. (#6 in diagram logon.type1.png)
The user is then displayed on Sophos Firewall as a STAS live user. (#7 in diagram logon.type1.png)
A user detected this way is known as STAS logon type 1.
The default communication ports of the STA Agent and Collector can be changed.
UDP port 6060 on Sophos Firewall for STAS cannot be changed.
[ Note: Member server is a computer that runs an operating system in the Windows Server family, belongs to a domain, and is not a domain controller. ]
For AD domain with 1 DC, my recommendation is
For AD domain with 2 DC, my recommendation is:
Sophos Firewall v17.5 and later supports 12,288 live users, by default.
That can be verified as below
The limit can be raised with the following Device Console command, but make sure your Sophos Firewall is sized for it:
system auth max-live-users set <8192-32768>
STAS can only detect users on AD domain workstation.
If a workstation is not a member of the AD domain, STAS won't be able to detect live user on it.
In such a scenario, Sophos Client Authentication Agent is the solution. Details of Client Authentication Agent are available at https://support.sophos.com/support/s/article/KB-000038465
Traffic between AD workstations, the STA Agent/Collector and Sophos Firewall must be routed/switched, not NATed, because STAS needs the original IP address to work.
The STAS application requires a GUI to work. Windows Server core edition has no GUI environment installed by default, so STAS won't work on it.
Kevin Kuphal has provided a workaround:
You can run STAS on a member server and point it at a Windows Core domain controller and it will work just fine.
You can find out AD NetBIOS Name, FQDN, and Search DN as described below.
In this example, FQDN is tao.xg, and NetBIOS name is TAOXG
Search DN is required when we configure the authentication server on the Sophos Firewall.
To find out Search DN, run the command dsquery user in Windows CMD, as shown below.
C:\Users\Administrator>dsquery user
"CN=Administrator,CN=Users,DC=tao,DC=xg"
"CN=Guest,CN=Users,DC=tao,DC=xg"
"CN=krbtgt,CN=Users,DC=tao,DC=xg"
"CN=One User,OU=ABP Users,DC=tao,DC=xg"
"CN=Two User,CN=Users,DC=tao,DC=xg"
"CN=AD Admin,CN=Users,DC=tao,DC=xg"
"CN=User Super,CN=Users,DC=tao,DC=xg"
C:\Users\Administrator>
Search DN for "Two User" is "CN=Users,DC=tao,DC=xg"
Search DN for "One User" is "OU=ABP Users,DC=tao,DC=xg"
Later, we’ll configure search DN "DC=tao,DC=xg" in the authentication server on Sophos Firewall.
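The derivation above, as an added example that is not part of the original article: it parses dsquery user output, takes each user's parent container as that user's search DN, and computes the longest DN suffix shared by all users, which is the single search base to configure. The function names are illustrative; the sample is the listing shown above.

```python
import re

# dsquery output from the article's example domain (tao.xg), one quoted DN per line.
SAMPLE_DSQUERY = '''\
"CN=Administrator,CN=Users,DC=tao,DC=xg"
"CN=Guest,CN=Users,DC=tao,DC=xg"
"CN=krbtgt,CN=Users,DC=tao,DC=xg"
"CN=One User,OU=ABP Users,DC=tao,DC=xg"
"CN=Two User,CN=Users,DC=tao,DC=xg"
"CN=AD Admin,CN=Users,DC=tao,DC=xg"
"CN=User Super,CN=Users,DC=tao,DC=xg"
'''

# Split on commas that are not escaped with a backslash ("\," is legal inside a value).
_RDN_SPLIT = re.compile(r'(?<!\\),')


def split_dn(dn):
    """Return the RDNs of a distinguished name, leftmost (most specific) first."""
    cleaned = dn.strip().strip('"')
    return [rdn.strip() for rdn in _RDN_SPLIT.split(cleaned) if rdn.strip()]


def parse_dsquery(output):
    """Extract DNs from dsquery output, ignoring prompts and blank lines."""
    return [line.strip().strip('"') for line in output.splitlines()
            if line.strip().startswith('"')]


def search_dn(user_dn):
    """Search DN of a user: the DN of the container that holds the user object."""
    return ','.join(split_dn(user_dn)[1:])


def common_search_base(dns):
    """Longest DN suffix shared by every entry, compared case-insensitively."""
    reversed_rdns = [list(reversed(split_dn(dn))) for dn in dns]
    if not reversed_rdns:
        return ''
    common = []
    for parts in zip(*reversed_rdns):
        if len({p.lower() for p in parts}) != 1:
            break  # containers diverge here (e.g. CN=Users vs OU=ABP Users)
        common.append(parts[0])
    return ','.join(reversed(common))


if __name__ == '__main__':
    users = parse_dsquery(SAMPLE_DSQUERY)
    for dn in users:
        print(f'{dn} -> {search_dn(dn)}')
    print('Search base for the firewall:', common_search_base(users))
```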
Log on to Sophos Firewall webadmin, go to Administration > Device access, and enable "Client Authentication" for the zone where the STA Collector and user workstations are located. In this example, it’s the LAN zone.
We need to configure Windows AD DC as an authentication server on Sophos Firewall, so that Sophos Firewall can fetch group and other information of STAS live user from AD DC.
Sophos Firewall Online Help: Configure Active Directory authentication
Log on to the Sophos Firewall webadmin, go to Authentication > Servers, click on the "Add" button. Configure authentication server as below
- Server Type: Active Directory
- Server Name: any name for the AD DC
- Server IP: IP address of the AD DC
- Connection security: SSL/TLS, by default
- Port: 636, default TCP port for LDAP service on SSL/TLS
[ Note: To enable SSL on the Windows LDAP service, you only need to generate a CA on the AD DC and reboot the DC. The DC then automatically assigns the CA to the LDAP service and accepts LDAP traffic on TCP port 636. Details are in section "10. Appendix > a) Enable SSL on Windows LDAP service". ]
- NetBIOS Domain: TAOXG, as discovered above
- ADS username: an AD user with AD administrator privilege
- Password: password of ADS username
- Display Name Attribute: leave it blank. If you need to use another AD attribute for Name, please refer to Microsoft KBA docs.microsoft.com/.../attributes-all
- Email Address Attribute: mail, by default. If you need to use another AD attribute for Email, please refer to Microsoft KBA docs.microsoft.com/.../attributes-all
- Domain Name: tao.xg, as discovered above.
- Search Queries: "DC=tao,DC=xg" as discovered above.
Once the configuration is completed, click "Test connection" to make sure the Sophos Firewall can communicate with AD DC via LDAP.
This step is optional, however, it’s recommended to import AD user groups, to simplify user management on the Sophos Firewall.
To apply firewall rule on specific AD user groups, those AD user groups need to be imported into the Sophos Firewall.
Go to Authentication > Server, click the "Import" icon next to an AD server, as shown below
Set Base DN to "DC=tao,DC=xg"
Check the desired groups
Set common policies for those Groups. Normally we leave it as default during the initial setup.
Click on Next to import the group.
Go to Authentication > Groups, verify the AD group has been imported, as shown below
Go to the Sophos Firewall webadmin > Authentication > Services, choose the Windows AD DC as the first server for "Firewall Authentication Methods", as shown below.
Go to Sophos Firewall webadmin > Authentication > STAS, turn on "Enable Sophos Transparent Authentication Suite", and then click "Activate STAS" button, as shown below
Change default settings,
Next step is to add STAS server.
Click the "Add new collector" button, and add the IP address of the STAS server. In this example, it is 192.168.20.5
Collector Port can be checked on STAS Suite> General tab > Listening to the Sophos appliance on Port, as shown below
Make sure Firewall rule on AD workstation allows incoming WMI.
Action: Allow the connection
Once group policy is updated, you can continue to the next step to verify audit policy settings were applied correctly.
You can also wait for the group policy to be updated as per the Windows schedule.
C:\WINDOWS\system32>auditpol.exe /get /category:"Logon/Logoff"
System audit policy
Category/Subcategory                      Setting
Logon/Logoff
  Logon                                   Success and Failure
  Logoff                                  No Auditing
  Account Lockout                         No Auditing
  IPsec Main Mode                         No Auditing
  IPsec Quick Mode                        No Auditing
  IPsec Extended Mode                     No Auditing
  Special Logon                           No Auditing
  Other Logon/Logoff Events               No Auditing
  Network Policy Server                   No Auditing
  User / Device Claims                    No Auditing
  Group Membership                        No Auditing

C:\WINDOWS\system32>auditpol.exe /get /category:"Account Logon"
System audit policy
Category/Subcategory                      Setting
Account Logon
  Kerberos Service Ticket Operations      No Auditing
  Other Account Logon Events              No Auditing
  Kerberos Authentication Service         Success and Failure
  Credential Validation                   No Auditing

C:\WINDOWS\system32>
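One way to automate this verification, as an added example that is not part of the original article: it parses saved auditpol output and reports which of the two subcategories shown enabled above are not auditing success (Kerberos Authentication Service is the subcategory that produces Event ID 4768). Accepting "Success" alone as sufficient is an assumption of this example, and it expects English-language auditpol output.

```python
import re

# Constructed sample in the shape of the auditpol output shown above (abbreviated);
# {kas} is filled in below to build a passing and a failing policy.
TEMPLATE = """\
System audit policy
Category/Subcategory                      Setting
Logon/Logoff
  Logon                                   Success and Failure
  Logoff                                  No Auditing
  Other Logon/Logoff Events               No Auditing
Account Logon
  Kerberos Service Ticket Operations      No Auditing
  Kerberos Authentication Service         {kas}
  Credential Validation                   No Auditing
"""
SAMPLE_GOOD = TEMPLATE.format(kas="Success and Failure")  # state shown in the article
SAMPLE_BROKEN = TEMPLATE.format(kas="No Auditing")        # e.g. GPO not yet applied

# Subcategories the article's output shows enabled.
REQUIRED = ("Logon", "Kerberos Authentication Service")

# A subcategory line ends with one of the four possible settings.
_LINE = re.compile(
    r"^\s*(?P<name>.+?)\s+"
    r"(?P<setting>Success and Failure|Success|Failure|No Auditing)\s*$")


def parse_auditpol(text):
    """Map subcategory -> setting. Category headings have no setting and are skipped."""
    policy = {}
    for line in text.splitlines():
        m = _LINE.match(line)
        if m:
            policy[m.group("name")] = m.group("setting")
    return policy


def missing_success_auditing(text, required=REQUIRED):
    """Return the required subcategories that are absent or do not audit success."""
    policy = parse_auditpol(text)
    return [name for name in required
            if not policy.get(name, "No Auditing").startswith("Success")]


if __name__ == "__main__":
    for label, sample in (("good", SAMPLE_GOOD), ("broken", SAMPLE_BROKEN)):
        gaps = missing_success_auditing(sample)
        print(label, "->", "OK" if not gaps else "not auditing success: " + ", ".join(gaps))
```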
Event ID 4768 is for user logon.
If AD DC doesn't generate event ID 4768 in Windows Event Viewer, the STA Agent cannot detect any user logon activity.
Once event ID 4768 is generated, STA Agent forwards that information to the STA Collector UDP port 5566.
Please check Windows Event Viewer to make sure Event ID 4768 is generated when a user logs on a workstation.
The following screenshot shows user1 logged on AD domain tao.xg from workstation 192.168.20.19.
Sophos KBA for STAS https://support.sophos.com/support/s/article/KB-000035732
Latest STAS can be downloaded from Sophos Firewall webadmin > Authentication > Client downloads, as below
In this example, STA Agent was installed on a Windows AD DC 192.168.20.5. STA Collector was installed on a member server 192.168.20.9.
Please install STAS by right-clicking the installation file and choosing 'Run as administrator', to prevent any potential permission issue on Windows.
For STA Agent, choose "STA Agent"
For STA Collector, choose "STA Collector"
Enter Windows AD administrator credentials, as shown below. The account is needed to
The account does not have to be Administrator, but it must be a member of the Domain Admins group.
Open STAS on domain controller 192.168.20.5.
1) In "General" tab, put in NETBIOS name of AD domain, together with Fully Qualified Domain Name
And then click on Start button to start agent
2) Wait for Current Status of STA Agent to be "Start"
If STA agent cannot be started, please double check Administrator Credentials, NetBIOS Name, and Fully Qualified Domain Name.
3) Go to the "STA Agent" tab, and specify the subnet that all Windows AD users belong to, as shown below.
"STA Agent Mode": EVENTLOG is recommended.
"Domain Controller IP": It is only needed when STA Agent is installed on a member server. It must be blank if STA Agent is installed on an AD DC. Otherwise, STA Agent can't read local Windows Event logs.
"Monitor Networks": 192.168.20.0/24 for the example
"Collector List": In the example, it is 192.168.20.9
"Domain Controller Polling" is available for configuration if STA Agent Mode is set to NETAPI. In the example, I set STA Agent Mode to be EVENTLOG, therefore, no need to configure the option.
Remember to click on "OK" to save configuration on STA agent.
Open STAS on member server 192.168.20.9.
In "General" tab, put in NetBIOS Name and Fully Qualified Domain Name of AD domain.
Go to "STA Collector" tab,
Go to "Exclusion List",
1) In "Login User Exclusion List": we put in any background service accounts, for example trendupd, trendupd2, OktaService, and more, depending on software installed on workstation.
That prevents a STAS live user from being logged off when a background service account logs in to start background tasks.
Note:
- "Login User Exclusion List" only supports "username", and doesn't support "email@example.com", nor "domain\username".
- Username in "Login User Exclusion List" is case insensitive.
2) In "Login IP Address/Network Exclusion List", add IP addresses of any server, for example Citrix terminal server, Microsoft RDS server, DNS server, web server, to prevent frequent user logon/logoff.
The reason is that STAS is meant to authenticate users on workstations, not servers.
In the example, I put IP address of DNS server and web server into Login IP Address Exclusion List.
The following is recommended, in case STAS troubleshooting is needed.
STAS log files, stas.log, and stas.log1, are located on the Windows server installed with STAS in the directory of C:\Program Files (x86)\Sophos\Sophos Transparent Authentication Suite, by default.
stas.log and stas.log1 get rotated at every 25 MB (or as defined by Log File Size).
Remember to click on "OK" to save configuration.
We have completed configuration of STA Collector.
Click "Start" to start STAS service.
Once STAS and Sophos Firewall establish communication, the IP address of the Sophos Firewall is displayed on the "General" tab, as below
Sometimes, STAS service might fail to be started, with the error "Failed: Cannot start service: STAS". Please refer to section "8. Troubleshooting > g) STAS service did not start due to a logon failure" for solution.
SSH to Sophos Firewall as admin, go to 5. Device Management > 3. Advanced Shell, and run the following command:
grep "CTA LIVE Received from\|sending CTA_IS_ACTIVE" /log/access_server.log | tail
SFVUNL_SO01_SFOS 18.0.4 MR-4# grep "CTA LIVE Received from\|sending CTA_IS_ACTIVE" /log/access_server.log | tail
DEBUG Feb 08 16:00:36.719168 [access_server]: process_cta_live: CTA LIVE Received from 192.168.20.5
DEBUG Feb 08 16:01:06.733092 [access_server]: process_cta_live: CTA LIVE Received from 192.168.20.5
DEBUG Feb 08 16:01:36.748435 [access_server]: process_cta_live: CTA LIVE Received from 192.168.20.5
DEBUG Feb 08 16:02:06.753870 [access_server]: process_cta_live: CTA LIVE Received from 192.168.20.5
DEBUG Feb 08 16:02:36.754746 [access_server]: process_cta_live: CTA LIVE Received from 192.168.20.5
DEBUG Feb 08 16:03:06.770399 [access_server]: process_cta_live: CTA LIVE Received from 192.168.20.5
DEBUG Feb 08 16:03:36.784307 [access_server]: process_cta_live: CTA LIVE Received from 192.168.20.5
DEBUG Feb 08 16:04:06.799499 [access_server]: process_cta_live: CTA LIVE Received from 192.168.20.5
MESSAGE Feb 09 11:01:29.423157 [access_server]: process_cta_live: sending CTA_IS_ACTIVE 192.168.20.5
MESSAGE Feb 09 11:08:30.094186 [access_server]: process_cta_live: sending CTA_IS_ACTIVE 192.168.20.5
SFVUNL_SO01_SFOS 18.0.4 MR-4#
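The same check run over a saved copy of access_server.log, as an added example that is not part of the original article: it groups the "CTA LIVE Received from" lines by sender, flags configured collectors that have gone quiet or never reported, and lists senders that are not configured collectors. The 90-second staleness threshold is an assumption derived from the 30-second spacing in the output above; the year parameter is needed because the log lines carry no year.

```python
import re
from datetime import datetime, timedelta

# Constructed sample in the format of the access_server.log lines shown above.
# 192.168.20.6 and 192.168.20.77 are hypothetical addresses added for this example.
SAMPLE_LOG = """\
DEBUG Feb 08 16:00:36.719168 [access_server]: process_cta_live: CTA LIVE Received from 192.168.20.5
DEBUG Feb 08 16:00:40.100000 [access_server]: process_cta_live: CTA LIVE Received from 192.168.20.6
DEBUG Feb 08 16:01:06.733092 [access_server]: process_cta_live: CTA LIVE Received from 192.168.20.5
DEBUG Feb 08 16:01:36.748435 [access_server]: process_cta_live: CTA LIVE Received from 192.168.20.5
DEBUG Feb 08 16:02:10.000000 [access_server]: process_cta_live: CTA LIVE Received from 192.168.20.77
DEBUG Feb 08 16:03:36.784307 [access_server]: process_cta_live: CTA LIVE Received from 192.168.20.5
DEBUG Feb 08 16:04:06.799499 [access_server]: process_cta_live: CTA LIVE Received from 192.168.20.5
MESSAGE Feb 08 16:04:10.000000 [access_server]: process_cta_live: sending CTA_IS_ACTIVE 192.168.20.5
"""

_CTA_LIVE = re.compile(
    r"(?P<ts>[A-Z][a-z]{2} \d{2} \d{2}:\d{2}:\d{2}\.\d+) \[access_server\]: "
    r"process_cta_live: CTA LIVE Received from (?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s*$")


def heartbeats(log_text, year):
    """Return {sender_ip: [datetime, ...]} for every CTA LIVE line."""
    seen = {}
    for line in log_text.splitlines():
        m = _CTA_LIVE.search(line)
        if m:
            ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S.%f")
            seen.setdefault(m.group("ip"), []).append(ts)
    return seen


def collector_health(log_text, expected, now, year, max_gap=timedelta(seconds=90)):
    """Classify each configured collector and list heartbeat senders not configured."""
    seen = heartbeats(log_text, year)
    status, worst_gap = {}, {}
    for ip in expected:
        stamps = sorted(seen.get(ip, []))
        if not stamps:
            status[ip] = "never-seen"
            continue
        # Largest silence between two consecutive heartbeats in the log.
        worst_gap[ip] = max((b - a for a, b in zip(stamps, stamps[1:])),
                            default=timedelta(0))
        status[ip] = "stale" if now - stamps[-1] > max_gap else "ok"
    return {"status": status, "max_gap": worst_gap,
            "unexpected": sorted(set(seen) - set(expected))}


if __name__ == "__main__":
    report = collector_health(SAMPLE_LOG, ["192.168.20.5", "192.168.20.6"],
                              now=datetime(2021, 2, 8, 16, 4, 30), year=2021)
    for ip, state in report["status"].items():
        print(ip, state, report["max_gap"].get(ip))
    print("senders not configured as collectors:", report["unexpected"])
```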
If STA Collector and STA Agent are installed on different servers,
If STA Collector and STA Agent are installed on the same Windows server, create Windows Firewall rules on the Windows server, to allow
Ports needed by STAS are described in section "1. How STAS works > d) Summary of ports"
Windows Firewall rules are applied per network profile (Domain, Private, Public). Make sure the above Windows Firewall rules are applied to the correct network profile.
For STAS to work without problems, the STA Collector has to communicate with all workstations via the workstation polling method.
In the above configuration, we configured the STA Collector to use WMI as the workstation polling method.
We need to verify that the STA Collector can communicate with any AD workstation via WMI:
It should be successful. Otherwise, please check the Windows GPO configuration for WMI in section "5. Configure Windows AD GPO > b) Allow inbound WMI on AD computers"
To troubleshoot WMI issues, please refer to
user1 logged on again to AD workstation 192.168.20.19 after STAS was set up
On STA collector, open STAS, go to Advanced > Show Live Users, there was the live user.
On Sophos Firewall webadmin, Current Activity > Live Users also showed the live user
Create a firewall rule to allow users in IT group to access Internet
Now, 192.168.20.19 can access Internet
Sophos Firewall webadmin > Current activities > Live connections > Live connections for: Username shows live connection of firstname.lastname@example.org
Firewall rule traffic stats also confirmed traffic from 192.168.20.19 was generated by the user in the IT group and hit the firewall rule.
When STA Collector cannot communicate with Sophos Firewall, STAS "General" tab doesn't show the Sophos Firewall IP address.
In case STA Collector doesn't detect any live user
If Sophos Firewall doesn't show any live user, but STAS shows live users, make sure
STAS can detect live user on AD workstation, however, it removes live user after a while.
Firewall webadmin GUI > Current Activity > Live Users show some STAS live users, but not all of them. Some STAS live users are missed on Sophos Firewall.
Please also check if Sophos Firewall reaches STAS server via static route. Details in section "9. Known issues".
If STAS service fails to start with "Fatal Error: The service did not start due to a logon failure.", make sure the account for STAS is a member of AD group "Domain Admins".
You can update the account for STAS in the "General" tab, as below
If the above doesn't fix the issue, please try the following:
1) Go to Windows Service, find "Sophos Transparent Authentication Suite". Right click on it, and click on "Properties"
2) Go to "Log On" tab, and enter AD Domain admin account and password again.
3) Go back to STAS, click on "Start" button, and now STAS should Start.
a) Dead entry timeout: must be 0, otherwise STAS stops working (applies to STAS v184.108.40.206 and earlier)
b) When Sophos Firewall reaches STAS server via a static route, Sophos Firewall cannot communicate with STAS server after reboot/boot-up.
Symptom: Sophos Firewall doesn't send packets to STAS server UDP port 6677 to actively query live user on workstations. Sophos Firewall can only passively receive live user information from STAS server.
Workaround: Manually restart authentication service after firewall reboot/boot-up.
- in Advanced Shell, please run the command "service access_server:restart -ds nosync", or
- in webadmin GUI, go to "System service" > "Services", and then Restart "Authentication" service, as below
[ Note: This bug (NC-84910) will be fixed in Sophos Firewall OS v18.5 MR5. ]
Note: If you need technical support to enable SSL on Windows LDAP service, please seek help from Microsoft.
In Server Manager, Add Roles and Features
Select "Role-based or feature-based installation"
Add role of "Active Directory Certificate Services"
Click on "Next", install "Certificate Authority"
Once the installation is complete, in Server Manager, click on "Notifications" > Post-deployment Configuration > Configure Active Directory Certificate Services
In "AD CS Configuration", click Next to continue
Choose "Enterprise CA"
Choose "Root CA"
"Create a new private key"
Key length: at least 2048
Hash algorithm: SHA256 or higher, don't choose SHA1/MD5...
Input essential information for the CA
Click on "Configure" to generate root CA.
Now, restart the DC, and Windows automatically enables SSL on LDAP service.
2022-08-10, updated section "2. Limitation" with "d) Windows server core edition is not supported". Thanks to Kevin Kuphal.
2022-07-18, updated section "2. Limitation" with "c) NAT is not supported". Thanks to David Raj Suntharesan.
2022-05-04, major updates:
2021-10-06, minor change, renamed "XG firewall" to "Sophos Firewall"
2021-08-13, updated section "Configure Exclusion List"
2021-07-23, added section "9. Known issues"
2021-01-29, updated ToC.
2021-01-25, converted from PDF to HTML by emmosophos. Thank you.
2021-01-15, first edition
I would like to see information about
- having multiple Agents and Collectors - best practise (e.g. 4 DC in a domain: 4 agents, 2 collectors? Must we set up every collector on every agent?)
- Using more than one collector in a collector group - how can we make sure that in case of any device failing redundancy applies?
- Using a XG cluster: do we have to set up the native IPs of the XG in the collector or the cluster one?
Note, it will be updated within 2 weeks.
- when there are 4 DC in a domain, I recommend
on 2 DC, install STA Suite (Agent + Collector)
on the other 2 DC, install STA Agent, and configure them to serve those 2 STA Collectors
on XG firewall, put those 2 STA Collectors into same Collector group, since they are in same AD domain
- to check which collector communicates with XG firewall,
Details in section "6. Install and configure STAS > g) Start STAS"
- need to put XG firewall interface IP, not HA peer administration IP, into STA Collector
This is a much better and more thorough article than the official guide, which fails to mention entering the audit settings in the default domain policy. It only suggests putting these setting on the DCs with the collector installed. Thanks!
Hi Paul, thanks for taking the time to share your feedback!
Which official guide are you referring to? I'd like to follow up with our product documentation team to have this updated.
Excellent Guide Thank you!
Very great manual, it's useful, thanks for this
Every other guide. There are around 15?
for example in no one is described, who is doing WMI polling. agent or collector?
Question about this setup:
Does the STAS Agent support installation on Windows Core?
If not, I presume I need to use the member server installation of 2.5. Do I install an agent only on the member server if I have a collector installed on DC3? Also, how do I handle the two Core DCs. Do I have to have a 1:1 relationship between member servers and DCs if I'm not installing the agent/collector on the Core DC?
Does my setup have to be:
Nice Howto. Thanks.
But... running STAS as Domain Admin - really? I think it's a security risk.
Does anyone know if this works with Admin tiering?