Note: Please contact Sophos Professional Services if you require direct assistance with your specific environment.
This article provides best practices to configure STAS on Sophos Firewall v17.5.x and v18.0.x.
The configuration example provided in the article is quite simple, but it explains how STAS works.
It covers Windows AD GPO and Windows Firewall rules needed for STAS, and also provides basic troubleshooting guides.
If you notice any errors in the article or improvements can be made, please let me know.
Here is the table of contents for preview.
Sophos Transparent Authentication Suite (STAS) can authenticate users without any agent installed workstation. This article describes how to deploy STAS.
STAS is to authenticate users on workstations, not servers.
STA agent detects user logon events by monitoring Event ID 4768 in Windows Event Viewer
Once the STA agent detects Event ID 4768, it forwards that information to the STA collector UDP port 5566.
STA collector analyses the information, and forward it to Sophos Firewall UDP port 6060 if a user isn’t an existing STAS live user.
Sophos Firewall requires AD DC for STAS authentication; Once it receives user logon information from STA collector, Sophos Firewall communicates with AD DC to fetch group and other information of the user.
If Sophos Firewall receives traffic from a workstation without a live user, and the traffic hits a firewall rule requiring user identity, Sophos Firewall would query STA collector for the live user on that workstation, by sending packets to STA collector UDP port 6677.
STA Agent and Collector support change of the default communication port.
UDP port 6060 on Sophos Firewall for STAS cannot be changed.
For example, there are 4 DC in an AD domain, my recommendation is:
Sophos Firewall v17.5 and later supports 12,288 live users, by default.
That can be verified as below
The limitation can be lifted with the Device Console commandsystem auth max-live-users set <8192-32768>but make sure your Sophos Firewall is up to sizing.
STAS can only detect users on AD domain computers.
If a computer is not a member of the AD domain, STAS won't be able to detect live user on it.
In such a scenario, Sophos Client Authentication Agent is the solution. Details of Client Authentication Agent is available at https://support.sophos.com/support/s/article/KB-000038465
You can find out AD NetBIOS Name, FQDN, and Search DN as described below.
In this example, FQDN is tao.xg, and NetBIOS name is TAOXG
Search DN is required when we configure the authentication server on the Sophos Firewall.
To find out Search DN, run the command dsquery user in Windows CMD, as shown below.
C:\Users\Administrator>dsquery user"CN=Administrator,CN=Users,DC=tao,DC=xg""CN=Guest,CN=Users,DC=tao,DC=xg""CN=krbtgt,CN=Users,DC=tao,DC=xg""CN=One User,OU=ABP Users,DC=tao,DC=xg""CN=Two User,CN=Users,DC=tao,DC=xg""CN=AD Admin,CN=Users,DC=tao,DC=xg""CN=User Super,CN=Users,DC=tao,DC=xg"C:\Users\Administrator>
Search DN for "Two User" is "CN=Users,DC=tao,DC=xg"Search DN for "One User" is "OU=ABP Users,DC=tao,DC=xg"
Later, we’ll configure search DN "DC=tao,DC=xg" in the authentication server on Sophos Firewall.
Log on to Sophos Firewall webadmin, go to Administration > Device access, enable "Client Authentication" on the zone where the STAS server is located. In this example, it’s the LAN zone.
We need to configure Windows AD DC as an authentication server on Sophos Firewall, so that Sophos Firewall can fetch group information of STAS live user from AD DC.
Sophos KBA for reference: https://support.sophos.com/support/s/article/KB-000035731
Log on to the Sophos Firewall web admin, go to Authentication > Servers, click on the "Add" button. Configure authentication server as below
-Server Type: Active Directory -Server Name: any name for the AD DC -Server IP: IP address of the AD DC -Connection security: SSL/TLS, by default -Port: 636, default TCP port for LDAP service on SSL/TLS
[Note: To enable SSL on Windows LDAP service, just need to generate a CA on AD DC, reboot DC, DC would automatically assign the CA to LDAP service, and accept LDAP traffic on TCP port 636. Details in the section "10. Appendix > a) Enable SSL on Windows LDAP service
-NetBIOS Domain: TAOXG, as discovered above-ADS username: an AD user with AD administrator privilege -Password: password of ADS username -Display Name Attribute: leave it blank. If you need to use another AD attribute for Name, please refer to Microsoft KBA https://support.microsoft.com/en-us/kb/257203 -Email Address Attribute: mail, by default. If you need to use other AD attribute for Email, please refer to Microsoft KBA https://support.microsoft.com/en-us/kb/257203 -Domain Name: tao.xg, as discovered above. -Search Queries: "DC=tao,DC=xg" as discovered above.
Once the configuration is completed, click "Test connection" to make sure the Sophos Firewall can communicate with AD DC via LDAP.
Go to the Sophos Firewall web admin > Authentication > Services, choose the Windows AD DC as the first server for "Firewall Authentication Methods", as shown below.
This step is optional, however, it’s recommended to import AD user groups, to simplify user management on the Sophos Firewall.
To apply firewall rule on specific AD user groups, those AD user groups need to be imported into the Sophos Firewall.
Sophos KBA "How to import Active Directory OUs and groups", https://support.sophos.com/support/s/article/KB-000035736
Go to Authentication > Server, click the "Import" icon next to an AD server, as shown below
Set Base DN to DC=tao,DC=xg
Check the desired groups
Set common policies for those Groups. Normally we leave it as default during the initial setup.
Click on Next to import the group.
Go to Authentication > Groups, verify the AD group has been imported, as shown below
Go to Sophos Firewall webadmin > Authentication > STAS, turn on "Enable Sophos Transparent Authentication Suite", and then click "Activate STAS" button, as shown below
Change default settings,
Note: Details about "Restrict client traffic during identity probe" can be found in section "Drop timeout in Learning Mode" of Sophos KBA https://support.sophos.com/support/s/article/KB-000035730
Next step is to add STAS server.
Click the "Add new collector button", and add the IP address of the STAS server. In this example, it is 192.168.20.5
Collector Port can be checked on STAS Suite> General tab > Listening to the Sophos appliance on Port, as shown below
Make sure Firewall rule on computers allowed incoming WMI (DCOM RPC). Microsoft KBA, https://docs.microsoft.com/en-us/windows/desktop/wmisdk/connecting-to-wmi-remotely-starting-with-vista
Check WMI-In and DCOM-In
Action: Allow the connection
Once group policy is updated, you can continue to the next step to verify audit policy settings were applied correctly.
You can also wait for the group policy to be updated as per the Windows schedule.
C:\WINDOWS\system32>auditpol.exe /get /category:"Logon/Logoff"System audit policyCategory/Subcategory SettingLogon/Logoff Logon Success and Failure Logoff No Auditing Account Lockout No Auditing IPsec Main Mode No Auditing IPsec Quick Mode No Auditing IPsec Extended Mode No Auditing Special Logon No Auditing Other Logon/Logoff Events No Auditing Network Policy Server No Auditing User / Device Claims No Auditing Group Membership No Auditing C:\WINDOWS\system32>auditpol.exe /get /category:"Account Logon"System audit policyCategory/Subcategory SettingAccount Logon Kerberos Service Ticket Operations No Auditing Other Account Logon Events No Auditing Kerberos Authentication Service Success and Failure Credential Validation No AuditingC:\WINDOWS\system32>
Event ID 4768 is for user logon.
If AD DC doesn't generate event ID 4768 in Windows Event Viewer, the STA agent cannot detect any user logon activity.
Once event ID 4768 is generated, STA agent forwards that information to the STA collector UDP port 5566.
Please check Windows Event Viewer to make sure Event ID 4768 is generated when a user logs on a workstation.
The following screenshot shows user1 logged on AD domain tao.xg from computer 192.168.3.15
Sophos KBA for STAS https://support.sophos.com/support/s/article/KB-000035732
Latest STAS can be downloaded from Sophos Firewall webadmin > Authentication > Client downloads, as below
In this example, STAS suite was installed on a Windows AD DC 192.168.20.5.
Please install STAS by right click on installation file > 'Run as administrator' to prevent any potential permission issue on Windows.
Enter Windows AD administrator credentials, as shown below. The account is needed to
If you can't use the administrator account, you can use another account that is a member of Domain Admins.
Specify the subnet where all Windows AD users belong to, as shown below.
"Domain Controller IP" must be blank if STA agent is installed on an AD DC. Otherwise, STA agent can't read local Windows Event logs Monitor Networks: 192.168.20.0/24
Go to "Exclusion List",
1. add background service accounts (such as SophosUpdateMgr, SophosManagement, and accounts used by any Antivirus pattern updater) into "Login User Exclusion List", to prevent STAS live user to be logged off when a background service account logs in.
Note:- "Login User Exclusion List" only supports "username", and doesn't support "firstname.lastname@example.org", nor "domain\username".- Username in "Login User Exclusion List" is case insensitive.
2. add Citrix terminal server, Microsoft RDS server, DNS server, and any other server into "Login IP Address/Network Exclusion List", as below
The following is recommended, in case STAS troubleshooting is needed.
STAS log files, stas.log, and stas.log1, are located on the Windows server installed with STAS in the directory of C:\Program Files (x86)\Sophos\Sophos Transparent Authentication Suite, by default.
stas.log and stas.log1 get rotated at every 25 MB (or as defined by Log File Size).
If STA Collector and STA Agent are installed on the same Windows server, create Windows Firewall rules on the Windows server, to allow
If STA Collector and STA Agent are installed on different servers,
Ports needed by STAS is described in section "1. How STAS works > d) Summary of ports"
Windows Firewall rules are applied on network profile (Domain, Private, Public). Make sure above Windows Firewall rules are applied to correct network profile.
Click the "Start" button on the "General" tab to start the STAS service.
Once STAS and Sophos Firewall establishe communication, the IP address of the Sophos Firewall is displayed on the "General" tab, as below
SSH to Sophos Firewall as admin, and go to 5. Device Management > 3. Advanced Shell, and run the following command grep "CTA LIVE Received from\|sending CTA_IS_ACTIVE" /log/access_server.log | tail
SFVUNL_SO01_SFOS 18.0.4 MR-4# grep "CTA LIVE Received from\|sending CTA_IS_ACTIVE" /log/access_server.log | tail DEBUG Feb 08 16:00:36.719168 [access_server]: process_cta_live: CTA LIVE Received from 192.168.20.5 DEBUG Feb 08 16:01:06.733092 [access_server]: process_cta_live: CTA LIVE Received from 192.168.20.5 DEBUG Feb 08 16:01:36.748435 [access_server]: process_cta_live: CTA LIVE Received from 192.168.20.5 DEBUG Feb 08 16:02:06.753870 [access_server]: process_cta_live: CTA LIVE Received from 192.168.20.5 DEBUG Feb 08 16:02:36.754746 [access_server]: process_cta_live: CTA LIVE Received from 192.168.20.5 DEBUG Feb 08 16:03:06.770399 [access_server]: process_cta_live: CTA LIVE Received from 192.168.20.5 DEBUG Feb 08 16:03:36.784307 [access_server]: process_cta_live: CTA LIVE Received from 192.168.20.5 DEBUG Feb 08 16:04:06.799499 [access_server]: process_cta_live: CTA LIVE Received from 192.168.20.5 MESSAGE Feb 09 11:01:29.423157 [access_server]: process_cta_live: sending CTA_IS_ACTIVE 192.168.20.5 MESSAGE Feb 09 11:08:30.094186 [access_server]: process_cta_live: sending CTA_IS_ACTIVE 192.168.20.5 SFVUNL_SO01_SFOS 18.0.4 MR-4#
To make STAS works without problem, STA Collector has to communicate with all workstations via the workstation poll method.
In above configuration, we configured STA Collector to use WMI as workstation polling method.
We need verify STA Collector can communicate with any AD workstation via WMI.
It can be done in STAS > Advanced > Troubleshooting > STAS Polling Utilities > WMI Verification, as below
It should be successful. Otherwise, please follow section "5. Configure Windows AD GPO > b) Allow inbound WMI on AD computers"
user1 logged on AD computer 192.168.20.15 after STAS was setup
Go to STAS > Advanced > Show Live Users, there was the live user.
firewall webadmin GUI > Current Activity > Live Users also showed the live user
Create a firewall rule to allow users in IT group to access servers in DMZ zone, 192.168.3.0/24
Now, 192.168.20.15 can ping DMZ server 192.168.3.9
Sophos Firewall web admin > Current activities > Live connections > Live connections for: Username shows live connection of email@example.com
Firewall rule traffic stats also confirmed traffic from 192.168.20.15 was generated by the user in the IT group and hit the firewall rule.
When the Sophos Firewall can't communicate with STA Collector, STAS "General" tab doesn't show the Sophos Firewall IP address.
In case STAS doesn't detect any live user
If Sophos Firewall doesn't show any live user, but STAS shows live users, make sure
STAS can detect live user on AD computers, however, it removes live user after a while.
Firewall webadmin GUI > Current Activity > Live Users show some STAS live users, but not all.
Some STAS live users are missed on Sophos Firewall.
Check if Sophos Firewall reaches STAS server via static route. Details in section "9. Known issues".
If STAS service fails to start and the following error is displayed, make sure the account for STAS is a member of AD group "Domain Admins".
You can update the account for STAS in the "General" tab, as below
a) Dead entry timeout: must be 0, otherwise STAS stops working (applies to STAS v184.108.40.206 and earlier)
b) When Sophos Firewall reaches STAS server via a static route, Sophos Firewall cannot communicate with STAS server after reboot/boot-up.
Symptom: Sophos Firewall doesn't send packets to STAS server UDP port 6677 to actively query live user on workstations. Sophos Firewall can only passively receive live user information from STAS server.
Workaround: Manually restart authentication service after firewall reboot/boot-up.- in Advanced Shell, please run the command "service access_server:restart -ds nosync", or- in webadmin GUI, go to "System service" > "Services", and then Restart "Authentication" service, as below Note: This bug (NC-72664) is fixed in Sophos Firewall firmware v18.5 MR2.
Note: If you need technical support to enable SSL on Windows LDAP service, please seek help from Microsoft.
In Server Manager, Add Roles and Features
Select "Role-based or feature-based installation"
Add role of "Active Directory Certificate Services"
Click on "Next", install "Certificate Authority"
Once the installation is complete, in Server Manager, click on "Notifications" > Post-deployment Configuration > Configure Active Directory Certificate Services
In "AD CS Configuration", click Next to continue
Choose "Enterprise CA"
Choose "Root CA"
"Create a new private key"
Key length: at least 2048
Hash algorithm: SHA256 or higher, don't choose SHA1/MD5...
Input essential information for the CA
Click on "Configure" to generate root CA.
Now, restart the DC, and Windows automatically enables SSL on LDAP service.
2021-10-06, minor change, renamed "XG firewall" to "Sophos Firewall"
2021-08-13, updated section "Configure Exclusion List"
2021-07-23, added section "9. Known issues"
2021-01-29, updated ToC.
2021-01-25, converted from PDF to HTML by emmosophos. Thank you.
2021-01-15, first edition
- when there are 4 DC in a domain, I recommend on 2 DC, install STA Suite (Agent + Collector)on the other 2 DC, install STA Agent, and configure them to serve those 2 STA Colle…
I would like to see information about
- having multiple Agents and Collectors - best practise (e.g. 4 DC in a domain: 4 agents, 2 collectors? Must we set up every collector on every agent?)
- Using more than one collector in a collector group - how can we make sure that in case of any device failing redundancy applies?
- Using a XG cluster: do we have to set up the native IPs of the XG in the collector or the cluster one?
Note, it will be update it within 2 weeks.
- when there are 4 DC in a domain, I recommend on 2 DC, install STA Suite (Agent + Collector)on the other 2 DC, install STA Agent, and configure them to serve those 2 STA Collectorson XG firewall, put those 2 STA Collectors into same Collector group, since they are in same AD domain
- to check which collector communicates with XG firewall,
Details in section "6. Install and configure STAS > g) Start STAS"
- need to put XG firewall interface IP, not HA peer administration IP, into STA Collector
This is a much better and more thorough article than the official guide, which fails to mention entering the audit settings in the default domain policy. It only suggests putting these setting on the DCs with the collector installed. Thanks!
Hi Paul, thanks for taking the time to share your feedback!
Which official guide are you referring to? I'd like to follow up with our product documentation team to have this updated.
Excellent Guide Thank you!
Very great manual, it's useful, thanks for this
Every other guide. There are around 15?
for example in no one is described, who is doing WMI polling. agent or collector?
Question about this setup:
Does the STAS Agent support installation on Windows Core?
If not, I presume I need to use the member server installation of 2.5. Do I install an agent only on the member server if I have a collector installed on DC3? Also, how do I handle the two Core DCs. Do I have to have a 1:1 relationship between member servers and DCs if I'm not installing the agent/collector on the Core DC?
Does my setup have to be: