Note: Please contact Sophos Professional Services if you require direct assistance with your specific environment.
This article provides best practices to configure STAS on XG firewall v17.5.x and v18.0.x.
The configuration example provided in the article is quite simple, but it explains how STAS works.
It covers Windows AD GPO and Windows Firewall rules needed for STAS, and also provides sows AD DC, OS is Windowme basic troubleshooting guides.
If you notice any errors in the article or improvements can be made, please let me know.
Here is the table of contents for preview.
Sophos Transparent Authentication Suite (STAS) can authenticate users without any agent installed workstation. This article describes how to deploy STAS.
STAS is to authenticate users on workstations, not servers.
STA agent detects user logon events by monitoring Event ID 4768 in Windows Event Viewer
Once the STA agent detects Event ID 4768, it forwards that information to the STA collector UDP port 5566.
STA collector analyses the information, and forward it to XG firewall UDP port 6060 if a user isn’t an existing STAS live user.
XG firewall requires AD DC for STAS authentication; Once it receives user logon information from STA collector, XG firewall communicates with AD DC to fetch group and other information of the user.
If XG firewall receives traffic from a workstation without a live user, and the traffic hits a firewall rule requiring user identity, XG firewall would query STA collector for the live user on that workstation, by sending packets to STA collector UDP port 6677.
STA Agent and Collector support change of the default communication port.
UDP port 6060 on XG firewall for STAS cannot be changed.
For example, there are 4 DC in an AD domain, my recommendation is:
XG Firewall v17.5 and later supports 12,288 live users, by default.
That can be verified as below
The limitation can be lifted with the Device Console commandsystem auth max-live-users set <8192-32768>but make sure your XG firewall is up to sizing.
STAS can only detect users on AD domain computers.
If a computer is not a member of the AD domain, STAS won't be able to detect live user on it.
In such a scenario, Sophos Client Authentication Agent is the solution. Details of Client Authentication Agent is available at https://support.sophos.com/support/s/article/KB-000038465
You can find out AD NetBIOS Name, FQDN, and Search DN as described below.
In this example, FQDN is tao.xg, and NetBIOS name is TAOXG
Search DN is required when we configure the authentication server on the XG firewall.
To find out Search DN, run the command dsquery user in Windows CMD, as shown below.
C:\Users\Administrator>dsquery user"CN=Administrator,CN=Users,DC=tao,DC=xg""CN=Guest,CN=Users,DC=tao,DC=xg""CN=krbtgt,CN=Users,DC=tao,DC=xg""CN=One User,OU=ABP Users,DC=tao,DC=xg""CN=Two User,CN=Users,DC=tao,DC=xg""CN=AD Admin,CN=Users,DC=tao,DC=xg""CN=User Super,CN=Users,DC=tao,DC=xg"C:\Users\Administrator>
Search DN for "Two User" is "CN=Users,DC=tao,DC=xg"Search DN for "One User" is "OU=ABP Users,DC=tao,DC=xg"
Later, we’ll configure search DN "DC=tao,DC=xg" in the authentication server on XG firewall.
Log on to XG firewall webadmin, go to Administration > Device access, enable "Client Authentication" on the zone where the STAS server is located. In this example, it’s the LAN zone.
We need to configure Windows AD DC as an authentication server on XG.
Sophos KBA for reference: https://support.sophos.com/support/s/article/KB-000035731
Log on to the XG firewall web admin, go to Authentication > Servers, click on the "Add" button. Configure authentication server as below
-Server Type: Active Directory -Server Name: any name for the AD DC -Server IP: IP address of the AD DC -Connection security: SSL/TLS, by default -Port: 636, default TCP port for LDAP service on SSL/TLS
[Note: To enable SSL on Windows LDAP service, just need to generate a CA on AD DC, reboot DC, DC would automatically assign the CA to LDAP service, and accept LDAP traffic on TCP port 636. Details in the section "10. Appendix > a) Enable SSL on Windows LDAP service
-NetBIOS Domain: TAOXG, as discovered above-ADS username: an AD user with AD administrator privilege -Password: password of ADS username -Display Name Attribute: leave it blank. If you need to use another AD attribute for Name, please refer to Microsoft KBA https://support.microsoft.com/en-us/kb/257203 -Email Address Attribute: mail, by default. If you need to use other AD attribute for Email, please refer to Microsoft KBA https://support.microsoft.com/en-us/kb/257203 -Domain Name: tao.xg, as discovered above. -Search Queries: "DC=tao,DC=xg" as discovered above.
Once the configuration is completed, click "Test connection" to make sure the XG firewall can communicate with AD DC via LDAP.
Go to the XG firewall web admin > Authentication > Services, choose the Windows AD DC as the first server for "Firewall Authentication Methods", as shown below.
This step is optional, however, it’s recommended to import AD user groups, to simplify user management on the XG firewall.
To apply firewall rule on specific AD user groups, those AD user groups need to be imported into the XG firewall.
Sophos KBA "How to import Active Directory OUs and groups", https://support.sophos.com/support/s/article/KB-000035736
Go to Authentication > Server, click the "Import" icon next to an AD server, as shown below
Set Base DN to DC=tao,DC=xg
Check the desired groups
Set common policies for those Groups. Normally we leave it as default during the initial setup.
Click on Next to import the group.
Go to Authentication > Groups, verify the AD group has been imported, as shown below
Go to XG firewall webadmin > Authentication > STAS, turn on "Enable Sophos Transparent Authentication Suite", and then click "Activate STAS" button, as shown below
Change default settings,
Note: Details about "Restrict client traffic during identity probe" can be found in section "Drop timeout in Learning Mode" of Sophos KBA https://support.sophos.com/support/s/article/KB-000035730
Next step is to add STAS server.
Click the "Add new collector button", and add the IP address of the STAS server. In this example, it is 192.168.20.5
Collector Port can be checked on STAS Suite> General tab > Listening to the Sophos appliance on Port, as shown below
Make sure Firewall rule on computers allowed incoming WMI (DCOM RPC). Microsoft KBA, https://docs.microsoft.com/en-us/windows/desktop/wmisdk/connecting-to-wmi-remotely-starting-with-vista
Check WMI-In and DCOM-In
Action: Allow the connection
Once group policy is updated, you can continue to the next step to verify audit policy settings were applied correctly.
You can also wait for the group policy to be updated as per the Windows schedule.
C:\WINDOWS\system32>auditpol.exe /get /category:"Logon/Logoff"System audit policyCategory/Subcategory SettingLogon/Logoff Logon Success and Failure Logoff No Auditing Account Lockout No Auditing IPsec Main Mode No Auditing IPsec Quick Mode No Auditing IPsec Extended Mode No Auditing Special Logon No Auditing Other Logon/Logoff Events No Auditing Network Policy Server No Auditing User / Device Claims No Auditing Group Membership No Auditing C:\WINDOWS\system32>auditpol.exe /get /category:"Account Logon"System audit policyCategory/Subcategory SettingAccount Logon Kerberos Service Ticket Operations No Auditing Other Account Logon Events No Auditing Kerberos Authentication Service Success and Failure Credential Validation No AuditingC:\WINDOWS\system32>
Event ID 4768 is for user logon.
If AD DC doesn't generate event ID 4768 in Windows Event Viewer, the STA agent cannot detect any user logon activity.
Once event ID 4768 is generated, STA agent forwards that information to the STA collector UDP port 5566.
Please check Windows Event Viewer to make sure Event ID 4768 is generated when a user logs on a workstation.
The following screenshot shows user1 logged on AD domain tao.xg from computer 192.168.3.15
Sophos KBA for STAS https://support.sophos.com/support/s/article/KB-000035732
Latest STAS can be downloaded from XG firewall webadmin > Authentication > Client downloads, as below
In this example, STAS suite was installed on a Windows AD DC 192.168.20.5.
Please install STAS by right click on installation file > 'Run as administrator' to prevent any potential permission issue on Windows.
Enter Windows AD administrator credentials, as shown below. The account is needed to
If you can't use the administrator account, you can use another account that is a member of Domain Admins.
Specify the subnet where all Windows AD users belong to, as shown below.
"Domain Controller IP" must be blank if STA agent is installed on an AD DC. Otherwise, STA agent can't read local Windows Event logs Monitor Networks: 192.168.20.0/24
Go to "Exclusion List", add background service accounts (such as SophosUpdateMgr, SophosManagement, and accounts used by any Antivirus pattern updater) into "Login User Exclusion List", to prevent STAS live user to be logged off when a background service account logs in.
Note: "Login User Exclusion List" only supports "username", and doesn't support "email@example.com", nor "domain\username".
On STA collector, add Citrix (or any other) terminal servers into "Login IP Address/Network Exclusion List", as below
The following is recommended, in case STAS troubleshooting is needed.
STAS log files, stas.log, and stas.log1, are located on the Windows server installed with STAS in the directory of C:\Program Files (x86)\Sophos\Sophos Transparent Authentication Suite, by default.
stas.log and stas.log1 get rotated at every 25 MB (or as defined by Log File Size).
If STA Collector and STA Agent are installed on the same Windows server, create Windows Firewall rules on the Windows server, to allow
If STA Collector and STA Agent are installed on different servers,
Ports needed by STAS is described in section "1. How STAS works > d) Summary of ports"
Windows Firewall rules are applied on network profile (Domain, Private, Public). Make sure above Windows Firewall rules are applied to correct network profile.
Click the "Start" button on the "General" tab to start the STAS service.
Once STAS and XG firewall establishe communication, the IP address of the XG firewall is displayed on the "General" tab, as below
SSH to XG firewall as admin, and go to 5. Device Management > 3. Advanced Shell, and run the following command grep "CTA LIVE Received from\|sending CTA_IS_ACTIVE" /log/access_server.log | tail
SFVUNL_SO01_SFOS 18.0.4 MR-4# grep "CTA LIVE Received from\|sending CTA_IS_ACTIVE" /log/access_server.log | tail DEBUG Feb 08 16:00:36.719168 [access_server]: process_cta_live: CTA LIVE Received from 192.168.20.5 DEBUG Feb 08 16:01:06.733092 [access_server]: process_cta_live: CTA LIVE Received from 192.168.20.5 DEBUG Feb 08 16:01:36.748435 [access_server]: process_cta_live: CTA LIVE Received from 192.168.20.5 DEBUG Feb 08 16:02:06.753870 [access_server]: process_cta_live: CTA LIVE Received from 192.168.20.5 DEBUG Feb 08 16:02:36.754746 [access_server]: process_cta_live: CTA LIVE Received from 192.168.20.5 DEBUG Feb 08 16:03:06.770399 [access_server]: process_cta_live: CTA LIVE Received from 192.168.20.5 DEBUG Feb 08 16:03:36.784307 [access_server]: process_cta_live: CTA LIVE Received from 192.168.20.5 DEBUG Feb 08 16:04:06.799499 [access_server]: process_cta_live: CTA LIVE Received from 192.168.20.5 MESSAGE Feb 09 11:01:29.423157 [access_server]: process_cta_live: sending CTA_IS_ACTIVE 192.168.20.5 MESSAGE Feb 09 11:08:30.094186 [access_server]: process_cta_live: sending CTA_IS_ACTIVE 192.168.20.5 SFVUNL_SO01_SFOS 18.0.4 MR-4#
To make STAS works without problem, STA Collector has to communicate with all workstations via the workstation poll method.
In above configuration, we configured STA Collector to use WMI as workstation polling method.
We need verify STA Collector can communicate with any AD workstation via WMI.
It can be done in STAS > Advanced > Troubleshooting > STAS Polling Utilities > WMI Verification, as below
It should be successful. Otherwise, please follow section "5. Configure Windows AD GPO > b) Allow inbound WMI on AD computers"
user1 logged on AD computer 192.168.20.15 after STAS was setup
Go to STAS > Advanced > Show Live Users, there was the live user.
XG webadmin > Current Activity > Live Users also showed the live user
Create a firewall rule to allow users in IT group to access servers in DMZ zone, 192.168.3.0/24
Now, 192.168.20.15 can ping DMZ server 192.168.3.9
XG firewall web admin > Current activities > Live connections > Live connections for: Username shows live connection of firstname.lastname@example.org
Firewall rule traffic stats also confirmed traffic from 192.168.20.15 was generated by the user in the IT group and hit the firewall rule.
When the XG firewall can't communicate with STA Collector, STAS "General" tab doesn't show the XG firewall IP address.
In case STAS doesn't detect any live user
If XG firewall doesn't show any live user, but STAS shows live users, make sure
STAS can detect live user on AD computers, however, it removes live user after a while.
XG webadmin > Current Activity > Live Users show some STAS live users, but not all.
Some STAS live users are missed on XG firewall.
Check if XG firewall reaches STAS server via static route. Details in section "9. Known issues".
If STAS service fails to start and the following error is displayed, make sure the account for STAS is a member of AD group "Domain Admins".
You can update the account for STAS in the "General" tab, as below
a) Dead entry timeout: must be 0, otherwise STAS stops working (applies to STAS v22.214.171.124 and earlier)
b) When XG firewall reaches STAS server via a static route, XG firewall cannot communicate with STAS server after reboot/boot-up.
Symptom: XG firewall doesn't send packets to STAS server UDP port 6677 to actively query live user on workstations. XG firewall can only passively receive live user information from STAS server.
Workaround: Manually restart authentication service after firewall reboot/boot-up.- in Advanced Shell, please run the command "service access_server:restart -ds nosync", or- in webadmin GUI, go to "System service" > "Services", and then Restart "Authentication" service, as below
Note: the bug is expected to be fixed in Sophos Firewall firmware v18.5 MR2. (release date is N/A yet.)
Note: If you need technical support to enable SSL on Windows LDAP service, please seek help from Microsoft.
In Server Manager, Add Roles and Features
Select "Role-based or feature-based installation"
Add role of "Active Directory Certificate Services"
Click on "Next", install "Certificate Authority"
Once the installation is complete, in Server Manager, click on "Notifications" > Post-deployment Configuration > Configure Active Directory Certificate Services
In "AD CS Configuration", click Next to continue
Choose "Enterprise CA"
Choose "Root CA"
"Create a new private key"
Key length: at least 2048
Hash algorithm: SHA256 or higher, don't choose SHA1/MD5...
Input essential information for the CA
Click on "Configure" to generate root CA.
Now, restart the DC, and Windows automatically enables SSL on LDAP service.
2021-07-23, added section "9. Known issues"
2021-01-29, updated ToC.
2021-01-25, converted from PDF to HTML by emmosophos. Thank you.
2021-01-15, first edition
- when there are 4 DC in a domain, I recommend on 2 DC, install STA Suite (Agent + Collector)on the other 2 DC, install STA Agent, and configure them to serve those 2 STA Colle…
This is a much better and more thorough article than the official guide, which fails to mention entering the audit settings in the default domain policy. It only suggests putting these setting on the DCs with the collector installed. Thanks!
Hi Paul, thanks for taking the time to share your feedback!
Which official guide are you referring to? I'd like to follow up with our product documentation team to have this updated.