Sophos XG firewall: Best practice for STAS

Note: Please contact Sophos Professional Services if you require direct assistance with your specific environment.


This article provides best practices to configure STAS on XG firewall v17.5.x and v18.0.x.

The configuration example provided in the article is quite simple, but it explains how STAS works.

It covers the Windows AD GPO and Windows Firewall rules needed for STAS, and also provides some basic troubleshooting guides.

If you notice any errors in the article or improvements can be made, please let me know.


Sophos Transparent Authentication Suite (STAS) can authenticate users without any agent installed on the workstation. This article describes how to deploy STAS.

1. How STAS works

STAS authenticates users on workstations, not on servers.

The STA agent detects user logon events by monitoring Event ID 4768 in Windows Event Viewer.

Once the STA agent detects Event ID 4768, it forwards that information to the STA collector on UDP port 5566.

The STA collector analyses the information and forwards it to the XG firewall on UDP port 6060 if the user isn't already an existing STAS live user.

The XG firewall requires an AD DC for STAS authentication; once it receives user logon information from the STA collector, the XG firewall communicates with the AD DC to fetch the user's group and other information.

If the XG firewall receives traffic from a workstation without a live user, and the traffic hits a firewall rule requiring user identity, the XG firewall queries the STA collector for the live user on that workstation by sending packets to the STA collector on UDP port 6677 (the identity probe).

The STA Agent and Collector support changing their default communication ports.

UDP port 6060 on the XG firewall for STAS cannot be changed.

a) Deploy STA Agent and STA Collector

  • STA Agent and Collector can be installed on the same or different Windows servers.
  • An STA Agent can serve one or more STA Collectors.
  • An STA Collector can serve one or more XG firewalls.

b) STA Collector group on XG firewall

  • XG firewall can have multiple STA Collectors in a single Collector group but it communicates only with the primary collector in the Collector group. The primary collector is the one on top of the list.
  • If the primary collector doesn't respond, XG firewall will communicate with the 2nd collector.
  • STA Collectors for the same AD domain must be configured in the same Collector group.
  • When there are multiple AD domains, create a Collector group for each AD domain.

c) Deployment example

For example, if there are 4 DCs in an AD domain, my recommendation is:

  • on 2 DCs, install the STA Suite (Agent + Collector)
  • on the other 2 DCs, install the STA Agent, and configure them to serve those 2 STA Collectors
  • configure the STA Collectors to serve the XG firewall
  • on the XG firewall, put those 2 STA Collectors into the same Collector group, since they are in the same AD domain

d) Summary of ports

  • STA Collector opens TCP port 5566 for the STA Agent to upload user logon information
  • STA Collector opens UDP port 6677 for the XG firewall to connect
  • XG firewall opens UDP port 6060 for STA Collectors to connect
  • UDP port 50001 is used for "Test connection" from the STA Collector to the STA Agent
  • UDP port 6060 is used for "Test connection" from the STA Collector to the Sophos XG firewall

2. Limitation

a) Max number of live users

XG Firewall v17.5 and later supports 12,288 live users, by default.

That can be verified as below:

  • Log on XG firewall SSH terminal as admin. Once authenticated, you will be presented with the Sophos Firewall console menu.
  • Go to 5. Device Management > 3. Advanced Shell, and run the following commands
    cish
    system auth max-live-users show

The limit can be raised with the Device Console command
system auth max-live-users set <8192-32768>
but make sure your XG firewall is sized for the additional load.

b) Computers must be in AD domain

STAS can only detect users on AD domain computers.

If a computer is not a member of the AD domain, STAS won't be able to detect live user on it.

In such a scenario, the Sophos Client Authentication Agent is the solution. Details of the Client Authentication Agent are available at https://support.sophos.com/support/s/article/KB-000038465

3. Test environment

a) Network Topology

  • 192.168.20.5 is Windows AD DC, OS is Windows 2012 R2.
    STAS will be installed on AD DC, 192.168.20.5
  • 192.168.20.15 is Windows AD domain workstation
  • 192.168.20.254 is XG firewall LAN interface IP
  • 192.168.3.252 is XG firewall DMZ interface IP.
  • 192.168.3.9 is a server in DMZ zone, 192.168.3.0/24

b) Find out the NetBios Name, FQDN, and Search DN

You can find out AD NetBIOS Name, FQDN, and Search DN as described below.

  • Log in to your Windows AD DC as a user with Administrative privileges.
  • Go to Start > Programs > Administrative Tools > Active Directory Users and Computers.
  • Right-click on the required domain and go to Properties.

In this example, the FQDN is tao.xg, and the NetBIOS name is TAOXG.

Search DN is required when we configure the authentication server on the XG firewall.

To find out Search DN, run the command dsquery user in Windows CMD, as shown below.

C:\Users\Administrator>dsquery user
"CN=Administrator,CN=Users,DC=tao,DC=xg"
"CN=Guest,CN=Users,DC=tao,DC=xg"
"CN=krbtgt,CN=Users,DC=tao,DC=xg"
"CN=One User,OU=ABP Users,DC=tao,DC=xg"
"CN=Two User,CN=Users,DC=tao,DC=xg"
"CN=AD Admin,CN=Users,DC=tao,DC=xg"
"CN=User Super,CN=Users,DC=tao,DC=xg"
C:\Users\Administrator>

Search DN for "Two User" is "CN=Users,DC=tao,DC=xg"
Search DN for "One User" is "OU=ABP Users,DC=tao,DC=xg"

Later, we’ll configure search DN "DC=tao,DC=xg" in the authentication server on XG firewall.
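As an added example (not part of the original article), the following Python script derives the Search DN from dsquery output the same way this section does by hand: the container of one user is its DN minus the leading RDN, and the value to configure on the XG firewall is the smallest container that covers every user, which for the sample above is "DC=tao,DC=xg". It also handles the general case of DNs with escaped commas. The dsquery output is the sample above, embedded inline so the script runs offline.

```python
"""Derive the XG authentication server Search DN from `dsquery user` output.

Added example, not from the original article. DSQUERY_OUTPUT is the
article's own sample, constructed inline so the script runs offline.
"""
import re

DSQUERY_OUTPUT = '''"CN=Administrator,CN=Users,DC=tao,DC=xg"
"CN=Guest,CN=Users,DC=tao,DC=xg"
"CN=krbtgt,CN=Users,DC=tao,DC=xg"
"CN=One User,OU=ABP Users,DC=tao,DC=xg"
"CN=Two User,CN=Users,DC=tao,DC=xg"
"CN=AD Admin,CN=Users,DC=tao,DC=xg"
"CN=User Super,CN=Users,DC=tao,DC=xg"
'''


def split_dn(dn):
    """Split a DN into RDNs, honouring backslash-escaped commas (RFC 4514),
    so a name such as 'CN=Doe\\, John,CN=Users,...' is not split inside the CN."""
    rdns, current, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            current.append(dn[i:i + 2])   # keep the escape pair intact
            i += 2
            continue
        if ch == ",":
            rdns.append("".join(current).strip())
            current = []
        else:
            current.append(ch)
        i += 1
    rdns.append("".join(current).strip())
    return rdns


def parse_dsquery(output):
    """Return the list of DNs from `dsquery user` output (one quoted DN per line)."""
    return [m.group(1) for m in re.finditer(r'^"(.*)"\s*$', output, re.M)]


def container_of(dn):
    """Search DN for a single user: its DN without the leading RDN (the parent container)."""
    return ",".join(split_dn(dn)[1:])


def domain_base(dn):
    """The domain root: only the DC= components, which is what the article configures."""
    return ",".join(r for r in split_dn(dn) if r.upper().startswith("DC="))


def common_search_dn(dns):
    """Smallest container covering every user: the longest common suffix of RDNs,
    never including a user's own RDN."""
    if not dns:
        return ""
    suffixes = [list(reversed(split_dn(d))) for d in dns]
    common = []
    for parts in zip(*suffixes):
        if len(set(parts)) != 1:
            break
        common.append(parts[0])
    common = common[: len(split_dn(dns[0])) - 1]
    return ",".join(reversed(common))


if __name__ == "__main__":
    users = parse_dsquery(DSQUERY_OUTPUT)
    for dn in users:
        print(f"{dn:45s} -> {container_of(dn)}")
    print("Search DN to configure on XG:", common_search_dn(users))
```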

4. Configure XG firewall

a) Enable Client Authentication in Device Access

Log on to XG firewall webadmin, go to Administration > Device access, enable "Client Authentication" on the zone where the STAS server is located. In this example, it’s the LAN zone.

b) Configure authentication server

1) Authentication Server

We need to configure Windows AD DC as an authentication server on XG.

Sophos KBA for reference: https://support.sophos.com/support/s/article/KB-000035731

Log on to the XG firewall web admin, go to Authentication > Servers, and click on the "Add" button.
Configure the authentication server as below:

-Server Type: Active Directory
-Server Name: any name for the AD DC
-Server IP: IP address of the AD DC
-Connection security: SSL/TLS, by default
-Port: 636, default TCP port for LDAP service on SSL/TLS

[Note: To enable SSL on the Windows LDAP service, you just need to set up a CA on the AD DC and reboot the DC; the DC then automatically assigns the certificate to the LDAP service and accepts LDAP traffic on TCP port 636. Details are in section "10. Appendix > a) Enable SSL on Windows LDAP service".]

-NetBIOS Domain: TAOXG, as discovered above
-ADS username: an AD user with AD administrator privileges
-Password: password of the ADS username
-Display Name Attribute: leave it blank. If you need to use another AD attribute for Name, please refer to Microsoft KBA https://support.microsoft.com/en-us/kb/257203
-Email Address Attribute: mail, by default. If you need to use another AD attribute for Email, please refer to Microsoft KBA https://support.microsoft.com/en-us/kb/257203
-Domain Name: tao.xg, as discovered above.
-Search Queries: "DC=tao,DC=xg", as discovered above.

Once the configuration is completed, click "Test connection" to make sure the XG firewall can communicate with AD DC via LDAP.

2) Authentication Service

Go to the XG firewall web admin > Authentication > Services, choose the Windows AD DC as the first server for "Firewall Authentication Methods", as shown below.

3) Import AD user group

This step is optional, however, it’s recommended to import AD user groups, to simplify user management on the XG firewall.

To apply firewall rule on specific AD user groups, those AD user groups need to be imported into the XG firewall.

Sophos KBA "How to import Active Directory OUs and groups", https://support.sophos.com/support/s/article/KB-000035736

Go to Authentication > Server, click the "Import" icon next to an AD server, as shown below

Set Base DN to DC=tao,DC=xg

Check the desired groups

Set common policies for those Groups. Normally we leave it as default during the initial setup.

Click on Next to import the group.

Go to Authentication > Groups, verify the AD group has been imported, as shown below

c) Enable STAS

Go to XG firewall webadmin > Authentication > STAS, turn on "Enable Sophos Transparent Authentication Suite", and then click "Activate STAS" button, as shown below

Change default settings,

  • Identity probe time-out: 3 seconds
  • Restrict client traffic during identity probe: No
  • Enable user inactivity: enabled

Note: Details about "Restrict client traffic during identity probe" can be found in section "Drop timeout in Learning Mode" of Sophos KBA https://support.sophos.com/support/s/article/KB-000035730

The next step is to add the STAS server.

Click the "Add new collector" button, and add the IP address of the STAS server. In this example, it is 192.168.20.5.

The Collector Port can be checked on STAS Suite > General tab > "Listening to the Sophos appliance on Port", as shown below.

5. Configure Windows AD GPO

a) Enable audit logon events on AD computers

  1. Log on to Windows AD DC as a member of the Administrators group.
  2. Open Administrative Tools, and then click Group Policy Management.
  3. In the console tree, open Forest: YOUR_FOREST > Domains > YOUR_DOMAIN_NAME, right-click on Default Domain Policy, and then click Edit.
    [Note: You can also edit other group policy as needed.]
  4. In Group Policy Management Editor, open Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > Audit Policies.
  5. Double-click on Audit account logon events, and enable "Define these policy settings: Success and Failure".
  6. Open Computer Configuration > Policies > Windows Settings > Security Settings > Advanced audit policy configuration > Audit Policies > Account Logon
  7. Double-click on Audit Kerberos Authentication Service, and enable "Configure the following audit events: Success and Failure".
  8. Open Computer Configuration > Policies > Windows Settings > Security Settings > Advanced audit policy configuration > Audit Policies > Logon/Logoff
  9. Double-click on Audit Logon, and enable "Configure the following audit events: Success and Failure".

b) Allow inbound WMI on AD computers

Make sure the Windows Firewall rules on the AD computers allow incoming WMI (DCOM RPC).
Microsoft KBA: https://docs.microsoft.com/en-us/windows/desktop/wmisdk/connecting-to-wmi-remotely-starting-with-vista

  1. Log on to Windows AD DC as a member of the Administrators
  2. Open Administrative Tools, and then click Group Policy Management.
  3. In the console tree, open Forest: YOUR_FOREST > Domains > YOUR_DOMAIN_NAME, right-click on Default Domain Policy, and then click Edit.
    [Note: You can also edit other group policy as needed.]
  4. In Group Policy Management Editor, open Computer Configuration > Windows Settings > Security Settings > Windows Firewall with Advanced Security > Windows Firewall with Advanced Security, right-click on Inbound Rules > New Rule
  5. Set Rule Type to "Predefined: Windows Management Instrumentation (WMI)"

Check WMI-In and DCOM-In

Action: Allow the connection

c) Update Group Policy settings

  1. On an AD computer, click Start, point to All Programs, click Accessories, right-click on Command Prompt, and then click "Run as administrator".
  2. If the User Account Control dialog box appears, click Yes to continue.
  3. Type
    gpupdate /force
    and then press ENTER.

Once group policy is updated, you can continue to the next step to verify audit policy settings were applied correctly.

You can also wait for the group policy to be updated as per the Windows schedule.

d) Verify audit logon events were applied correctly

  1. On AD computer, click Start, point to All Programs, click Accessories, right-click Command Prompt, and then click Run as administrator.
  2. If the User Account Control dialog box appears, click Yes to continue.
  3. Run the following 2 commands.
    auditpol.exe /get /category:"Logon/Logoff"
    auditpol.exe /get /category:"Account Logon"
  4. Make sure Success and Failure is enabled for "Logon" and "Kerberos Authentication Service", as below
    C:\WINDOWS\system32>auditpol.exe /get /category:"Logon/Logoff"
    System audit policy
    Category/Subcategory                      Setting
    Logon/Logoff
      Logon                                   Success and Failure
      Logoff                                  No Auditing

      Account Lockout                         No Auditing
      IPsec Main Mode                         No Auditing
      IPsec Quick Mode                        No Auditing
      IPsec Extended Mode                     No Auditing
      Special Logon                           No Auditing
      Other Logon/Logoff Events               No Auditing
      Network Policy Server                   No Auditing
      User / Device Claims                    No Auditing
      Group Membership                        No Auditing

    C:\WINDOWS\system32>auditpol.exe /get /category:"Account Logon"
    System audit policy
    Category/Subcategory                      Setting
    Account Logon
      Kerberos Service Ticket Operations      No Auditing
      Other Account Logon Events              No Auditing
      Kerberos Authentication Service         Success and Failure
      Credential Validation                   No Auditing

    C:\WINDOWS\system32>
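As an added example (not part of the original article), the following Python script applies the check in step 4 automatically: it parses auditpol output and reports any required subcategory ("Logon" and "Kerberos Authentication Service") that is not set to "Success and Failure". AUDITPOL_OUTPUT is the sample output above, embedded inline so the script runs offline; on a Windows domain computer it runs the two auditpol.exe commands from step 3 instead.

```python
"""Check that the audit subcategories STAS depends on are 'Success and Failure'.

Added example, not from the original article. AUDITPOL_OUTPUT is the article's
own sample output, constructed inline so the script runs offline; on Windows the
script runs the same auditpol.exe commands the article uses.
"""
import re
import subprocess
import sys

# Subcategories the article requires for STAS. Event ID 4768 is produced by
# "Kerberos Authentication Service"; "Logon" covers the workstation logon.
REQUIRED = {
    "Logon/Logoff": {"Logon": "Success and Failure"},
    "Account Logon": {"Kerberos Authentication Service": "Success and Failure"},
}

AUDITPOL_OUTPUT = """System audit policy
Category/Subcategory                      Setting
Logon/Logoff
  Logon                                   Success and Failure
  Logoff                                  No Auditing
  Account Lockout                         No Auditing
  Special Logon                           No Auditing
System audit policy
Category/Subcategory                      Setting
Account Logon
  Kerberos Service Ticket Operations      No Auditing
  Other Account Logon Events              No Auditing
  Kerberos Authentication Service         Success and Failure
  Credential Validation                   No Auditing
"""


def parse_auditpol(text):
    """Map category -> {subcategory: setting}. Category lines are unindented;
    subcategory lines are indented, with two or more spaces before the setting."""
    policy, category = {}, None
    for line in text.splitlines():
        if not line.strip() or line.startswith(("System audit policy", "Category/Subcategory")):
            continue
        if not line.startswith(" "):
            category = line.strip()
            policy.setdefault(category, {})
            continue
        m = re.match(r"\s+(.+?)\s{2,}(.+?)\s*$", line)
        if m and category is not None:
            policy[category][m.group(1)] = m.group(2)
    return policy


def audit_gaps(policy, required=REQUIRED):
    """Return (category, subcategory, actual) for every required subcategory
    whose setting differs from the expected one or is missing entirely."""
    gaps = []
    for category, subs in required.items():
        for sub, expected in subs.items():
            actual = policy.get(category, {}).get(sub, "<missing>")
            if actual != expected:
                gaps.append((category, sub, actual))
    return gaps


def run_auditpol():
    """On Windows, collect both categories with auditpol.exe (the article's
    commands); elsewhere return the embedded sample so the script still runs."""
    if sys.platform != "win32":
        return AUDITPOL_OUTPUT
    out = []
    for cat in REQUIRED:
        out.append(subprocess.run(["auditpol.exe", "/get", f"/category:{cat}"],
                                  capture_output=True, text=True, check=True).stdout)
    return "\n".join(out)


if __name__ == "__main__":
    gaps = audit_gaps(parse_auditpol(run_auditpol()))
    for cat, sub, actual in gaps:
        print(f"NOT OK: {cat} > {sub} is '{actual}', expected 'Success and Failure'")
    if not gaps:
        print("OK: audit policy matches what STAS needs")
    sys.exit(1 if gaps else 0)
```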

e) Verify event ID 4768 was generated for user logon

Event ID 4768 is generated on the AD DC when a user logs on.

If the AD DC doesn't generate event ID 4768 in Windows Event Viewer, the STA agent cannot detect any user logon activity.

Once event ID 4768 is generated, the STA agent forwards that information to the STA collector on UDP port 5566.

Please check Windows Event Viewer to make sure Event ID 4768 is generated when a user logs on to a workstation.

The following screenshot shows user1 logged on AD domain tao.xg from computer 192.168.3.15

6. Install and configure STAS

a) Install STAS

Sophos KBA for STAS https://support.sophos.com/support/s/article/KB-000035732

Latest STAS can be downloaded from XG firewall webadmin > Authentication > Client downloads, as below

In this example, STAS suite was installed on a Windows AD DC 192.168.20.5.

Please install STAS by right-clicking the installation file > 'Run as administrator' to prevent potential permission issues on Windows.

Enter Windows AD administrator credentials, as shown below. The account is needed to

  • query Windows Event Viewer for Event ID 4768
  • start/stop "Sophos Transparent Authentication Suite" service, and
  • send Windows WMI query to all AD computers to perform workstation polling

If you can't use the administrator account, you can use another account that is a member of Domain Admins.

b) Configure STA Agent

Specify the subnet to which all Windows AD users belong, as shown below.

"Domain Controller IP" must be blank if the STA agent is installed on an AD DC. Otherwise, the STA agent can't read the local Windows Event logs.
Monitor Networks: 192.168.20.0/24

c) Configure STA Collector

  • Set "Sophos Appliances" to the internal IP address of the XG firewall, 192.168.20.254. If XG firewall is in HA, please use interface IP address, not HA peer administration IP.
  • Workstation Polling Method: WMI is recommended
  • Enable Logoff Detection: checked
  • Detection Method: Workstation polling
  • Dead entry timeout: must be 0. Details in section "9. Known issues".

d) Configure Exclusion List

Go to "Exclusion List" and add background service accounts (such as SophosUpdateMgr, SophosManagement, and accounts used by any antivirus pattern updater) to the "Login User Exclusion List", to prevent a STAS live user from being logged off when a background service account logs in.

Note: "Login User Exclusion List" only supports "username", and doesn't support "username@domain.com", nor "domain\username".

On STA collector, add Citrix (or any other) terminal servers into "Login IP Address/Network Exclusion List", as below

e) Advanced

The following is recommended, in case STAS troubleshooting is needed.

  • STAS log file size: 25
  • Log level: Debug
  • Reduce log: disable

STAS log files, stas.log, and stas.log1, are located on the Windows server installed with STAS in the directory of C:\Program Files (x86)\Sophos\Sophos Transparent Authentication Suite, by default.

stas.log and stas.log1 get rotated at every 25 MB (or as defined by Log File Size).

f) Create Windows Firewall rules to allow STAS traffic

If STA Collector and STA Agent are installed on the same Windows server, create Windows Firewall rules on the Windows server, to allow

  • inbound traffic to TCP port 5566, and UDP port 6677
  • outbound traffic to UDP port 6060

If STA Collector and STA Agent are installed on different servers,

  • create Windows Firewall rules on STA Collector, to allow
    • inbound traffic to TCP port 5566, UDP port 6677, and UDP port 50001
    • outbound traffic to UDP port 6060
  • create Windows Firewall rules on STA Agent, to allow
    • outbound traffic to TCP port 5566 and UDP port 50001

The ports needed by STAS are described in section "1. How STAS works > d) Summary of ports".

Windows Firewall rules are applied per network profile (Domain, Private, Public). Make sure the above Windows Firewall rules are applied to the correct network profile.

g) Start STAS

Click the "Start" button on the "General" tab to start the STAS service.

Once STAS and the XG firewall establish communication, the IP address of the XG firewall is displayed on the "General" tab, as below.

Note:

  • When there are multiple STA collectors in the same collector group, the XG firewall only communicates with the STA collector at the top of the list; only that STA collector establishes communication with the XG firewall, and only that STA collector displays the IP address of the XG firewall in its General tab.
  • To find out which STA collector is communicating with XG firewall,
    • go to STAS > General tab, check if it has XG firewall IP address displayed. If yes, it is the STA Collector communicating with XG firewall, or
    • check backend logs in XG firewall SSH terminal,

      SSH to XG firewall as admin, and go to 5. Device Management > 3. Advanced Shell, and run the following command
      grep "CTA LIVE Received from\|sending CTA_IS_ACTIVE" /log/access_server.log | tail

      The sample output below shows the XG firewall has been communicating with STA Collector 192.168.20.5 since 16:00 on 8 Feb.
      SFVUNL_SO01_SFOS 18.0.4 MR-4# grep "CTA LIVE Received from\|sending CTA_IS_ACTIVE" /log/access_server.log | tail 
      DEBUG Feb 08 16:00:36.719168 [access_server]: process_cta_live: CTA LIVE Received from 192.168.20.5
      DEBUG Feb 08 16:01:06.733092 [access_server]: process_cta_live: CTA LIVE Received from 192.168.20.5
      DEBUG Feb 08 16:01:36.748435 [access_server]: process_cta_live: CTA LIVE Received from 192.168.20.5
      DEBUG Feb 08 16:02:06.753870 [access_server]: process_cta_live: CTA LIVE Received from 192.168.20.5
      DEBUG Feb 08 16:02:36.754746 [access_server]: process_cta_live: CTA LIVE Received from 192.168.20.5
      DEBUG Feb 08 16:03:06.770399 [access_server]: process_cta_live: CTA LIVE Received from 192.168.20.5
      DEBUG Feb 08 16:03:36.784307 [access_server]: process_cta_live: CTA LIVE Received from 192.168.20.5
      DEBUG Feb 08 16:04:06.799499 [access_server]: process_cta_live: CTA LIVE Received from 192.168.20.5
      MESSAGE Feb 09 11:01:29.423157 [access_server]: process_cta_live: sending CTA_IS_ACTIVE 192.168.20.5
      MESSAGE Feb 09 11:08:30.094186 [access_server]: process_cta_live: sending CTA_IS_ACTIVE 192.168.20.5
      SFVUNL_SO01_SFOS 18.0.4 MR-4#
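As an added example (not part of the original article), the following Python script does what the grep above does by eye: it parses the "CTA LIVE Received from" and "sending CTA_IS_ACTIVE" lines of access_server.log, reports per collector when heartbeats started and were last seen, and flags a collector whose heartbeat has stopped. The sample lines are the grep output above plus one constructed line for a second collector (as you would see with a second collector group); the year and the 30 s heartbeat interval are assumed from the sample, since the log carries no year and the article does not state the interval.

```python
"""Which STA Collector is the XG firewall hearing from, per /log/access_server.log?

Added example, not from the original article. SAMPLE_LOG is the article's grep
output plus one constructed line for collector 192.168.20.6; on the firewall
you would read /log/access_server.log itself.
"""
import re
from collections import defaultdict
from datetime import datetime

SAMPLE_LOG = """DEBUG Feb 08 16:00:36.719168 [access_server]: process_cta_live: CTA LIVE Received from 192.168.20.5
DEBUG Feb 08 16:01:06.733092 [access_server]: process_cta_live: CTA LIVE Received from 192.168.20.5
DEBUG Feb 08 16:01:36.748435 [access_server]: process_cta_live: CTA LIVE Received from 192.168.20.5
DEBUG Feb 08 16:02:06.753870 [access_server]: process_cta_live: CTA LIVE Received from 192.168.20.5
DEBUG Feb 08 16:02:36.754746 [access_server]: process_cta_live: CTA LIVE Received from 192.168.20.5
DEBUG Feb 08 16:02:40.000000 [access_server]: process_cta_live: CTA LIVE Received from 192.168.20.6
MESSAGE Feb 09 11:01:29.423157 [access_server]: process_cta_live: sending CTA_IS_ACTIVE 192.168.20.5
MESSAGE Feb 09 11:08:30.094186 [access_server]: process_cta_live: sending CTA_IS_ACTIVE 192.168.20.5
"""

LINE_RE = re.compile(
    r"^(?P<level>\w+) (?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2})\.\d+ \[access_server\]: "
    r"process_cta_live: (?P<event>CTA LIVE Received from|sending CTA_IS_ACTIVE) (?P<ip>[\d.]+)$"
)

ASSUMED_YEAR = 2021  # assumption: the log line carries no year
HEARTBEAT_S = 30     # assumption: interval observed between CTA LIVE lines in the sample


def parse_line(line):
    """Return (timestamp, kind, collector_ip) for a CTA line, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(f"{ASSUMED_YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
    kind = "live" if m["event"].startswith("CTA LIVE") else "is_active"
    return ts, kind, m["ip"]


def collector_status(log_text, now=None):
    """Per collector IP: heartbeat count, first/last CTA LIVE, last CTA_IS_ACTIVE
    query sent by XG, and whether the heartbeat is stale relative to `now`
    (default: the newest timestamp in the log)."""
    events = [e for e in map(parse_line, log_text.splitlines()) if e]
    if not events:
        return {}
    now = now or max(ts for ts, _, _ in events)
    status = defaultdict(lambda: {"heartbeats": 0, "first_live": None,
                                  "last_live": None, "last_is_active": None})
    for ts, kind, ip in events:
        s = status[ip]
        if kind == "live":
            s["heartbeats"] += 1
            s["first_live"] = s["first_live"] or ts
            s["last_live"] = ts
        else:
            s["last_is_active"] = ts
    for s in status.values():
        # Stale = no CTA LIVE within two heartbeat intervals of `now`.
        s["stale"] = s["last_live"] is None or (now - s["last_live"]).total_seconds() > 2 * HEARTBEAT_S
    return dict(status)


def active_collector(status):
    """The collector with the most recent CTA LIVE, i.e. the one XG is currently
    hearing from (only the primary of a collector group sends heartbeats)."""
    live = {ip: s["last_live"] for ip, s in status.items() if s["last_live"]}
    return max(live, key=live.get) if live else None


if __name__ == "__main__":
    for ip, s in collector_status(SAMPLE_LOG).items():
        print(ip, s)
    print("active collector:", active_collector(collector_status(SAMPLE_LOG)))
```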

h) Verify workstation poll method

For STAS to work without problems, the STA Collector has to be able to communicate with all workstations via the workstation poll method.

In the above configuration, we configured the STA Collector to use WMI as the workstation polling method.

We need to verify that the STA Collector can communicate with any AD workstation via WMI.

It can be done in STAS > Advanced > Troubleshooting > STAS Polling Utilities > WMI Verification, as below

It should be successful. Otherwise, please follow section "5. Configure Windows AD GPO > b) Allow inbound WMI on AD computers"

7. Verify STAS is working

a) check STAS live users

user1 logged on to AD computer 192.168.20.15 after STAS was set up.

Go to STAS > Advanced > Show Live Users; the live user was listed there.

XG webadmin > Current Activity > Live Users also showed the live user.

b) create a firewall rule for user group

Create a firewall rule to allow users in IT group to access servers in DMZ zone, 192.168.3.0/24

Now, 192.168.20.15 can ping DMZ server 192.168.3.9

XG firewall web admin > Current activities > Live connections > Live connections for: Username shows live connection of user1@tao.xg

Firewall rule traffic stats also confirmed traffic from 192.168.20.15 was generated by the user in the IT group and hit the firewall rule.

8. Troubleshooting

a) STAS shows no XG firewall IP address

When the XG firewall can't communicate with STA Collector, STAS "General" tab doesn't show the XG firewall IP address.

Make sure

b) STAS shows no live user

In case STAS doesn't detect any live user

Make sure

  • STAS is started
  • STAS and XG firewall established communication
  • Event ID 4768 is generated in Windows Event Viewer when an AD user logs on an AD workstation.
  • STAS was installed by right click on installation file > Run as administrator

c) XG firewall has no STAS live user, although STAS has them

If XG firewall doesn't show any live user, but STAS shows live users, make sure

  • Windows Firewall rules on the STAS server are configured properly, as per section "6. Install and configure STAS > f) Create Windows Firewall rules to allow STAS traffic"
  • XG firewall has "Client Authentication" enabled on the zone where the STAS server is located.
  • Authentication service on XG firewall is running. It can be verified on XG firewall web admin > System services > Services, as below
  • Check if XG firewall reaches the STAS server via a static route. Details in section "9. Known issues"

d) STAS keeps removing live user

STAS detects the live user on AD computers, but removes it again after a while.

Make sure

e) XG firewall has one or more STAS live users missing

XG webadmin > Current Activity > Live Users shows some STAS live users, but not all.

Some STAS live users are missing on the XG firewall.

Make sure

Check if XG firewall reaches STAS server via static route. Details in section "9. Known issues".

f) Group policy of audit logon events is not updated on AD computer

g) STAS service did not start due to a logon failure

If STAS service fails to start and the following error is displayed, make sure the account for STAS is a member of AD group "Domain Admins".

You can update the account for STAS in the "General" tab, as below

9. Known issues

a) Dead entry timeout: must be 0, otherwise STAS stops working (applies to STAS v2.5.1.0 and earlier)

b) When XG firewall reaches STAS server via a static route, XG firewall cannot communicate with STAS server after reboot/boot-up. 

Symptom: XG firewall doesn't send packets to STAS server UDP port 6677 to actively query live user on workstations. XG firewall can only passively receive live user information from STAS server.

Workaround: Manually restart authentication service after firewall reboot/boot-up.
- in Advanced Shell, please run the command "service access_server:restart -ds nosync", or
- in webadmin GUI, go to "System service" > "Services", and then Restart "Authentication" service, as below

Note: the bug is expected to be fixed in Sophos Firewall firmware v18.5 MR2. (release date is N/A yet.)

10. Appendix

a) Enable SSL on Windows LDAP service

Note: If you need technical support to enable SSL on Windows LDAP service, please seek help from Microsoft.

In Server Manager, Add Roles and Features

Select "Role-based or feature-based installation"

Add role of "Active Directory Certificate Services"

Click on "Next", install "Certificate Authority"

Install

Once the installation is complete, in Server Manager, click on "Notifications" > Post-deployment Configuration > Configure Active Directory Certificate Services

In "AD CS Configuration", click Next to continue

Choose "Enterprise CA"

Choose "Root CA"

"Create a new private key"

Key length: at least 2048

Hash algorithm: SHA256 or higher, don't choose SHA1/MD5...

Input essential information for the CA

Click on "Configure" to generate root CA.

Now, restart the DC, and Windows automatically enables SSL on LDAP service.

11. Edition History

2021-07-23, added section "9. Known issues"

2021-02-10

  • added section "1. How STAS works > c) Deployment example"
  • updated section "6. Install and configure STAS > c) Configure STA Collector"
  • updated section "6. Install and configure STAS > g) Start STAS"
  • added section "8. Troubleshooting > e) XG firewall has one or more STAS live users missing"
  • updated ToC

2021-01-29, updated ToC.

2021-01-25, converted from PDF to HTML by emmosophos. Thank you.

2021-01-19

  • updated section "3. Test environment > a) Network Topology"
  • added section "7. Verify STAS is working > b. create firewall rule for user group "
  • updated section "8. Troubleshooting "

2021-01-15, first edition



[edited by: taowang at 11:41 PM (GMT -7) on 22 Jul 2021]
  • This is a much better and more thorough article than the official guide, which fails to mention entering the audit settings in the default domain policy. It only suggests putting these setting on the DCs with the collector installed.

    Thanks!
