Sophos Firewall: SATC with Sophos Server Protection Step by Step Guide

Disclaimer: This information is provided as-is for the benefit of the Community. Please contact Sophos Professional Services if you require assistance with your specific environment.

Overview 

Sophos Authentication for Thin client (*SATC) with Sophos Server Protection enables Sophos Firewall to authenticate users accessing a server or remote desktop.SATC is included with Sophos Server Protection in Sophos Central. It's part of Sophos Central Server Core Agent and is available with any Server Protection license in Sophos Central. Currently, SATC with Sophos Server Protection only supports Windows Remote Desktop Services.You must download the Windows Server installer from Sophos Central. The installers that you can download would depend on the licenses you have.

Sophos Firewall controls those authenticated users using a session-based approach via an identity-based firewall rule providing more granular access controls per user group.

*Note: SATC functionality is only supported on Windows Server 2016 and requires a Core Agent of 2022.2 and higher.

What To Do

Follow the steps below to set up new SATC client integration with Sophos Server Protection:

For full details on enabling SATC with Sophos Central Server Protection see this help document: SATC with Sophos Server Protection.

The steps below walk through the setup:

Turn off tamper protection for server protection. Note the current settings before you turn off tamper protection, as you need to change these back once SATC is activated.
On the server, open a command-line console/Power Shell. Add new parameter Satc PendDuration Ms in SATC, run the following command to turn on SatcPendDurationMs parameter 
command: - reg add "HKLM\Software\Sophos\Sophos Network Threat Protection\Application" /v SatcPendDurationMs /t REG_DWORD /d 300

NOTE: We are updating the pend duration only when there is network latency
Please ensure to reboot the Terminal Server once changes are applied.
Lastly, check the windows registry to confirm the changes under: HKLM\Software\Sophos\Sophos Network Threat Protection\Application 
If you face any issues or need further assistance with this, kindly reach out to our Sophos Support team - support.sophos.com

Updated Disclaimer
[edited by: Erick Jan at 9:07 AM (GMT -7) on 17 Apr 2023]

Top Replies

Vivek Jagad over 1 year ago in reply to Yogesh Patil1 +2

Hey Yogesh Patil1 , The 2022.2.x version of the Server agent moves the SATC functionality out of IPS and into the Core product. We are due to release that to IT next week and start the Server release…

Yogesh Patil1 over 1 year ago

Is this feature still under EARLY ACCESS PROGRAM (BETA), it is full of bugs, as we have tried to install on one of our client production Windows server 2019 , it was a nightmare Sophos Server Protection was using 99% CPU, had to remove it...
Cancel
Vote Up 0 Vote Down

Sign in to reply

Cancel
Vivek Jagad over 1 year ago in reply to Yogesh Patil1

Yup Yogesh Patil1 that's true it is still in early access programs. You can log a service request if you are having troubles with it. And support can help you investigate further to narrow down the situation.

Thanks & Regards,
_______________________________________________________________

Vivek Jagad | Team Lead, Global Support & Services

Log a Support Case | Sophos Service Guide
Best Practices – Support Case

Sophos Community | Product Documentation | Sophos Techvids | SMS
If a post solves your question please use the 'Verify Answer' button.
Cancel
Vote Up +1 Vote Down

Sign in to reply

Cancel
Yogesh Patil1 over 1 year ago in reply to Vivek Jagad

Thank you for the reply...

I have tried to provide access to Sophos support it took me a month case to escalate to the Global Support team, they have tried to provide me support many times, i have also spent around 10+ hours with for the remote support to diagnose the issue but, not done.. finally i have to uninstall the Sophos server protection, as it was high on server resources.

Sophos as already discontinued the old SATC client, and the new solution is provided in full of bugs... what exactly does Sophos expect from the customers, to provide them with our production servers for their own research and developments?

It is almost 1+ year Sophos has announced end of support or OLD SATC and new solution still in BETA...

Looking forward to get some ETA announcement for the final and proper solution...
Cancel
Vote Up 0 Vote Down

Sign in to reply

Cancel
Vivek Jagad over 1 year ago in reply to Yogesh Patil1

Hey Yogesh Patil1,

The 2022.2.x version of the Server agent moves the SATC functionality out of IPS and into the Core product.

We are due to release that to IT next week and start the Server release towards the end of July.

Thanks & Regards,
_______________________________________________________________

Vivek Jagad | Team Lead, Global Support & Services

Log a Support Case | Sophos Service Guide
Best Practices – Support Case

Sophos Community | Product Documentation | Sophos Techvids | SMS
If a post solves your question please use the 'Verify Answer' button.
Cancel
Vote Up +2 Vote Down

Sign in to reply

Cancel
adn77 over 1 year ago

Hi Vivek Jagad and thank you for the most useful information provided.

I have been on a support case regarding SATC in RDS Server 2019 for almost two months now. After having read the article for the hundredth time I followed your suggestion to check for the SophosNetfilter.exe - which in our case is not running. It should have been easy for the support to figure that out

We are enrolled in EAP, although the versions differ slightly:

Core Agent 2.20.13 BETA

Sophos Intercept X 2021.3.1.11 BETA

Server Protection 10.8.11.4 BETA

Managed Threat Response 2.3.0.68

XDR 2.20.13 BETA

"The 2022.2.x version of the Server agent moves the SATC functionality out of IPS and into the Core product."

Will this still be in the context of EAP? By "Core product" you're referring to Intercept X?
Cancel
Vote Up 0 Vote Down

Sign in to reply

Cancel
Vivek Jagad over 1 year ago in reply to adn77

Thank you Alexander Noack

I am glad this information was useful to you !!

That's for sure that you'll see a difference in version as because our dev team releases updates and that is fine !!

It may no longer be a context of EAP once it is in Core product, and I am still awaiting response from the internal dev team. So as soon as I receive an update, will post it here !!

Thanks & Regards,
_______________________________________________________________

Vivek Jagad | Team Lead, Global Support & Services

Log a Support Case | Sophos Service Guide
Best Practices – Support Case

Sophos Community | Product Documentation | Sophos Techvids | SMS
If a post solves your question please use the 'Verify Answer' button.
Cancel
Vote Up +2 Vote Down

Sign in to reply

Cancel
Youness KHALDOUNE over 1 year ago

Hey,
Can you please tell me what is the ip address "192.168.97.181" that you added as a value for Windows Registry key : SatcDestinationAddr for ?

Thanks !
Cancel
Vote Up 0 Vote Down

Sign in to reply

Cancel
adn77 over 1 year ago in reply to Youness KHALDOUNE

That would be the Sophos appliance
Cancel
Vote Up 0 Vote Down

Sign in to reply

Cancel
adn77 over 1 year ago in reply to Vivek Jagad

Regarding the EAP context:

We now have version 2022.2.1.9 BETA rolled out to our servers enrolled in EAP.
All other server still have the previous version.

Since it is still not working for us - I am trying to tell the Sophos Support, that according to your guide, there should be a SophosNetFilter.exe (which we don't have).

Is this still true for the latest release?

Thank you!
Cancel
Vote Up 0 Vote Down

Sign in to reply

Cancel
Deon Seymour1 over 1 year ago

Has anyone actually got this to work yet? I've been through the same process three times in two weeks and get stuck at the same point everyone seems to be - no SophosNetFilter.exe process.

Support have had me just through all the hoops thinking I haven't been following the guides, even had me reinstall and Clear-the-local-update-cache-and-force-an-update as per article KB-000036449.

Directors are not happy a working Utility was dropped and replaced with a buggy non working beta that is an additional cost to the firewall.

What are the choices for customers who do not want to go to central - they just lose SATC now?
Cancel
Vote Up 0 Vote Down

Sign in to reply

Cancel

Core Agent	2.20.13 BETA
Sophos Intercept X	2021.3.1.11 BETA
Server Protection	10.8.11.4 BETA
Managed Threat Response	2.3.0.68
XDR	2.20.13 BETA