STAS issue with multiple DC's & collectors

Hey Louis.

I think that's actually how ir behaves and you workaround is actually how it should be setup when using multilple collectors. When multiple collectors are used, UTM will use the one that replied faster and only go "down the list" if that collector stops reponding.

But, since STAS docummention as a little scarced yet and my insight is based on observation, I'll let someone with more knowledge on the theme confirm this.

Regards,

Giovani

Yes, looking at this, it seems that a STAS collector can service multiple UTM's but if you put a collector on each DC, you have to be careful that when the UTM looks for a collector, it doesn't jump to another eg UTM 1 goes to collector 1 on DC1, UTM 2 goes to collector 3 on DC3. If the STAS Suite on DC3 is pointing to the primary collector on DC1 and DC1 goes down, you lose the collector.

The answer is to put collectors on all the DC's but again, you have to be care. A single timeout on the first collector on a UTM will cause the UTM to select the next collector eg collector 2. That collectors agent will be pointing elsewhere eg at Collector 1 which has now gone down.

I think the answer might be to map the agent to the same order as which the collectors are specified in the UTM eg they all point to collector 1. If collector 1 goes down, they all point to collector 2 and so forth.

The documentation is a little scarce and doesn't really highlight the pitfalls etc.

Early days yet but I seem to have 2x UTM's synced across 4x DC's. Logs appear to be matching although I do get the old "child XXXX is running too long. Terminating child" warning and the user that is logged in the logs doesn't show up on the UTM.

ON DC1: On the front tab of the STAS suite, under Sophos appliances being served, it shows UTM A & UTM B.
ON DC2: On the front tab of the STAS suite, under Sophos appliances being served, it shows 0 UTM's.
ON DC3: On the front tab of the STAS suite, under Sophos appliances being served, it shows UTM A.
ON DC4: On the front tab of the STAS suite, under Sophos appliances being served, it shows 0 UTM's.

Now above, I can understand DC1 as STAS is serving both UTM's as DC1 is first in the list for STAS servers on the UTM's
I can understand DC2 & DC4 as both are not the primary STAS Server ie it is DC1

I can't understand DC3 as that appears to be serving UTM A by itself. I don't think it should do this??

Hi,

I have earned some experience with stas and I know that sophos does not know 100%, how this product actually works. Last november I configured STAS for the first time, but never got it running as needed. Sophos says, "sorry in this moment the product does not meet your requirements". 

My requirements, sorted by priority:

1.) User/IP Adress Mapping on the utm is not part of cluster sync and doesn´t even survive a reboot. After a reboot the utm will have an empty user list. Most urgent problem--> not usable in a productive environment.
2.) When using 2x STAS Suite, Users will appear on utm shortly after login event. But they will dissapear after 10minutes. It doesn´t matter, if logoff detection is enabled or not. There are very few users in the utm, while there are lots more active/logged in.
3.) STAS Agent uses undocumented Port 50001. This can conflict with MS DNS Service random ports. There is a workarround, but not in the documentation. -->Very bad!
4.) RDP session cannot be verified by wmi-detection, rdp users are not supported. RDP Users will initially appear in the collector list, but will then disappear
5.) There is no full documentation, that fits totally the current behaviour of the software.

But back to your question: I don´t know, how the failover/backup process works. I can imagine, that the utm decides which collector to use (perhaps based upon the collector list in utm?!). But you can test it, simply stop the STAS service and you will see, what happens then. With two collectors, you can observe, that the next collector will start to serve the utm.

Does all of your "logged-in" Users stay in users authentication list on the utm? Did you configure Logoff detection? What are your settings? I could observe, that with full suites installed on more than 1 DC, the users appear on the utm only for a short time. Even when I configured the other STAS Collector in both Agents. The problem that I had with two suites installed was, that the users dissapeared from the users list after a certain time, even with logoff detection disabled.

Then I removed the collector from one DC and the users list is now, as it should be. But... There a still all these bugs....

Hi,

my users do stay in the list. I have logoff detection enabled and set at 2 hours. It appears to work. Logons to our RDP servers are also showing.

I agree that it is a little random as is my post above. I'm not sure how the UTM selects what STAS it wants. I would have thought it would go on the order of the list in the UTM, work it's way down when STAS fails and constantly poll the failed one until it comes back online at which time it would switch back.

Documentation not great by any standards either and the whole thing does seem a little hickledy pickeldy to me too. I'll keep plodding on. Maybe 9.5 will have the improvements?

Hi,

Louis-M said:

my users do stay in the list. I have logoff detection enabled and set at 2 hours. It appears to work. Logons to our RDP servers are also showing.

 

Interesting. Whats your Detection Interval? Does your RDP sessions (assuming, that they are still active and no logoff has taken place)  stay active, longer than the detection interval? Did you monitor this for a specific user? Im asking because in my installation, rdp users will vanish after the the detection takes place. That behaviour fits to the official sophos statement:

This is a answer regarding RDP from a sophos 3rd level engineer:

3. Are RDP sessions supported? Should users connecting via RDP get authenticated and how do they get de-authenticated.
Configured logoff detection seems to log off the users after the Configured time. It seems the workstation polling doesn't work for RDP sessions.
Is this the case or not?

RDP sessions are not supported. I tested this locally. This could be an improvement for STAS v3. Reason is that the collector basially uses a WMI query.

Regards

Sebastian

There are also some open Tickets for this topic:

NUTM-7045  Design questions about STAS
NUTM-7447 [STAS] user list differs from the expected list of users as shown on the collector. 

You are quite right. As our users came back today, I could look at it a bit more.

1. We do have users that are in the UTM list from yesterday logged onto one of our RDP servers

2. The list does not match up at all with the current sessions or idle sessions on the RDP server

So, very hit and miss.

I've tinkered only a bit with STAS, but I can say it's still rather unpredictable and borderline unusable at the moment. For example, I have an entry on my "Online Users" list that shows:

Noticed the "Active Directory Users"? For some reason this user is being mapped as this, instead of the username. For the life of me I cannot get this specific user to map to it's IP address. STAS and aua.log show the user is correctly mapped to it's IP address, but WebAdmin just won't reflect this. Go figure.

Anyhow, I've hit the same pitfalls as you. Multiple STAS working as collectors and reporting their entries to one another showed unpredictable results to me. I ended up having to use a single collector and agents on the other DCs. Since trere's no documentation whatsoever that tells us what we can and cannot do (even from Cyberoam, that it's from STAS is originally from), it's been a lot of hit an miss. And I do agree that if you have a high available environment with two or more DCs STAS should be able to run on a high available multiple collectors setup, and allowing collectors to act as collectors and agents ate the same time would be a neat way of doing so. But it does not appear to work, at least it wasn't a few months back when I got similar results as yours. Based on Louis report, however, it appears that this might have changed. I'll try to test it again next week. 

As for RDP, STAS is not the tool for this. You see, STAS maps an user to an IP address based on login entries from DCs. On a RDP server you have multiple users sharing the same IP, so STAS goes haywire. If another user logs in using the same IP as another logged in user, STAS appears to just delete both entries. Sophos does have an solution for this called SATC, but it appears that it's only available to XG and have not been ported to UTM yet. Considering they ported STAS, SATC should be in the roadmap.

As a workaround you would need to create a "regular" Web Protection profile using Standard or Transparent mode with AD SSO authentication exclusively matching your RDS server IP address and place it above the profile using STAS. That way remote users accessing your environment through RDS would be authenticated using SSO, as the profile would be restricted to your RDS server IP address and would be matched before the STAS profile, and everyone else would be authenticated using STAS.

Regards - Giovani

Out of interest, is there any log on the UTM for SSO authentications? I can't see it.