
STAS issue with multiple DC's & collectors

Whilst testing STAS, we came across some anomalies where not all users were getting logged.

The setup:

4 x DCs over 4 different sites. All DCs entered into the UTM under STAS, with all DCs having the full STAS Suite installed and running.

All of the STAS collectors/agents were up and running and all tested. The reason the whole suite was installed is for resilience and failover, e.g. in case 1 DC failed.

The Issue:

Looking through the logs, the UTM only queried the first STAS/DC server in its list. It did not work its way down the list as we would have expected. Therefore, it would only log the authentications that were done on this DC. This resulted in authentications on the other STAS/DC servers being missed.

It appears that only if the connection fails to the first STAS/DC server in the list will the next server be tried for authentication.

The workaround:

Specify the first STAS/DC server in the STAS Collectors on each of the other servers.

This appeared to work and now all users are authenticated. It does, however, still leave the question: if the first DC fails, who then becomes the collector?
I am going to add other collector IPs into the agents, as Sophos state that only the first collector in the list gets the authentications, so I am hoping that if that collector fails, it will try the next collector in the list and so forth.

  • For STAS you can check aua.log for events with caller="stas". Those would log any logins passed to the UTM by STAS. For SSO I don't think there are any logs as the authentication is merely relayed by the UTM to the DCs.

  • I like the STAS logs in the UTM and the list of users. It's a pity AD authentication didn't have something similar. Even better would be a table with the option to block a currently authenticated user, i.e. automatically drop them into an overarching block rule if required.
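Following on from the reply above about checking aua.log for caller="stas" events, here is an added example (not code from the thread or from Sophos) that counts STAS logins per site subnet, so a site whose collector the UTM never queries stands out as silent. It assumes the UTM key="value" log layout for aua.log; the sample log lines and site subnets are constructed.

```python
import ipaddress
import re
from collections import Counter

# Assumed aua.log layout: key="value" pairs, STAS logins tagged caller="stas".
KV_RE = re.compile(r'(\w+)="([^"]*)"')

# Constructed sample lines (not a real log) in the assumed aua.log layout.
SAMPLE_LOG = """\
2016:03:01-08:00:01 utm aua[2100]: id="3005" severity="info" sys="System" sub="auth" name="Authentication successful" srcip="10.1.0.15" user="alice" caller="stas" engine="stas"
2016:03:01-08:00:09 utm aua[2100]: id="3005" severity="info" sys="System" sub="auth" name="Authentication successful" srcip="10.1.0.22" user="bob" caller="stas" engine="stas"
2016:03:01-08:01:30 utm aua[2100]: id="3005" severity="info" sys="System" sub="auth" name="Authentication successful" srcip="10.2.0.40" user="carol" caller="stas" engine="stas"
2016:03:01-08:02:00 utm aua[2100]: id="3005" severity="info" sys="System" sub="auth" name="Authentication successful" srcip="10.3.0.7" user="dave" caller="webadmin" engine="local"
"""

# Constructed site subnets, one per DC/STAS collector as in the thread's setup.
SITES = {
    "site-a": ipaddress.ip_network("10.1.0.0/16"),
    "site-b": ipaddress.ip_network("10.2.0.0/16"),
    "site-c": ipaddress.ip_network("10.3.0.0/16"),
    "site-d": ipaddress.ip_network("10.4.0.0/16"),
}

def parse_line(line):
    """Return the key="value" fields of one aua.log line as a dict."""
    return dict(KV_RE.findall(line))

def stas_logins_per_site(log_text, sites):
    """Count caller="stas" logins per site subnet (non-STAS logins ignored)."""
    counts = Counter({name: 0 for name in sites})
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev.get("caller") != "stas":
            continue  # e.g. WebAdmin or local logins are not STAS events
        try:
            ip = ipaddress.ip_address(ev["srcip"])
        except (KeyError, ValueError):
            continue  # malformed line or no source IP
        for name, net in sites.items():
            if ip in net:
                counts[name] += 1
                break
    return dict(counts)

def silent_sites(log_text, sites):
    """Sites with zero STAS logins: the symptom described in the thread."""
    per_site = stas_logins_per_site(log_text, sites)
    return sorted(name for name, n in per_site.items() if n == 0)
```

Run it against a real aua.log export (with your own site subnets) after the workaround is applied; every site should show a non-zero count once its DC's logins reach the UTM.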