Who here has struggled getting STAS working?

Reason I ask is that the documentation for it is unavailable, unless I've missed something; however, based on some other threads I perceive there to be the possibility of using STAS-created objects within firewall rules. Initially my assumption for STAS would be that it would strictly be used for the Web Protection module only.

On behalf of the crowd here, I'd like to ask for some documentation on how STAS is to be configured, and where it can be used throughout the UTM.

Cheers

  • AzRoN said:

    Initially my assumption for STAS would be that it would strictly be used for the Web Protection module only.

    I haven't found time yet to play with 9.4 Beta, but if this is true then what is the point of including STAS in UTM9 anyway?
    SSO was working perfectly with Web Filtering just with joining the UTM into Active Directory domain.

  • Hi vilic,

    we can use STAS for user-based firewall policies. I'll test this in the near future. Unfortunately, it seems that STAS only works with Active Directory joined computers.


    Regards

    mod

  • mod2402 said:

    ....Unfortunately, it seems that STAS only works with Active Directory joined computers.

    Yes, that is expected behavior, because this feature was taken from Cyberoam, where an agent on the domain controller monitors the event log for successful login events and reports them back to the appliance.

    I was just wondering what you see in a firewall rule when you try to add a source: are there also normal user objects, or, like before, only user network objects:

  • It's the same as before. But I think just the user-to-IP mapping is made on the DC with STAS.

    I'll test it if I've time.

  • Hi mod2402,


    STAS is supported only with Active Directory; therefore, it will not work with computers that are not members of an Active Directory domain.


    Greetings

    Holger

  • What did I do wrong here?

    1. STAS enabled on UTM, installed and configured on DC. I can see live users in STAS tool:

    2. In UTM Client Authentication log there is information about successful login, and two user objects are automatically created:

    2016:03:26-08:38:17 utm2 argos[13752]: [handle_transparent_sso_request]: Received login sso request: username vilic, ip_address 192.168.9.99, domain_name lab.local
    2016:03:26-08:38:18 utm2 argos[13752]: [auth_aua_recv]: User vilic authenticated [REF_DefaultAdirectoryUserGroup]


    3. But...there is no Online clients listed under STAS status page, and there is no resolved IP for User Network objects:
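    As an added illustration (not code from the thread or from Sophos), the script below parses Client Authentication log lines in the argos format quoted in point 2 and reports which transparent SSO requests were followed by a matching "authenticated" line for the same user, and which were not. The sample lines are constructed, the regexes are based only on the two line shapes shown above, and the 60-second correlation window is an assumption.

```python
import re
from datetime import datetime

# Constructed sample, modelled on the two argos lines quoted in the post above,
# plus one request for a second (made-up) user that never gets an "authenticated" line.
SAMPLE_LOG = """\
2016:03:26-08:38:17 utm2 argos[13752]: [handle_transparent_sso_request]: Received login sso request: username vilic, ip_address 192.168.9.99, domain_name lab.local
2016:03:26-08:38:18 utm2 argos[13752]: [auth_aua_recv]: User vilic authenticated [REF_DefaultAdirectoryUserGroup]
2016:03:26-08:40:02 utm2 argos[13752]: [handle_transparent_sso_request]: Received login sso request: username alice, ip_address 192.168.9.120, domain_name lab.local
"""

# Generic shape of an argos line: timestamp, host, argos[pid], [function], message.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}:\d{2}:\d{2}-\d{2}:\d{2}:\d{2}) (?P<host>\S+) argos\[(?P<pid>\d+)\]: "
    r"\[(?P<func>[^\]]+)\]: (?P<msg>.*)$"
)
REQ_RE = re.compile(
    r"Received login sso request: username (?P<user>\S+), ip_address (?P<ip>\S+), domain_name (?P<domain>\S+)"
)
AUTH_RE = re.compile(r"User (?P<user>\S+) authenticated \[(?P<ref>[^\]]+)\]")


def parse_ts(ts):
    # argos writes timestamps as YYYY:MM:DD-HH:MM:SS
    return datetime.strptime(ts, "%Y:%m:%d-%H:%M:%S")


def correlate(log_text, window_seconds=60):
    """Return (confirmed, unconfirmed).

    confirmed maps 'user@domain' to the IP from the SSO request once an
    'authenticated' line for the same user followed within window_seconds;
    unconfirmed lists requests that never got such a line (worth checking
    against the Client Authentication > Global tab)."""
    confirmed = {}
    pending = {}  # user -> (request timestamp, ip, domain)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not an argos line, skip
        ts, msg = parse_ts(m.group("ts")), m.group("msg")
        req = REQ_RE.search(msg)
        if req:
            pending[req.group("user")] = (ts, req.group("ip"), req.group("domain"))
            continue
        auth = AUTH_RE.search(msg)
        if auth and auth.group("user") in pending:
            t0, ip, domain = pending[auth.group("user")]
            if (ts - t0).total_seconds() <= window_seconds:
                del pending[auth.group("user")]
                confirmed[f"{auth.group('user')}@{domain}"] = ip
    unconfirmed = [f"{u}@{d} from {ip}" for u, (_, ip, d) in pending.items()]
    return confirmed, unconfirmed
```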


  • Hi vilic,

    just to be on the same page. You mean that the user isn't listed in Definitions & Users >> Client Authentication under the tab "Global", right?

    If you authenticate a user via STAS as described in your first two points with those log lines, the user should appear in the tab "Global" as described above until a logoff is detected by the STAS collector. Did the user ever show up there, or did the user disappear while you were still logged in?

    Can you reproduce this behavior?

    Regarding the picture in your third point:

    The IP addresses won't be displayed there for performance reasons. It is a bit confusing but the UTM would be really slow with a lot of users logging in / out. So this is expected and you will see the same behavior with Client Authentication (SAA) too.

    /Daniel


    Windows has detected you do not have a keyboard. Press 'F9' to continue.

  • Unknown said:

    just to be on the same page. You mean that the user isn't listed in Definitions & Users >> Client Authentication under the tab "Global", right?

    Yes, that was the problem. After some time and several logoff/logon they started to appear.

  • Hey guys,

    Sorry to resurrect an old thread. I was also wondering why use STAS when joining the UTM to an Active Directory domain works pretty well in the first place. Does the STAS agent work better in some way?

    Thanks

  • Hi Anthony,

    your question sounds like a general misunderstanding of STAS behaviour. Let me try to clarify.

    Joining AD gives you the ability to use SSO with AD backend users.

    STAS gives you the ability to use authenticated users in your policies, without the need to install the CAA (Client Authentication Agent). STAS (Sophos Transparent Authentication Suite) gets information about users that are logged in to workstations that are members of AD. That's all.

    You can install the authentication agent on the client, or you can use STAS instead, if you are not able or willing to install the authentication agent on your clients.

    If you are using STAS, the STAS collector should be able to PING your workstations and also to query your workstations via WMI.

    Hope that I understood your question correctly and that my answer is helpful.

    Greetings

    Holger

  • Hi Holger,

    Thank you for getting back to me. I might have not expressed myself correctly.

    HolgerLehn said:
    Joining AD gives you the ability to use SSO with AD backend users.

    From what I understand, joining AD gives you the ability to import users (by prefetching them in Authentication Services -> Advanced -> Prefetch Directory Users), which then creates an object in the UTM and allows them to be used in Web Filtering policies.

    HolgerLehn said:
    STAS gives you the ability to use authenticated users in your policies, without the need to install CAA

    Does STAS only create user objects in the UTM so that they can be used in Web Filtering policies? What is the point if they can already be prefetched with the Prefetch Directory Users utility?

    There might in fact be something I misunderstand. If that is the case, can you clarify both options to me and give an example of a situation where one would be preferable to the other?

    Thank you