STAS not working

XG115, 17.5 MR-13.

Branch Office router ( currently) with IPSec VPN to Main Office ( working.

DCs are at Main Office on and .72.

STAS Suite installed on and .27, both with user lists populated. Windows Firewall exceptions for TCP/5566, TCP/27015, UDP/6677 and UDP/50001 in place.

STAS diagnostic for connection to XG succeeds.

At the BO XG, AD auth set up and working as per OUs and Groups imported. Can log on to captive portal with AD creds and AD account will be added to the Users list. 

Output from CLI follows:

console> system auth cta show
CTA Status : enable
CTA Collector : enable
Unauth-Traffic Drop Time: 120 sec
Collector IP : Collector Port : Collector Group
------------------------------------------------------------
 : 6677 : 1
 : 6677 : 1
VPN Source Network : VPN Source Netmask
-----------------------------------------
 :

console> show advanced-firewall
Strict Policy : on
FtpBounce Prevention : control
Tcp Conn. Establishment Idle Timeout : 10800
UDP Timeout Stream : 60
Fragmented Traffic Policy : allow
Midstream Connection Pickup : off
TCP Seq Checking : on
TCP Window Scaling : on
TCP Appropriate Byte Count : on
TCP Selective Acknowledgements : on
TCP Forward RTO-Recovery[F-RTO] : off
Strict ICMP Tracking : off
ICMP Error Message : allow
IPv6 Unknown Extension Header : deny

Bypass Stateful Firewall
Source Genmask Destination Genmask

NAT policy for system originated traffic
Destination Network Destination Netmask Interface SNAT IP

does not appear in either STAS as a served appliance.

STAS log on both STAS servers shows

MSG [0x1cf8] 8/12/2020 16:38:58 : SSO_client_update_heartbeat: cr_node: is_active:0

TCPDUMP 'PORT 6677' does not show any connections.

I opened Sophos ticket 10036103 for this. Support did not do ANY of the diagnostics I've reported above, much of which I've learned by lurking on forum posts here. Instead, he focused exclusively on the captive portal--while use of the captive portal is the reason I want to use STAS in the first place! So after a useless 2-hour call, I told him to close the ticket. My take was he did not know anything about STAS and meticulously avoided dealing with it.

Where do I go from here?

BTW, this used to work (with both Cyberoam CRs and Sophos XGs against CTAS). Then all but the main office CR stopped working with CTAS, and I don't think the 2 Sophos have ever worked with STAS. I do not know exactly when this happened or what changed at that time.
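As an added diagnostic that is not part of the post, a small parser for the STAS log format quoted above (the SSO_client_update_heartbeat lines) that reports, per appliance (cr_node), whether the collector's most recent heartbeat marked it active. The sample lines and 192.0.2.x addresses are constructed, and reading is_active:0 as "the collector got no heartbeat reply from that appliance" is an assumption.

```python
import re
from datetime import datetime

# Matches the heartbeat line quoted in the post, e.g.
# MSG [0x1cf8] 8/12/2020 16:38:58 : SSO_client_update_heartbeat: cr_node:192.0.2.20 is_active:0
# The cr_node value may be empty (as in the post), hence \S* rather than \S+.
HEARTBEAT_RE = re.compile(
    r"MSG \[0x[0-9a-fA-F]+\] (?P<ts>\d{1,2}/\d{1,2}/\d{4} \d{2}:\d{2}:\d{2}) : "
    r"SSO_client_update_heartbeat: cr_node:(?P<node>\S*) is_active:(?P<active>[01])"
)

def parse_heartbeats(lines):
    """Yield (timestamp, node, is_active) for each heartbeat line; other lines are skipped."""
    for line in lines:
        m = HEARTBEAT_RE.search(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%m/%d/%Y %H:%M:%S")  # assumes US m/d/y as in the post
        node = m["node"] or "<unknown node>"  # empty cr_node, as in the quoted line
        yield ts, node, m["active"] == "1"

def summarise(lines):
    """Latest state per appliance: last heartbeat, last active heartbeat (or None), active flag."""
    state = {}
    for ts, node, active in parse_heartbeats(lines):
        entry = state.setdefault(node, {"last_seen": ts, "last_active": None, "active": False})
        entry["last_seen"] = ts
        entry["active"] = active
        if active:
            entry["last_active"] = ts
    return state

def inactive_nodes(lines):
    """Appliances whose most recent heartbeat reported is_active:0 (assumed: no reply received)."""
    return sorted(node for node, e in summarise(lines).items() if not e["active"])

# Constructed sample log (192.0.2.x are documentation addresses, not the poster's).
SAMPLE_LOG = [
    "MSG [0x1cf8] 8/12/2020 16:38:58 : SSO_client_update_heartbeat: cr_node:192.0.2.10 is_active:1",
    "MSG [0x1cf8] 8/12/2020 16:38:58 : SSO_client_update_heartbeat: cr_node:192.0.2.20 is_active:0",
    "MSG [0x1cf8] 8/12/2020 16:39:58 : SSO_client_update_heartbeat: cr_node:192.0.2.20 is_active:0",
    "MSG [0x1cf8] 8/12/2020 16:39:58 : SSO_client_update_heartbeat: cr_node: is_active:0",
    "MSG [0x1d00] 8/12/2020 16:39:59 : SSO_client_some_other_event: ignored by the parser",
]

if __name__ == "__main__":
    for node, e in summarise(SAMPLE_LOG).items():
        status = "active" if e["active"] else "NO HEARTBEAT REPLY"
        print(f"{node:16} last seen {e['last_seen']:%Y-%m-%d %H:%M:%S}  {status}")
```

Run it against the collector's log on each STAS server; an appliance that never shows is_active:1 is one the collector cannot reach on UDP/6677, which lines up with the empty tcpdump on the XG.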