XG115, 17.5 MR-13.
Branch Office router (172.16.16.16 currently) with IPSec VPN to Main Office (192.168.1.1) working.
DCs are at Main Office on 192.168.1.12 and .72.
STAS Suite installed on 192.168.1.20 and .27, both with user lists populated. Windows Firewall exceptions for TCP/5566, TCP/27015, UDP/6677 and UDP/50001 in place.
STAS diagnostic for connection to XG succeeds.
At the BO XG, AD auth set up and working as per https://community.sophos.com/kb/en-us/123154. OUs and Groups imported. Can log on to captive portal with AD creds and AD account will be added to the Users list.
Output from CLI follows:
console> system auth cta show
CTA Status : enable
CTA Collector : enable
Unauth-Traffic Drop Time: 120 sec
============================================================
Collector IP : Collector Port : Collector Group
------------------------------------------------------------
192.168.1.20 : 6677 : 1
192.168.1.27 : 6677 : 1
=========================================
VPN Source Network : VPN Source Netmask
-----------------------------------------
172.16.16.0 : 255.255.255.0

console> show advanced-firewall
Strict Policy : on
FtpBounce Prevention : control
Tcp Conn. Establishment Idle Timeout : 10800
UDP Timeout Stream : 60
Fragmented Traffic Policy : allow
Midstream Connection Pickup : off
TCP Seq Checking : on
TCP Window Scaling : on
TCP Appropriate Byte Count : on
TCP Selective Acknowledgements : on
TCP Forward RTO-Recovery[F-RTO] : off
TCP TIMESTAMPS : off
Strict ICMP Tracking : off
ICMP Error Message : allow
IPv6 Unknown Extension Header : deny

Bypass Stateful Firewall
------------------------
Source Genmask Destination Genmask

NAT policy for system originated traffic
---------------------
Destination Network Destination Netmask Interface SNAT IP
192.168.1.12 255.255.255.255 172.16.16.16
192.168.1.72 255.255.255.255 172.16.16.16
192.168.1.20 255.255.255.255 172.16.16.16
192.168.1.27 255.255.255.255 172.16.16.16
172.16.16.16 does not appear in either STAS as a served appliance.
The STAS log on both STAS hosts shows:
MSG [0x1cf8] 8/12/2020 16:38:58 : SSO_client_update_heartbeat: cr_node:172.16.16.16 is_active:0
TCPDUMP 'PORT 6677' does not show any connections.
I opened Sophos ticket 10036103 for this. Support did not do ANY of the diagnostics I've reported above, much of which I've learned by lurking on forum posts here. Instead, he focused exclusively on the captive portal--while use of the captive portal is the reason I want to use STAS in the first place! So after a useless 2 hour call, I told him to close the ticket. My take was he did not know anything about STAS and meticulously avoided dealing with it.
Where do I go from here?
BTW, this used to work (with both Cyberoam CRs and Sophos XGs against CTAS). Then all but the main office CR stopped working with CTAS, and I don't think the 2 Sophos have ever worked with STAS. I do not know exactly when this happened or what changed at that time.
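A consistency check over the CLI output and STAS log line quoted above, added here as an illustration and not part of the original post or any Sophos tool: the sample strings reuse the addresses from the post, but their line layout is an assumption about how the XG CLI prints these tables, and check_stas_over_vpn is a hypothetical helper that reports which piece of the BO-side setup is missing.

```python
import re
from ipaddress import ip_address, ip_network
IPV4 = r"(\d{1,3}(?:\.\d{1,3}){3})"

# Constructed samples: the values come from the post, the line layout is assumed.
CTA_SHOW = """Collector IP : Collector Port : Collector Group
192.168.1.20 : 6677 : 1
192.168.1.27 : 6677 : 1
VPN Source Network : VPN Source Netmask
172.16.16.0 : 255.255.255.0
"""
IPSEC_ROUTE_SHOW = """tunnelname host/network netmask
TPI_Corporate 192.168.1.12 255.255.255.255
TPI_Corporate 192.168.1.20 255.255.255.255
TPI_Corporate 192.168.1.27 255.255.255.255
"""
STAS_LOG = "MSG [0x1cf8] 8/12/2020 16:38:58 : SSO_client_update_heartbeat: cr_node:172.16.16.16 is_active:0\n"
BO_SNAT_IP = "172.16.16.16"  # SNAT IP from the BO's system-originated NAT policy

def collectors(cta_text):
    """(ip, port) rows of the Collector table in 'system auth cta show'."""
    return [(ip, int(port)) for ip, port, _grp in
            re.findall(IPV4 + r"\s*:\s*(\d+)\s*:\s*(\d+)", cta_text)]

def vpn_source_networks(cta_text):
    """Networks listed under 'VPN Source Network : VPN Source Netmask'."""
    return [ip_network(f"{ip}/{mask}") for ip, mask in
            re.findall(IPV4 + r"\s*:\s*" + IPV4, cta_text)]

def ipsec_routed_hosts(route_text):
    """Hosts that have a 'system ipsec_route' entry on any tunnel."""
    return {ip for ip, _mask in re.findall(IPV4 + r"\s+" + IPV4, route_text)}

def inactive_nodes(log_text):
    """Appliances the STAS heartbeat log marks as is_active:0."""
    return {ip for ip, flag in
            re.findall(r"cr_node:" + IPV4 + r" is_active:(\d)", log_text) if flag == "0"}

def check_stas_over_vpn(cta_text, route_text, log_text, bo_snat_ip):
    """Cross-check the BO-side pieces; an empty list means nothing obvious is missing."""
    findings = []
    routed = ipsec_routed_hosts(route_text)
    for ip, _port in collectors(cta_text):
        if ip not in routed:  # BO needs a system route to reach each collector via the tunnel
            findings.append(f"no ipsec_route for collector {ip}")
    if not any(ip_address(bo_snat_ip) in net for net in vpn_source_networks(cta_text)):
        findings.append(f"VPN source network does not cover SNAT IP {bo_snat_ip}")
    if bo_snat_ip in inactive_nodes(log_text):  # STAS still does not see the appliance
        findings.append(f"STAS heartbeat still reports {bo_snat_ip} is_active:0")
    return findings
```

Run against the post's own values it only flags the heartbeat, which matches the poster's conclusion that the config looks complete on the XG side while STAS never hears from 172.16.16.16.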
Hi IT IT7
Apologies for the inconvenience caused.
Could you please ensure that the Client Authentication for the VPN Zone is enabled?
Go to Administration > Device Access, under the Local Service ACL section, enable Client Authentication for the VPN Zone.
Community Support Engineer, Support & Services | Sophos Support
Thanks for your reply. Client Auth is enabled for the VPN zone.
Thank you for the update.
If client authentication is enabled for the VPN zone and system routes are added on the BO, the BO firewall should be able to communicate to the HO firewall for authentication.
I would like you to double-check the configuration with the following KBA: Sophos XG Firewall: How to allow Clientless SSO (STAS) authentication over a VPN.
Thanks for the reply. Double-, triple-, quadruple-checked that article. And against my own documentation that combines your 3 or 4 articles into one.
Please look at the output from "system auth cta show" in my original post. I just discovered I left one out. Here's the last one:

console> system ipsec_route show
tunnelname host/network netmask
TPI_Corporate 192.168.1.12 255.255.255.255
TPI_Corporate 192.168.1.72 255.255.255.255
TPI_Corporate 192.168.1.20 255.255.255.255
TPI_Corporate 192.168.1.27 255.255.255.255
Everything's there, as near as I can tell. Can you see anything missing?
Could you please disable STAS on the BO if it is enabled?
Thanks for your reply.
If you mean Authentication > STAS > Enable STAS, yes, it is enabled. But I'm not seeing where you're heading with this. Won't disabling it prevent STAS from ever working?
If users are going to be authenticated on the HO, then you do not have to have STAS enabled in the branch office. You can re-enable STAS if requirement changes in the future.
Thanks for the reply.
I don't understand "authenticated on the HO".
The HO router is a Cyberoam CR35iNG on CTAS. Are you saying the BO router will delegate authentication to the MO router? For example, I can set up per-Group web filtering at the BO and the BO router will know to use the user's group membership as seen by CTAS on the MO router?
Hello IT IT7,
We reached out to the engineer that was handling the case to create a new case (10051438) so he could work with you again. I see in the ticket that you requested that we reach out on Monday. If possible, please provide in the ticket a small network diagram and what specifically you want to achieve.