How to configure SATC on Sophos Firewall
In this article we explain how to set up Sophos Authentication For Thin Client (SATC) to detect users on a remote desktop or Citrix server and notify the Firewall.
- Sophos Firewall with SFOS 16.5 or higher
- License: Base-Firewall
- Mode: Gateway
- Windows Server 2008 R2 or later
- Windows Terminal Server 2008 R2 or newer
What is SATC?
Because several users share a single IP address on a remote desktop or Citrix server, the firewall cannot tell them apart by address alone; the individual sessions have to be read on the server itself, otherwise the different users cannot be transmitted to the firewall. This is exactly what SATC is for: the SATC software is installed on the terminal server and reports the logged-in users to the firewall.
How SATC works
- The user “Tony Stark” logs on to a terminal server.
- SATC registers the logged-in user and sends this information, including the user ID, to the XG Firewall (port 1210).
- The Sophos Firewall now knows the user “Tony Stark” and maps the user ID to the user name.
1. Adding Active Directory Server to the Sophos firewall
Before we install the SATC suite on the Active Directory server (ADS), the ADS must first be added to the Sophos Firewall. How to do this is described in a separate guide: How to integrate Sophos Firewall with Active Directory
2. Download and install SATC Client
Once the Active Directory server is linked to the Sophos Firewall, we can download the SATC client. To do this, log on to your Sophos Firewall (SFOS) as an administrator and open the Authentication page from the menu. Then click the three dots in the top right-hand corner of the tab navigation and select Client downloads from the drop-down menu.
You can download the required Sophos Authentication For Thin Client (SATC) installation file from the Single sign-on section.
Then run satc.exe on the Active Directory server and follow the installation wizard.
3. SATC Client Configuration
After the installation you have to make a few settings on the SATC client. Under the Sophos Setting tab, enter the IP address of the Sophos Firewall and confirm the change by clicking
In the Exclusion List tab you can specify the users that should not be reported to the firewall. This could be the SYSTEM user or the
4. Transfer IP of the terminal server to the Firewall
At this point the firewall does not yet know which terminal server will be sending it user logins, and there is no field in the graphical user interface where the terminal server's IP could be entered. This last step has to be done via the CLI:
console> system auth thin-client add citrix-ip 10.10.10.20
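To check the result of the steps above from the terminal server side, the following PowerShell script is an added example (it is not part of the original article or of the SATC software): it lists the current interactive sessions, marks which ones would be reported after applying the exclusion list, and tests whether the firewall can be reached on the SATC port. The firewall IP 10.10.10.1, the exclusion entries and the assumption that port 1210 is TCP are placeholders to adjust to your deployment.

```powershell
# Added example, not part of the original article or the SATC software.
# Run on the terminal server to preview which logged-on users SATC would report
# and to confirm the firewall is reachable on the SATC port.
# Assumptions (placeholders): firewall IP 10.10.10.1; the exclusion entries below
# mirror the SATC "Exclusion List" tab; port 1210 is assumed to be TCP.
$FirewallIp    = '10.10.10.1'
$SatcPort      = 1210
$ExcludedUsers = @('SYSTEM')

# quser prints a header line, then one line per session. The SESSIONNAME column is
# empty for disconnected sessions, so a regex is safer than splitting on whitespace.
$sessionPattern = '^[\s>]*(?<user>\S+)\s+(?:(?<session>\S+)\s+)?(?<id>\d+)\s+(?<state>\S+)'

function Get-SatcCandidateSessions {
    quser 2>$null | Select-Object -Skip 1 | ForEach-Object {
        if ($_ -match $sessionPattern) {
            [pscustomobject]@{
                User      = $Matches['user']
                SessionId = [int]$Matches['id']
                State     = $Matches['state']
                # Users on the exclusion list are never sent to the firewall.
                Reported  = ($ExcludedUsers -notcontains $Matches['user'])
            }
        }
    }
}

$sessions = @(Get-SatcCandidateSessions)
$sessions | Format-Table -AutoSize
"{0} session(s) would be reported, {1} excluded" -f `
    @($sessions | Where-Object Reported).Count,
    @($sessions | Where-Object { -not $_.Reported }).Count

# Reachability of the SATC port on the firewall (TCP assumed; adjust if your
# deployment uses a different transport).
$tnc = Test-NetConnection -ComputerName $FirewallIp -Port $SatcPort -WarningAction SilentlyContinue
if ($tnc.TcpTestSucceeded) {
    "Firewall ${FirewallIp}:${SatcPort} is reachable"
} else {
    "Firewall ${FirewallIp}:${SatcPort} is NOT reachable - check routing and firewall rules"
}
```

If a user appears as reported here but never shows up on the firewall, the terminal server IP registered with the CLI command above is the first thing to compare against the address the server actually uses to reach the firewall.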