First Buy or Renewal

Were we able to help you with this tutorial? Then consider us for the next Renewal. 😎
We sell licenses for all Sophos Firewalls worldwide!

To the Products

How to configure SATC on Sophos Firewall

In this article we explain how to set up Sophos Authentication For Thin Client (SATC) to detect users on a remote desktop or Citrix server and notify the Firewall.


  • Sophos Firewall with SFOS 16.5 or higher
  • License: Base-Firewall
  • Mode: Gateway
  • Windows Server 2008 R2 or later
  • Windows Terminal Server 2008 R2 or newer

What is SATC?

Since several clients are hidden behind one IP address on a remote desktop or Citrix server, it is necessary to be able to read the individual sessions. Otherwise the different users cannot be transmitted to the firewall. This is exactly what SATC is needed for. The SATC software is installed on the terminal server, whereupon the registered users can be reported to the firewall.

How SATC works

  1. The user “Tony Stark” logs on to a terminal server.
  2. SATC registers the logged in user and sends the info incl. UserID to the XG Firewall (Port 1210).
  3. The Sophos Firewall now knows the user “Tony Stark” and maps the UserID with the user name.

1. Adding Active Directory Server to the Sophos firewall

Before we install the SATC Suite on the ADS, the ADS must first be added to the Sophos Firewall. How this is done is described in a separate guide: How to integrate Sophos Firewall with Active Directory

2. Download and install SATC Client

Once the Active Directory server is linked to the Sophos Firewall, we can now download the SATC client. To do this, log on to your Sophos Firewall (SFOS) as an administrator and go to the Authentication page from the menu. Then click on the three dots in the top right-hand corner of the tab navigation and select Client downloads from the drop-down menu.

Client downloads dropdown menu on Sophos Firewall (SFOS)

You can download the required Sophos Authentication For Thin Client (SATC) installation file from the Single sign-on section.

Download Sophos Authentication For Thin Client

Then run the satc.exe on the Active Directory Server and follow the installation wizard.

3. STAC Client Configuration

After the installation you have to make some configurations on the STAC client. Under the Sophos Setting tab, enter the IP address of the Sophos Firewall and confirm the change by clicking Update.

Sophos Authentication For Thin Client settings

In the tab Exclusion List you can specify the users that should not be reported to the firewall. This could be the SYSTEM User or the Administrator.

Sophos Authentication For Thin Client exception list

4. Transfer IP of the terminal server to the Firewall

At the moment, the Firewall has no idea that users are already being transmitted to it. There is also no entry on the graphical user interface where you could enter this IP of the terminal server. This last step has to be done via the CLI:

console> system auth thin-client add citrix-ip