Avanet

Set up STAS on a Sophos Firewall (SFOS)

This article shows how to set up STAS (Sophos Transparent Authentication Suite) on a Sophos Firewall.

Important first: only the STA Agent has to run on a domain controller. The STA Collector can be installed on the same system, but in larger environments it can also run separately on another Windows system. Separating the two often makes STAS installations more robust and easier to maintain.

STAS is mainly intended for classic Windows clients in an Active Directory domain. If multiple users share the same source IP, for example on Remote Desktop Servers or Citrix systems, the design must be planned differently. In those cases, SATC or another authentication method is usually more suitable than classic STAS.

Requirements

  • Sophos Firewall with SFOS 16.5 or later
  • License: Base Firewall
  • Mode: Gateway
  • Windows Server 2008 R2 or later
  • Active Directory with reachable domain controllers
  • Windows clients are members of the AD domain
  • No NAT between clients, STA Collector and Sophos Firewall
  • Client Authentication is allowed in Device access for the affected zones

What is STAS?

STAS stands for Sophos Transparent Authentication Suite. The suite sends login information from Active Directory to the Sophos Firewall so that users or groups can be used in firewall rules.

The two main components are:

  • STA Agent: This agent monitors user authentication requests on an Active Directory domain controller and sends this information to the STA Collector.
  • STA Collector: Collects user authentication information from the STA Agent and forwards it to the Sophos Firewall.

How does STAS work?

  1. A user signs in to a workstation and Active Directory allows the login.
  2. The domain controller writes the login events to the Security Event Log.
  3. The STA Agent monitors the log for these events and sends them to the STA Collector.
  4. The STA Collector informs the Sophos Firewall about the login.
  5. The Sophos Firewall updates its Live Users and can assign traffic to the matching firewall rule.

In practice there are two important detection methods:

  • Logon detection through the Event Log: The STA Agent detects a login event on the domain controller and sends it to the collector.
  • Workstation polling: If the firewall does not yet know a Live User for an IP address, it can query the collector. Depending on the configuration, the collector then checks the client through WMI or Registry Read Access.

For this to work cleanly, the firewall must see the real client IP. If NAT is placed between the client, collector and firewall, STAS cannot reliably map users to a source IP.

Video Tutorial

Sophos Firewall v21: STAS network setup and overview
Sophos Firewall v21: STAS installation and configuration

1. Configure ADS settings

STAS works by monitoring the Active Directory log and telling the firewall which users log in or log out. For this to work, these events must be logged.

Info: The following settings must be configured on every Active Directory server on which the STA Agent is installed.

Before the installation, also note the domain’s NetBIOS name, FQDN and Search DN. These values are needed later in the Sophos Firewall and in the STAS configuration. If the Search DN is wrong or the LDAP query is too broad, group resolution and user mapping often only work partially.

Enable audit account logon events

Open Local Security Policy on the Active Directory server. It can be found in the Windows Administrative Tools (secpol.msc). Then open Audit account logon events under Security Settings > Local Policies > Audit Policy.

Audit account logon events policy

Then enable the options Success and Failure and confirm the changes with OK.

Audit account logon events - Audit these attempts

Start the STAS service with a dedicated user

If the STAS service should be started with a dedicated user, also open Log on as a service in Local Security Policy under Security Settings > Local Policies > User Rights Assignment.

Log on as a service

Then select Add User or Group and add the required user.

Log on as a service properties

Sophos uses an AD administrator account in many examples because STAS reads event logs on the domain controller, must start and stop the service and, depending on the polling method, sends WMI queries to clients. In production environments, the account used should be clearly documented, protected and tested in advance. If a dedicated service account is used, these exact permissions must work reliably.

Open ADS ports

The required ports must be reachable between the domain controller, collector, clients and Sophos Firewall. The typical basis is:

  • STA Collector > Sophos Firewall (UDP 6060)
  • Sophos Firewall > STA Collector (UDP 6677)
  • STA Agent > STA Collector (TCP 5566)

The following ports only need to be enabled if these methods are actually used:

Workstation polling method (WMI) or Registry Read Access:

  • Outbound TCP 135
  • Outbound TCP 445

Logoff Detection Ping:

  • Outbound ICMP

STAS Collector Test:

  • Inbound/outbound UDP 50001

STAS Configuration Sync:

  • Inbound/outbound TCP 27015

Note: RPC, RPC Locator, DCOM and WMI services should also be enabled on clients for WMI/Registry Read Access.
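The three preparations in this section (audit policy, the Log on as a service right and the agent-to-collector port) can be verified on the domain controller before STAS is installed. The script below is an added example and not part of the original guide or of Sophos' tooling; it assumes an elevated PowerShell session on the domain controller and uses 10.10.10.10 as a placeholder for the collector address. The event IDs it looks for (4768, 4769 Kerberos, 4776 NTLM credential validation) are the events the Account Logon audit category writes; the script does not claim which of them the STA Agent evaluates.

```powershell
# Added example (not from the original guide): preflight checks on a domain
# controller that will host the STA Agent. Run in an elevated PowerShell.
$CollectorIp = '10.10.10.10'   # placeholder, replace with the real STA Collector address

# 1. Audit policy: "Audit account logon events" must be Success and Failure.
#    auditpol lists the subcategories behind that legacy policy setting.
$audit = auditpol /get /category:"Account Logon"
$audit
if (-not ($audit -match 'Success and Failure')) {
    Write-Warning 'Account Logon auditing is not set to Success and Failure.'
}

# 2. Event Log: the Account Logon category produces Kerberos (4768/4769) and
#    NTLM credential-validation (4776) events. If none appear after a test
#    login, the STA Agent has nothing to read.
$since  = (Get-Date).AddMinutes(-30)
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4768, 4769, 4776; StartTime = $since } `
                       -MaxEvents 20 -ErrorAction SilentlyContinue
if ($events) {
    # TargetUserName is the first EventData field for 4768/4769 and the second for 4776.
    $events | Select-Object TimeCreated, Id,
        @{ n = 'Account'; e = { if ($_.Id -eq 4776) { $_.Properties[1].Value } else { $_.Properties[0].Value } } } |
        Format-Table -AutoSize
} else {
    Write-Warning "No account logon events in the Security log since $since."
}

# 3. Service right: who holds "Log on as a service" (SeServiceLogonRight)?
#    secedit exports the local policy; the matching line lists the holders.
$cfg = Join-Path $env:TEMP 'secpol-export.inf'
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
Select-String -Path $cfg -Pattern '^SeServiceLogonRight'
Remove-Item $cfg -ErrorAction SilentlyContinue

# 4. Network: the STA Agent must reach the STA Collector on TCP 5566.
Test-NetConnection -ComputerName $CollectorIp -Port 5566 |
    Select-Object ComputerName, RemotePort, TcpTestSucceeded
```

Run it once before installing the agent and again after a test login from a workstation; step 2 should then show fresh events for that user.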

2. Add the Active Directory server on the firewall

After Active Directory has been prepared under point 1, it can be added on the Sophos Firewall. In WebAdmin, open Authentication > Servers and create a new server with Add.

Add Active Directory server on the firewall

The individual fields are described in detail in the separate guide Add Active Directory to Sophos Firewall.

3. Download the STAS tool

Next, prepare the Windows system on which STAS will be installed. The STA Suite is downloaded directly from the Sophos Firewall. In WebAdmin, open Authentication and select Client downloads from the menu at the top right.

Client downloads drop-down menu on the Sophos Firewall (SFOS)

The required Sophos Transparent Authentication Suite (STAS) is available for download in the Single Sign-on section.

Download Sophos Transparent Authentication Suite

4. Install SSO Suite

Run the downloaded STAS.exe and start the installer. During the installation, a selection window with several setup variants appears:

STAS type of setup

By default, SSO Suite can remain selected, which installs all components on the same system. If the agent and collector should run separately, adjust the selection accordingly. With multiple domain controllers, an STA Agent is required on each relevant domain controller, but usually only one STA Collector is needed.

The installation should be started with Run as administrator so that Windows permissions do not interfere unnecessarily during installation.

The service account is also defined during installation. In production environments, it should be clearly documented which account is used, which permissions it has and how password changes are planned.

5. Configure STAS

After installation, the STA Suite must still be configured. The following steps cover the relevant settings.

STAS General

In the General tab, the user for the service can be adjusted afterwards. Above all, check whether the NetBIOS name and FQDN are entered correctly.

General STAS settings

STA Agent

In the STA Agent tab, these points are particularly relevant:

  • STA Agent Mode: If the agent and collector run on the same system, EVENTLOG is the typical starting point.
  • Specify the networks to be monitored: Enter all networks in which the clients are located.
  • Domain Controller IP: Only set this if the STA Agent is not installed directly on the domain controller. If the agent runs on the domain controller itself, this field normally remains empty.
  • Collector List: Enter the collector systems to which the agent sends its information.

STA Agent configuration

STA Collector

In the STA Collector tab, these points are particularly relevant:

  • Sophos Appliance: Enter the IP address of the Sophos Appliance.
  • Workstation Polling Method: WMI is the typical starting point, Registry Read Access is an alternative for suitable Windows environments.
  • Enable Logoff Detection: Logoff detection should be planned deliberately. It should not be configured differently in several places at the same time.
  • Dead entry timeout: This value should be set deliberately and tested with the STAS version in use. In older STAS versions, there were cases where a value other than 0 caused problems.

STA Collector configuration

If the Sophos Firewall runs as an HA cluster, use the internal interface IP of the firewall in the collector, not a separate peer administration address.

Exclusion List

The Exclusion List is important so that technical accounts do not distort user mapping. Typical candidates are service accounts, update services, backup agents or monitoring accounts that sign in to clients in the background.

Without an Exclusion List, a real user can disappear from the Live User status because a service account becomes active on the same client shortly afterwards. Therefore, at least these accounts should be checked:

  • Service accounts for software deployment, backup, monitoring or endpoint tools
  • Administrator and installation accounts that should not count as normal user traffic
  • Server IPs, network devices and systems on which STAS should not expect normal workstation users

To validate signed-in users, there are two options under Workstation Polling Method: the default WMI verification or, alternatively, Registry Read Access. In both cases, the corresponding services must be running on the client:

WMI:

  • Remote Procedure Call (RPC)
  • Remote Procedure Call (RPC) Locator

Registry Read Access:

  • Remote Registry

The STA Collector must be able to access the clients. If Windows Firewall is active on the clients, access must match the selected polling methods.

New-NetFirewallRule -DisplayName "Sophos STAS Collector WMI" -Direction Inbound -Protocol TCP -LocalPort 135,445 -RemoteAddress 10.10.10.10 -Action Allow -Profile Domain

The command is only intended as a template. In a production environment, profile, source IP, destination ports and group policies should match the selected polling method cleanly.
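As an added example (not from the original guide or from Sophos), the following script applies the client-side settings for one polling method in full: the TCP 135/445 rule limited to the collector address and the Domain profile, an ICMP echo rule for Logoff Detection Ping, and the services named above. The collector address 10.10.10.10 is a placeholder, and $Method selects WMI or Registry Read Access. WMI over DCOM negotiates a dynamic RPC port after the initial connection to TCP 135, so the WMI branch additionally scopes Windows' built-in WMI rule group to the collector instead of opening further ports by hand.

```powershell
# Added example (not from the original guide): Windows Firewall and service
# settings on a domain-joined client for STAS workstation polling.
# Assumptions: elevated PowerShell (or the same settings via GPO),
# $CollectorIp is a placeholder, $Method is 'WMI' or 'Registry'.
$CollectorIp = '10.10.10.10'   # placeholder, replace with the real STA Collector address
$Method      = 'WMI'           # or 'Registry'

# Ports the guide lists for workstation polling: TCP 135 (RPC endpoint mapper)
# and TCP 445 (SMB). Restrict them to the collector and the Domain profile
# instead of allowing all traffic from that host.
New-NetFirewallRule -DisplayName 'Sophos STAS Collector polling' `
    -Direction Inbound -Protocol TCP -LocalPort 135, 445 `
    -RemoteAddress $CollectorIp -Profile Domain -Action Allow | Out-Null

# Logoff Detection Ping: allow ICMPv4 echo requests (type 8) from the collector only.
New-NetFirewallRule -DisplayName 'Sophos STAS Collector ping' `
    -Direction Inbound -Protocol ICMPv4 -IcmpType 8 `
    -RemoteAddress $CollectorIp -Profile Domain -Action Allow | Out-Null

switch ($Method) {
    'WMI' {
        # DCOM uses a dynamic RPC port after TCP 135; the built-in rule group
        # covers it. Enable the inbound rules of that group, scoped to the collector.
        Get-NetFirewallRule -DisplayGroup 'Windows Management Instrumentation (WMI)' -Direction Inbound |
            Set-NetFirewallRule -RemoteAddress $CollectorIp -Enabled True
        # Services the guide names for WMI polling: RPC (RpcSs, always running)
        # and RPC Locator (RpcLocator, disabled by default).
        Set-Service -Name RpcLocator -StartupType Automatic
        Start-Service -Name RpcLocator
        Get-Service -Name RpcSs, RpcLocator | Select-Object Name, Status, StartType
    }
    'Registry' {
        # Registry Read Access needs the Remote Registry service, which is
        # disabled by default on client editions of Windows.
        Set-Service -Name RemoteRegistry -StartupType Automatic
        Start-Service -Name RemoteRegistry
        Get-Service -Name RemoteRegistry | Select-Object Name, Status, StartType
    }
}

# Verify that the new rules are scoped to the collector address.
Get-NetFirewallRule -DisplayName 'Sophos STAS Collector*' |
    Get-NetFirewallAddressFilter | Select-Object RemoteAddress
```

In a domain, the same rules belong in a GPO rather than on each client by hand; the script shows which settings that GPO has to carry for the chosen method.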

Collector groups and redundancy

For small environments, one collector is often enough. In larger environments, collector groups should be planned deliberately:

  • A separate collector group should be used for each AD domain.
  • Multiple collectors in the same group increase resilience.
  • The Sophos Firewall normally contacts the first collector in the group and switches to the next one if it fails.
  • One STA Agent can serve multiple collectors.
  • One STA Collector can serve multiple Sophos Firewalls.

With multiple domain controllers, it is useful to run an STA Agent on each relevant domain controller and plan at least two collectors for redundancy. It is important that all agents know the intended collectors and that the firewall has these collectors configured in the matching group.

6. Enable STAS on the Sophos Firewall

Once everything has been prepared up to this point, the Sophos Firewall can receive data from the collector.

In WebAdmin, open Authentication > STAS, enable STAS and then enter the collector or collector group with the matching IP address.

STAS settings on the Sophos Firewall (SFOS)

If the setup works, the signed-in users appear on the dashboard and in the Live Viewer under Authentication.

Live User view on the SFOS dashboard

If no users appear here, do not start by looking at the firewall rules. First, the Event Log, STA Agent, STA Collector, collector group and Device Access must be correct.

7. Create a firewall rule

Once the tests are successful, firewall rules can be created with users or groups from Active Directory. The example below shows a rule that allows RDP traffic for an administrator.

Firewall rule for an administrator to access the internet through RDP

Further topics

After the basic configuration, two operational topics usually remain: troubleshooting and the limits of classic STAS environments.

Troubleshooting

If logins are not imported correctly, first check the Event Log on the domain controller, reachability between agent and collector and the Live Users on the firewall. For transition phases, the firewall allows unauthenticated traffic for a short time by default. This value can be checked or adjusted through the CLI if needed:

system auth cta unauth-traffic drop-period

Typical checks:

  • Is a matching security event generated on the domain controller when the user logs in?
  • Is the STA Agent running and does it show the expected status?
  • Is the STA Collector reachable and does it know the Sophos Firewall?
  • Is UDP 6060 to the firewall and UDP 6677 back to the collector allowed?
  • Does WMI or Registry Read Access to the clients work?
  • Are technical accounts listed in the Exclusion List?
  • Is Client Authentication allowed in Device access for the right zone?
  • Is there NAT between client, collector and firewall?

Sophos Authentication For Thin Client (SATC)

Classic STAS works well for normal single-user clients. In Remote Desktop Server, terminal server or Citrix environments, however, this approach is often not sufficient because multiple users share one source IP. In such cases, check whether SATC or another suitable SSO method is the better choice.

SATC maps users in terminal server environments differently from STAS and is therefore not simply a replacement for every client, but its own design topic. Before switching, it should be clear which servers are affected, which user groups work through them and which firewall rules really need to be user-based.

Larger environments

This guide showed the standard variant. In larger environments with multiple domain controllers, subnets or domains, the role of agent, collector, polling and fallback rules should be planned deliberately instead of only applying the basic settings.

Further documentation