This article shows how to set up STAS (Sophos Transparent Authentication Suite) on a Sophos Firewall running SFOS. In this guide, the STA Suite is installed on the Active Directory server. Prerequisites:
- Sophos Firewall with SFOS 16.5 or higher
- License: Base firewall
- Mode: Gateway
- Windows Server 2008 R2 or newer
What is STAS?
STAS stands for "Sophos Transparent Authentication Suite". The suite consists of two small tools that tell your Sophos Firewall which Active Directory user is logged on at which IP address, so that you can write firewall rules for AD users and groups instead of addresses. Here is a short description of the two included programs:
- STA Agent: This agent monitors the logon events on an Active Directory domain controller and sends this information to the STA Collector.
- STA Collector: Collects the logon information from one or more STA Agents and forwards it to the Sophos Firewall.
How STAS works
- The user "Bruce Banner" logs on to his workstation (172.16.33.100) and Active Directory accepts the logon.
- The domain controller writes a logon event to the Security event log (event ID 4768, "A Kerberos authentication ticket (TGT) was requested"; on Windows Server 2003 and older this was ID 672).
- The STA Agent monitors the log for these events and passes them to the STA Collector.
- The STA Collector informs the XG Firewall about the logon via UDP port 6060.
- The Sophos Firewall updates its live user table and maps traffic from 172.16.33.100 to the user "Bruce Banner".
1. Configure the Active Directory server (ADS)
STAS works by monitoring the Active Directory security log and telling the firewall which users log on or log off. It is therefore essential that these events are actually logged.
Info: The following settings must be made on every Active Directory server on which the STA Agent is installed.
Enable audit account logon events
On your Active Directory server, open Local Security Policy (secpol.msc), which you can find under Windows Administrative Tools. Next, open the policy Audit account logon events: as shown in the screenshot below, go to Security Settings > Local Policies > Audit Policy and double-click Audit account logon events. Activate the options Success and Failure and confirm your changes with OK.
Start the STAS service with a dedicated user
If you want to run the STAS service under a dedicated user account, you have to perform the following steps; otherwise you can skip this section. In Local Security Policy, go to Security Settings > Local Policies > User Rights Assignment and open the option Log on as a service. Then click Add User or Group and add your user.
Open ADS ports
The following ports must be open on the Active Directory server:
- STA Collector > XG Firewall (UDP 6060)
- XG Firewall > STA Collector (UDP 6677)
- STA Agent > STA Collector (TCP 5566)
You only need to open the following ports if you use the corresponding features:
Workstation Polling Method (WMI) or Registry Read Access:
- Outgoing TCP 135
- Outgoing TCP 445
Logoff Detection Ping:
- Outgoing ICMP
STAS Collector Test:
- Incoming/Outgoing UDP 50001
STAS Configuration Sync:
- Incoming/Outgoing TCP 27015
Note: The RPC, RPC Locator, DCOM and WMI services must also be enabled on the clients for WMI/Registry Read Access. Restrict the firewall rules for these ports to the addresses that actually need them (the Sophos Firewall, the collector and the client networks) instead of opening them to everyone.
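The following PowerShell script is an added example; it is not part of the original article and not one of Sophos' tools. Run it on the domain controller as an administrator: it applies the audit setting from this step with auditpol (the command-line equivalent of the Local Security Policy dialog), opens the inbound STAS ports from the list above only for the peers that need them, and then reads the most recent 4768 events to show the IP-to-user mapping that the STA Agent derives from them, as described under "How STAS works". The firewall address, the list of other agent hosts and the rule names are assumptions made for the example.

```powershell
# Added example (not from the original article): prepare a domain controller for the STA Agent
# and check that it produces the logon events the agent depends on.
# Assumptions (not from the article): the STA Collector runs on this DC; the Sophos Firewall
# address and the other domain controllers running an STA Agent are passed as parameters.
#Requires -RunAsAdministrator
param(
    [string]$FirewallIp = '172.16.33.1',   # assumed address of the Sophos Firewall
    [string[]]$OtherAgents = @()           # other DCs whose STA Agent reports to this collector
)

# 1. Audit policy. The GUI setting "Audit account logon events" corresponds to the "Account Logon"
#    category; with Success enabled, every domain logon writes event 4768 (Kerberos TGT requested).
auditpol /set /category:"Account Logon" /success:enable /failure:enable | Out-Null
auditpol /get /category:"Account Logon"

# 2. Windows Firewall on the DC: only the STAS ports from the list above, only for the peers that use them.
function Add-StasRule {
    param([string]$Name, [string]$Protocol, [int]$Port, [string[]]$Remote)
    if (Get-NetFirewallRule -DisplayName $Name -ErrorAction SilentlyContinue) { return }
    New-NetFirewallRule -DisplayName $Name -Direction Inbound -Action Allow `
        -Protocol $Protocol -LocalPort $Port -RemoteAddress $Remote | Out-Null
}
Add-StasRule 'STAS: firewall -> collector (UDP 6677)' UDP 6677 $FirewallIp
if ($OtherAgents) {
    Add-StasRule 'STAS: agent -> collector (TCP 5566)' TCP 5566 $OtherAgents
}
# Outbound UDP 6060 to the firewall is covered by the default outbound policy (allow).
# The test (UDP 50001) and config sync (TCP 27015) ports are opened the same way if you use them.

# 3. Verification: rebuild the IP -> user mapping from the newest 4768 events, the same information
#    the STA Agent forwards to the collector. Newest event per address wins, like the firewall's live users.
function Get-StasLogonMap {
    param([int]$MaxEvents = 200)
    $map = @{}
    $events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4768 } `
        -MaxEvents $MaxEvents -ErrorAction SilentlyContinue
    foreach ($ev in $events) {
        $data = @{}
        ([xml]$ev.ToXml()).Event.EventData.Data | ForEach-Object { $data[$_.Name] = $_.'#text' }
        $user = $data['TargetUserName']
        # Computer accounts (NAME$) and krbtgt request tickets too; only people matter for STAS.
        if (-not $user -or $user.EndsWith('$') -or $user -eq 'krbtgt') { continue }
        # The client address is stored in IPv4-mapped IPv6 notation (::ffff:172.16.33.100).
        $ip = $data['IpAddress'] -replace '^::ffff:', ''
        if (-not $map.ContainsKey($ip)) {
            $map[$ip] = [pscustomobject]@{
                IP   = $ip
                User = "$($data['TargetDomainName'])\$user"
                Time = $ev.TimeCreated
            }
        }
    }
    $map.Values | Sort-Object Time -Descending
}
Get-StasLogonMap | Format-Table -AutoSize
```

If audit settings are managed by Group Policy (for example in the Default Domain Controllers Policy), set them there; a local auditpol change is overwritten at the next policy refresh. The mapping function shows the last logon seen per IP address, which is also why the Dead entry timeout and the logoff detection in step 5 matter: without them, an address stays mapped to its last user after that user has left.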
2. Add the Active Directory server on the firewall
After preparing the Active Directory server for STAS in step 1, it is time to add the AD server on your Sophos Firewall. Log in to your Sophos Firewall (SFOS) as an administrator and go to Authentication > Servers. Then click the blue Add button to add a new server.
In the following instructions we will guide you step by step through all the necessary entries: Add Active Directory to Sophos Firewall
3. Download the STAS tool
Let's now turn our attention back to the Active Directory server. Next we need the STA Suite, which you must first download from your Sophos Firewall. Log in to your Sophos Firewall (SFOS) as an administrator and go to the Authentication page. Then click the three dots at the top right of the tab navigation and open the drop-down menu.
In the Single sign-on section you will find the required Sophos Transparent Authentication Suite (STAS) download.
Info: You can also download the STA Suite directly from the Sophos website: UTM Support Downloads
4. Install the SSO Suite
Now run the downloaded STAS.exe and click through the installer. During the installation the following window appears, where you can choose between three options:
By default, SSO Suite is selected, which installs all components on the Active Directory server. If you run the STA Collector and the STA Agent on two different systems, adjust the selection accordingly. If you have two Active Directory servers, install the STA Agent on both, but only one STA Collector. Again, adjust the selection to your situation.
During the installation you also have to specify the user account under which the service is installed and started. In this tutorial I simply use the domain administrator, since it certainly has the necessary permissions. For a production environment, a dedicated account created for this purpose is strongly recommended: the service account's credentials live on the STAS host, and an account with far more rights than the agent and collector need (reading the security event log and polling the workstations) turns a compromise of that host into a compromise of the domain.
5. Configure STAS
After the installation, the STA Suite still needs to be configured. We go through the relevant settings in the following steps.
In the General tab you can still change the user under which the service is started. Make sure that you enter the correct NetBIOS name and FQDN of the domain.
Now let's look at what you need to consider in the STA Agent tab:
- STA Agent Mode: For our example we select EVENTLOG here, because the STA Agent and the STA Collector are installed on the same system.
- Specify the networks to be monitored: enter all networks in which the clients are located.
Next, what you need to consider in the STA Collector tab:
- Sophos Appliance: the IP address of the Sophos Firewall.
- Dead entry timeout: this value is 0 hours (no timeout) by default. A value such as 12 hours is appropriate, so that stale entries are removed and clients are automatically logged off after a certain time. Without a timeout, an address whose user has left stays mapped to that user, and the next device that receives the address via DHCP inherits the user's firewall permissions.
To validate logged-in users, the Workstation Polling Method section offers two options: WMI verification (selected by default) or Registry Read Access. In both cases a service must be running on the client:
WMI verification:
- Remote Procedure Call (RPC)
- Remote Procedure Call (RPC) Locator
Registry Read Access:
- Remote Registry
The STA Collector must be able to reach the clients. If the Windows Firewall is active on a client, you can create a rule via PowerShell (10.10.10.10 is the collector's address; the ports are the two from the list in step 1):
New-NetFirewallRule -DisplayName "Sophos STAS Collector" -Direction Inbound -Action Allow -Protocol TCP -LocalPort 135,445 -RemoteAddress 10.10.10.10
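As an added example (not from the original article), the following two PowerShell functions prepare a workstation for workstation polling and test both verification methods from the collector. Enable-StasPolling runs on the client as a local administrator and takes the collector's IP address as its parameter; Test-StasWorkstation runs on the collector under the STAS service account, which needs local administrator rights on the client for WMI and remote registry access. The built-in WMI firewall rule group, which also opens the dynamic RPC ports, goes beyond the two ports the article lists, and the HKEY_USERS check is a generic way of identifying logged-in users rather than necessarily the exact query STAS performs; both are assumptions of this example.

```powershell
# Added example (not from the original article): prepare a workstation for STAS workstation
# polling and check, from the collector, that both verification methods work.
# Assumptions (not from the article): $Collector is the STA Collector's IP address; the account
# running Test-StasWorkstation is a local administrator on the client.

function Enable-StasPolling {
    param([Parameter(Mandatory)][string]$Collector)
    # Services the article lists for the two polling methods (RpcSs itself is always running).
    foreach ($svc in 'RpcLocator', 'RemoteRegistry') {
        Set-Service -Name $svc -StartupType Automatic
        Start-Service -Name $svc
    }
    # WMI over DCOM needs TCP 135 plus the dynamic RPC port range (assumption beyond the article's
    # port list); the built-in rule group covers exactly that, limited here to the collector.
    Get-NetFirewallRule -DisplayGroup 'Windows Management Instrumentation (WMI)' -Direction Inbound |
        Set-NetFirewallRule -Enabled True -RemoteAddress $Collector
    # Registry Read Access goes over SMB (TCP 445); Logoff Detection Ping needs ICMP echo requests.
    if (-not (Get-NetFirewallRule -DisplayName 'STAS: remote registry (TCP 445)' -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName 'STAS: remote registry (TCP 445)' -Direction Inbound -Action Allow `
            -Protocol TCP -LocalPort 445 -RemoteAddress $Collector | Out-Null
        New-NetFirewallRule -DisplayName 'STAS: logoff ping (ICMPv4 echo)' -Direction Inbound -Action Allow `
            -Protocol ICMPv4 -IcmpType 8 -RemoteAddress $Collector | Out-Null
    }
}

function Test-StasWorkstation {
    param([Parameter(Mandatory)][string]$Computer)
    $r = [ordered]@{ Computer = $Computer; Ping = $false; WmiUser = $null; RegistryUsers = @() }
    # Logoff Detection Ping
    $r.Ping = Test-Connection -ComputerName $Computer -Count 1 -Quiet
    # WMI verification: force DCOM (RPC over TCP 135) instead of Get-CimInstance's WinRM default,
    # so the test exercises the same path as the collector's WMI polling.
    try {
        $session = New-CimSession -ComputerName $Computer -ErrorAction Stop `
            -SessionOption (New-CimSessionOption -Protocol Dcom)
        $r.WmiUser = (Get-CimInstance -CimSession $session -ClassName Win32_ComputerSystem).UserName
        Remove-CimSession $session
    } catch { $r.WmiUser = "ERROR: $($_.Exception.Message)" }
    # Registry Read Access: a loaded profile hive under HKEY_USERS means that user has a session
    # (Remote Registry service, TCP 445). Translate the SIDs back to account names.
    try {
        $hku = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('Users', $Computer)
        $r.RegistryUsers = $hku.GetSubKeyNames() |
            Where-Object { $_ -match '^S-1-5-21-[\d-]+$' } |   # user SIDs only, not the *_Classes hives
            ForEach-Object {
                $sid = $_
                try {
                    (New-Object System.Security.Principal.SecurityIdentifier $sid).Translate(
                        [System.Security.Principal.NTAccount]).Value
                } catch { $sid }
            }
        $hku.Close()
    } catch { $r.RegistryUsers = @("ERROR: $($_.Exception.Message)") }
    [pscustomobject]$r
}

# Example run from the collector against the workstation from the "How STAS works" section:
# Test-StasWorkstation -Computer 172.16.33.100
```

If WmiUser shows an access-denied error although the ping succeeds, the STAS service account lacks local administrator rights on the client or the WMI rule group is still disabled; if only RegistryUsers fails, check the Remote Registry service and TCP 445. A result in which the WMI user and the registry hives disagree is exactly the situation the polling method is meant to catch: the firewall's mapping should follow whoever is actually logged in now.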
6. Enable STAS on the Sophos Firewall
If you have followed these instructions up to this point, the STA Collector is already sending data to the firewall. For the firewall to accept this data, STAS must be enabled on the firewall.
To do this, go to the STAS page on your Sophos Firewall and set the top toggle to ON. So that the firewall knows which collector it may accept data from, finally click the blue button Add new collector and enter the IP address of the system on which you installed the collector.
If you have done everything correctly, you will see the users logged in to your Active Directory domain in the dashboard of your firewall and in the Live Viewer under Authentication.
7. Create a firewall rule
If all your tests are successful, you can now create firewall rules for specific users or groups, which are synchronized from your AD to the firewall. For example, in the screenshot below we created a rule that allows the administrator to access the Internet via RDP (3389).
That's it: you have successfully set up STAS on your Sophos Firewall. Below you will find some additional information that may be of interest.
It takes a moment before the Active Directory server transmits a new logon to the firewall. So that the firewall does not block this traffic in the meantime, unauthenticated traffic is allowed for 120 seconds by default. If you want to adjust this value manually, you can do so via the CLI:
system auth cta unauth-traffic drop-period <seconds>
Sophos Authentication For Thin Client (SATC)
STAS works well if every client in your network has its own IP address. As soon as you have a Remote Desktop Server or Citrix, it no longer works: many users share the terminal server's IP address, and STAS can only map one user to an address. For that you need the Sophos Authentication for Thin Client (SATC).
In this tutorial we have explained the standard way of setting up STAS. There are of course special cases, for example with several Active Directory servers, subnets and domains. In such a case we are happy to offer our support; just contact us with a corresponding request. 👍