How to configure STAS on Sophos Firewall

This article shows how to set up STAS (Sophos Transparent Authentication Suite) on a Sophos Firewall running SFOS. In this guide the STA Suite is installed directly on the Active Directory server.

Requirements

  • Sophos Firewall with SFOS 16.5 or higher
  • License: Base-Firewall
  • Mode: Gateway
  • Windows Server 2008 R2 or later

What is STAS?

STAS stands for “Sophos Transparent Authentication Suite”. The suite consists of two small tools that let your Sophos Firewall apply firewall rules to your Active Directory users without a separate login. Here is a brief description of the two programs included:

  • STA Agent: This agent monitors user authentication requests on an Active Directory Domain Controller and sends this information to the STA Collector.
  • STA Collector: Collects the user authentication requests from the STA agent and then sends them to the Sophos Firewall.

How STAS works

  1. The user “Bruce Banner” logs on to his workstation (172.16.33.100) and Active Directory accepts the logon.
  2. The Domain Controller writes a logon event to the Security event log (event ID 4758 or 672).
  3. The STA Agent monitors the log for these events and forwards them to the STA Collector.
  4. The STA Collector informs the XG Firewall about the logon via UDP port 6060.
  5. The Sophos Firewall updates its live users and maps traffic from 172.16.33.100 to the user “Bruce Banner”.

1. Setting up the ADS

STAS works by monitoring the Active Directory security log and telling the firewall which users are logging in or out. For this to work, these logon events must actually be logged.

Info: The following settings must be made on each Active Directory Server on which the STA Agent is installed.

Activate Audit account logon events

On your Active Directory server, open the Local Security Policy program (secpol.msc), which can be found under Windows Administrative Tools. As shown in the screenshot below, go to Security Settings > Local Policies > Audit Policy and open the Audit account logon events policy.

Audit account logon events Policy

Then activate the options Success and Failure and confirm your changes with OK.

Audit account logon events - Audit these attempts
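The same setting can be made and, more importantly, verified from the command line. The following is an added example and not part of the original article; it uses auditpol.exe, where the legacy “Account Logon” category corresponds to the Audit account logon events policy in secpol.msc. Run it in an elevated PowerShell prompt on the domain controller.

```powershell
# Added example (not from the original article): enable the "Audit account logon
# events" policy and read the effective setting back, instead of clicking through
# secpol.msc. Requires an elevated prompt on the domain controller.

# Enable success and failure auditing for the whole "Account Logon" category.
auditpol.exe /set /category:"Account Logon" /success:enable /failure:enable | Out-Null

# Read the effective policy back as CSV (/r) and check every subcategory.
$policy     = auditpol.exe /get /category:"Account Logon" /r | ConvertFrom-Csv
$notAudited = $policy | Where-Object { $_.'Inclusion Setting' -ne 'Success and Failure' }

if ($notAudited) {
    # A domain GPO that configures Advanced Audit Policy overrides the local
    # setting; in that case the change has to be made in the GPO instead.
    Write-Warning 'Some Account Logon subcategories are not audited for success and failure:'
    $notAudited | Format-Table Subcategory, 'Inclusion Setting' -AutoSize
} else {
    Write-Host 'Account Logon auditing is enabled for success and failure.'
}
```

The verification step is the part worth keeping: if STAS later shows no users, an audit policy that was silently overridden by Group Policy is a common cause, and this check makes that visible on the server itself.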

Start STAS Service with your own user

If you want to run the STAS service under a user of your own, the following steps are required; otherwise you can skip this step. In the Local Security Policy, go to Security Settings > Local Policies > User Rights Assignment and open the Log on as a service option.

Log on as a service

Then click on Add User or Group and add your user.

Log on as a service Properties

Open ADS ports

The following ports must be open on the Active Directory server (direction given as source > destination):

  • STA Collector > XG Firewall (UDP 6060)
  • XG Firewall > STA Collector (UDP 6677)
  • STA Agent > STA Collector (TCP 5566)

The following ports only need to be opened if you use the corresponding methods:

Workstation Polling Method (WMI) or Registry Read Access:

  • Outgoing TCP 135
  • Outgoing TCP 445

Logoff Detection Ping:

  • Outgoing ICMP

STAS Collector Test:

  • Incoming/Outgoing UDP 50001

STAS Configuration Sync:

  • Incoming/Outgoing TCP 27015

Note: RPC, RPC locator, DCOM and WMI services should also be enabled on the clients for WMI/Registry Read Access.
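To turn the port list above into concrete, narrowly scoped Windows Firewall rules on the server that hosts the STA Collector, here is an added example (not from the original article or from Sophos). All IP addresses and subnets in it are placeholders for your own environment.

```powershell
# Added example (not from the original article): Windows Firewall rules for the
# server running the STA Collector, scoped to the peers from the port list above.
# Placeholders - replace with your own addresses.
$FirewallIp    = '10.10.10.1'                      # Sophos Firewall
$AgentIps      = @('10.10.10.20', '10.10.10.21')   # other DCs running only the STA Agent
$ClientSubnets = @('172.16.33.0/24')               # networks in which the workstations live

# XG Firewall > STA Collector (UDP 6677)
New-NetFirewallRule -DisplayName 'STAS Collector from Firewall (UDP 6677)' `
    -Direction Inbound -Action Allow -Protocol UDP -LocalPort 6677 -RemoteAddress $FirewallIp

# STA Agent > STA Collector (TCP 5566) - only needed when agents run on other servers
New-NetFirewallRule -DisplayName 'STAS Collector from Agents (TCP 5566)' `
    -Direction Inbound -Action Allow -Protocol TCP -LocalPort 5566 -RemoteAddress $AgentIps

# STA Collector > XG Firewall (UDP 6060)
New-NetFirewallRule -DisplayName 'STAS Collector to Firewall (UDP 6060)' `
    -Direction Outbound -Action Allow -Protocol UDP -RemotePort 6060 -RemoteAddress $FirewallIp

# Optional: Workstation Polling (WMI / Registry Read Access) and logoff detection ping
New-NetFirewallRule -DisplayName 'STAS Collector polling to clients (TCP 135/445)' `
    -Direction Outbound -Action Allow -Protocol TCP -RemotePort 135,445 -RemoteAddress $ClientSubnets
New-NetFirewallRule -DisplayName 'STAS Collector logoff ping (ICMPv4 echo)' `
    -Direction Outbound -Action Allow -Protocol ICMPv4 -IcmpType 8 -RemoteAddress $ClientSubnets

# Check that the collector service is actually listening once STAS is installed:
# UDP 6677 for the firewall, TCP 5566 for remote agents.
Get-NetUDPEndpoint  -LocalPort 6677 | Select-Object LocalAddress, LocalPort
Get-NetTCPConnection -LocalPort 5566 -State Listen | Select-Object LocalAddress, LocalPort, State
```

The outbound rules only have an effect where the outbound default action has been set to Block; with the Windows default (outbound allowed) they are harmless but document the intended traffic. The two Get-Net* queries at the end will only return rows after the STA Suite from step 4 is installed and its service is running.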

2. Adding Active Directory Server to the Firewall

After preparing the Active Directory for STAS in step 1, it is time to add the AD server on your Sophos Firewall. To do this, log on to your Sophos Firewall (SFOS) as an administrator and go to Authentication > Servers in the menu. Then click the blue Add button to add a new server.

Adding Active Directory Server to the Firewall

In the following instructions we will guide you step by step through all the necessary entries: How to integrate Sophos Firewall with Active Directory

3. Download STAS Tool

Let’s return to the Active Directory server. Next, we will install the STA Suite, which you first have to download from your Sophos Firewall. Log on to your Sophos Firewall (SFOS) as an administrator and go to the Authentication page in the menu. Then click the three dots in the top right-hand corner of the tab navigation and select Client downloads from the drop-down menu.

Client downloads dropdown menu on Sophos Firewall (SFOS)

You can download the required Sophos Transparent Authentication Suite (STAS) from the Single sign-on section.

Download Sophos Transparent Authentication Suite

Info: You can also download the STA Suite directly from the Sophos website: UTM Support Downloads

4. Install SSO Suite

Now run the downloaded STAS.exe and click through the installer. During the installation the following window will appear, where you can choose between three different options:

STAS Type of Setup

By default you can leave SSO Suite selected to install all components on the Active Directory server. If you want to install the STA Collector and the STA Agent on two different systems, change the selection here accordingly. If you have two Active Directory servers, you need the STA Agent on both systems, but only one STA Collector; here, too, simply adjust the selection to your situation.

During installation, you also need to specify the user under which the service is installed and started. In this tutorial I’ll simply use the domain administrator, as that account has the necessary permissions. For a production environment, a dedicated user created for this purpose is recommended.

5. STAS Configuration

After the installation the STA Suite has to be configured. The following steps explain the relevant settings.

STAS General

In the General tab you can change the user under which the service is started. Make sure that you enter the correct NetBIOS name and FQDN of the domain.

General STAS settings

STA Agent

Let’s take a look at what you have to consider under the tab STA Agent:

  • STA Agent Mode: For our example, we can select EVENTLOG because the STA Collector is installed on the same system as the STA Agent.
  • Specify the networks to be monitored: All networks in which the clients are located are specified here.

Configuration of the STA Agent

STA Collector

Let’s have a look at what you have to pay attention to under the tab STA Collector:

  • Sophos Appliance: The IP address of the Sophos Firewall is specified here.
  • Dead entry timeout: This value is 0 hours by default, i.e. entries never expire. A value such as 12 hours is appropriate so that clients are automatically logged out after that time.

Configuration of the STA Collector

To verify that users are still logged in, there are two options under the heading Workstation Polling Method: WMI verification, which is selected by default, or alternatively Registry Read Access. In both cases the corresponding services must be running on the client:

WMI:

  • Remote Procedure Call (RPC)
  • Remote Procedure Call (RPC) Locator

Registry Read Access:

  • Remote Registry

The STA Collector must be able to reach the clients. If the Windows Firewall is active on a client, you can create an allow rule via PowerShell, where 10.10.10.10 is the address of the system running the STA Collector (the rule below allows all inbound traffic from that address; restricting it to the TCP ports 135 and 445 listed above is the tighter option):

New-NetFirewallRule -DisplayName "Sophos STAS Collector" -Direction Inbound -Action Allow -RemoteAddress 10.10.10.10
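Preparing a client goes beyond the single firewall rule: the services listed above have to run, and it is worth checking from the collector side that the polling actually works before blaming STAS. The following is an added example, not code from the original article or from Sophos. The first part runs in an elevated PowerShell on a client, the second on the collector; 10.10.10.10 again stands for the collector, and 172.16.33.100 for a test workstation, both placeholders.

```powershell
# Added example (not from the original article). Part 1 runs on a Windows client,
# part 2 on the system running the STA Collector. Addresses are placeholders.
$CollectorIp = '10.10.10.10'     # placeholder: STA Collector
$ClientName  = '172.16.33.100'   # placeholder: workstation to test against

# ----- Part 1: on the client (elevated prompt) -----
# The core RPC service (RpcSs) always runs; RPC Locator and Remote Registry are
# usually Manual or Disabled on workstations, so set them to start automatically.
foreach ($svc in 'RpcLocator', 'RemoteRegistry') {
    Set-Service   -Name $svc -StartupType Automatic
    Start-Service -Name $svc
}

# WMI: enable the built-in inbound WMI rules (endpoint mapper TCP 135 plus the
# dynamic DCOM ports) and restrict them to the collector's address.
Get-NetFirewallRule -DisplayGroup 'Windows Management Instrumentation (WMI)' |
    Where-Object Direction -eq 'Inbound' |
    Set-NetFirewallRule -Enabled True -RemoteAddress $CollectorIp

# Registry Read Access: Remote Registry answers over SMB (TCP 445).
New-NetFirewallRule -DisplayName 'Sophos STAS Collector (Remote Registry, TCP 445)' `
    -Direction Inbound -Action Allow -Protocol TCP -LocalPort 445 -RemoteAddress $CollectorIp

# Logoff Detection Ping: ICMPv4 echo request from the collector only.
New-NetFirewallRule -DisplayName 'Sophos STAS Collector (logoff ping)' `
    -Direction Inbound -Action Allow -Protocol ICMPv4 -IcmpType 8 -RemoteAddress $CollectorIp

# ----- Part 2: on the collector -----
# WMI path: query the client over DCOM (not WinRM) and read the logged-on user.
# This is the same kind of query STAS uses to confirm that a user is still active
# (assumption: STAS reads the interactive user via WMI).
$opt     = New-CimSessionOption -Protocol Dcom
$session = New-CimSession -ComputerName $ClientName -SessionOption $opt
Get-CimInstance -CimSession $session -ClassName Win32_ComputerSystem |
    Select-Object Name, UserName
Remove-CimSession -CimSession $session

# Registry Read Access path: open the remote HKLM hive, which only works when the
# Remote Registry service is running and TCP 445 is reachable.
$hive = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $ClientName)
$hive.OpenSubKey('SOFTWARE\Microsoft\Windows NT\CurrentVersion').GetValue('ProductName')
$hive.Close()
```

If part 2 fails with an RPC or access-denied error while the client is pingable, the cause is almost always the client firewall or the service state from part 1, not the STAS configuration; if both queries succeed but the user still disappears from the live users list, look at the Dead entry timeout and the logoff detection settings in the collector instead.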

6. Enabling STAS on the Sophos Firewall

If you have followed the instructions up to this point, the STA Collector is already sending data to the firewall. For the firewall to accept this data, STAS still has to be enabled on the firewall.

On your Sophos Firewall, go to Authentication > STAS and set the top toggle to ON. So that the firewall knows which collector it may accept data from, click the blue Add new collector button and enter the IP address of the system on which you installed the collector.

STAS settings on Sophos Firewall (SFOS)

If you have now done everything correctly, you will see the logged-in users of your Active Directory server in the dashboard of your Firewall and in the Live Viewer under Authentication.

Live User Indication on the SFOS Dashboard.

7. Create Firewall Rule

If all your tests are successful, you can now create firewall rules for specific users or groups, which are synchronized from your AD to the firewall. In the screenshot below, for example, we have created a rule that allows the administrator to access the Internet via RDP (TCP 3389).

Firewall rule for administrators to access the Internet via RDP.

Further topics

You have now successfully set up STAS on your Sophos Firewall. Below you will find further topics that may be of interest at this point.

Troubleshooting

It takes a moment for the Active Directory server to report a user to the firewall. To prevent the firewall from simply blocking this traffic in the meantime, unauthenticated traffic is allowed for 120 seconds by default. If you want to adjust this value, you can do so via the CLI:

system auth cta unauth-traffic drop-period <seconds>

Sophos Authentication For Thin Client (SATC)

STAS works well when every client in your network has its own IP address. However, it does not work with a Remote Desktop Server or Citrix, because several users sit behind one IP address and the individual sessions have to be read instead. This is where SATC comes in. We explain it in the following article: How to configure SATC on Sophos Firewall.

Larger environments

In this guide we have explained the standard way of setting up STAS. Of course, there are also special cases with several Active Directory servers, subnets and domains. In such cases we are happy to offer our support. Simply contact us with a corresponding request. 👍