Sophos XGS: How to configure user domain authentication using STAS

sophos-day-belgium-whats-cooking-in-sophos-network-security-group-21-638-1

Overview

The article explains how to configure STAS, this is a feature that provides the ability to authenticate users in the internal network automatically just by logging in on the user’s workstation. And there is no need to install SSO on each workstation. Ease to use for end users and higher level of security

Diagram

Các bước cấu hình

Configure ADS
Download STAS
Install STAS on AD
Configure STAS
Add AD server to Sophos XGS to authenticate
Adjust Service configuration to authenticate with AD server
Configure STAS on XGS firewall
Create firewall rule with source identity as group, user to use STAS authentication
Check STAS operation
Check the report interface, monitoring, logging

How to configure

B1: Configure ADS

Configure on AD server

Start -> Administrative Tools -> Local Security Policy to view security settings
Security Settings -> Local Policies -> Audit Policy -> Audit account logon -> Click right click in Audit account logon events -> Choose Properties
Choose Success and Failure -> Click OK

Local Security Policy -> Security Settings -> Local policies -> User Rights Assignment -> Log on as a service -> Right click on Log on as a service -> Choose Properties
Click Add User or Group -> Add user administrator -> Click OK

B2: Download STAS

Login to AD with Administrator account
Log in to Sophos XG’s graphical interface with an Admin account
Authentication -> Click the icon … -> Select Client Download to download the installation file -> Install on AD server
You can download STAS from Client Downloads page or User Portal when logging with Admin account

B3: Install STAS on AD

Install previously downloaded STAS, click Next 4 times -> Click Install
Choose SSO and click Next

Enter username and password for domain administrator account (administrator@domain.com) -> Click Next
Click Finish to complete the installation

B4: Configure STAS

Open STAS by double click in Sophos Transparent Authentication Suite on the desktop
On STA Collector tab
- In Sophos Appliance -> Click Add to add the IP address of the LAN port of Sophos XG
- In Workstation Polling Settings: Choose WMI
- In Logoff Detection Settings and Appliance Port -> Keep the default configuration

-> Click Apply

On STA Agent tab
- In Monitor Networks -> Click Add to add the LAN network you want to authenticate

-> Click Apply

In General tab
- Enter the domain’s NetBIOS
- Enter the domain’s FQDN
- Click Start to start STAS

-> Click Apply -> Click OK

B5: Add AD server to Sophos XGS to authenticate user domain

Configuration on Sophos XG

Authentication -> Server -> Click Add

In Server type: Choose Active Directory
Server name: Enter the server name you want to manage
Server IP/domain: Enter AD’s IP address
Port: 389
NetBIOS domain: Enter AD’s NetBIOS
ADS username: Enter administrator
Password: Enter the password of the administrator account
Connection security: Choose Simple
Display name attribute: Enter a name for the server you want to manage
Email address attribute: Enter the email you want (can be left blank)
Domain name: Enter the domain name
Search queries: Enter the domain name in the query format (VD: dc=vcf,dc=com)