Sophos XG: How to configure user authentication with STAC on Sophos XG firewall


Sophos Authentication for Thin Client (SATC), which allows users to be authenticated when using a Microsoft Remote Desktop server (legacy terminal server). Sophos Firewall controls authenticated users using a session-based approach through an identity-based firewall rule providing granular access controls per user group.

How to configure

  • Login in to Sophos XG by Admin account
  • Go to Authentication -> Choose Client downloads -> Click Sophos Authentication For Thin Client (STAC) to download installation file
Download SATC from web admin console
  • Install installation file which was downloaded before on remote desktop server
  • Click Next
SATC installer first page
  • Choose folder to install STAC -> Click Next
SATC installer, choose installation directory
  • Choose Don’t create a Start Menu folder -> Click Next
SATC installer, choose start menu folder
  • Click Install
SATC installer, confirm settings
  • Open Sophos Authentication for Thin Client software -> On Sophos Setting tab, enter IP local address of Sophos XG -> Click OK
SATC installer, confirm the IP address of XG Firewall
  • Click Finish
SATC installer, finish page
  • Installation complete
SATC: configuration page
  • On Sophos XG -> Access console interface -> On the top right side of web interface, choose admin -> Choose Console
  • Choose 4. Device Console
  • Enter the command: system auth thin-client add citrix-ip <TERMINALSERVERIP>
SATC: add remote desktop server via CLI
  • Backup to web interface of Sophos XG -> Add AD server to Sophos XG
  • Go to Authentication -> Choose Servers -> Click Add -> Configure with parameters -> Click Test connection -> Click Save
Server typeActive directory
Server nameMy_AD_Server
Server IP/domain192.168.1.100
NetBIOS domainsophos
ADS usernameadministrator
Password<AD server password>
Search queriesdc=sophos,dc=com
  • After adding AD server -> Import group on AD server -> Go to Authentication -> Choose Servers -> On server -> Click icon Import
Import AD group
  • On Import group wizard -> Click Start
  • In Base DN: Choose your domain
Import Base DN in the import group wizard
  • Choose groups of AD to import
Select AD groups to import
  • Choose policy for groups
Select common policies for groups
  • Choose primary authentication
  • Go to Authentication -> Choose Services -> In Firewall authentication methods -> Choose your AD and move to the primary -> Click Apply
Authentication servers

Be the first to comment

Leave a Reply

Your email address will not be published.


This site uses Akismet to reduce spam. Learn how your comment data is processed.