Sophos XGS: How to configure user domain authentication using STAS

August 9, 2021 Vincent Sophos 0

Overview

The article explains how to configure STAS, this is a feature that provides the ability to authenticate users in the internal network automatically just by logging in on the user’s workstation. And there is no need to install SSO on each workstation. Ease to use for end users and higher level of security

Diagram

Các bước cấu hình

  • Configure ADS
  • Download STAS
  • Install STAS on AD
  • Configure STAS
  • Add AD server to Sophos XGS to authenticate
  • Adjust Service configuration to authenticate with AD server
  • Configure STAS on XGS firewall
  • Create firewall rule with source identity as group, user to use STAS authentication
  • Check STAS operation
  • Check the report interface, monitoring, logging

How to configure

B1: Configure ADS

Configure on AD server

  • Start -> Administrative Tools -> Local Security Policy to view security settings
  • Security Settings -> Local Policies -> Audit Policy -> Audit account logon -> Click right click in Audit account logon events -> Choose Properties
  • Choose Success and Failure -> Click OK
  • Local Security Policy -> Security Settings -> Local policies -> User Rights Assignment -> Log on as a service -> Right click on Log on as a service -> Choose Properties
  • Click Add User or Group -> Add user administrator -> Click OK

B2: Download STAS

  • Login to AD with Administrator account
  • Log in to Sophos XG’s graphical interface with an Admin account
  • Authentication -> Click the icon -> Select Client Download to download the installation file -> Install on AD server
  • You can download STAS from Client Downloads page or User Portal when logging with Admin account

B3: Install STAS on AD

  • Install previously downloaded STAS, click Next 4 times -> Click Install
  • Choose SSO and click Next
  • Enter username and password for domain administrator account (administrator@domain.com) -> Click Next
  • Click Finish to complete the installation

B4: Configure STAS

  • Open STAS by double click in Sophos Transparent Authentication Suite on the desktop
  • On STA Collector tab
    • In Sophos Appliance -> Click Add to add the IP address of the LAN port of Sophos XG
    • In Workstation Polling Settings: Choose WMI
    • In Logoff Detection Settings and Appliance Port -> Keep the default configuration

-> Click Apply

  • On STA Agent tab
    • In Monitor Networks -> Click Add to add the LAN network you want to authenticate

-> Click Apply

  • In General tab
    • Enter the domain’s NetBIOS
    • Enter the domain’s FQDN
    • Click Start to start STAS

-> Click Apply -> Click OK

B5: Add AD server to Sophos XGS to authenticate user domain

Configuration on Sophos XG

Authentication -> Server -> Click Add

  • In Server type: Choose Active Directory
  • Server name: Enter the server name you want to manage
  • Server IP/domain: Enter AD’s IP address
  • Port: 389
  • NetBIOS domain: Enter AD’s NetBIOS
  • ADS username: Enter administrator
  • Password: Enter the password of the administrator account
  • Connection security: Choose Simple
  • Display name attribute: Enter a name for the server you want to manage
  • Email address attribute: Enter the email you want (can be left blank)
  • Domain name: Enter the domain name
  • Search queries: Enter the domain name in the query format (VD: dc=vcf,dc=com)

-> Click Test connection -> Click Save

B6: Adjust Service configuration for authentication using AD server

Authentication -> Services

In Firewall authentication methods

  • Select your AD and uncheck Local
  • In Default group: Select the OU you want to add

-> Click Apply

B7: Configuring STAS on XGS firewall

  • Authentication -> Turn on STAS by selecting ON and pressing Active STAS
  • Enter AD Server’s IP address in Collector IP -> Click Save

B8: Create firewall rule with source identity as group, user to use STAS authentication

  • STAS -> Click Add Firewall rule to create firewall rules, control user traffic

B9: Check the operation of STAS

  • Create firewall rule LAN to WAN with web policy allowing access to facebook.com but not allowing access to youtube.com
  • Check user login on AD and Sophos XG
  • On the user’s workstation, perform a web visit to check policy

B10: Check the interface of reporting, monitoring, logging

  • Interface of reporting
  • Interface of monitoring
  • Interface of logging

Be the first to comment

Leave a Reply

Your email address will not be published.


*


This site uses Akismet to reduce spam. Learn how your comment data is processed.