Configuring transparent authentication using STAS

Configure audit policies, assign user rights, and modify firewall settings.

1. On Windows, click the Start button and go to Windows Administrative Tools > Local Security Policy.
2. Go to Local Policies > Audit Policy and open Audit account sign-in events.
3. Select the Success and Failure options and click OK.

   

4. Go to Local Policies > User Rights Assignment and open Log on as a service.
5. If the administrative user who is installing and running STAS is not listed, click Add User or Group, add the user, and click OK.
6. Open ports.
   Configure the Windows firewall and third-party firewalls to allow communication over the following ports:

   • AD Server: Inbound UDP 6677, Outbound UDP 6060, Outbound TCP 135 and 445 (if using Workstation Polling Method WMI or Registry Read Access), Outbound ICMP (if using Logoff Detection Ping), Inbound/Outbound UDP 50001 (collector test), Inbound/Outbound TCP 27015 (config sync).
   • Workstation(s): Inbound TCP 135 & 445 (if using Workstation Polling Method WMI or Registry Read Access), Inbound ICMP (if using Logoff Detection Ping).

   Note RPC, RPC locator, DCOM and WMI services should be enabled on workstations for WMI/Registry Read Access.

Download STAS and install it on the Active Directory server.

1. On the firewall, go to Authentication > Client downloads and download Sophos Transparent Authentication Suite (STAS).
2. Move the installer to the Active Directory server.
3. On the Active Directory server, start the installer and click Next.

   

4. Follow the setup wizard to specify destination location and other options. Then, click Install.
5. Select SSO Suite and click Next.

   

6. Type administrator credentials and click Next.
7. Click Finish.

Configure a collector, an agent, and general settings.

1. On the AD server, start STAS, click the STA Collector tab, and specify settings.
   Note For settings not listed here, use the default value.

   Option	Description
   Sophos appliances	192.168.1.251
   Workstation polling method	WMI

   
2. Click the STA Agent tab and specify settings.

   Option	Description
   Specify the networks to be monitored	192.168.1.0/24

3. Click the General tab and specify settings.

   Option	Description
   NetBIOS name	TESTLAB
   Fully qualified domain name	testlab.com

4. Click Apply.
5. Click Start to start the STAS service.

Activate STAS on the firewall and add a new collector. Then, open STAS on the AD server and check to see if the firewall’s IP address appears. Finally, create a firewall rule to control traffic based on user identity.

Before you integrate STAS, go to Authentication > Services and select your AD server as the primary authentication method.

1. On the firewall, go to Authentication > STAS.
2. Turn on Enable Sophos Transparent Authentication Suite and click Activate STAS.

   

3. Click Add new collector and specify settings.

   Option	Description
   Collector IP	192.168.1.10

4. Click Save.
   The firewall attempts to contact STAS on the AD server over UDP 6060.
5. On the AD server, start STAS and click the General tab.
   You should see the firewall’s IP address in the list of Sophos appliances. This indicates that STAS is connected to the firewall.

   

6. Go to Firewall, click + Add firewall rule > User/Network rule, and create an identity-based rule to control the traffic based on user identity.

   

Once users have successfully authenticated to the domain, you can view them as live users on both STAS and the firewall.

1. On STAS, go to Advanced and select Show live users.

   

   

2. In the firewall, go to Current activities > Live users.