Sophos Authentication for Thin Client (SATC)

About Sophos Authentication for Thin Client (SATC)

Sophos Authentication for Thin Client (SATC) allows users of terminal servers, for example, Citrix, to authenticate with Sophos Firewall using Active Directory.

SATC consists of the thin client software, which you install on your terminal server. A firewall rule configured on Sophos Firewall manages the traffic from the server.

SATC assigns each user a user ID, which is associated with the Active Directory (AD) username and allows AD SSO to work in conjunction with Sophos Firewall.

There are limitations to using SATC for authentication, which are described below.

STAS conflicts with SATC

Sophos Transparent Authentication Suite (STAS) provides a solution for clientless SSO. SATC provides SSO on Citrix XenApp and Microsoft Windows Server Remote Desktop Services. Quite often you need to install both STAS and SATC in an organization's network. However, STAS conflicts with SATC, and Sophos Firewall can't obtain the correct user identity on Citrix XenApp and Microsoft Windows Server Remote Desktop Services.

The solution is to exclude the IP addresses of your Citrix XenApp and Microsoft Windows Server Remote Desktop Services in STAS (configured in STAS under Exclusion List > Login IP Address / Network Subnet mask Exclusion List, and Logoff IP Address / Network Subnet mask Exclusion List).

In the example below, 50.50.50.100 is the IP address of the Citrix XenApp server.

Figure: SATC exclusion in STAS

Unable to authenticate via SATC when using a Google Chrome browser

Version 84 of Google Chrome, Microsoft Edge, and other Chromium-based browsers don't support the ForceNetworkInProcess feature described in this section.

Google Chrome has made changes to the variations codes, starting with version 72.0.3626.96. According to Google and the Chromium group, their new network service stack specifically imposes restrictions on third-party module injection.

SATC operates through Win32 API code injection. When the SATC client is hooked into the Win32 API network stack to detect the user of each TCP connection for firewall authentication, the user's TCP connection requests that originated from their Chrome browser are no longer detected by the SATC client. Since Chrome no longer uses the Win32 network stack, subsequent TCP connections are not authenticated properly and fail to traverse the firewall.

When users authenticating through SATC try to visit websites using Google Chrome, the captive portal sign-in page shows.

We recommend that you don't update to version 84 of Google Chrome or Microsoft Edge at this time. We also recommend that you consider using Firefox as an alternative browser, as it still functions correctly with the SATC agent.

If you've already updated to Google Chrome 84, you can find out how to roll back to a supported version in this article: Downgrade your Chrome version (Windows).

To work around the issue when using Chrome 84, do as follows:

  1. In a Chrome tab, type: chrome://flags in the address bar, and press the Enter key.
  2. Search for Runs network service in-process.
  3. Switch the setting to Enabled.
  4. You will be able to authenticate via SATC as expected.

Note This workaround doesn't work for Chrome 85 and later versions as the Runs network service in-process option has been removed.
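Because the failure mode above depends on which Chromium build is installed on each terminal server, an administrator will want a quick way to see where users will be dropped to the captive portal. The following PowerShell script is an added example, not Sophos code or part of SATC; it assumes the default install paths for Chrome and Edge and uses only the version thresholds stated in this section (72.0.3626.96 as the first build that bypasses the Win32 network stack, and 85 as the version where the chrome://flags workaround was removed).

```powershell
# Added example (not from the Sophos page): inventory Chromium-based browsers on a
# terminal server and classify each one against the SATC behaviour described above.
# Assumptions: default install locations; version thresholds come from this section.

$BrowserPaths = @(
    "$env:ProgramFiles\Google\Chrome\Application\chrome.exe",
    "${env:ProgramFiles(x86)}\Google\Chrome\Application\chrome.exe",
    "${env:ProgramFiles(x86)}\Microsoft\Edge\Application\msedge.exe"
)

function Get-SatcBrowserStatus {
    param([string[]]$Paths = $BrowserPaths)

    foreach ($path in $Paths) {
        if (-not (Test-Path -LiteralPath $path)) { continue }

        # Chrome and Edge stamp a four-part product version on the executable.
        $ver = [version](Get-Item -LiteralPath $path).VersionInfo.ProductVersion

        $status =
            if ($ver -lt [version]'72.0.3626.96') {
                'Unaffected: still uses the Win32 network stack that SATC hooks'
            }
            elseif ($ver.Major -lt 85) {
                'Affected: enable "Runs network service in-process" in chrome://flags, or roll back'
            }
            else {
                'Affected: flag removed in 85+; roll back or use Firefox'
            }

        [pscustomobject]@{
            Server  = $env:COMPUTERNAME
            Browser = Split-Path -Leaf $path
            Version = $ver
            Status  = $status
        }
    }
}

Get-SatcBrowserStatus | Format-Table -AutoSize
```

Run it locally on each Citrix or Remote Desktop Services host, or wrap the function in `Invoke-Command -ComputerName` to collect the table from all terminal servers at once. Any row marked "Affected" identifies a server where SATC users on that browser will see the captive portal sign-in page instead of being authenticated transparently.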

SATC incompatible with endpoint web protection on Windows 2008+

The SATC application for Windows terminal and remote desktop servers is not compatible with Sophos Endpoint Protection web protection features. This is because SATC uses LSP interception for web traffic.

This is a product limitation of SATC.

To work around this issue, turn off web filtering for the terminal server in the endpoint client.

Caution Always inspect web traffic. Ensure that you use web filtering on the firewall if you turn off server web protection. If you aren't using the firewall for inspection, we recommend that you uninstall SATC.

Ensure that you only change policies that apply to the impacted servers. Whenever possible, create a new policy and assign it to the impacted servers.

You can turn off all web protection features on the Sophos server protection client through either the Sophos Central or Enterprise Console interface.

To turn off web protection on Sophos Central, do as follows:

  1. Go to: https://central.sophos.com, and sign in.
  2. Open Server Protection.
  3. Open Configure > Policies.
  4. Select Base Policy - Threat Protection, or the policy that applies to the terminal server.
  5. Open the Settings tab.
  6. Turn off all areas of Real-time scanning - Internet.
  7. In Advanced Security, turn off Detect network traffic to command and control servers.
  8. Click Save.
  9. Open Configure > Policies.
  10. Select Base Policy - Web Control, or the policy that applies to the terminal server.
  11. Open the Settings tab.
  12. Turn off Website Controls.
  13. Click Save.
  14. Restart the terminal server.

To turn off web protection on Sophos Enterprise Console, do as follows:

  1. Open Sophos Enterprise Console.
  2. Expand Anti-virus and HIPS in the Policies area.
  3. Open the policy that applies to the terminal server.
  4. Click Web Protection.
  5. Set both Block access to malicious websites and Content Scanning to Off.
  6. If you're using SEC 5.4.0+, clear the check box for Enable file reputation checking, if it's selected.
  7. Click OK.
  8. Click Sophos Live Protection.
  9. Clear the check box for Enable Live Protection, if it's selected.
  10. Click OK until all dialogs are closed.
  11. Expand Web Control in the Policies area.
  12. Open the policy that applies to the terminal server.
  13. Clear the check box for Enable Web Control, if it's selected.
  14. Click OK.
  15. Restart the terminal server.