Set up SATC with Sophos Server Protection

Sophos Authentication for Thin client (SATC) with Sophos Server Protection enables Sophos Firewall to authenticate users accessing a server or remote desktop.


It replaces standalone SATC. When you use Sophos Server Protection, you don't need to install standalone SATC.

Note: SATC with Sophos Server Protection only supports Windows Remote Desktop Services.
Note: You must download the Windows server installer from Sophos Central. The installers you can see depend on the licenses you have.

To implement SATC authentication with Sophos Server Protection on your terminal servers, you must install the Windows server installer on the terminal server. You must then configure SATC through the server's registry in the following location:

HKLM\Software\Sophos\Sophos Network Threat Protection\Application

You can configure the following options:

Registry value


SendSatcEvents (DWORD)

When present and non-zero, the SATC feature is turned on.

SatcDestinationAddr (STRING)

The IPv4 address of the firewall.

SatcDestinationPort (DWORD)

The port to send the SATC messages to. Default: 6060

SatcExcludedUsers (MULTISTRING)

A list of usernames to exclude. Entries are case-sensitive.

SatcExcludedAddresses (MULTISTRING)

A list of destinations to exclude. No authentication information is sent to the firewall when users connect to these destinations. You can enter destinations in the following formats:

  • IPv4 address
  • IPv4 address:Port
  • *:Port

SatcPendDurationMs (DWORD)

When SATC is turned on and configured with a valid destination, this value controls how long the driver pends outbound IPv4 TCP connections. Defaults to 100 ms when not present. Setting this value to zero disables connection pending. You must enable IPS within Server Protection.

To set up SATC using server protection, do as follows:

Set up SATC on a Windows server through the registry

  1. Sign in to Sophos Central.
  2. Go to Protect devices.
  3. Under Server protection, download the Windows server installer and install it on your terminal server. For more information, see Sophos Server Protection.
    Note: The installers you can see on Sophos Central depend on the licenses you have.
  4. Turn off tamper protection for server protection. For more information, see Sophos Endpoint: How to disable Tamper Protection.
    Tip: Make a note of the current settings before you turn off tamper protection. You need to change these back once SATC is turned on.
  5. On the server, open a command-line console.
  6. Run the following commands to turn on SATC:
    1. reg add "HKLM\Software\Sophos\Sophos Network Threat Protection\Application" /v SendSatcEvents /t REG_DWORD /d 1
    2. reg add "HKLM\Software\Sophos\Sophos Network Threat Protection\Application" /v SatcDestinationAddr /t REG_SZ /d FIREWALL-IP
    3. reg add "HKLM\Software\Sophos\Sophos Network Threat Protection\Application" /v SatcDestinationPort /t REG_DWORD /d FIREWALL-PORT

    When entering the above commands, replace FIREWALL-IP and FIREWALL-PORT with the IP address of Sophos Firewall and the port (default: 6060) that SATC communicates on.

  7. IPS is turned on by default in the server protection policy. For more information, see Server Protection: Default settings.
  8. Turn on tamper protection again.
  9. Restart the terminal server.
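
After the restart, the values set above and the optional ones from the registry table can be checked in one pass. The following PowerShell is an added example, not Sophos code: the function names, the constructed sample values, and the choice to report any SatcExcludedAddresses entry outside the three listed formats are assumptions of this example.

```powershell
# Added example: audit the SATC registry values described on this page.
$KeyPath = 'HKLM:\Software\Sophos\Sophos Network Threat Protection\Application'

function Test-IPv4([string]$Text) {
    # Strict dotted quad: four decimal octets, each 0-255.
    $parts = $Text -split '\.'
    if ($parts.Count -ne 4) { return $false }
    foreach ($p in $parts) {
        if ($p -notmatch '^\d{1,3}$' -or [int]$p -gt 255) { return $false }
    }
    return $true
}
function Test-Port($Value) {
    return ("$Value" -match '^\d{1,5}$') -and ([int]"$Value" -ge 1) -and ([int]"$Value" -le 65535)
}
function Test-SatcExclusion([string]$Entry) {
    # Formats listed on the page: IPv4 address, IPv4 address:Port, *:Port.
    $hostPart, $portPart = $Entry -split ':', 2
    if ($null -eq $portPart) { return (Test-IPv4 $hostPart) }
    return (($hostPart -eq '*') -or (Test-IPv4 $hostPart)) -and (Test-Port $portPart)
}
function Read-SatcConfig {
    # Copy the Satc* values from the key into a hashtable (empty if the key is missing).
    $cfg = @{}
    $item = Get-ItemProperty -Path $KeyPath -ErrorAction SilentlyContinue
    if ($item) {
        foreach ($p in $item.PSObject.Properties) {
            if ($p.Name -match 'Satc') { $cfg[$p.Name] = $p.Value }
        }
    }
    return $cfg
}
function Get-SatcFinding([hashtable]$Cfg) {
    $findings = @()
    if (-not $Cfg.SendSatcEvents) { $findings += 'SendSatcEvents absent or zero: SATC is off' }
    if (-not (Test-IPv4 "$($Cfg.SatcDestinationAddr)")) { $findings += 'SatcDestinationAddr is not an IPv4 address' }
    if ($Cfg.ContainsKey('SatcDestinationPort') -and -not (Test-Port $Cfg.SatcDestinationPort)) {
        $findings += 'SatcDestinationPort is not a valid port' }
    foreach ($e in @($Cfg.SatcExcludedAddresses)) {
        if ($e -and -not (Test-SatcExclusion $e)) { $findings += "SatcExcludedAddresses entry not in a listed format: $e" }
    }
    if ($Cfg.ContainsKey('SatcPendDurationMs') -and $Cfg.SatcPendDurationMs -eq 0) {
        $findings += 'SatcPendDurationMs is 0: connection pending is disabled' }
    return $findings
}
# Constructed sample values (not from a real server), so the checks can be seen offline.
$sample = @{ SendSatcEvents = 1; SatcDestinationAddr = '192.0.2.1'; SatcDestinationPort = 6060
             SatcExcludedAddresses = @('198.51.100.7', '*:443', 'fileserver:445'); SatcPendDurationMs = 0 }
Get-SatcFinding $sample
# On the terminal server itself: Get-SatcFinding (Read-SatcConfig)
```

An empty result means none of these checks found a problem; it does not confirm that the firewall is receiving SATC messages, which the Live users list on Sophos Firewall shows.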

Add terminal server IP address on Sophos Firewall

For SATC to authenticate users, you must specify the IP addresses of your terminal servers on Sophos Firewall.
  1. Go to the command-line console of Sophos Firewall and choose option 4. Device Console.
  2. Enter the following command to add the terminal server's IP address:
    system auth thin-client add citrix-ip <TERMINALSERVERIP>
    Replace <TERMINALSERVERIP> in the command with the IP address of your terminal server.
    Note: Sophos Firewall 17.0 MR5 and later support up to 192 servers. Previously, only 64 servers were supported. Once the limit is reached, the following error message appears:

    Maximum Thinclient limit reached. Maximum supported Thinclients are 192.

Allow access

Allow access to the terminal server's zone for client authentication by Sophos Firewall. Add a firewall rule to allow the server's traffic. In this example, the terminal server is in the LAN zone.
  1. To allow access to the terminal server's zone, do as follows:
    1. Go to Administration > Device access.
    2. Under Client authentication, select the terminal server's zone.
      [Image: Access to the terminal server's zone]
  2. Allow access for the server's traffic:
    1. Go to Rules and policies > Firewall rules, click Add firewall rule, and then New firewall rule.
    2. Under Source zones, select LAN.
    3. Under Destination zones, select WAN.
      [Image: Zones in firewall rule]
    4. Select Match known users.
    5. Select Use web authentication for unknown users.
    6. Under Users or groups, select the users and groups to whom you want to allow access.
      [Image: Match users]
  3. To see the users who've signed in to the terminal server, go to Current activities > Live users.

    Users are listed with the following details:

    • Client type: Thin client
    • IP address: The terminal server's IP address with a unique session ID for each user.
      [Image: Live users signed in through STAS]