Configuring transparent authentication using STAS

Sophos Firewall provides clientless SSO through the Sophos Transparent Authentication Suite (STAS): domain logons are detected on the Active Directory server and reported to the firewall, so users are identified without installing a client on their workstations. This unit integrates STAS in an environment with a single Active Directory server.

Objectives

When you complete this unit, you’ll know how to do the following:
  • Install STAS and configure an agent and a collector.
  • Integrate STAS in the firewall.
  • Verify live users.

Configure system security

Configure audit policies, assign user rights, and modify firewall settings.

  1. On Windows, click the Start button and go to Windows Administrative Tools > Local Security Policy.
  2. Go to Local Policies > Audit Policy and open Audit logon events.
  3. Select the Success and Failure options and click OK.
  4. Go to Local Policies > User Rights Assignment and open Log on as a service.
  5. If the account that installs and runs STAS is not listed, click Add User or Group, add the account, and click OK.
  6. Open ports.
    Configure the Windows firewall and any third-party firewall to allow the following traffic:
    • AD server (collector and agent):
      Inbound UDP 6677 from the firewall (the collector listens here).
      Outbound UDP 6060 to the firewall (logon information is sent here).
      Outbound TCP 135 and 445 to the workstations (only with the WMI or Registry Read Access workstation polling method).
      Outbound ICMP echo to the workstations (only with Logoff Detection Ping).
      Inbound and outbound UDP 50001 (collector test).
      Inbound and outbound TCP 27015 (config sync).
    • Workstations:
      Inbound TCP 135 and 445 from the AD server (only with the WMI or Registry Read Access workstation polling method).
      Inbound ICMP echo from the AD server (only with Logoff Detection Ping).
    Note The RPC, RPC Locator, DCOM and WMI services must be running on the workstations for WMI or Registry Read Access polling. Restrict these rules to the firewall's address and the monitored networks rather than allowing them from any source.
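The steps above, scripted with PowerShell, as an added example that is not part of the Sophos page. Run it in an elevated session on the AD server, or with -Workstation on a workstation that will be polled. The service account name, the firewall, collector and monitored-network addresses and the rule names are placeholders; the audit policy is set with auditpol (the advanced-policy equivalent of the Audit logon events setting) and the Log on as a service right with secedit, which is the same change the Local Security Policy GUI makes.

```powershell
<#
  Added example, not from the Sophos page: scripts "Configure system security" on
  Windows. Elevated session required. Assumed placeholders: the STAS service
  account, the addresses below and the firewall rule names.
#>
param(
    [string]$StasAccount      = 'TESTLAB\stas-svc',   # assumed: account that runs STAS
    [string]$FirewallIP       = '192.168.1.251',      # Sophos appliance address
    [string]$CollectorIP      = '192.168.1.10',       # AD server running STAS
    [string]$MonitoredNetwork = '192.168.1.0/24',     # network the STA Agent monitors
    [switch]$Workstation                              # configure a polled workstation instead
)

function Enable-LogonAuditing {
    # Equivalent of Audit Policy > Audit logon events with Success and Failure:
    # successful logons write event 4624, failed ones 4625, to the Security log.
    auditpol /set /subcategory:"Logon" /success:enable /failure:enable | Out-Null
}

function Grant-ServiceLogonRight {
    # User Rights Assignment > Log on as a service, applied via secedit export/import.
    param([string]$Account)
    $sid = ([System.Security.Principal.NTAccount]$Account).Translate(
               [System.Security.Principal.SecurityIdentifier]).Value
    $cfg = Join-Path $env:TEMP 'stas-rights.inf'
    $db  = Join-Path $env:TEMP 'stas-rights.sdb'
    secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
    $text = Get-Content $cfg -Raw
    if ($text -match '(?m)^SeServiceLogonRight\s*=[^\r\n]*') {
        if ($Matches[0] -notlike "*$sid*") {           # append the SID to the existing list
            $text = $text -replace '(?m)^(SeServiceLogonRight\s*=[^\r\n]*)', ('$1,*' + $sid)
        }
    } else {                                            # nobody holds the right yet: add the line
        $text = $text -replace '(?m)^\[Privilege Rights\][^\r\n]*',
                               ("[Privilege Rights]`r`nSeServiceLogonRight = *" + $sid)
    }
    Set-Content -Path $cfg -Value $text -Encoding Unicode -NoNewline
    secedit /configure /db $db /cfg $cfg /areas USER_RIGHTS | Out-Null
    Remove-Item $cfg, $db -ErrorAction SilentlyContinue
}

function Add-StasFirewallRules {
    # Rules are scoped to the firewall and the monitored network, not to "Any".
    $common = @{ Action = 'Allow'; Profile = 'Domain'; Group = 'STAS' }
    if ($Workstation) {
        New-NetFirewallRule @common -DisplayName 'STAS polling in (RPC/SMB)' -Direction Inbound -Protocol TCP -LocalPort 135,445 -RemoteAddress $CollectorIP
        New-NetFirewallRule @common -DisplayName 'STAS logoff ping in' -Direction Inbound -Protocol ICMPv4 -IcmpType 8 -RemoteAddress $CollectorIP
        # WMI / Registry Read Access polling needs RPC, RPC Locator, DCOM and WMI running.
        foreach ($svc in 'RpcSs', 'RpcLocator', 'DcomLaunch', 'Winmgmt') {
            if ((Get-Service $svc).StartType -eq 'Disabled') { Set-Service $svc -StartupType Manual }
            if ((Get-Service $svc).Status -ne 'Running')     { Start-Service $svc }
        }
    } else {
        New-NetFirewallRule @common -DisplayName 'STAS collector in (UDP 6677)'  -Direction Inbound  -Protocol UDP -LocalPort 6677  -RemoteAddress $FirewallIP
        New-NetFirewallRule @common -DisplayName 'STAS collector out (UDP 6060)' -Direction Outbound -Protocol UDP -RemotePort 6060 -RemoteAddress $FirewallIP
        New-NetFirewallRule @common -DisplayName 'STAS polling out (RPC/SMB)' -Direction Outbound -Protocol TCP -RemotePort 135,445 -RemoteAddress $MonitoredNetwork
        New-NetFirewallRule @common -DisplayName 'STAS logoff ping out' -Direction Outbound -Protocol ICMPv4 -IcmpType 8 -RemoteAddress $MonitoredNetwork
        New-NetFirewallRule @common -DisplayName 'STAS collector test in'  -Direction Inbound  -Protocol UDP -LocalPort 50001
        New-NetFirewallRule @common -DisplayName 'STAS collector test out' -Direction Outbound -Protocol UDP -RemotePort 50001
        New-NetFirewallRule @common -DisplayName 'STAS config sync in'  -Direction Inbound  -Protocol TCP -LocalPort 27015
        New-NetFirewallRule @common -DisplayName 'STAS config sync out' -Direction Outbound -Protocol TCP -RemotePort 27015
    }
}

Enable-LogonAuditing
if (-not $Workstation) { Grant-ServiceLogonRight -Account $StasAccount }
Add-StasFirewallRules | Out-Null

# Show what was applied so it can be compared with the GUI steps.
auditpol /get /subcategory:"Logon"
Get-NetFirewallRule -Group 'STAS' | Get-NetFirewallPortFilter | Select-Object Protocol, LocalPort, RemotePort
```

If the AD server sits behind a third-party host firewall, the same port list has to be reproduced there; the rules above only cover the Windows firewall.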

Install STAS

Download STAS and install it on the Active Directory server.

  1. On the firewall, go to Authentication > Client downloads and download Sophos Transparent Authentication Suite (STAS).
  2. Move the installer to the Active Directory server.
  3. On the Active Directory server, start the installer and click Next.
  4. Follow the setup wizard to specify destination location and other options. Then, click Install.
  5. Select SSO Suite and click Next.
  6. Type the credentials of the administrative account that will run STAS (the account granted Log on as a service above) and click Next.
  7. Click Finish.

Configure STAS

Configure a collector, an agent, and general settings.

  1. On the AD server, start STAS, click the STA Collector tab, and specify the following settings. For settings not listed here, keep the default value.
    Sophos appliances: 192.168.1.251 (the firewall's IP address)
    Workstation polling method: WMI
  2. Click the STA Agent tab and specify the following setting.
    Specify the networks to be monitored: 192.168.1.0/24
  3. Click the General tab and specify the following settings.
    NetBIOS name: TESTLAB
    Fully qualified domain name: testlab.com
  4. Click Apply.
  5. Click Start to start the STAS service.

Integrate STAS with the firewall

Activate STAS on the firewall and add a new collector. Then, open STAS on the AD server and check to see if the firewall’s IP address appears. Finally, create a firewall rule to control traffic based on user identity.

Before you integrate STAS, go to Authentication > Services and select your AD server as the primary authentication method.

  1. On the firewall, go to Authentication > STAS.
  2. Turn on Enable Sophos Transparent Authentication Suite and click Activate STAS.
  3. Click Add new collector and specify the following setting.
    Collector IP: 192.168.1.10 (the AD server on which you installed STAS)
  4. Click Save.
    The firewall contacts the collector on the AD server over UDP 6677, and the collector reports logons to the firewall over UDP 6060; these are the ports opened in Configure system security.
  5. On the AD server, start STAS and click the General tab.
    You should see the firewall’s IP address in the list of Sophos appliances. This indicates that STAS is connected to the firewall.
  6. Go to Firewall, click Add firewall rule > User/Network rule, and create an identity-based rule to control the traffic based on user identity. Traffic from an IP address that STAS has not mapped to a user does not match the rule, so check Live users first if a rule seems not to apply.

Verify live users

Once users have successfully authenticated to the domain, you can view them as live users on both STAS and the firewall.

  1. On STAS, go to Advanced and select Show live users.
  2. In the firewall, go to Current activities > Live users.
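A check to run on the AD server when a user is missing from Live users, as an added example that is not part of the Sophos page. It confirms that the audit policy from Configure system security is producing logon events, that something is listening on the collector port UDP 6677, and that a workstation is reachable on the polling and ping ports. The workstation address and the lookback window are placeholders; the event IDs inspected (4624 success, 4625 failure) are what the Windows audit policy generates, not a statement of which records STAS itself parses.

```powershell
<#
  Added example, not from the Sophos page: verifies the inputs STAS depends on.
  Run on the AD server. Assumed placeholders: the workstation address and the
  lookback window.
#>
param(
    [string]$Workstation     = '192.168.1.50',   # assumed: a workstation in 192.168.1.0/24
    [int]$LookbackMinutes    = 15
)

function Get-RecentLogons {
    # Audit logon events (Success) writes event 4624 to the Security log; a user
    # that never appears here cannot appear as a live user either.
    param([int]$Minutes)
    $filter = @{ LogName = 'Security'; Id = 4624; StartTime = (Get-Date).AddMinutes(-$Minutes) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $d = ([xml]$_.ToXml()).Event.EventData.Data
        [pscustomobject]@{
            Time      = $_.TimeCreated
            User      = ($d | Where-Object Name -eq 'TargetUserName').'#text'
            Domain    = ($d | Where-Object Name -eq 'TargetDomainName').'#text'
            LogonType = ($d | Where-Object Name -eq 'LogonType').'#text'
            Source    = ($d | Where-Object Name -eq 'IpAddress').'#text'
        }
    } | Where-Object { $_.User -notlike '*$' -and $_.Source -notin '-', '::1', '127.0.0.1' }   # drop machine accounts and local noise
}

function Test-StasListener {
    # The firewall reaches the collector on UDP 6677; nothing bound there means
    # the STAS service was not started (step 5 of Configure STAS).
    [bool](Get-NetUDPEndpoint -LocalPort 6677 -ErrorAction SilentlyContinue)
}

function Test-WorkstationPolling {
    # WMI / Registry Read Access polling needs TCP 135 and 445 on the workstation;
    # Logoff Detection Ping needs ICMP echo.
    param([string]$Target)
    [pscustomobject]@{
        Target = $Target
        Tcp135 = (Test-NetConnection $Target -Port 135 -InformationLevel Quiet -WarningAction SilentlyContinue)
        Tcp445 = (Test-NetConnection $Target -Port 445 -InformationLevel Quiet -WarningAction SilentlyContinue)
        Ping   = (Test-Connection $Target -Count 1 -Quiet)
    }
}

"Collector listening on UDP 6677: $(Test-StasListener)"
Test-WorkstationPolling -Target $Workstation | Format-List
Get-RecentLogons -Minutes $LookbackMinutes | Sort-Object Time -Descending | Format-Table -AutoSize
```

Compare the User and Source columns with what STAS shows under Advanced > Show live users: a logon that is in the Security log but not in the live-user list points at the collector or the monitored network setting, while a logon that is absent from the log points at the audit policy.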