
Configure transparent authentication using STAS

Clientless SSO is provided by the Sophos Transparent Authentication Suite (STAS). You can integrate STAS in an environment with a single Active Directory server.

You can download STAS from Authentication > Client downloads. STAS 2.5 and later support Windows Server 2008R2, 2012R2, 2016, and 2019.

We expect STAS 2.5 and later to work on Windows Server 2022, but this has not yet been tested.

Supported deployment modes:

  • STAS on a domain controller
  • STAS 2.5 and later on a member server

Objectives

When you complete this unit, you'll know how to do the following:

  • Install STAS and configure an agent and a collector.
  • Integrate STAS in the firewall.
  • Verify live users.

Configure the STAS user

Configure the user account that will install and configure STAS. It doesn't have to be an administrator account, but you must configure permissions for the account on the Domain Controller and all endpoint computers.

Permissions on the Domain Controller

To configure the STAS user's permissions on the Domain Controller, do as follows:

  1. Open the Command Prompt and enter dsa.msc to open Active Directory Users and Computers.
  2. Right-click the STAS user and click Properties.
  3. Click Member of and click Add.
  4. Add the user to the Domain Users and Event Log Readers groups.
  5. Click OK when finished.

    STAS user properties showing group membership.

  6. Open File Explorer.

  7. Go to C:\Program Files (x86)\Sophos\
  8. Right-click Sophos Transparent Authentication Suite and click Properties.
  9. Click Security.
  10. Grant Read and Write permissions to the STAS user.
  11. Click OK.

    STAS Folder properties showing permissions.

Permissions on all endpoint computers

To configure the STAS user's permissions on all endpoint computers, do as follows:

Tip

You can push these settings out in a GPO. The WMI Control changes require a PowerShell or logon script as part of the GPO.

  1. Open the Command Prompt and enter lusrmgr.msc to open Local Users and Groups.
  2. Right-click Remote Desktop Users and click Properties.
  3. Click Add.
  4. Add the STAS user and click OK.

    Remote Desktop Users group properties showing members.

  5. Right-click Distributed COM Users and click Properties.

  6. Click Add.
  7. Add the STAS user and click OK.

    Distributed COM Users group properties showing members.

  8. Open the Command Prompt and enter wmimgmt.msc.

  9. Right-click WMI Control (Local) and click Properties.
  10. Click Security.
  11. Expand Root, click CIMV2, and click Security.
  12. Select the STAS user and make sure they have Execute Methods and Remote Enable permissions.
  13. Click OK.

    WMI management window showing security permissions.
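Steps 1 to 13 above can be scripted for GPO deployment, as the tip suggests. The following is an added example, not Sophos code: it adds a placeholder STAS account to the two local groups and appends an allow ACE for Execute Methods and Remote Enable (plus Enable Account, which remote WMI connections also need; that addition is an assumption) to the root\cimv2 namespace. Run it elevated on each endpoint or as a GPO startup script.

```powershell
# Added example (not Sophos code). $StasUser is a placeholder; replace it with
# the domain account that runs STAS.
param([string]$StasUser = 'EXAMPLE\stas-svc')

# Steps 1-7: local group memberships. "net localgroup" is used because it exists on
# every Windows Server version the page lists; the check keeps the script idempotent.
foreach ($group in 'Remote Desktop Users', 'Distributed COM Users') {
    $members = net localgroup "$group"
    if ($members -notcontains $StasUser) {
        net localgroup "$group" $StasUser /add | Out-Null
    }
}

# Steps 8-13: namespace security on root\cimv2. Access-mask bits from the WMI SDK:
#   WBEM_ENABLE = 0x1 (Enable Account), WBEM_METHOD_EXECUTE = 0x2 (Execute Methods),
#   WBEM_REMOTE_ACCESS = 0x20 (Remote Enable). Enable Account is an assumption added here.
$mask = 0x1 -bor 0x2 -bor 0x20

# WMI ACEs identify the trustee by SID, so resolve the account first.
$sid = (New-Object System.Security.Principal.NTAccount($StasUser)).Translate(
           [System.Security.Principal.SecurityIdentifier]).Value

$ns = @{ Namespace = 'root\cimv2'; Path = '__SystemSecurity=@' }
$sd = (Invoke-WmiMethod @ns -Name GetSecurityDescriptor).Descriptor

# Skip if an ACE for this SID already carries every bit we want.
if ($sd.DACL | Where-Object { $_.Trustee.SIDString -eq $sid -and ($_.AccessMask -band $mask) -eq $mask }) {
    Write-Host "WMI permissions already present for $StasUser"
    return
}

$trustee = ([wmiclass]'Win32_Trustee').CreateInstance()
$trustee.SIDString = $sid
$ace = ([wmiclass]'Win32_ACE').CreateInstance()
$ace.AccessMask = $mask
$ace.AceFlags   = 0     # this namespace only, no inheritance to child namespaces
$ace.AceType    = 0     # ACCESS_ALLOWED_ACE_TYPE
$ace.Trustee    = $trustee

# Append the new ACE to the DACL and write the descriptor back.
$sd.DACL += $ace.PSObject.ImmediateBaseObject
$rc = (Invoke-WmiMethod @ns -Name SetSecurityDescriptor `
           -ArgumentList $sd.PSObject.ImmediateBaseObject).ReturnValue
if ($rc -ne 0) { throw "SetSecurityDescriptor on root\cimv2 failed with code $rc" }
```

After it runs, wmimgmt.msc should show the account under Root > CIMV2 > Security with the permissions step 12 asks for.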

Configure system security

Configure audit policies, assign user rights, and modify firewall settings.

  1. On Windows, click the Start button and go to Windows Administrative Tools > Local Security Policy.
  2. Go to Local Policies > Audit Policy and open Audit account sign-in events.
  3. Select the Success and Failure options and click OK.

    Windows local security setting.

  4. Go to Local Policies > User Rights Assignment and open Log on as a service.

  5. If the administrative user installing and running STAS isn't listed, click Add User or Group, add the user, and click OK.
  6. Configure the Windows Firewall and third-party firewalls to allow communication over the following ports:

    • AD Server:
        - Inbound UDP 6677
        - Outbound UDP 6060
        - Outbound TCP 135 and 445 (if using the WMI or Registry Read Access workstation polling method)
        - Outbound ICMP (if using Logoff Detection Ping)
        - Inbound/Outbound UDP 50001 (collector test)
        - Inbound/Outbound TCP 27015 (config sync)
    • Workstation(s):
        - Inbound TCP 135 and 445 (if using the WMI or Registry Read Access workstation polling method)
        - Inbound ICMP (if using Logoff Detection Ping)

    Note

    The RPC, RPC Locator, DCOM, and WMI services must be enabled on workstations for WMI or Registry Read Access polling to work.
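The audit policy from steps 2 and 3 and the port list from step 6 can be applied with Windows Firewall rules scoped to the hosts that need them. This is an added example, not Sophos code; the firewall IP, STAS server IP, monitored network and STAS peer list are placeholders, and scoping UDP 50001 and TCP 27015 to other STAS hosts is an assumption based on the ports being listed as inbound/outbound.

```powershell
# Added example (not Sophos code). Run as .\stas-ports.ps1 -Role Server on the STAS
# host and -Role Workstation on endpoints. All addresses are placeholders.
param(
    [string]$SophosFirewall = '192.0.2.10',     # placeholder: Sophos Firewall IP
    [string]$StasServer     = '10.0.0.5',       # placeholder: DC or member server running STAS
    [string]$MonitoredNet   = '10.0.0.0/24',    # placeholder: network the STA Agent monitors
    [string[]]$StasPeers    = @('10.0.0.5'),    # placeholder: other hosts running STAS components (assumption)
    [ValidateSet('Server', 'Workstation')][string]$Role = 'Server'
)

# Steps 2-3: audit account logon events for both Success and Failure.
auditpol /set /category:"Account Logon" /success:enable /failure:enable | Out-Null

# Helper: one allow rule on the Domain profile, restricted to the given remote hosts.
function Add-StasRule {
    param($Name, $Direction, $Protocol, $Port, $Remote, $IcmpType)
    $p = @{ DisplayName = "STAS $Name"; Group = 'Sophos STAS'; Direction = $Direction
            Protocol = $Protocol; RemoteAddress = $Remote; Action = 'Allow'; Profile = 'Domain' }
    if ($IcmpType) { $p.IcmpType = $IcmpType }                        # ICMP echo request
    elseif ($Direction -eq 'Inbound') { $p.LocalPort = $Port }        # we listen
    else { $p.RemotePort = $Port }                                    # we connect out
    New-NetFirewallRule @p | Out-Null
}

if ($Role -eq 'Server') {
    Add-StasRule 'in UDP 6677'   Inbound  UDP    6677    $SophosFirewall
    Add-StasRule 'out UDP 6060'  Outbound UDP    6060    $SophosFirewall
    Add-StasRule 'out WMI/RRA'   Outbound TCP    135,445 $MonitoredNet   # WMI / Registry Read Access polling
    Add-StasRule 'out ping'      Outbound ICMPv4 $null   $MonitoredNet 8 # Logoff Detection Ping
    Add-StasRule 'in UDP 50001'  Inbound  UDP    50001   $StasPeers      # collector test
    Add-StasRule 'out UDP 50001' Outbound UDP    50001   $StasPeers
    Add-StasRule 'in TCP 27015'  Inbound  TCP    27015   $StasPeers      # config sync
    Add-StasRule 'out TCP 27015' Outbound TCP    27015   $StasPeers
} else {
    Add-StasRule 'in WMI/RRA'    Inbound  TCP    135,445 $StasServer
    Add-StasRule 'in ping'       Inbound  ICMPv4 $null   $StasServer 8
}
```

New-NetFirewallRule needs the NetSecurity module (Windows Server 2012 and later); on 2008R2 the same rules must be created with netsh advfirewall instead.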

Install STAS

Download STAS and install it on the domain controller or member server.

  1. On the firewall, go to Authentication > Client downloads and download Sophos Transparent Authentication Suite (STAS).
  2. Move the installer to the domain controller or member server.
  3. Start the installer and click Next.

    STAS setup assistant.

  4. Follow the setup wizard to specify the location and other options. Then, click Install.

  5. Select SSO Suite and click Next.

    SSO Suite installs all Sophos SSO Suite components on this machine.

  6. Enter the administrator credentials and click Next.

  7. Click Finish.

Configure STAS

Configure a collector, an agent, and general settings.

Note

For settings not listed here, use the default value.

  1. On the server, start STAS, click the General tab, and specify the following settings.

    Option                       Value
    NetBIOS name                 NetBIOS name of the domain you want to monitor
    Fully qualified domain name  FQDN of the domain you want to monitor

    Note

    In STAS, the NetBIOS name must be in capital letters.

  2. Click the STA Agent tab and specify the following settings.

    Option                                Value
    Domain Controller IP                  The IP address of the domain controller. Leave this blank if you're installing STAS on a domain controller.
    Specify the networks to be monitored  The networks you want to monitor, in CIDR notation.

    Specify the domain controller and networks to be monitored.

  3. Click the STA Collector tab, and specify the following settings.

    Option                      Value
    Sophos appliances           IP addresses of the Sophos Firewall appliances in the network
    Workstation polling method  WMI (default) or Registry Read Access

    Specify the IP address and WMI.

  4. Click Apply.

  5. Click Start to start the STAS service.

Integrate STAS with the firewall

Activate STAS on the firewall and add a new collector. Then, open STAS on the server and check to see if the firewall’s IP address appears. Finally, create a firewall rule to control traffic based on user identity.

Before you integrate STAS, go to Authentication > Services and select your AD server as the primary authentication method.

AD server as primary authentication server.

  1. On the firewall, go to Authentication > STAS.
  2. Turn on Enable Sophos Transparent Authentication Suite and click Activate STAS.

    Turn on STAS.

  3. Click Add new collector and specify the following settings.

    Option        Value
    Collector IP  IP address of your collector

  4. Click Save. The firewall attempts to contact STAS on the server over UDP 6060.

  5. On the server, start STAS and click the General tab. You should see the firewall’s IP address in the list of Sophos appliances. This indicates that STAS is connected to the firewall.

    Firewall's IP address on STAS.

  6. Go to Rules and policies > Firewall rules.

  7. Select IPv4 protocol.
  8. Click Add firewall rule, select New firewall rule, and create a firewall rule. Make sure you specify the user settings.

    Select the user in firewall rule.

  9. Go to Administration > Device Access.

  10. Under Authentication services > Clients, select the checkbox for the required zone.

    Select client authentication zone.

  11. Click Apply.

Verify live users

Once users have successfully authenticated to the domain, you can view them as live users on both STAS and the firewall.

  1. On STAS, go to Advanced and select Show live users.

    Show live users.

    Live users.

  2. In the firewall, go to Current activities > Live users.

    Live users in current activities.

    If some or all STAS users don't appear on Live users, see STAS troubleshooting.
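Before turning to troubleshooting, it helps to confirm from the STAS server that a workstation can be polled the way the collector polls it: ping for logoff detection, TCP 135 and 445, and a remote WMI query as the STAS account. This is an added check, not Sophos code; the workstation address is a placeholder and the credential is prompted for.

```powershell
# Added example (not Sophos code). Run on the STAS server as any user; the WMI
# query itself is made with the STAS account's credential.
param(
    [string]$Workstation = '10.0.0.25',                                  # placeholder: a monitored workstation
    [pscredential]$StasCred = (Get-Credential -Message 'STAS account')   # the STAS user
)

$results = [ordered]@{}

# Logoff Detection Ping: the workstation must answer ICMP echo.
$results['ICMP echo'] = Test-Connection -ComputerName $Workstation -Count 1 -Quiet

# WMI and Registry Read Access polling need the RPC endpoint mapper (135) and SMB (445).
foreach ($port in 135, 445) {
    $tnc = Test-NetConnection -ComputerName $Workstation -Port $port -WarningAction SilentlyContinue
    $results["TCP $port"] = $tnc.TcpTestSucceeded
}

# Remote WMI over DCOM as the STAS account. This succeeds only when the account is in
# Distributed COM Users and has Remote Enable and Execute Methods on root\cimv2.
try {
    $opt = New-CimSessionOption -Protocol Dcom
    $s   = New-CimSession -ComputerName $Workstation -Credential $StasCred -SessionOption $opt -ErrorAction Stop
    $cs  = Get-CimInstance -CimSession $s -ClassName Win32_ComputerSystem -ErrorAction Stop
    $results['WMI (DCOM)'] = $true
    # Win32_ComputerSystem.UserName is the interactively logged-on user on that host.
    Write-Host "Logged-on user reported by WMI: $($cs.UserName)"
    Remove-CimSession $s
} catch {
    $results['WMI (DCOM)'] = $false
    Write-Warning "WMI query failed: $($_.Exception.Message)"
}

# Summary: any FAIL points at the firewall rule or permission step that is missing.
$results.GetEnumerator() | ForEach-Object {
    '{0,-12} {1}' -f $_.Key, $(if ($_.Value) { 'OK' } else { 'FAIL' })
}
```

An access-denied error on the WMI line with 135 and 445 open usually means the root\cimv2 permissions or the Distributed COM Users membership from "Permissions on all endpoint computers" were not applied on that workstation.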
