Skip to content
The XG Series hardware appliances will reach end-of-life (EOL) on March 31, 2025. Click here to see the XG to XGS migration documentation.

STAS

Sophos Transparent Authentication Suite (STAS) enables users on a Windows domain to sign in to Sophos Firewall automatically when signing in to Windows. This eliminates the need for multiple sign-ins and for SSO clients on each client device.

STAS consists of an agent and a collector. The agent monitors user authentication requests and sends information to the collector for authentication. The collector collects the user authentication requests from the agent, processes the requests, and then sends them to the firewall for authentication.

Note

Only the agent must run on the domain controller. The collector can be installed on any other machine. Installing the collector on the domain controller may not be advisable due to the volume of traffic that it generates.

To download STAS, go to Authentication > Client downloads.

Note

STAS doesn't support LDAP over SSL/TLS connections for eDirectory.

Sophos Transparent Authentication Suite settings

To configure Sophos Firewall to be used in a STAS deployment, click the On/Off switch of Enable Sophos Transparent Authentication Suite and then click Activate STAS.

STAS quarantine: For incoming traffic, Sophos Firewall sends a request to the STAS agent to check for a user and destination IP address match. If the agent doesn't find a match, Sophos Firewall drops the traffic.

Identity probe time-out: Time Sophos Firewall waits for a response from the agent before it drops the traffic.

Default: 120 seconds

Restrict client traffic during identity probe: - Yes (default): Holds up traffic until the user and destination IP address match is found. - No: Continues to send traffic to the destination IP address during the identity probe.

Enable user inactivity: Turn on to take action when users are inactive.

Inactivity timer: Signs out users after the specified period (in minutes) of inactivity. Users are considered inactive if they don’t transfer the specified volume of data during this period.

Data transfer threshold: Minimum data (in bytes) that users must transfer during the specified period to be considered active.

Collector

The collector collects the user authentication requests from the agent, processes the requests, and then sends them to the firewall for authentication.

To add a collector, click Add new collector.

More resources