
Configure transparent authentication using STAS

Clientless SSO is provided by the Sophos Transparent Authentication Suite (STAS). You can integrate STAS in an environment with a single Active Directory server.

You can download STAS from Authentication > Client downloads. STAS 2.5 and later support Windows Server 2008R2, 2012R2, 2016, and 2019.

We expect STAS 2.5 and later will work on Windows Server 2022, but it has yet to be tested.

Supported deployment modes:

  • STAS on a domain controller
  • STAS 2.5 and later on a member server

Objectives

When you complete this unit, you'll know how to do the following:

  • Install STAS and configure an agent and a collector.
  • Integrate STAS in the firewall.
  • Verify live users.

Configure system security

Configure audit policies, assign user rights, and modify firewall settings.

  1. On Windows, click the Start button and go to Windows Administrative Tools > Local Security Policy.
  2. Go to Local Policies > Audit Policy and open Audit account sign-in events.
  3. Select the Success and Failure options and click OK.

    Windows local security setting

  4. Go to Local Policies > User Rights Assignment and open Log on as a service.

  5. If the administrative user installing and running STAS isn't listed, click Add User or Group, add the user, and click OK.

    Requirement

    The user who is installing and running STAS must have the following permissions:

    • Member of the Domain Users and Event Log Readers groups.
    • Read and Write permissions for the STAS folder. The default location is C:\Program Files (x86)\Sophos\Sophos Transparent Authentication Suite.
  6. Open ports.

    Configure the Windows firewall and third-party firewalls to allow communication over the following ports:

    • AD server (where STAS runs):
      - Inbound UDP 6677
      - Outbound UDP 6060
      - Outbound TCP 135 and 445 (if using the WMI or Registry Read Access workstation polling method)
      - Outbound ICMP (if using Logoff Detection Ping)
      - Inbound/Outbound UDP 50001 (collector test)
      - Inbound/Outbound TCP 27015 (config sync)
    • Workstations:
      - Inbound TCP 135 and 445 (if using the WMI or Registry Read Access workstation polling method)
      - Inbound ICMP (if using Logoff Detection Ping)

    Note

    The RPC, RPC Locator, DCOM, and WMI services must be running on workstations for the WMI or Registry Read Access polling methods to work.
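The audit-policy and firewall-port steps above can be applied and checked from an elevated PowerShell session on the server that will host STAS. This is an added example, not Sophos's own tooling; the firewall address and monitored subnets are placeholders, and the inbound rule is scoped to the firewall address rather than any source so the collector port is not exposed more widely than it needs to be. The "Log on as a service" right (steps 4 and 5) is still granted through the Local Security Policy console as described.

```powershell
# Added example (not from the Sophos page). Assumptions: $FirewallIp is a placeholder for the
# Sophos Firewall address, $MonitoredNets for the workstation subnets STAS will poll, and the
# auditpol "Account Logon" category corresponds to the legacy "Audit account logon events" policy.
$FirewallIp    = '192.0.2.1'          # placeholder, replace with your firewall's address
$MonitoredNets = @('192.0.2.0/24')    # placeholder, replace with the networks STAS monitors
$Group         = 'Sophos STAS'        # groups the rules so they can be reviewed or removed together

# Steps 2-3: audit both successful and failed account logon events (STAS reads these)
auditpol /set /category:"Account Logon" /success:enable /failure:enable | Out-Null

# Step 6: firewall <-> STAS traffic, inbound limited to the firewall address
New-NetFirewallRule -Group $Group -DisplayName 'STAS in UDP 6677 (from firewall)' `
    -Direction Inbound -Protocol UDP -LocalPort 6677 -RemoteAddress $FirewallIp -Action Allow | Out-Null
New-NetFirewallRule -Group $Group -DisplayName 'STAS out UDP 6060 (to firewall)' `
    -Direction Outbound -Protocol UDP -RemotePort 6060 -RemoteAddress $FirewallIp -Action Allow | Out-Null

# Collector test (UDP 50001) and config sync (TCP 27015) are needed in both directions
foreach ($dir in 'Inbound', 'Outbound') {
    $portParam = if ($dir -eq 'Inbound') { 'LocalPort' } else { 'RemotePort' }
    New-NetFirewallRule -Group $Group -DisplayName "STAS $dir UDP 50001 (collector test)" `
        -Direction $dir -Protocol UDP -Action Allow @{ $portParam = '50001' } | Out-Null
    New-NetFirewallRule -Group $Group -DisplayName "STAS $dir TCP 27015 (config sync)" `
        -Direction $dir -Protocol TCP -Action Allow @{ $portParam = '27015' } | Out-Null
}

# Workstation polling (WMI / Registry Read Access) and logoff-detection ping, scoped to monitored subnets
New-NetFirewallRule -Group $Group -DisplayName 'STAS out TCP 135,445 (workstation polling)' `
    -Direction Outbound -Protocol TCP -RemotePort '135', '445' -RemoteAddress $MonitoredNets -Action Allow | Out-Null
New-NetFirewallRule -Group $Group -DisplayName 'STAS out ICMPv4 echo (logoff detection ping)' `
    -Direction Outbound -Protocol ICMPv4 -IcmpType 8 -RemoteAddress $MonitoredNets -Action Allow | Out-Null

# Verification: the resulting rule set and the effective audit setting
Get-NetFirewallRule -Group $Group | Format-Table DisplayName, Direction, Enabled -AutoSize
auditpol /get /category:"Account Logon"
```

Remove the whole set later with `Get-NetFirewallRule -Group 'Sophos STAS' | Remove-NetFirewallRule`.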

Install STAS

Download STAS and install it on the domain controller or member server.

  1. On the firewall, go to Authentication > Client downloads and download Sophos Transparent Authentication Suite (STAS).
  2. Move the installer to the domain controller or member server.
  3. Start the installer and click Next.

    STAS setup assistant

  4. Follow the setup wizard to specify the location and other options. Then, click Install.

  5. Select SSO Suite and click Next.

    SSO Suite installs all Sophos SSO Suite components on this machine

  6. Enter the administrator credentials and click Next.

  7. Click Finish.

Configure STAS

Configure a collector, an agent, and general settings.

Note

For settings not listed here, use the default value.

  1. On the server, start STAS, click the General tab, and specify the following settings.

    Option                       Value
    NetBIOS name                 NetBIOS name of the domain you want to monitor
    Fully qualified domain name  FQDN of the domain you want to monitor

    Note

    In STAS, the NetBIOS name must be in capital letters.

  2. Click the STA Agent tab and specify the following settings.

    Option                                Value
    Domain Controller IP                  The IP address of the domain controller. Leave this blank if you're installing STAS on a domain controller.
    Specify the networks to be monitored  The networks you want to monitor, in CIDR notation.

    Specify the domain controller and networks to be monitored

  3. Click the STA Collector tab, and specify the following settings.

    Option                      Value
    Sophos appliances           IP addresses of the Sophos Firewall appliances in the network
    Workstation polling method  WMI (default) or Registry Read Access

    Specify the IP address and WMI

  4. Click Apply.

  5. Click Start to start the STAS service.

Integrate STAS with the firewall

Activate STAS on the firewall and add a new collector. Then, open STAS on the server and check that the firewall's IP address appears. Finally, create a firewall rule to control traffic based on user identity.

Before you integrate STAS, go to Authentication > Services and select your AD server as the primary authentication method.

AD server as primary authentication server

  1. On the firewall, go to Authentication > STAS.
  2. Turn on Enable Sophos Transparent Authentication Suite and click Activate STAS.

    Turn on STAS

  3. Click Add new collector and specify the following settings.

    Option        Value
    Collector IP  IP address of your collector
  4. Click Save. The firewall attempts to contact STAS on the server over UDP 6060.

  5. On the server, start STAS and click the General tab. You should see the firewall’s IP address in the list of Sophos appliances. This indicates that STAS is connected to the firewall.

    Firewall's IP address on STAS

  6. Go to Firewall, click Add firewall rule > User/Network rule, and create an identity-based rule to control the traffic based on user identity.

    Select the user in firewall rule

Verify live users

Once users have successfully authenticated to the domain, you can view them as live users on both STAS and the firewall.

  1. On STAS, go to Advanced and select Show live users.

    Show live users

    Live users

  2. In the firewall, go to Current activities > Live users.

    Live users in current activities

    If some or all STAS users don't appear on Live users, see Users unable to sign in through STAS.
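Before going to the troubleshooting article, it is worth confirming that the domain controller is actually writing the logon events STAS reads and that the STAS account can see them. The following added check (not part of the Sophos page) lists the most recent successful logon per source address from the Security log so it can be compared with the Live users views; it assumes the account running it is in Event Log Readers, as the requirements above state, and the one-hour lookback is an arbitrary choice.

```powershell
# Added example (not from the Sophos page). Assumes the current account is in the
# Event Log Readers group; $Since is an arbitrary lookback window.
$Since  = (Get-Date).AddHours(-1)
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624; StartTime = $Since } `
                       -ErrorAction SilentlyContinue
if (-not $events) {
    # Either the audit policy is not recording account logons or this account cannot read the log
    Write-Warning "No 4624 logon events since $Since. Check the audit policy and Event Log Readers membership."
    return
}

$events | ForEach-Object {
    # Pull the named fields out of the event XML rather than parsing the message text
    $xml  = [xml]$_.ToXml()
    $data = @{}
    foreach ($node in $xml.Event.EventData.Data) { $data[$node.Name] = $node.'#text' }
    [pscustomobject]@{
        Time      = $_.TimeCreated
        User      = "$($data['TargetDomainName'])\$($data['TargetUserName'])"
        LogonType = $data['LogonType']
        SourceIp  = $data['IpAddress']
    }
} |
    # Drop local/loopback logons and machine accounts (names ending in $), which STAS does not map to users
    Where-Object { $_.SourceIp -and ($_.SourceIp -notin '-', '127.0.0.1', '::1') -and ($_.User -notlike '*$') } |
    Sort-Object SourceIp, Time -Descending |
    Group-Object SourceIp |
    ForEach-Object { $_.Group | Select-Object -First 1 } |
    Format-Table Time, SourceIp, User, LogonType -AutoSize
```

A workstation address that shows a recent logon here but no entry under Live users points at the collector or the monitored-network setting rather than at auditing.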
