[German]A brief note for administrators who use Sophos Authentication for Thin Clients (SATC) in conjunction with a Chromium 84 browser There will be problems with authentication using SATC and the XG firewall. The recommendation is to prevent updating the Chromium browser and use Firefox as the browser.
This week, the Google Chrome browser was released in version 84 (see Chrome 84.0.4147.89 released) and is now being rolled out step by step. Microsoft has also released a security update for the Chromium Edge Browser 84 (see).
Internet Explorer, Google Chrome and Opera. If the Sophos Firewall Device is being treated as a public URL; Mozilla Firefox; Feedback and contact; Applies to the following Sophos products and versions Sophos Firewall Internet Explorer, Google Chrome and Opera Configure NTLM in Internet Explorer, Google Chrome and Opera by following the steps below. Internet Explorer, Google Chrome and Opera. If the Sophos Firewall Device is being treated as a public URL; Mozilla Firefox; Feedback and contact; Applies to the following Sophos products and versions Sophos Firewall Internet Explorer, Google Chrome and Opera Configure NTLM in Internet Explorer, Google Chrome and Opera by following the steps below. Hello, The original post has been posted under 'Endpoint Security and Control' which is separate from Sophos Home. If your issue is for Sophos Home (Free, Pro, or Premium editions) please post under the Group Free Tools or visit the Sophos Home Support Page.From there you should be able to search for KB Articles that might help with the issues you are seeing.
I also had this issue with several users and at first thought it was the Trusteer Rapport chrome extension. I found googledocs modules in Chrome extensions to be the cause. Once disabled, no more ROP errors. I'm now checking Sophos community for resolution in case other users run into this. Hope this helps! Category: Controlled Applications: Publisher Name: Google: Type: Internet browser: Publisher URL. Try Sophos products for free Download now Download Sophos Home. Free business-grade security for the home. Endpoint Protection. Free 30 Day Trial; Security Solutions.
Authentication issues with SATC and the XG Firewall
German blog reader Bernie refers in this comment to a email distributed to Sophos users (see also this Sophos support article). Here is an excerpt:
Dear Sophos customer,
You are receiving this email because our records show that you are using Sophos Authentication for Thin Clients (SATC).
If your default browser is Mozilla Firefox, there is no need to take action.
Sophos Chromebook User Id App
Version 84 of Google Chrome and other chromium-based browsers is expected to be released on 14 July 2020.
This version will remove a feature that is required to ensure compatibility with SATC.
As a result, authentication with SATC and the XG firewall will no longer be able to correctly identify the user associated with web browsing traffic in Chrome.
This leads to policy and web traffic reporting errors.
Who is affected?
According to Sophos, all XG firewall customers using SATC on thin client deployments running multi-user Windows services such as Windows Remote Desktop or Terminal Services using Chrome or Chromium-based browsers will be affected. The measures recommended by Sophos are:
- Use Mozilla Firefox, this browser is still fully compatible with SATC
- Prevent updating in Google Chrome by disabling automatic updating.
- If you are using the new Microsoft Edge browser, disable automatic updating. The original Microsoft Edge Browser is not affected by this issue.
For more information and links to instructions on how to manage settings in different browsers, see the knowledgebase article. However, Sophos is working on a new approach to authentication to multi-user Windows services, which will be compatible with future versions of Google Chrome and other Chromium-based browsers. The vendor intends to provide information as soon as there is any news on this. Maybe it will help.
Advertising
Sophos Chrome Os
Security company Sophos recommends customers using the Sophos Authentication for Thin Clients, or SATC, to delay the update to the latest version of Google Chrome and Microsoft Edge due to authentication issues.
In a tech support document published earlier this month and spotted by Gunther Born, Sophos says that the problem can be encountered with any browser that is based on Chromium, so the company recommends users to either stick with the previous version or just switch to Firefox.
Sophos Chrome Stack Pivot
“Sophos recommends that customers do not update to version 84 of Google Chrome or Microsoft Edge at this time. Sophos also recommends that customers consider using Firefox as an alternative, as it will still function correctly with the SATC agent,” the security vendor says, adding that a replacement for the current agent is already in the works, and it’s projected to go live later this year.
The workarounds
For now, however, users are recommended to avoid updating their Chromium browsers to the latest versions, and if the update was already installed, to downgrade to version 83 or just switch to Firefox.
Additionally, Sophos says that customers can enable the “Runs network service in-process” flag in Chromium browsers to be able to authenticate via SATC after the update.
“Win32 API code injection is how SATC operates. When a 3rd party SSO firewall client is hooked into the Win32 API network stack to detect the user of each TCP connection for firewall authentication, the user's TCP connection requests that originated from their Chrome browser are no longer detected by the firewall SSO client. Since Chrome no longer uses the Win32 network stack, subsequent TCP connections are not authenticated properly and will fail to traverse the firewall,” Sophos explains.
Sophos Chromebook
Sophos says it’ll share more information on the release date of its SATC agent replacement “as soon as possible.”