Windows Server 2012 R2: Sophos user authentication using heartbeat disabled on RDS servers

[German]Brief note for administrators running Windows Server 2012 R2 who rely on Sophos user authentication via Sophos Security Heartbeat. Sophos has shipped an update that silently disables the feature on Windows Server 2012 R2. A blog reader informed me of this, and I bring it up here because it may affect other users as well.


German blog reader Matthias R. contacted me by email yesterday to report a rather unpleasant experience with Sophos. It concerns the authentication of terminal server users on Windows Server 2012 R2. Originally, Sophos had a dedicated client for this task, SATC (Sophos Authentication for Thin Clients).

This was software installed on the RDS server that identified the logged-on users to the firewall, so that user- and group-based rules could be applied even though all sessions share the server's IP address. However, Matthias says this software never really worked, and Sophos decided to replace it with Security Heartbeat, which is implemented in Endpoint Protection.

According to this Sophos document, Security Heartbeat is a feature that lets endpoints and firewalls exchange their health status with each other. In this scenario, Sophos Endpoint Protection takes over the user authentication and reports the logged-on user to the firewall over the same channel.

Sophos Heartbeat disabled via update

The Heartbeat-based solution also worked for a while, Matthias writes. But now, he says, Sophos has simply ended support for Server 2012 R2 silently and without prior notice: an update installed in the background removed Heartbeat-based user authentication. Matthias writes about this:

So as of now, a lot of our firewall rules that were implemented at the group or user level don't work. This means that the marketing department will suddenly no longer be able to communicate with the Adobe Cloud, special users will no longer be able to do FTP. Or even worse, users who have been completely blocked from accessing the Internet are suddenly able to surf again.

As a result, many of our content filters no longer work, and so on. Many components of our security concept have not been working for months, because the manufacturer has silently disabled features without any communication to the end customer.

What Matthias found particularly unpleasant was the dismal Sophos support, which took months to clarify the situation. Weeks passed before a Sophos technician even took the problem on. For an issue of this importance, that is unacceptable.
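The security-relevant point in Matthias' report is that identity-based rules failed open without anyone noticing: blocked users could suddenly surf again. A cheap safeguard against this class of silent failure is a canary that runs on the RDS host in the session of a deliberately blocked test account and checks whether the firewall still enforces the rules for that user. The following PowerShell script is an added example written for this post; it is not code from the blog, from Matthias or from Sophos, and it does not touch any Sophos component. The test account, the destination hosts and the log path are assumptions that must be replaced with values from your own rule set.

```powershell
# Added example (not from the blog post or from Sophos): a fail-open canary for user-based
# firewall rules on an RDS host. Schedule it to run in the session of a test account that the
# firewall is supposed to block completely (assumed to exist). The hosts below are placeholders.

$BlockedTargets = @(                     # destinations this user must NOT reach
    @{ Host = 'ftp.example.com';  Port = 21  },
    @{ Host = 'www.example.com';  Port = 443 }
)
$AllowedTargets = @(                     # control: destinations this user MUST reach
    @{ Host = 'intranet.example.local'; Port = 443 }
)
$LogFile = 'C:\ProgramData\fw-canary\canary.log'   # assumed log location

function Test-Reachable {
    param([string]$HostName, [int]$Port)
    # Test-NetConnection ships with Windows Server 2012 R2 / PowerShell 4.0.
    # -InformationLevel Quiet returns $true only if the TCP handshake completes.
    return [bool](Test-NetConnection -ComputerName $HostName -Port $Port `
                                     -InformationLevel Quiet -WarningAction SilentlyContinue)
}

# Record which OS and which user identity this run represents; 6.3.x is Windows Server 2012 R2.
$os  = (Get-CimInstance Win32_OperatingSystem).Version
$who = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
$findings = @()

# A reachable "blocked" target means the firewall no longer applies the user-based deny rule,
# e.g. because it no longer learns which user owns the connection (the situation described above).
foreach ($t in $BlockedTargets) {
    if (Test-Reachable -HostName $t.Host -Port $t.Port) {
        $findings += "FAIL-OPEN $who reached $($t.Host):$($t.Port) but should be blocked"
    }
}
# An unreachable "allowed" target distinguishes a general connectivity problem from a policy problem.
foreach ($t in $AllowedTargets) {
    if (-not (Test-Reachable -HostName $t.Host -Port $t.Port)) {
        $findings += "FAIL-CLOSED $who cannot reach $($t.Host):$($t.Port); network issue rather than policy issue"
    }
}

$status = if ($findings) { 'ALERT' } else { 'OK' }
New-Item -ItemType Directory -Force -Path (Split-Path $LogFile) | Out-Null
"$(Get-Date -Format s) os=$os user=$who status=$status" | Add-Content $LogFile
$findings | ForEach-Object { "  $_" } | Add-Content $LogFile

# Non-zero exit code lets the scheduled task or monitoring system raise an alert.
if ($status -eq 'ALERT') { exit 1 } else { exit 0 }
```

The canary only tells you that enforcement for one user on one host has changed, not why; but that is exactly the signal Matthias' team lacked for months. Run it under a second, allowed test account as well if you want to catch the opposite failure (rules suddenly blocking everyone).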


Windows Server 2012 R2: end of support in one year

Matthias is aware that mainstream support for Windows Server 2012 R2 has ended and that the product is only in extended support. Nevertheless, it will still receive security updates from Microsoft for almost another year, so continuing to use it is legitimate. In his opinion, Sophos still cannot silently remove a feature that is vital to terminal servers and thereby throw the whole security concept into disarray.

Terrible Sophos customer support

Matthias described his experiences with the manufacturer's customer support very concretely in his mail: Sophos examined the phenomenon with several support engineers. Matthias easily spent 10 hours with his service provider and a Sophos technician analyzing, pulling log files, installing test servers, and so on. The whole thing dragged on for several months.

In the end, I was told that this no longer worked by design and that Sophos would not implement this feature for Windows Server 2012 R2 any more. The reason given was that mainstream support for Windows Server 2012 R2 had expired. Matthias sums up his experience as follows:

So the manufacturer Sophos is shutting down a feature that is elementary for terminal servers without informing the end customer, let alone its own support staff. Even the Sophos technicians and support engineers had not been informed; they analyzed, debugged and inspected log files because they took it for a bug.

Only now, after several months, did the information arrive that this was intended behaviour and that it had been decided to no longer support user authentication via Security Heartbeat on Windows Server 2012 R2.

SSL offloading on the new Sophos XGS firewalls now useless

In addition, Matthias notes that his company bought two new Sophos XGS firewalls last year at considerable expense, because only this new generation supports SSL offloading, which according to Sophos should bring a significant performance gain in SSL inspection. The user notes:

Since we now have to switch to a workaround because of the no longer supported scenario, we can no longer use this advertised killer feature either, i.e. we currently get no benefit at all from the investment in the new hardware.

Perhaps this information is of interest to other users in this environment; in any case, thanks to Matthias for the tip. I have already pointed out in other blog posts that Sophos's support is not exemplary; see the post Sophos fails with timely malware sample analysis, support contact options miserable from September 2021.


This entry was posted in Security, Software, Windows.
