STAS is broken by Windows remote desktop
We stumbled across a bug in Sophos Transparent Authentication Suite (STAS) running on a Windows domain controller which is used to resolve user identification and permissions. When you open a remote desktop session to another Windows computer on the LAN, your machine's IP address becomes associated with the login credentials you used for the remote session instead of your own credentials. From that point on the firewall believes all traffic from your PC is coming from that user instead of you. Closing the remote session will not fix it. Only logging back in to your machine will get your IP back to being associated with your user.
Rules and Permissions are affected because they now match on an incorrect username. Activity logging is affected as well for the same reason. Support said they won't treat it as a bug and said to suggest it as a feature request. So I guess the feature request would be to fix the method of identifying users, or come up with a new one, so remote desktop does not break it.
And if anyone wants to check this out, if you use Sophos STAS on your domain controller, open it and go to Advanced->Live Users and find your IP address. The username associated with it will be the username you used in the last remote desktop session you opened from your machine. Open another remote session and you will see the username associated with your IP address has again changed to that of this latest remote session. (Locking and unlocking your PC will correct it until the next remote desktop session.)
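The mechanism described in the post can be reproduced with a small model. The following is an added example, not Sophos or STAS code: it assumes that an identity collector on the domain controller reads successful logon events (Windows event 4624) and binds the event's source IP address to the account that logged on. For an RDP logon (logon type 10) the source address is the client machine, so a naive rule re-labels the client's IP with the remote session's account, exactly the symptom above. The hardened rule skips type-10 events, and a third function flags the relabeling so it can be watched for in the logs. All host names, accounts and addresses are constructed.

```python
# Added example, not Sophos/STAS code: a model of an IP-to-user collector and
# why an RDP logon from a workstation can re-label that workstation's address.
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Windows logon types as recorded in event 4624 (assumed to be the collector's input).
INTERACTIVE = 2          # console logon at the workstation
UNLOCK = 7               # workstation unlock
REMOTE_INTERACTIVE = 10  # RDP / Terminal Services logon


@dataclass(frozen=True)
class LogonEvent:
    account: str       # account that authenticated
    source_ip: str     # address the logon came from (the RDP *client* for type 10)
    logon_type: int
    target_host: str   # host that accepted the logon


def naive_map(events: List[LogonEvent]) -> Dict[str, str]:
    """Assumed collector behaviour: every successful logon re-binds source_ip
    to the account, regardless of logon type. This reproduces the symptom."""
    mapping: Dict[str, str] = {}
    for ev in events:
        mapping[ev.source_ip] = ev.account
    return mapping


def hardened_map(events: List[LogonEvent]) -> Dict[str, str]:
    """Skip RemoteInteractive logons: for type 10 the source address is the RDP
    client, whose own user has not changed, so the event says nothing about
    who is sitting at that IP."""
    mapping: Dict[str, str] = {}
    for ev in events:
        if ev.logon_type == REMOTE_INTERACTIVE:
            continue
        mapping[ev.source_ip] = ev.account
    return mapping


def rdp_relabels(events: List[LogonEvent]) -> List[Tuple[str, str, str]]:
    """Detection helper: (ip, previous_user, new_user) for every type-10 logon
    that would change an already-known IP's identity under the naive rule."""
    mapping: Dict[str, str] = {}
    hits: List[Tuple[str, str, str]] = []
    for ev in events:
        prev = mapping.get(ev.source_ip)
        if ev.logon_type == REMOTE_INTERACTIVE and prev and prev != ev.account:
            hits.append((ev.source_ip, prev, ev.account))
        mapping[ev.source_ip] = ev.account
    return hits


# Constructed sample events (hosts, accounts and addresses are made up).
SAMPLE_EVENTS = [
    LogonEvent("alice", "10.0.0.5", INTERACTIVE, "PC-ALICE"),
    LogonEvent("bob", "10.0.0.6", INTERACTIVE, "PC-BOB"),
    # alice opens an RDP session to a server using a different account
    LogonEvent("svc_admin", "10.0.0.5", REMOTE_INTERACTIVE, "SRV-FILES"),
    # alice locks and unlocks her PC afterwards, which re-binds her address
    LogonEvent("alice", "10.0.0.5", UNLOCK, "PC-ALICE"),
]

if __name__ == "__main__":
    after_rdp = SAMPLE_EVENTS[:3]
    print("naive, after RDP:    ", naive_map(after_rdp))
    print("hardened, after RDP: ", hardened_map(after_rdp))
    print("naive, after unlock: ", naive_map(SAMPLE_EVENTS))
    print("relabel events:      ", rdp_relabels(SAMPLE_EVENTS))
```

Running the block shows 10.0.0.5 bound to svc_admin after the RDP logon under the naive rule and to alice under the hardened one; the unlock event (type 7) restores alice in the naive model too, which matches the lock/unlock workaround noted in the post. Closing the RDP session produces no new logon event, so nothing in the model corrects the mapping, again consistent with what is described.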