
Sophos Update Cache Selection

Hello,

We've just started the migration from Sophos Enterprise Console to Sophos Central and I just have a quick query regarding the use of Update Cache servers.

tl;dr version: is it possible to manually select a server to be used by endpoints, as was the case with SEC?

I've seen a couple of posts here with similar questions, but am hoping to clarify a couple of points fully here. We have 4 sites across our organisation, one being the main head office where the majority of our users and machines are located, and the other three being remote sites in locations with very restricted bandwidth and a small handful of users/computers. One of these is on a satellite connection, so bandwidth is at a premium.

Network-wise, our main head office is split into various subnets. For user PCs (as an example, not the real config here), we have a range similar to the following:

192.168.10.0/24
192.168.11.0/24
192.168.12.0/24
...and so on...

For the servers, we have:

192.168.100.0/24
192.168.101.0/24
...and so on

This is all fine, with our router handling all the traffic between subnets.

However, for the regional sites we have a VPN link allowing them to access resources at our main office. The VPN subnets are as follows:

192.168.1.0/24
192.168.2.0/24
192.168.3.0/24

So far so good, and up until now everything has been working as expected. With our Enterprise Console setup, we'd just set up a Sophos Update Manager at each of these sites with an updating policy configured so that all the client machines could update from them. However, with Sophos Update Cache in Central, we now have client PCs at our head office realising they're numerically closer to the remote sites and attempting to update from them! For some reason, some of our servers are attempting to do so too, even though an Update Cache has been set up at the main office. Obviously, with a satellite connection at one of the remote sites, this is not ideal and defeats the whole point of trying to control bandwidth.

One approach would be to set up firewall rules across all of our VPN tunnels to block port 8191, but this seems like an administrative overhead I'd rather avoid if possible. It does seem a bit of a clunky workaround too. What I'm ideally looking for is an updating policy that I can apply to groups of machines saying "Always update from server xxxxx (directly from Sophos if unavailable)", pretty much as was the case in SEC, but this doesn't appear to be an option in Central.

I've had a look around knowledge base articles and some posts here, but I'm still hoping I'm just missing something and that this is possible without firewall rules.

If not, does anyone have any better workarounds that have suited them?

Many thanks
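As an added example, not from the post or from Sophos: an audit script that builds a site-to-subnet map from the illustrative ranges above and flags endpoints that pull updates over TCP 8191 from a cache at a different site, which is the cross-VPN traffic the poster wants to detect and stop. The site names, the `SRC=... DST=... DPT=...` log format and the sample log lines are constructed for the example.

```python
import ipaddress

# Site-to-subnet map, constructed from the illustrative ranges in the post.
# "HQ" covers the head-office user and server subnets; 192.168.1-3.0/24 are the
# VPN subnets of the three remote sites (site names are assumed).
SITE_SUBNETS = {
    "HQ": ["192.168.10.0/24", "192.168.11.0/24", "192.168.12.0/24",
           "192.168.100.0/24", "192.168.101.0/24"],
    "Remote-A": ["192.168.1.0/24"],
    "Remote-B": ["192.168.2.0/24"],   # assumed: the satellite-linked site
    "Remote-C": ["192.168.3.0/24"],
}
UPDATE_CACHE_PORT = 8191  # port used by the Sophos Update Cache (from the post)

# Parse the CIDRs once into a list of (network, site) pairs.
_NETWORKS = [(ipaddress.ip_network(cidr), site)
             for site, cidrs in SITE_SUBNETS.items() for cidr in cidrs]

def site_of(ip: str) -> str:
    """Return the site whose subnet contains ip, or 'unknown'."""
    addr = ipaddress.ip_address(ip)
    for net, site in _NETWORKS:
        if addr in net:
            return site
    return "unknown"

def find_cross_site_cache_flows(log_lines):
    """Parse constructed firewall-style lines 'SRC=<ip> DST=<ip> DPT=<port>' and
    return (src, src_site, dst, dst_site) for update flows that cross sites."""
    offenders = []
    for line in log_lines:
        fields = dict(tok.split("=", 1) for tok in line.split() if "=" in tok)
        if fields.get("DPT") != str(UPDATE_CACHE_PORT):
            continue  # not update-cache traffic
        src_site, dst_site = site_of(fields["SRC"]), site_of(fields["DST"])
        if src_site != dst_site:
            offenders.append((fields["SRC"], src_site, fields["DST"], dst_site))
    return offenders

# Constructed sample log (not real traffic): an HQ PC and an HQ server reaching
# remote-site caches over the VPN, one correct local update, and unrelated HTTPS.
SAMPLE_LOG = [
    "SRC=192.168.10.25 DST=192.168.2.10 DPT=8191",
    "SRC=192.168.100.7 DST=192.168.1.10 DPT=8191",
    "SRC=192.168.11.40 DST=192.168.100.50 DPT=8191",
    "SRC=192.168.10.25 DST=192.168.100.50 DPT=443",
]

if __name__ == "__main__":
    for src, s_site, dst, d_site in find_cross_site_cache_flows(SAMPLE_LOG):
        print(f"{src} ({s_site}) is updating from cache {dst} ({d_site})")
```

Feeding real firewall or NetFlow records for port 8191 through the same check gives the list of machines to move into a separate group or to cover with a tunnel rule, rather than blocking blindly across every VPN.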



This thread was automatically locked due to age.