We recently commenced the migration of a customer from Sophos Enterprise Console to Sophos Central, and encountered some challenges that slowed down the initial deployment.
Our customer has a reasonably well secured environment, and has both a good quality enterprise firewall (Check Point), as well as a good quality enterprise web proxy solution.
The problem is that current versions of the Sophos Central agent do not support either deployment or ongoing management communications via a configurable proxy. This meant that we had to, somehow, configure the firewall to permit the required traffic. Since the firewall did not have its Web and Application awareness capability turned on (because everything uses the proxy), we had to find a way to allow the required management communications through the firewall.
When a vendor supplies a wildcard such as *.sophos.com (among others), that is not something you can put in a DNS/FQDN object in the firewall and expect to work, since a wildcard cannot be resolved with a DNS query.
One of the challenges we encountered with the Check Point firewall, in particular, is that it doesn't directly support objects with forward DNS resolution, like many other firewalls do. Before you go looking, Domain Objects are not the answer (they do a reverse lookup on every destination IP that is assessed by the rule, which causes a performance hit, and the reverse lookup returns an AWS hostname rather than the Sophos one). One of our engineers built a lab, and tried a number of different ways to make this work with the Sophos Central management URLs, but ran into numerous dead ends. Finally he had the brilliant idea of using Check Point's Dynamic Objects functionality.
I'd seen Dynamic Objects in the configuration previously, but never really looked into how they work. Basically you can just create a Dynamic Object in SmartDashboard, and then use the "dynamic_objects" command on each gateway to locally define what that object resolves to. In this case we used dig to resolve the management host addresses, and added these to the dynamic object.
Our engineer posted the solution to the Check Point Check Mates community:
Pre-R80.10 dynamic objects from DNS A record lists.. one liner examples
When this was initially configured, it worked, but a couple of installs later there were more connection issues. After some further investigation, we have so far found the following three management hostnames used by Sophos Central agents:
dzr-mcs-amzn-us-west-2-fa88.upe.p.hmr.sophos.com
dzr-mcs-amzn-eu-west-1-9af7.upe.p.hmr.sophos.com
dzr-mcs-amzn-us-east-1-h0m3.upe.p.hmr.sophos.com
So far we have not been able to find any more, but suspect that there may be one more for the Germany (eu-central-1) AWS region, which we have not yet encountered.
The customer has configured a script that is executed every 10 minutes via cron to clear and re-populate the dynamic object on each gateway, based on the above host names. So far, so good.
The hostname that a specific endpoint is communicating with, from the above list, can be found in the client's diagnostics.
Open the Sophos Client on the endpoint, click the small "About" link in the bottom right of the window, and click the "Run Diagnostic Tool" button. This opens a new window and collects some of the basic diagnostics data. Click on the "Management Communication" tab. You can also find it in the C:\ProgramData\Sophos\Management Communications System\Endpoint\Config\Config.xml file.
You should find that the hostname part of the "Server" value is one of the three listed above. If not, please reply to this post, and add it in a comment. I know this list will grow/change over time.
A similar solution can also be applied to the following firewalls:
- Juniper SSG
- Juniper SRX
- Cisco ASA (8.4 or later, but not 8.5(1))
- FortiGate firewalls
On the above firewall technologies these are referred to as DNS or FQDN objects, and will use periodic DNS queries to update the objects. You will need to create an FQDN object for each of the hosts listed above, and then use these in the firewall.
Hopefully this post will help others attempting to migrate or deploy Sophos Central with agents sitting behind a firewall like those mentioned above. If so, give it a thumbs up.
Regards,
JohnB
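As an added example that is not part of the original post (and not Check Point's or Sophos's own code), here is the kind of refresh script the cron job described above would run on each gateway. It assumes the dynamic object was created in SmartDashboard as DYN_SOPHOS_MCS, that dig and dynamic_objects are on the gateway's PATH, and that dynamic_objects accepts the "-do <obj>", "-n <obj>" and "-o <obj> -r <from> <to> -a" forms; check those against the CLI guide for your release. It goes slightly beyond the post in two places: it discards CNAME targets that dig +short can print alongside the A records, and it refuses to touch the object when DNS returns nothing, so a transient resolver failure cannot cut every agent off from Sophos Central.

```shell
#!/bin/sh
# Added example, not code from the original post or from Check Point/Sophos:
# refresh a Check Point dynamic object from the A records of the Sophos Central
# MCS hostnames listed in the post. Assumptions not stated on the page: the
# object exists as DYN_SOPHOS_MCS, dig and dynamic_objects are on PATH, and
# dynamic_objects accepts "-do <obj>", "-n <obj>" and "-o <obj> -r <from> <to> -a".

DYN_OBJ="${DYN_OBJ:-DYN_SOPHOS_MCS}"
MCS_HOSTS="dzr-mcs-amzn-us-west-2-fa88.upe.p.hmr.sophos.com
dzr-mcs-amzn-eu-west-1-9af7.upe.p.hmr.sophos.com
dzr-mcs-amzn-us-east-1-h0m3.upe.p.hmr.sophos.com"

# Keep only well-formed IPv4 answers, de-duplicated. "dig +short" also prints
# CNAME targets when a name is an alias, and those must never reach
# dynamic_objects.
filter_ipv4() {
    grep -E '^([0-9]{1,3}\.){3}[0-9]{1,3}$' | sort -u
}

# Resolve every hostname in $1 (whitespace/newline separated); prints one
# unique IPv4 per line.
resolve_hosts() {
    for h in $1; do
        dig +short +time=2 +tries=1 A "$h"
    done | filter_ipv4
}

# Render the gateway commands that clear and repopulate the object: delete it,
# recreate it empty, then add one /32 range per address. Pure text, so the
# change can be reviewed or logged before it is applied.
# Usage: render_update <object> "<ip> <ip> ..."
render_update() {
    obj="$1"
    printf 'dynamic_objects -do %s\n' "$obj"
    printf 'dynamic_objects -n %s\n' "$obj"
    for ip in $2; do
        printf 'dynamic_objects -o %s -r %s %s -a\n' "$obj" "$ip" "$ip"
    done
}

# Apply the update, but only when DNS actually returned addresses: a resolver
# hiccup must not wipe the object and block every agent until the next run.
refresh_dynamic_object() {
    ips=$(resolve_hosts "$MCS_HOSTS" | tr '\n' ' ')
    case "$ips" in
        *[0-9]*) ;;
        *) echo "no A records resolved; leaving $DYN_OBJ untouched" >&2; return 1 ;;
    esac
    render_update "$DYN_OBJ" "$ips" | sh -e
}

# Cron entry on each gateway, every 10 minutes as in the post:
#   */10 * * * * /home/admin/refresh_sophos_dynobj.sh
# The refresh only runs when the script is executed under that name;
# sourcing the file just loads the functions.
case "${0##*/}" in
    refresh_sophos_dynobj.sh) refresh_dynamic_object ;;
esac
```

To see what a run would change without applying it, source the file and call `render_update "$DYN_OBJ" "$(resolve_hosts "$MCS_HOSTS" | tr '\n' ' ')"`; the printed commands are exactly what gets piped to sh. Because dynamic objects are defined per gateway, the script has to be installed on every cluster member, and the hostname list is the one place to update when a new MCS host turns up in an endpoint's Config.xml.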