
Is it possible to set up two Enterprise Consoles pointing to just one Sophos Endpoint Server?

Hi Guys,

I just wanted to ask if it's possible to have two Enterprise consoles pointing to just a single Sophos Endpoint Server? 

Here is our current setup. Our Sophos Endpoint Security and Data Protection server is located in London. We have different sub-groups across the different regions. What we want to do is to manage the APAC sub-group via Singapore. The problem is, our link to the London office is quite slow; thus, we need to find a way to manage the APAC sub-group from the Singapore office while streamlining the policies from that of the London site. Is this possible?

Can we set up another site in Singapore and have it connect to the London site as a replication server so that all policies and updates are consistent?

Thanks!

  • Hi,

    You can certainly install multiple Enterprise Consoles, each pointing at a single management server.

    Are you saying that you've tried installing a remote console in Singapore but the bandwidth required by the remote console connecting back to London was too high?

    The options you have are really:

    1. A Sophos Management Server at each site, to keep management traffic contained within the site. Downside being that the administrative overhead would be more and consolidating reports may require you to write your own reports, etc.
    2. A single Sophos Management Server at London, installing just a remote console in Singapore. Possibly using Role Based Administration to partition up the console, so only regional admins see their groups.
    3. A single Sophos Management Server at London, at Singapore install a local SUM and message relay. The local SUM could update from Sophos, removing updating traffic from your internal network. It would go to a local Akamai server, the clients would update locally. The endpoints in the region would all talk to a local message relay that would forward on the client management traffic to the London site. This wouldn't cut down on the amount of data but would cut down on the number of connections. Message relay article: http://www.sophos.com/support/knowledgebase/article/14635.html
    4. On the management server in London, if it's running 2008R2, you could enable the remote desktop services role and then just "publish" EnterpriseConsole.exe. Doing this, the Singapore office could use SEC over HTTP or an RDP session just being able to see SEC.

    You could do a couple of these.  If you are running 2008R2 I would start with number 4 as that would be quite a quick test and I would think should perform well.

    Hope that helps.


    Regards,

    Jak 

  • Thanks for the input jak.

    I'm interested in item #3, however, I would like to ask whether it addresses the concern about policy streamlining. 

    If I would implement item #3 (A single Sophos Management Server at London, at Singapore install a local SUM and message relay), would I still be able to let the Singapore local SUM get all the policies from the London Management Server?  If this is possible, then it would be able to resolve the issue that I'm at. :)

    Cheers Mate!

  • A SUM doesn't manage policies but only CIDs. Policies would be sent from the Management Server through the message relay (which just happens to be on the same machine as the SUM) to the clients.

    Christian

  • Please correct my understanding... the message relay can contain the policies? Pardon my questions for being such a noob.

  • Agreed, much information for a beginner.

    The policies are kept on the management server. A client usually requests the initial policy from the server after installation. In case a message relay is configured, the client sends this request to the relay, which in turn forwards it to the server. The server responds with the policy (policies), which is sent through the relay to the client. The relay does not keep any policy (or other content exchanged between clients and servers) except that it does a store and forward if needed. Thus the traffic is in principle the same with or without a message relay, but there would be only two connections (one down- and one upstream) between server and relay (which reduces the overhead).

    Later a policy will only be sent by the server if it is changed, the client's group is assigned a different policy or the client is moved to a group with a different policy (or you use Comply with ...). Thus no policies travel if there are no changes. The message relay is just that - a message relay. It is not a mirror or satellite.

    Christian
