Windows Firewall Rules

Hi all,

I'm wanting to really lock down on my Windows firewall rules.  On endpoints that are running Sophos Endpoint Security & Control 9.5, I have the following rules (it is the same for both inbound & outbound):

  • NAME - SOPHOS - RouterNT
  • ACTION - Allow the connection
  • PROGRAM - %ProgramFiles% (x86)\Sophos\Remote Management System\RouterNT.exe
  • SERVICES - Apply to all programs and services
  • PROTOCOLS & PORTS - Protocol Type - Any
  • SCOPE - Local IP Address - Any IP Address  Remote IP Address - Any IP Address
  • ADVANCED PROFILES - Domain

  1. I want to harden the rules so what is recommended?
  2. Is this rule only needed for outbound and not inbound rules (or vice versa)?
  3. Should I specify Local IP Address as the endpoint and the Remote IP Address as the Sophos server?
  4. Can I restrict the protocols to TCP on local & remote ports 8192-8194 (or other)?
  5. Should I specify the Sophos server in Authorized Computers rather than in the Scope?
Many questions and I'm sure more will arise, so thanks in advance to any that reply.
  • The configuration will depend on which modules you are using within Sophos. Are you just referring to endpoint hosts or also SUMs?

    The following table shows which ports are used based on the function.

    Component: Client Firewall
    Notes: Port used by Remote Procedure Call (RPC) port mapper is 135. Default setting for PPTP Control Connection: remote port is 1723 and the local port is 1024-65535.
    Ports: 135, 1723, 1024-65535

    Component: EM Library
    Notes: EM Library uses HTTP port 80 for connections to an HTTP databank/parent, and the NetBIOS ports for connections to a UNC databank/parent.
    Ports: 80, 8080 (proxy)

    Component: Sophos Update Manager (SUM)
    Notes: SUM uses HTTP port 80 for connections to an HTTP warehouse, and the NetBIOS ports for connections to a UNC warehouse. Port 51234 is used for inter-process communication only; outgoing/incoming connections will not occur on this port.
    Ports: 80, 8080 (proxy), 51234

    Component: Email Appliance
    Notes: Active Directory port: the port number of the server used for Active Directory lookups. If the Active Directory global catalog (GC) is used, the port is 3268. Otherwise, the default port is 389.
    Ports: 3268, 389

    Component: Enterprise Console
    Notes: Windows Firewall ports to allow Sophos to communicate. Port numbers should be 8192 on TCP (Sophos1), 8193 (Sophos2) and 8194 (Sophos3).
    Ports: 8192, 8193, 8194

    Component: Enterprise Manager
    Notes: Enterprise Manager uses the standard protocols/ports required by NetBIOS when updating CIDs. These are TCP & UDP 137, 138, 139.
    Ports: 137, 138, 139, 445

    Component: ES1000
    Notes: Port 80 is used for user access whilst port 18080 is used for administrator access.
    Ports: 18080

    Component: Mail Monitor for SMTP
    Notes: To receive external mail the default value is 25 on all interfaces. The SMTP server then needs to be configured to listen on a different port. This could be any port that is not in use by another application (e.g. port 24, which is reserved for any private email system).
    Ports: 25

    Component: PureMessage for Exchange
    Notes: Quarantine port is 8081.
    Ports: 8081

    Component: PureMessage for UNIX
    Notes: Default is 5432. When dumping and restoring the PostgreSQL database, the port is temporarily changed to 5433.
    Ports: 5432, 5433

    Component: Remote EM Library
    Notes: If you want to run Windows Firewall you need to exclude port TCP 135.
    Ports: 135

    Component: RMS
    Notes: To allow RMS to communicate through the Windows firewall.
    Ports: 8192, 8193, 8194

    Component: Sophos Anti-Virus
    Notes: 80: HTML; 137: NetBios name service; 138: NetBios session service; 139: Datagram service. Ensure that TCP Ports 8192, 8193 and 8194 are added as exceptions to the Windows Firewall.
    Ports: 80, 137, 138, 139, 445, 8192, 8193, 8194
  • Hi Azurus,

    I've managed to find that list from the knowledgebase too.  I was actually wanting to know about restricting the Windows firewall rule for RouterNT.exe.

    Comments anyone?

  • Is the host(s) reporting to a SUM or directly to the Enterprise Console server? It seems to me that you have already kind of answered your own questions in a way. Not much else you could do to lock down the ruleset.

    These rules above do apply to Windows Firewall settings. These are the ports that RouterNT.exe will use.

    1. I want to harden the rules so what is recommended?

    Lock down the rule by explicit assignment of the destination IP.

    2. Is this rule only needed for outbound and not inbound rules (or vice versa)?

    I believe the 8192 - 8194 ports are used for inbound and outbound.

    3. Should I specify Local IP Address as the endpoint and the Remote IP Address as the Sophos server?

    Could just use LOCALHOST and, yes, the Sophos server as the destination.

    4. Can I restrict the protocols to TCP on local & remote ports 8192-8194 (or other)?

    Yes you can. Sophos does not use the UDP protocol for these ports.

    5. Should I specify the Sophos server in Authorized Computers rather than in the Scope?

    Either or both.

  • I would have PM'd you, Azurus, but you have it off. Great post, but the links to the articles should be absolute

    Thanks

    Christian

  • With regards to RouterNT.exe: the Sophos firewall will automatically allow this process.  For non-Sophos firewalls the following rules are required:

    RouterNT.exe on the SEC Server
    INCOMING
    TCP
    Ports 8192 and 8194

    RouterNT.exe on a message relay

    INCOMING 
    TCP
    Ports 8192 and 8194

    RouterNT.exe on a client machine
    INCOMING
    TCP
    Port 8194

    The "client" router will operate without allowing any incoming ports as long as it can connect to the parent router on ports 8192 and 8194.  In this mode the server will not be able to send messages to the client machine. In this scenario the system will rely on the client router checking for messages (polling).  By default this is every 15 minutes.  So to ensure you can send action messages and configurations immediately you will need to open port 8194 on the client.

    Note: The local agents that log on to the router, e.g. the ManagementAgentNT.exe process, will connect locally to ports 8192 and 8194.  On the server this will also include mgntsvc.exe, the certification manager service and the EMLibupdate agent.

    Regards,
    Jak

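    As an added example that is not part of this thread or of Sophos's own documentation, the PowerShell script below creates the per-role RouterNT.exe rules Jak lists above and applies the scoping advice given earlier in the thread: TCP only, ports 8192 and 8194, the remote address pinned to the parent router, Domain profile only. It assumes the NetSecurity cmdlets (Windows 8 / Server 2012 or later) and an elevated shell; the parent router address, the rule names and the RouterNT.exe path are placeholders to replace with your own values.

```powershell
# Added example, not from the thread or from Sophos: create hardened Windows Firewall
# rules for RouterNT.exe according to the machine's RMS role.
# Assumes the NetSecurity cmdlets (Windows 8 / Server 2012 or later) and an elevated shell.
# $ParentRouter and $RouterPath are placeholders to replace with your own values.
param(
    [Parameter(Mandatory)]
    [ValidateSet('Server', 'Relay', 'Client')]
    [string]$Role,

    # Parent router this machine connects up to (the SEC server for a client or relay). Placeholder.
    [string]$ParentRouter = '192.0.2.10',

    # Path of the RMS router binary; matches the path quoted in the original question.
    [string]$RouterPath = "${env:ProgramFiles(x86)}\Sophos\Remote Management System\RouterNT.exe",

    # The question's rule applied to the Domain profile only; keep that default.
    [string]$FwProfile = 'Domain'
)

# Inbound TCP ports per role, as listed in the post above: server and relay accept
# 8192 and 8194 from child routers; a client only needs 8194, and only so the server
# can push messages instead of the client waiting for its next poll.
$inboundPorts = switch ($Role) {
    'Server' { @('8192', '8194') }
    'Relay'  { @('8192', '8194') }
    'Client' { @('8194') }
}

# Remove any earlier copies so re-running never leaves a stale, broader rule behind.
Get-NetFirewallRule -DisplayName 'SOPHOS - RouterNT*' -ErrorAction SilentlyContinue |
    Remove-NetFirewallRule

# A server or relay must accept connections from every child router, so its inbound
# remote address stays Any; a client only ever hears from its parent, so pin it.
$inboundRemote = if ($Role -eq 'Client') { $ParentRouter } else { 'Any' }

New-NetFirewallRule -DisplayName "SOPHOS - RouterNT inbound ($Role)" `
    -Direction Inbound -Action Allow -Profile $FwProfile `
    -Program $RouterPath -Protocol TCP -LocalPort $inboundPorts `
    -RemoteAddress $inboundRemote | Out-Null

# Clients and relays connect up to the parent on TCP 8192 and 8194 only; the SEC
# server has no parent, so it gets no outbound RMS rule here.
if ($Role -ne 'Server') {
    New-NetFirewallRule -DisplayName "SOPHOS - RouterNT outbound ($Role)" `
        -Direction Outbound -Action Allow -Profile $FwProfile `
        -Program $RouterPath -Protocol TCP -RemotePort @('8192', '8194') `
        -RemoteAddress $ParentRouter | Out-Null
}

# Print the resulting rules so they can be checked against the port list in the post.
Get-NetFirewallRule -DisplayName 'SOPHOS - RouterNT*' | ForEach-Object {
    $port = $_ | Get-NetFirewallPortFilter
    $addr = $_ | Get-NetFirewallAddressFilter
    $row = @($_.DisplayName, $_.Direction, $port.Protocol,
            ($port.LocalPort -join ','), ($port.RemotePort -join ','), ($addr.RemoteAddress -join ','))
    '{0,-36} {1,-8} {2,-4} local={3,-10} remote={4,-10} remoteaddr={5}' -f $row
}
```

    Save it under any name (for instance Set-SophosRmsRules.ps1, a name chosen here) and run it as `.\Set-SophosRmsRules.ps1 -Role Client -ParentRouter <sec-server>`. Two points worth knowing: an outbound allow rule only changes anything when the profile's default outbound action is Block (the Windows default is Allow), which is also the only case in which the original poster's outbound rule matters; and the client's inbound 8194 rule is optional, since without it the client simply falls back to the 15-minute poll Jak describes.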
  • I am finding out slowly that my co-worker is shutting down the Windows firewall for just about anyone that cannot update the anti-virus.  I have explained to my boss that this is a bad idea and now I am asking you.

    What ports/program do I need to allow through the Windows firewall for Sophos to update via a local server?

    Any and all assistance is appreciated.

    Thank you

    Dave-Kilborn

    Pacific Crest Securities Administrator

  • The post above yours by Jak explains the answer to your question about as best as it could be answered.


  • Dave-Kilborn wrote:

    What ports/program do I need to allow through the Windows firewall for sophos to update via a local server?


    For updating, 'File and Printer Sharing' has to be enabled.  Ports: TCP 445, UDP 137, UDP 138 and UDP 139.

    Jak's answer is regarding allowing the Remote Management System (RMS) component through a firewall - so you can manage (control) the client from the console.

    For more details on deploying, managing, and allowing updating of endpoint software please see:

    How to configure a GPO to ensure that you can protect and manage computers with endpoint software

    or

    How to locally configure computers to ensure that you can protect and manage computers with endpoint software centrally

  • The absolute minimum number of ports required to open for both RMS and updating to work from SEC server to client would be:

    Updating:

    Create a web CID, rather than a UNC share for the client to update from. This way on the server you just open one INCOMING TCP port, e.g. 80.

    RMS:

    TCP 8192 INCOMING on the management server.

    TCP 8194 INCOMING on the management server.

    In theory on the client you don't have to open any incoming ports and it would still work.


    On the client, the RouterNT.exe process would need to connect to the server on the above TCP ports, i.e. 8192 and 8194.
    On the client, the alupdate.exe process would need to connect to the web server on TCP 80 for example.
    Both these files are allowed through the Sophos Client Firewall due to the SCF.dat files in the same directories.

    I would still advise where possible to open INCOMING 8194 on the client to ensure that the server RouterNT.exe can send downstream messages to the client RouterNT.exe in a timely fashion.  As I said before, if you don't, server to client message delivery will be delayed by up to 15 minutes by default.

    Regards,

    Jak 
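    As an added example that is not part of this thread or of Sophos's documentation, the PowerShell audit below compares the enabled Windows Firewall rules bound to RouterNT.exe and alupdate.exe on a client against the minimal set Jak describes above (RouterNT.exe outbound TCP 8192 and 8194 to the parent router, optionally inbound TCP 8194, and alupdate.exe outbound TCP 80 to a web CID) and reports every way a rule is broader than that. The baseline table is constructed from the thread, so change the alupdate.exe entry if your web CID listens on another port; the script assumes the NetSecurity cmdlets (Windows 8 / Server 2012 or later).

```powershell
# Added example, not from the thread or from Sophos: audit Windows Firewall rules for the
# two Sophos client processes against the minimal port set described in the thread.
# Baseline values are constructed from the thread; adjust them to your environment.
$Baseline = @{
    'routernt.exe' = @{
        Outbound = @{ Protocol = 'TCP'; RemotePort = @('8192', '8194') }
        Inbound  = @{ Protocol = 'TCP'; LocalPort  = @('8194') }
    }
    'alupdate.exe' = @{
        Outbound = @{ Protocol = 'TCP'; RemotePort = @('80') }
    }
}

function Test-SophosFirewallRule {
    # Emits one finding string per deviation for a single rule; emits nothing when the
    # rule is within baseline or does not belong to a process in the baseline table.
    param([Parameter(Mandatory)] $Rule)

    $app  = $Rule | Get-NetFirewallApplicationFilter
    $port = $Rule | Get-NetFirewallPortFilter
    $addr = $Rule | Get-NetFirewallAddressFilter
    $exe  = ([string]$app.Program).Split('\')[-1].ToLowerInvariant()

    if (-not $Baseline.ContainsKey($exe)) { return }
    if ($Rule.Action -ne 'Allow') { return }   # only allow rules widen exposure

    $expected = $Baseline[$exe][[string]$Rule.Direction]
    $name = $Rule.DisplayName

    if ($null -eq $expected) {
        "$name : $exe has no expected $($Rule.Direction) rule in the baseline; consider removing it"
        return
    }
    if ($port.Protocol -ne $expected.Protocol) {
        "$name : protocol is '$($port.Protocol)', expected $($expected.Protocol)"
    }
    # Compare-Object returns nothing when both port lists are identical. A range such as
    # 8192-8194 is reported as a deviation, which is intended: 8193 is not in the baseline.
    if ($expected.RemotePort -and (Compare-Object $expected.RemotePort @($port.RemotePort))) {
        "$name : remote port is '$($port.RemotePort -join ',')', expected $($expected.RemotePort -join ',')"
    }
    if ($expected.LocalPort -and (Compare-Object $expected.LocalPort @($port.LocalPort))) {
        "$name : local port is '$($port.LocalPort -join ',')', expected $($expected.LocalPort -join ',')"
    }
    # On a client both directions should be pinned to the parent router / update server.
    if (@($addr.RemoteAddress) -contains 'Any') {
        "$name : remote address is Any; scope it to the management or update server"
    }
    if ($Rule.Profile -eq 'Any') {
        "$name : applies to all profiles; the rule in the question is Domain only"
    }
}

# Walk every enabled rule, keep those bound to a Sophos process, and print the findings.
$findings = Get-NetFirewallRule -Enabled True | ForEach-Object { Test-SophosFirewallRule -Rule $_ }
if ($findings) { $findings } else { 'No deviations from the baseline found.' }
```

    Run it from an elevated shell on the endpoint after the rules have been set; an empty result means every RouterNT.exe and alupdate.exe rule is limited to TCP, to the expected ports and to a specific remote address, which is the state the original poster was aiming for. Rules created by other tooling with unexpected names are still checked, because matching is done on the program path rather than the rule name.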