Windows Firewall Rules

Hi all,

I'm wanting to really lock down my Windows firewall rules. On endpoints that are running Sophos Endpoint Security & Control 9.5, I have the following rules (it is the same for both inbound & outbound):

  • NAME - SOPHOS - RouterNT
  • ACTION - Allow the connection
  • PROGRAM - %ProgramFiles% (x86)\Sophos\Remote Management System\RouterNT.exe
  • SERVICES - Apply to all programs and services
  • PROTOCOLS & PORTS - Protocol Type - Any
  • SCOPE - Local IP Address - Any IP Address; Remote IP Address - Any IP Address
  • ADVANCED - PROFILES - Domain

  1. I want to harden the rules, so what is recommended?
  2. Is this rule only needed for outbound and not inbound rules (or vice versa)?
  3. Should I specify Local IP Address as the endpoint and the Remote IP Address as the Sophos server?
  4. Can I restrict the protocols to TCP on local & remote ports 8192-8194 (or other)?
  5. Should I specify the Sophos server in Authorized Computers rather than in the Scope?

Many questions and I'm sure more will arise, so thanks in advance to any that reply.
  • The configuration will depend on what modules you are using within Sophos. Are you just referring to endpoint hosts or also SUMs?

    The following table shows which ports are used, based on the function.

    Product                     | Ports                                        | Notes
    ----------------------------|----------------------------------------------|------------------------------------------------------------
    Client Firewall             | 135, 1723, 1024-65535                        | Port used by Remote Procedure Call (RPC) port mapper is 135. Default setting for PPTP Control Connection: remote port is 1723 and the local port is 1024-65535.
    EM Library                  | 80, 8080 (proxy)                             | EM Library uses HTTP port 80 for connections to an HTTP databank/parent, and the NetBIOS ports for connections to a UNC databank/parent.
    Sophos Update Manager (SUM) | 80, 8080 (proxy), 51234                      | SUM uses HTTP port 80 for connections to an HTTP warehouse, and the NetBIOS ports for connections to a UNC warehouse. Port 51234 is used for inter-process communication only; outgoing/incoming connections will not occur on this port.
    Email Appliance             | 3268, 389                                    | Active Directory port: the port number of the server used for Active Directory lookups. If the Active Directory global catalog (GC) is used, the port is 3268. Otherwise, the default port is 389.
    Enterprise Console          | 8192, 8193, 8194                             | Windows Firewall ports to allow Sophos to communicate. Port numbers should be 8192 on TCP (Sophos1), 8193 (Sophos2) and 8194 (Sophos3).
    Enterprise Manager          | 137, 138, 139, 445                           | Enterprise Manager uses the standard protocols/ports required by NetBIOS when updating CIDs. These are TCP & UDP 137, 138, 139.
    ES1000                      | 18080                                        | Port 80 is used for user access whilst port 18080 is used for administrator access.
    Mail Monitor for SMTP       | 25                                           | To receive external mail the default value is 25 on all interfaces. The SMTP server then needs to be configured to listen on a different port. This could be any port that is not in use by another application (e.g. port 24, which is reserved for any private email system).
    PureMessage for Exchange    | 8081                                         | Quarantine port is 8081.
    PureMessage for UNIX        | 5432, 5433                                   | Default is 5432. When dumping and restoring the PostgreSQL database, the port is temporarily changed to 5433.
    Remote EM Library           | 135                                          | If you want to run Windows Firewall you need to exclude port TCP 135.
    RMS                         | 8192, 8193, 8194                             | To allow RMS to communicate through the Windows firewall.
    Sophos Anti-Virus           | 80, 137, 138, 139, 445, 8192, 8193, 8194     | 80: HTML; 137: NetBios name service; 138: NetBios session service; 139: Datagram service. Ensure that TCP ports 8192, 8193 and 8194 are added as exceptions to the Windows Firewall.

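The following is an added example, not code from the thread or from Sophos: it expresses the tightened version of the "SOPHOS - RouterNT" rules from the question (program, TCP only, the RMS ports 8192-8194 listed in the reply's table, remote address limited to the management server, Domain profile) as Windows Firewall rules created with the NetSecurity PowerShell cmdlets, and then reads the stored filters back so the result can be checked. The server address `192.0.2.10` is a placeholder, the literal program path is assumed from the `%ProgramFiles% (x86)\...` form shown in the question, and creating both an inbound and an outbound rule mirrors the question's current setup rather than answering which direction is actually required.

```powershell
# Added example (not from the thread): hardened Windows Firewall rules for RouterNT.exe.
# Assumptions / placeholders:
#   $SophosServer - IP address of the Sophos management (Enterprise Console / RMS) server
#   $RouterExe    - literal path behind the "%ProgramFiles% (x86)\..." entry in the question
# Requires an elevated session and the NetSecurity module (Windows 8 / Server 2012 or later).

$SophosServer = '192.0.2.10'                                                    # placeholder
$RouterExe    = 'C:\Program Files (x86)\Sophos\Remote Management System\RouterNT.exe'  # assumed
$RmsPorts     = @('8192', '8193', '8194')   # TCP ports for RMS from the reply's table
$RuleGroup    = 'Sophos RMS (hardened)'      # group name so the rules can be found again

function New-RmsRule {
    param(
        [Parameter(Mandatory)][ValidateSet('Inbound', 'Outbound')][string]$Direction
    )
    $name = "SOPHOS - RouterNT ($Direction, TCP 8192-8194, $SophosServer)"

    # Remove an earlier copy of the same rule so the script can be re-run safely.
    Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue | Remove-NetFirewallRule

    $params = @{
        DisplayName   = $name
        Group         = $RuleGroup
        Direction     = $Direction
        Action        = 'Allow'
        Program       = $RouterExe       # only this executable may use the rule
        Protocol      = 'TCP'            # instead of "Protocol Type - Any"
        Profile       = 'Domain'         # as in the question's rule
        RemoteAddress = $SophosServer    # the Scope tab's "Remote IP Address"
        Enabled       = 'True'
    }
    # Outbound: the RMS ports are on the remote (server) side.
    # Inbound:  the RMS ports are the local ports the endpoint listens on.
    if ($Direction -eq 'Outbound') { $params.RemotePort = $RmsPorts } else { $params.LocalPort = $RmsPorts }

    New-NetFirewallRule @params
}

function Show-RmsRuleScope {
    # Read back what the firewall stored: program, protocol, ports and remote address,
    # so the narrowed scope can be verified rather than assumed.
    Get-NetFirewallRule -Group $RuleGroup | ForEach-Object {
        $rule = $_
        $port = $rule | Get-NetFirewallPortFilter
        [pscustomobject]@{
            Rule          = $rule.DisplayName
            Direction     = $rule.Direction
            Program       = ($rule | Get-NetFirewallApplicationFilter).Program
            Protocol      = $port.Protocol
            LocalPort     = ($port.LocalPort -join ',')
            RemotePort    = ($port.RemotePort -join ',')
            RemoteAddress = (($rule | Get-NetFirewallAddressFilter).RemoteAddress -join ',')
        }
    } | Format-Table -AutoSize
}

New-RmsRule -Direction Outbound
New-RmsRule -Direction Inbound
Show-RmsRuleScope
```

`New-NetFirewallRule` accepts `-WhatIf`, so the two `New-RmsRule` calls can be dry-run first. The `-RemoteAddress` parameter is what the GUI's Scope tab stores; the "Authorized computers" option asked about in question 5 is a different mechanism that only takes effect when the connection is authenticated by an IPsec connection security rule, so it is not shown here.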