
Windows Firewall Rules

Hi all,

I want to really lock down my Windows firewall rules.  On endpoints that are running Sophos Endpoint Security & Control 9.5, I have the following rules (it is the same for both inbound & outbound):

  • NAME - SOPHOS - RouterNT
  • ACTION - Allow the connection
  • PROGRAM - %ProgramFiles% (x86)\Sophos\Remote Management System\RouterNT.exe
  • SERVICES - Apply to all programs and services
  • PROTOCOLS & PORTS - Protocol Type - Any
  • SCOPE - Local IP Address - Any IP Address  Remote IP Address - Any IP Address
  • ADVANCED PROFILES - Domain
  1. I want to harden the rules so what is recommended?
  2. Is this rule only needed for outbound and not inbound rules (or vice versa)?
  3. Should I specify Local IP Address as the endpoint and the Remote IP Address as the Sophos server?
  4. Can I restrict the protocols to TCP on local & remote ports 8192-8194 (or other)?
  5. Should I specify the Sophos server in Authorized Computers rather than in the Scope?
Many questions and I'm sure more will arise, so thanks in advance to any that reply.


  • With regards to RouterNT.exe: the Sophos firewall will automatically allow this process.  For non-Sophos firewalls the following rules are required:

    RouterNT.exe on the SEC Server
    INCOMING
    TCP
    Ports 8192 and 8194

    RouterNT.exe on a message relay

    INCOMING 
    TCP
    Ports 8192 and 8194

    RouterNT.exe on a client machine
    INCOMING
    TCP
    Port 8194

    The "client" router will operate without allowing any incoming ports as long as it can connect to the parent router on ports 8192 and 8194.  In this mode the server will not be able to send messages to the client machine.  In this scenario the system will rely on the client router checking for messages (polling).  By default this is every 15 minutes.  So to ensure you can send action messages and configurations immediately, you will need to open port 8194 on the client.

    Note: The local agents that log on to the router, e.g. the ManagementAgentNT.exe process, will connect locally to ports 8192 and 8194.  On the server this will also include mgntsvc.exe, the certification manager service and the EMLibupdate agent.

    Regards,
    Jak

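The client-side rules from the reply above (inbound TCP 8194 from the parent router only, outbound TCP 8192 and 8194 to it), expressed as an added PowerShell example. This is not code from the original thread or from Sophos; the parent router address 10.0.0.5 and the RouterNT.exe install path are assumptions to adjust for your environment, and the rules are scoped to the Domain profile as in the original poster's rule.

```powershell
# Added example: scoped Windows Firewall rules for RouterNT.exe on a managed client.
# Assumptions (not from the original thread): the parent router (SEC server or
# message relay) is 10.0.0.5, and RouterNT.exe lives under the 32-bit Program Files
# directory. Requires the NetSecurity cmdlets (Windows 8 / Server 2012 and later).

$ParentRouter = '10.0.0.5'   # hypothetical SEC server / message relay address
$RouterExe    = Join-Path ${env:ProgramFiles(x86)} 'Sophos\Remote Management System\RouterNT.exe'

if (-not (Test-Path $RouterExe)) {
    throw "RouterNT.exe not found at $RouterExe; adjust the path before creating rules"
}

# Replace any earlier broad "any protocol / any address" rules with the same name prefix.
Get-NetFirewallRule -DisplayName 'SOPHOS - RouterNT*' -ErrorAction SilentlyContinue |
    Remove-NetFirewallRule

# Inbound: only the parent router may connect to this client's router on TCP 8194.
New-NetFirewallRule -DisplayName 'SOPHOS - RouterNT (in, from parent router)' `
    -Direction Inbound -Action Allow -Enabled True `
    -Program $RouterExe -Protocol TCP -LocalPort 8194 `
    -RemoteAddress $ParentRouter -Profile Domain | Out-Null

# Outbound: the client's router connects to the parent router on TCP 8192 and 8194.
# Only needed if the outbound default action for the Domain profile is Block.
New-NetFirewallRule -DisplayName 'SOPHOS - RouterNT (out, to parent router)' `
    -Direction Outbound -Action Allow -Enabled True `
    -Program $RouterExe -Protocol TCP -RemotePort 8192,8194 `
    -RemoteAddress $ParentRouter -Profile Domain | Out-Null

# Review the resulting rules together with their port and address filters.
Get-NetFirewallRule -DisplayName 'SOPHOS - RouterNT*' | ForEach-Object {
    $port = $_ | Get-NetFirewallPortFilter
    $addr = $_ | Get-NetFirewallAddressFilter
    [pscustomobject]@{
        Rule       = $_.DisplayName
        Direction  = $_.Direction
        Protocol   = $port.Protocol
        LocalPort  = $port.LocalPort
        RemotePort = $port.RemotePort
        RemoteIP   = $addr.RemoteAddress
        Profile    = $_.Profile
    }
} | Format-Table -AutoSize
```

Run it in an elevated PowerShell session. On the SEC server or a message relay the inbound rule would instead allow TCP 8192 and 8194 from the subnets that hold clients and relays. The local agent connections the reply mentions (ManagementAgentNT.exe to ports 8192 and 8194 on the same host) are loopback traffic and are not described by these rules, so confirm after applying them that the client still reports to the console and receives an immediate action, for example a forced update, within a few minutes rather than at the 15-minute poll.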