Windows Firewall Rules

Hi all,

I want to really lock down my Windows firewall rules. On endpoints that are running Sophos Endpoint Security & Control 9.5, I have the following rules (it is the same for both inbound & outbound):

  • NAME - SOPHOS - RouterNT
  • ACTION - Allow the connection
  • PROGRAM - %ProgramFiles% (x86)\Sophos\Remote Management System\RouterNT.exe
  • SERVICES - Apply to all programs and services
  • PROTOCOLS & PORTS - Protocol Type - Any
  • SCOPE - Local IP Address - Any IP Address; Remote IP Address - Any IP Address
  • ADVANCED PROFILES - Domain

  1. I want to harden the rules, so what is recommended?
  2. Is this rule only needed for outbound and not inbound rules (or vice versa)?
  3. Should I specify Local IP Address as the endpoint and the Remote IP Address as the Sophos server?
  4. Can I restrict the protocols to TCP on local & remote ports 8192-8194 (or other)?
  5. Should I specify the Sophos server in Authorized Computers rather than in the Scope?
Many questions and I'm sure more will arise, so thanks in advance to any that reply.
  • The absolute minimum number of ports required to open for both RMS and updating to work from SEC server to client would be:

    Updating:

    Create a web CID, rather than a UNC share for the client to update from. This way on the server you just open one INCOMING TCP port, e.g. 80.

    RMS:

    TCP 8192 INCOMING on the management server.

    TCP 8194 INCOMING on the management server.

    In theory on the client you don't have to open any incoming ports and it would still work.


    On the client, the RouterNT.exe process would need to connect to the server on the above TCP ports, i.e. 8192, 8194.
    On the client, the alupdate.exe process would need to connect to the web server on TCP 80 for example.
    Both these files are allowed through the Sophos Client Firewall due to the SCF.dat files in the same directories.

    I would still advise where possible to open INCOMING 8194 on the client to ensure that the server RouterNT.exe can send downstream messages to the client RouterNT.exe in a timely fashion. As I said before, if you don't, server to client message delivery will be delayed by up to 15 minutes by default.

    Regards,

    Jak 
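The rule set Jak describes, expressed as Windows Firewall rules that replace the original "Protocol Type - Any / Any IP Address" rule with per-program, TCP-only, single-peer rules on the Domain profile. This is an added example, not code from the thread or from Sophos: it uses the NetSecurity cmdlets (Windows 8 / Server 2012 and later; on older Windows the same rules are created with netsh advfirewall), the ALUpdate.exe path and the rule group name are assumptions, and the server addresses are constructed placeholders to be replaced with the real SEC and web CID hosts.

```powershell
# Added example (not from the thread): hardened Windows Firewall rules for a
# Sophos-managed client, following Jak's port list. Requires the NetSecurity
# module (Windows 8 / Server 2012 or later). The ALUpdate.exe path, the group
# name and the server addresses are assumptions/placeholders, not thread values.

function New-SophosClientFirewallRules {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # Address of the SEC / RMS management server (placeholder)
        [Parameter(Mandatory)] [string] $ManagementServer,
        # Address of the web CID the client updates from; often the same host (placeholder)
        [Parameter(Mandatory)] [string] $UpdateServer,
        [int]    $UpdatePort = 80,
        [string] $Group      = 'Sophos (hardened)'
    )

    $sophosRoot = Join-Path ${env:ProgramFiles(x86)} 'Sophos'
    $routerNT   = Join-Path $sophosRoot 'Remote Management System\RouterNT.exe'
    $alUpdate   = Join-Path $sophosRoot 'AutoUpdate\ALUpdate.exe'   # assumed default path

    # Settings shared by every rule: Domain profile only, TCP only, one remote peer.
    $common = @{ Group = $Group; Profile = 'Domain'; Protocol = 'TCP'; Action = 'Allow'; Enabled = 'True' }

    # 1. Outbound: RouterNT.exe may only reach the management server on TCP 8192/8194.
    New-NetFirewallRule @common -DisplayName 'SOPHOS - RouterNT out (RMS 8192,8194)' `
        -Direction Outbound -Program $routerNT -RemoteAddress $ManagementServer -RemotePort 8192,8194

    # 2. Inbound: optional TCP 8194 so the server can push messages without the
    #    up-to-15-minute delay Jak describes; still restricted to the server's address.
    New-NetFirewallRule @common -DisplayName 'SOPHOS - RouterNT in (RMS 8194)' `
        -Direction Inbound -Program $routerNT -RemoteAddress $ManagementServer -LocalPort 8194

    # 3. Outbound: ALUpdate.exe may only fetch from the web CID on the update port.
    New-NetFirewallRule @common -DisplayName "SOPHOS - ALUpdate out (CID $UpdatePort)" `
        -Direction Outbound -Program $alUpdate -RemoteAddress $UpdateServer -RemotePort $UpdatePort
}

# Review what exists: rule, direction, program, protocol, ports and scope in one table,
# so an "Any/Any" rule or a missing program filter is visible at a glance.
function Get-SophosClientFirewallRules {
    param([string] $Group = 'Sophos (hardened)')
    Get-NetFirewallRule -Group $Group | ForEach-Object {
        $port = $_ | Get-NetFirewallPortFilter
        $addr = $_ | Get-NetFirewallAddressFilter
        $app  = $_ | Get-NetFirewallApplicationFilter
        [pscustomobject]@{
            Rule       = $_.DisplayName
            Direction  = $_.Direction
            Program    = $app.Program
            Protocol   = $port.Protocol
            LocalPort  = $port.LocalPort
            RemotePort = $port.RemotePort
            RemoteAddr = $addr.RemoteAddress
        }
    } | Format-Table -AutoSize
}

# Constructed sample addresses; -WhatIf previews the rules without creating them.
New-SophosClientFirewallRules -ManagementServer '10.0.0.10' -UpdateServer '10.0.0.10' -WhatIf
Get-SophosClientFirewallRules
```

Run it once with `-WhatIf` to preview, then without it from an elevated prompt. On question 5 of the original post: the "Authorized computers" (Remote Computers) restriction only takes effect on rules set to "Allow the connection if it is secure", i.e. it depends on IPsec authentication between client and server, so for a plain RMS deployment the scope restriction via `-RemoteAddress` above is the practical way to pin the rule to the Sophos server.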