
Protecting Internet Facing Servers in a Perimeter network

Hi All,

First post, so go easy on me :smileywink:

My set up is this:

Enterprise Console v4 is running on a LAN server. I have 2 Win2k3 servers in a perimeter network (hardware firewall) and would like to manage and protect them using the Enterprise Console.

The 2 Perimeter network servers are not Domain members.

I have checked the Sophos knowledge base article 50832 and understand the port requirements, but as the article states: "it is beyond the scope of this article to give recommendations on hosting internet facing services, and securing Microsoft Windows servers for use in a DMZ".

Anybody have any experience of this? What do I need to do in terms of allowing access from the LAN to the Perimeter on the firewall to enable the Enterprise Console to firstly see a non-domain machine and then protect it?

Also we are part way through implementing Microsoft ISA 2006 - any guidance or experience of setting up ISA for Perimeter networks and Sophos?

Thanks in advance :smileyhappy:

Regards

Chunk

Hello Chunk,

    Anybody have any experience of this? What do I need to do in terms of allowing access from the LAN to the Perimeter on the firewall to enable the Enterprise Console to firstly see a non-domain machine and then protect it?

Protecting the servers from SEC requires a number of conditions to be met and you probably don't want to go through it for "just two servers". IMHO there is no advantage in configuring the firewall in order to enable the Enterprise Console to firstly see a non-domain machine and then protect it. For management you need ports 8192-8194, and you have to download the updates from somewhere - see Summary of port configurations in Sophos applications: RMS and Sophos Anti-Virus (these are in the last two rows).

Since the servers are already running (I assume they are) I'd copy the CID (SAVSCFXP) to some portable medium and install from it. The servers should report to SEC (provided you have opened 8192-8194) and you should see that their update location points to the removable medium (which is not what you want). As you probably don't want the perimeter servers to make NetBIOS connections into the LAN, there are two options for configuring the update location:

1) if you publish your CID(s) on a web server, use it

2) let the two servers update from Sophos

Christian

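As an added example (not from this thread, and not Sophos code), here is a small policy linter that checks a candidate DMZ-to-LAN rule set against the advice above: RMS ports 8192-8194 open so the servers report to SEC, no NetBIOS into the LAN, and the CID fetched either from a web server or directly from Sophos. The rule format, the NetBIOS/SMB port list, and the assumptions that RMS uses TCP and that a web-published CID listens on port 80 are mine, not from the page.

```python
from dataclasses import dataclass

RMS_PORTS = range(8192, 8195)          # 8192-8194, the range given in the reply
NETBIOS_PORTS = (137, 138, 139, 445)   # assumption: NetBIOS/SMB ports to keep closed DMZ->LAN

@dataclass(frozen=True)
class Rule:
    """One firewall rule (hypothetical format, not any vendor's syntax)."""
    src_zone: str    # "DMZ" or "LAN"
    dst_zone: str
    proto: str       # "tcp" or "udp"
    port: int
    action: str      # "allow" or "deny"

def first_match(rules, src, dst, proto, port):
    """Action of the first rule matching the flow; default deny is assumed."""
    for r in rules:
        if (r.src_zone, r.dst_zone, r.proto, r.port) == (src, dst, proto, port):
            return r.action
    return "deny"

def lint(rules, cid_web_port=80):
    """Return findings for the DMZ->LAN policy; an empty list means it matches the advice.
    Pass cid_web_port=None for option 2 (update direct from Sophos, no LAN flow needed)."""
    findings = []
    # RMS management traffic from the perimeter servers to SEC (assumed TCP)
    for p in RMS_PORTS:
        if first_match(rules, "DMZ", "LAN", "tcp", p) != "allow":
            findings.append(f"{p}/tcp DMZ->LAN blocked: servers will not report to SEC")
    # NetBIOS/SMB from the DMZ into the LAN should stay closed (no UNC share for the CID)
    for p in NETBIOS_PORTS:
        for proto in ("tcp", "udp"):
            if first_match(rules, "DMZ", "LAN", proto, p) == "allow":
                findings.append(f"{p}/{proto} DMZ->LAN allowed: NetBIOS into the LAN, use a web CID instead")
    # Option 1 from the reply: CID published on a LAN web server (assumed port 80)
    if cid_web_port and first_match(rules, "DMZ", "LAN", "tcp", cid_web_port) != "allow":
        findings.append(f"{cid_web_port}/tcp DMZ->LAN blocked: perimeter servers cannot fetch the web CID")
    return findings

if __name__ == "__main__":
    # constructed sample policy: RMS opened, but a CIFS hole left over from a UNC share
    sample = [Rule("DMZ", "LAN", "tcp", p, "allow") for p in RMS_PORTS]
    sample.append(Rule("DMZ", "LAN", "tcp", 445, "allow"))
    for line in lint(sample):
        print(line)
```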