multiple remote clients, no vpn, single console.

Hi all.
We are an MSP new to Sophos.
We want to manage multiple remote clients (w/o VPNs) from a single enterprise console.
After searching through the documentation, here are what we believe to be the articles we need:
1.) Updating via http - http://www.sophos.com/en-us/support/knowledgebase/38238.aspx
2.) Message relay over WAN: http://www.sophos.com/en-us/support/knowledgebase/50832.aspx
3.) Message relay computer setup: http://www.sophos.com/en-us/support/knowledgebase/14635.aspx

Is that all we need, or are there other articles y'all think we should follow as well?

Do we need to implement the first article even though we are doing the other two? (Or is the message relay system only for policy, etc updating?)

In the second article listed above, I am pretty sure we should implement scenario 1.
For the message relay computer, does that need to be on a separate public IP from all our other stuff?

Thanks, in advance, for your help!

-eric
:34761


This thread was automatically locked due to age.
  • Hi,

    This post should help:

    http://community.sophos.com/t5/Sophos-Endpoint-Protection/Configure-Endpoint-Server-10-with-RMS-behind-a-firewall-NAT-Don/m-p/20971

    Otherwise, I'm sure there is a specific PDF for MSPs; you may want to call Support to check.

    The points to consider are:

    1. Will the clients need to talk to a message relay or directly to a management server?

    2. The external clients will need to resolve an external IP address from a DNS name.  

    E.g. You have the domain name test.com which resolves to an external IP you are considering using.

    I would probably suggest creating a name on that, called for example rms.test.com, which forwards to the same IP.

    Port forward 8192 and 8194 to the relay or management server.

    Then using the post info above (hostname_in_ior) you can set that to rms.test.com.  This would also be the address the clients have as their parent address (as configured using the custom mrinit.conf in the CID).  So that they read 8192 (IOR port), that would provide them with the details to connect to rms.test.com on 8194 to communicate.

    Note: Where you use the hostname_in_ior switch (relay or SEC server), that computer needs to resolve whatever is in the IOR to itself.  I suggest using the hosts file to do this.  This is required as the local agents are also connecting to the router to read the IOR, and these need to see that rms.test.com, to use our example, as the local computer.

    3. Updating is the other concern.  I assume you will have IIS/Apache set up and Sophos Update Manager (SUM) can push a distribution to that for the client to update?  I would suggest in SEC create a dedicated subscription, call it for example "MSP", and subscribe to the "Previous" versions of the packages.  This will minimise risk to the endpoints should the latest package have a problem and save you some time later.

    I hope these pointers help.

    Regards,

    Jak

    :34763
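
One way to verify the hostname_in_ior change described in the reply above, as an added example (not part of the original posts and not Sophos code): decode the IOR text read from port 8192 and confirm it advertises rms.test.com rather than an internal name or address. It assumes the router hands out a standard stringified CORBA IOR; `iiop_endpoints`, `check_ior` and `sample_ior` are names made up here, and the sample IOR is constructed.

```python
import struct

class Cdr:
    """Minimal CDR reader; octet 0 of an encapsulation is the byte-order flag."""
    def __init__(self, data, start=1):
        self.data, self.pos = data, start
        self.end = "<" if data[0] & 1 else ">"
    def _read(self, fmt, size):
        self.pos += -self.pos % size              # CDR aligns to natural size
        (val,) = struct.unpack_from(self.end + fmt, self.data, self.pos)
        self.pos += size
        return val
    def ulong(self): return self._read("I", 4)
    def ushort(self): return self._read("H", 2)
    def octets(self):
        n = self.ulong()
        self.pos += n
        return self.data[self.pos - n:self.pos]
    def string(self): return self.octets().rstrip(b"\0").decode("ascii")

def iiop_endpoints(ior_text):
    """Return [(host, port)] from every IIOP profile of a stringified IOR."""
    text = ior_text.strip()
    if not text.upper().startswith("IOR:"):
        raise ValueError("not a stringified IOR")
    body = Cdr(bytes.fromhex(text[4:]))
    body.string()                                 # type_id, unused here
    found = []
    for _ in range(body.ulong()):
        tag, data = body.ulong(), body.octets()
        if tag == 0:                              # TAG_INTERNET_IOP
            prof = Cdr(data, start=3)             # skip flag + version octets
            found.append((prof.string(), prof.ushort()))
    if not found:
        raise ValueError("IOR has no IIOP profile")
    return found

def check_ior(ior_text, expected):
    """List IIOP endpoints whose host differs from the name clients must dial."""
    return [(h, p) for h, p in iiop_endpoints(ior_text) if h.lower() != expected.lower()]

def sample_ior(host, port):
    """Constructed big-endian IOR for offline runs, not captured from a router."""
    h = host.encode() + b"\0"
    prof = b"\0\1\0\0" + struct.pack(">I", len(h)) + h
    prof += b"\0" * (len(prof) % 2) + struct.pack(">H", port)
    prof += b"\0" * (-len(prof) % 4) + struct.pack(">I", 0)   # empty object key
    body = b"\0\0\0\0" + struct.pack(">I", 16) + b"IDL:Example:1.0\0"
    return "IOR:" + (body + struct.pack(">III", 1, 0, len(prof)) + prof).hex()
```

An empty list from `check_ior` means every advertised endpoint uses the expected name; any entry returned is a host that external clients would be told to dial instead.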