
multiple remote clients, no vpn, single console.

Hi all.
We are an MSP new to Sophos.
We want to manage multiple remote clients (w/o VPNs) from a single enterprise console.
After searching through the documentation, here are what we believe to be the articles we need:
1.) Updating via http - http://www.sophos.com/en-us/support/knowledgebase/38238.aspx
2.) Message relay over WAN: http://www.sophos.com/en-us/support/knowledgebase/50832.aspx
3.) Message relay computer setup: http://www.sophos.com/en-us/support/knowledgebase/14635.aspx

Is that all we need, or are there other articles y'all think we should follow as well?

Do we need to implement the first article even though we are doing the other two? (Or is the message relay system only for policy, etc updating?)

In the second article listed above, I am pretty sure we should implement scenario 1.
For the message relay computer, does that need to be on a separate public IP than all our other stuff?

Thanks, in advance, for your help!

-eric
:34761


This thread was automatically locked due to age.
  • Here is a quick example to hopefully give some more insight of roughly what you need to do...

    Router/Gateway
    82.67.45.23 (sophos.test.com resolves to this external IP)

    192.168.1.1 (internal)

    Port forwards: 80, 8192 and 8194 to 192.16.1.2 (i.e. the internal Sophos server)

    Sophos Server
    192.168.1.2
    Hosts file has an entry: 192.168.1.2 sophos.test.com

    Installed: SEC + IIS

    SUM configured with a custom subscription called "MSP", subscribed to "Previous" version of SAVXP for example, which creates:
    \\127.0.0.1\SophosUpdate\CIDs\S001\SAVSCFXP\  (View bootstrap locations in SEC will show this)

    IIS shares this out such that: http://127.0.0.1/SophosUpdate/CIDs/S001/SAVSCFXP is in effect the same location.

    To configure RMS for the clients from the install location:

    Copy (not move) mrinit.conf from the root of the CID:  "\\127.0.0.1\SophosUpdate\CIDs\S001\SAVSCFXP\"
    to "\\127.0.0.1\SophosUpdate\CIDs\S001\SAVSCFXP\rms\"
    edit the file in Notepad so that: "ParentRouterAddress"="sophos.test.com"

    Run: "C:\Program Files (x86)\Sophos\Update Manager\ConfigCID.exe" \\127.0.0.1\SophosUpdate\CIDs\S001\SAVSCFXP\
    to add this custom mrinit.conf to the checksum file cidsync.upd in the rms sub directory.

    Any client that installs from:
    \\127.0.0.1\SophosUpdate\CIDs\S001\SAVSCFXP\setup.exe will then have an RMS parent address of sophos.test.com

    I would then create top level groups in SEC for each "company" to support, and whatever hierarchy is required underneath that.


    I would configure new updating policies with the update locations to be:
    http://sophos.test.com/SophosUpdate/


    Make sure the subscription tab has the custom "MSP" subscription selected in order for the update location to add on the correct: "/CIDs/S001/SAVSCFXP", as the final update location the client gets is a concatenation of what you specify in the primary update location and the part added by the subscription tab.


    You should now be able to install a client using the CID:
    \\127.0.0.1\SophosUpdate\CIDs\S001\SAVSCFXP\setup.exe
    You can copy this off to create an installer package for the clients.

    This article will then become useful for automating the install process from that CID, by passing switches: http://www.sophos.com/en-us/support/knowledgebase/12570.aspx

    You should then check that a test client, e.g.

    Client:
    88.6.5.5  (some external IP)
    has:
    ParentAddress: sophos.test.com
    UpdateLocation: http://sophos.test.com/SophosUpdate/CIDs/S001/SAVSCFXP
    And it can message in to SEC and update ok.

    You should find that upstream messages from the client to the server are pretty quick, but downstream messages from the server to the client, i.e. policy push, may take up to 15 minutes based on the client polling for messages.  This can be changed if required on the client by creating a registry key. GeterInterval DWORD under the \Router\ key.  This needs to be a time in seconds.

    This is all off the top of my head, but it should be 99% there or thereabouts.
    The other option as I mention is to get the clients to message in to a message relay rather than the SEC server directly.
    You may also have a dedicated web server. If this is the case, it would be quite easy to change the above to split out roles.

    Regards,

    Jak

    :34765
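
A pre-rollout check for the setup described in the reply above, as an added example that is not part of Jak's post and not Sophos tooling. It parses the custom mrinit.conf, flags a parent address that remote clients could not reach, builds the final update location the same way the policy does, and can optionally probe the forwarded ports from an external test client. The function and variable names are hypothetical, and the sample mrinit.conf text is constructed (only the `"ParentRouterAddress"` line format comes from the post).

```powershell
# Added example. The mrinit.conf text below is constructed; only the
# "ParentRouterAddress" line format is taken from the post.
$mrinit = @'
"ParentRouterAddress"="sophos.test.com"
'@
$ExpectedHost     = 'sophos.test.com'
$PrimaryUpdate    = 'http://sophos.test.com/SophosUpdate/'  # updating policy
$SubscriptionPath = '/CIDs/S001/SAVSCFXP'                   # added by subscription tab
$Ports            = 80, 8192, 8194                          # forwards listed in the post
$RunNetworkChecks = $false   # set to $true on an external test client

function Get-ParentRouterAddress([string]$ConfText) {
    foreach ($line in ($ConfText -split "`r?`n")) {
        if ($line -match '^\s*"ParentRouterAddress"\s*=\s*"([^"]*)"') { return $Matches[1] }
    }
    return $null
}

function Test-InternalOnlyAddress([string]$Address) {
    # True when a WAN client could not use this value: empty, a single-label
    # name, or a loopback/RFC 1918 IPv4 literal.
    if ([string]::IsNullOrWhiteSpace($Address)) { return $true }
    $ip = $null
    if ([System.Net.IPAddress]::TryParse($Address, [ref]$ip)) {
        $b = $ip.GetAddressBytes()
        if ($b.Length -ne 4) { return $false }
        return ($b[0] -eq 10) -or ($b[0] -eq 127) -or
               ($b[0] -eq 192 -and $b[1] -eq 168) -or
               ($b[0] -eq 172 -and $b[1] -ge 16 -and $b[1] -le 31)
    }
    return ($Address -notmatch '\.')
}

function Join-UpdateLocation([string]$Base, [string]$Suffix) {
    # Primary update location + subscription part, with exactly one slash between.
    return $Base.TrimEnd('/') + '/' + $Suffix.Trim('/')
}

$parent = Get-ParentRouterAddress $mrinit
$url    = Join-UpdateLocation $PrimaryUpdate $SubscriptionPath
"ParentRouterAddress : $parent"
"Matches expected    : $($parent -eq $ExpectedHost)"
"Internal-only value : $(Test-InternalOnlyAddress $parent)"
"Final update URL    : $url"

if ($RunNetworkChecks) {
    foreach ($p in $Ports) {
        $r = Test-NetConnection -ComputerName $ExpectedHost -Port $p -WarningAction SilentlyContinue
        "TCP {0,-5}: {1}" -f $p, $r.TcpTestSucceeded
    }
    (Invoke-WebRequest -Uri "$url/setup.exe" -Method Head -UseBasicParsing).StatusCode
}
```

To check a real CID, replace the here-string with `Get-Content -Raw` on the mrinit.conf in the `rms` subfolder.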