
Install Sophos on a non-domain machine over remote VPN

Hello,

I need to install Sophos on machines that are connected via a Site-to-Site VPN and are NOT on the Domain. These machines are also not connected to the Internet and also do not allow for any sort of drive mappings to the LAN either. The only ports allowed are 8192, 8194 and Remote Desktop to the LAN. I would like to manage these non-domain machines using Enterprise Console, so I can update them and push out policies if needed.

The Sophos Server is in the LAN and on the domain and is also the only Update Manager. I have gone through the documentation for creating a standalone installer, since I can't access the Sophos share from the non-domain clients, but am unsure as to how the non-domain clients get the updates. The LAN clients are set to update using a UNC path - \\ServerA\SophosUpdate, but how does it work through the VPN? I'm assuming I would have to enable some more ports so it can talk to \\ServerA\SophosUpdate, or does the 8192 port take care of that? Also, I would probably have to set up a hosts file to point to the IP for ServerA since there's no DNS on the remote machine.

Does this sound like something that would work, or is there a better way to do this without adding any other machines? Any help or advice is appreciated.


Thank you,
ARIT

  • Hi,

    Could you add IIS to the computer with SEC (or any other web server but IIS makes the most sense)?  The clients could then update using HTTP?

    This way, the clients would only need access to the following TCP ports: 8192, 8194 and 80.  8192 and 8194 are for management only, leaving 80 for updating.

    The updating policy (for this group of clients) could use an IP address to ensure that the clients can resolve the server.  If the SEC server has a static IP, the clients would resolve the server by IP anyway for messaging.

    In addition to the ports the client needs to access on the server, the server would ideally have access to the clients on port 8194 (TCP) so messages could be pushed to the client without having to wait for the 15 minute poll from the client for the messages.

    Regards,

    Jak

  • Thanks for your response. I would think opening port 80 would be sort of a last option, however is it possible to use 443 instead?

    Thanks again!

    --ARIT

  • Hi,

    No, AutoUpdate doesn't support SSL.  

    It's only Sophos files typically that get pulled down.  AutoUpdate supports digest auth:

    http://www.sophos.com/en-us/support/knowledgebase/38238.aspx

    Regards,

    Jak

  • Thank you for all your help.

    --ARIT

  • Sorry just want to confirm, if I were to allow the client to only talk to the Sophos server on those 3 ports, then I'm assuming the clients will also be able to get the policy updates and A/V updates from the Sophos server without any problems?

    Thanks,

    --ARIT

  • Hi,

    Yes, the absolute minimum to allow a client to update and message is to open 3 ports on the server:

    • 8192 and 8194 TCP (incoming) for RMS
    • updating over HTTP for example TCP 80 (incoming).

    Ideally the server could also connect to the client on TCP 8194, so if you change a policy for the client in SEC for example, the server can notify the client that there is an outstanding policy for it to pickup.  If this "notification" doesn't happen, the client polls the server every 15 minutes for messages and would pick it up then.

    Regards,

    Jak

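The three-port plan from the two replies above (RMS on TCP 8192/8194, HTTP updating on TCP 80, optionally server-to-client 8194 for push notification) and the hosts-file question from the original post, as an added PowerShell example. This is not code from the thread or from Sophos. It assumes, and the thread does not say, that ServerA is 10.10.0.5, that the remote clients sit in 10.20.0.0/24, and that IIS serves the update files on TCP 80; the rule names and function names are made up here.

```powershell
# Added example (not from the thread): the three-port plan applied on both ends.
# Assumptions not in the thread: ServerA is 10.10.0.5, the remote VPN subnet is 10.20.0.0/24,
# and updates are published by IIS on TCP 80. Run the server part elevated on ServerA
# (Windows Server 2012 or later for the NetSecurity cmdlets); run the client part elevated
# on the non-domain endpoint.

$ServerIP     = '10.10.0.5'       # assumed LAN address of ServerA
$ServerName   = 'ServerA'
$RemoteSubnet = '10.20.0.0/24'    # assumed subnet of the non-domain clients behind the VPN

# --- ServerA: inbound from the VPN subnet only -----------------------------------------
function Set-SophosServerFirewall {
    # RMS management traffic (8192, 8194) and HTTP updating (80), scoped to the VPN subnet.
    New-NetFirewallRule -DisplayName 'Sophos RMS from VPN' -Direction Inbound -Protocol TCP `
        -LocalPort 8192, 8194 -RemoteAddress $RemoteSubnet -Action Allow
    New-NetFirewallRule -DisplayName 'Sophos HTTP updates from VPN' -Direction Inbound -Protocol TCP `
        -LocalPort 80 -RemoteAddress $RemoteSubnet -Action Allow
    # Optional, as the reply notes: server -> client TCP 8194 lets SEC tell the client a policy
    # is waiting instead of the client finding it on its 15-minute poll. Windows Firewall allows
    # outbound by default, so this rule only matters where outbound is restricted; the VPN ACL
    # has to permit the direction as well.
    New-NetFirewallRule -DisplayName 'Sophos RMS notify to VPN clients' -Direction Outbound -Protocol TCP `
        -RemotePort 8194 -RemoteAddress $RemoteSubnet -Action Allow
}

# --- Non-domain endpoint: name resolution without DNS, then prove the path --------------
function Set-SophosClientHostsEntry {
    # The updating policy can carry the IP directly (as the reply suggests); a hosts entry covers
    # anything that still refers to the server by name.
    $hosts   = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
    $pattern = '^\s*' + [regex]::Escape($ServerIP) + '\s+' + [regex]::Escape($ServerName) + '\b'
    if (-not (Select-String -Path $hosts -Pattern $pattern -Quiet)) {
        Add-Content -Path $hosts -Value "$ServerIP`t$ServerName"
    }
}

function Test-SophosServerPath {
    # Only these three TCP ports need to succeed from the client; everything else can stay closed.
    foreach ($port in 8192, 8194, 80) {
        $t = Test-NetConnection -ComputerName $ServerIP -Port $port -WarningAction SilentlyContinue
        [pscustomobject]@{ Port = $port; TcpOpen = $t.TcpTestSucceeded }
    }
    # Any HTTP status on the update URL (even a 403 for a directory listing) shows IIS is serving
    # it; a connection error means the path or the web server is not there.
    $url = "http://$ServerIP/SophosUpdate/"
    try {
        $r = Invoke-WebRequest -Uri $url -UseBasicParsing -TimeoutSec 10
        "$url -> HTTP $($r.StatusCode)"
    } catch {
        $code = $_.Exception.Response.StatusCode
        if ($code) { "$url -> HTTP $([int]$code)" } else { "$url -> no HTTP answer: $($_.Exception.Message)" }
    }
}

# Usage, each on the host it belongs to:
#   Set-SophosServerFirewall                          # on ServerA
#   Set-SophosClientHostsEntry; Test-SophosServerPath  # on the non-domain endpoint
```

The inbound rules are deliberately scoped with `-RemoteAddress` rather than opened to any source, since the VPN subnet is the only place these clients will ever come from. The update location in the SEC updating policy for this group would then be the HTTP URL with the IP (here `http://10.10.0.5/SophosUpdate`), not the UNC path the LAN clients use.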
  • No problem, one extra thing just so the post is complete, I'm not sure if you're intending to install the Patch agent on the endpoint?

    If so, this communicates with the management server over HTTP for both reporting and updating of patch signatures.  It's not a problem though if you use IIS to host the updates for example.

    When you setup the management server it asks what port (http://www.sophos.com/en-us/support/knowledgebase/114182.aspx) you want, by default 80.  

    If you're using IIS to host updates on port 80, the server will port share 80 based on the reservation so will not clash.  

    The management server listens/registers the URL:

    http://[server]:80/Sophos/Management

    So you can have updates configured in IIS for example:

    http://[server]:80/SophosUpdate

    As mentioned in the article, on Vista+

    netsh http show urlacl

    will show the reservations used in the system.

    HTTP.sys below IIS and Sophos applications will take care of routing the traffic to IIS or the Sophos applications based on path.

    So essentially, the same 3 ports is sufficient.

    Regards,

    Jak

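The port-sharing point in the reply above (the Sophos management URL and an IIS update directory both on TCP 80, routed by path through HTTP.sys), as an added PowerShell example; it is not code from the thread or from Sophos. It assumes, and the thread does not say, that the update files live in D:\SophosUpdate, that they are published as the virtual directory /SophosUpdate under "Default Web Site", and that it runs elevated on the SEC server with the IIS WebAdministration module installed.

```powershell
# Added example (not from the thread): show that the Sophos management URL and an IIS update
# directory share TCP 80 on the SEC server through HTTP.sys, and publish the update folder.
# Assumptions not in the thread: update files in D:\SophosUpdate, exposed as /SophosUpdate
# under "Default Web Site"; run elevated on the SEC server with WebAdministration available.

$UpdateRoot = 'D:\SophosUpdate'   # assumed local path of the update share

function Get-Http80Reservations {
    # URL ACL reservations registered with HTTP.sys, parsed from the text that
    # "netsh http show urlacl" prints. A reservation is a URL prefix (scheme, host, port, path),
    # which is why http://+:80/Sophos/Management/ can coexist with an IIS site on port 80.
    netsh http show urlacl | ForEach-Object {
        if ($_ -match 'Reserved URL\s*:\s*(\S+:80/\S*)') { $Matches[1] }
    }
}

function Get-Port80Listeners {
    # With HTTP.sys port sharing there is one socket owner for TCP 80: the System process (PID 4).
    # A different owning process here means something bound the port directly and will clash
    # instead of being routed by path.
    Get-NetTCPConnection -State Listen -LocalPort 80 | ForEach-Object {
        [pscustomobject]@{
            LocalAddress = $_.LocalAddress
            PID          = $_.OwningProcess
            Process      = (Get-Process -Id $_.OwningProcess).ProcessName
        }
    }
}

function Publish-SophosUpdateDirectory {
    # Expose the update folder as /SophosUpdate; no extra port is needed for it.
    Import-Module WebAdministration
    if (-not (Test-Path 'IIS:\Sites\Default Web Site\SophosUpdate')) {
        New-WebVirtualDirectory -Site 'Default Web Site' -Name 'SophosUpdate' -PhysicalPath $UpdateRoot
    }
}

function Test-PathSharing {
    # Both paths are requested on the same port. Any HTTP status (4xx included) from each shows
    # HTTP.sys handed the request to a listener instead of refusing the connection.
    foreach ($path in '/SophosUpdate/', '/Sophos/Management/') {
        $url = "http://localhost:80$path"
        try {
            $r = Invoke-WebRequest -Uri $url -UseBasicParsing -TimeoutSec 10
            [pscustomobject]@{ Url = $url; Status = $r.StatusCode }
        } catch {
            $code = $_.Exception.Response.StatusCode
            [pscustomobject]@{ Url = $url; Status = if ($code) { [int]$code } else { $_.Exception.Message } }
        }
    }
}

# Usage, elevated on the SEC server:
#   Get-Http80Reservations        # expect the Sophos/Management reservation on port 80
#   Get-Port80Listeners           # expect System (PID 4) only
#   Publish-SophosUpdateDirectory
#   Test-PathSharing
```

If `Get-Port80Listeners` reports a process other than System, that process bound port 80 on its own socket and will conflict with both IIS and the management server; only listeners that register with HTTP.sys get the path-based routing the reply describes. Authentication for the update directory (AutoUpdate supports digest, per the KB link earlier in the thread) is configured on the IIS side and is not covered here.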