
Install Sophos on a non-domain machine over remote VPN

Hello,

I need to install Sophos on machines that are connected via a Site-to-Site VPN and are NOT on the domain. These machines are also not connected to the Internet and do not allow for any sort of drive mappings to the LAN either. The only ports allowed are 8192, 8194 and Remote Desktop to the LAN. I would like to manage these non-domain machines using Enterprise Console, so I can update them and push out policies if needed.

The Sophos Server is in the LAN and on the domain and is also the only Update Manager. I have gone through the documentation for creating a standalone installer, since I can't access the Sophos share from the non-domain clients, but am unsure as to how the non-domain clients get the updates. The LAN clients are set to update using a UNC path - \\ServerA\SophosUpdate - but how does it work through the VPN? I'm assuming I would have to enable some more ports so it can talk to \\ServerA\SophosUpdate, or does the 8192 port take care of that? Also, I would probably have to set up a hosts file to point to the IP for ServerA since there's no DNS on the remote machine.

Does this sound like something that would work, or is there a better way to do this without adding any other machines? Any help or advice is appreciated.

Thank you,
ARIT

Hi,

Could you add IIS to the computer with SEC (or any other web server, but IIS makes the most sense)? The clients could then update using HTTP.

This way, the clients would only need access to the following TCP ports: 8192, 8194 and 80. 8192 and 8194 are for management only, leaving 80 for updating.

The updating policy (for this group of clients) could use an IP address to ensure that the clients can resolve the server. If the SEC server has a static IP, the clients would resolve the server by IP anyway for messaging.

In addition to the ports the client needs to access on the server, the server would ideally have access to the clients on port 8194 (TCP) so messages could be pushed to the client without having to wait for the 15-minute poll from the client for the messages.

Regards,

Jak
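As an added example (not part of the original thread, and not Sophos' own tooling), here is a PowerShell script to run from one of the remote non-domain clients to check the reachability Jak's answer relies on: TCP 8192 and 8194 to the SEC server for management, TCP 80 for HTTP updating, and that a web server actually answers at the published update location. The server address 192.0.2.10 and the IIS path /SophosUpdate/ are assumptions; substitute the SEC server's static IP and whatever alias the update share is published under.

```powershell
# Added example, not from the original thread. Run on a remote, non-domain client to confirm it can
# reach the SEC server on the three TCP ports Jak lists (8192 and 8194 for management, 80 for HTTP
# updating) and that IIS actually answers at the published update location.
# $SecServer and $UpdateUrl are assumptions: substitute the SEC server's static IP and the IIS alias
# under which \\ServerA\SophosUpdate is published.
param(
    [string]$SecServer = '192.0.2.10',        # assumed static IP of the SEC/IIS server
    [int[]]$Ports      = @(8192, 8194, 80),
    [string]$UpdateUrl = '',                  # defaults to http://<SecServer>/SophosUpdate/ (assumed alias)
    [int]$TimeoutMs    = 3000
)

if (-not $UpdateUrl) { $UpdateUrl = "http://$SecServer/SophosUpdate/" }

function Test-TcpPort {
    param([string]$ComputerName, [int]$Port, [int]$TimeoutMs = 3000)
    # TcpClient with an explicit timeout works on older Windows builds that lack Test-NetConnection.
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $handle = $client.BeginConnect($ComputerName, $Port, $null, $null)
        if (-not $handle.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($handle)
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

function Get-HttpStatus {
    param([string]$Url, [int]$TimeoutMs = 3000)
    # Any HTTP status, even 403 or 404, proves a web server answered on port 80; only a missing
    # Response means nothing spoke HTTP (firewall block, or no web server installed on the SEC box).
    $request = [System.Net.WebRequest]::Create($Url)
    $request.Method  = 'HEAD'
    $request.Timeout = $TimeoutMs
    try {
        $response = $request.GetResponse()
        $status = [int]$response.StatusCode
        $response.Close()
        return $status
    } catch [System.Net.WebException] {
        if ($_.Exception.Response) { return [int]$_.Exception.Response.StatusCode }
        return $null
    }
}

# Management ports first, then the updating port.
foreach ($port in $Ports) {
    $role = if ($port -eq 80) { 'HTTP updating' } else { 'SEC management' }
    $open = Test-TcpPort -ComputerName $SecServer -Port $port -TimeoutMs $TimeoutMs
    '{0}:{1,-5} {2,-15} {3}' -f $SecServer, $port, $role, $(if ($open) { 'OPEN' } else { 'BLOCKED' })
}

# An open port 80 is not enough: the update location itself must be served.
$status = Get-HttpStatus -Url $UpdateUrl -TimeoutMs $TimeoutMs
if ($null -eq $status) {
    "No HTTP response from $UpdateUrl - port 80 blocked or no web server listening"
} elseif ($status -eq 404) {
    "Web server answered, but $UpdateUrl does not exist - check the virtual directory alias"
} else {
    "Web server answered $UpdateUrl with HTTP $status - update location reachable"
}
```

To check the reverse direction Jak mentions (server to client on TCP 8194, so policy and update messages are pushed rather than waiting for the client's poll), dot-source the script on the SEC server and call `Test-TcpPort -ComputerName <client IP> -Port 8194` against each remote client.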