
Install Sophos on a non-domain machine over remote VPN

Hello,

I need to install Sophos on machines that are connected via a Site-to-Site VPN and are NOT on the Domain. These machines are also not connected to the Internet and also do not allow for any sort of drive mappings to the LAN either. The only ports allowed are 8192, 8194 and Remote Desktop to the LAN. I would like to manage these non-domain machines using Enterprise Console, so I can update them and push out policies if needed.

The Sophos Server is in the LAN and on the domain and is also the only Update Manager. I have gone through the documentation for creating a standalone installer, since I can't access the Sophos share from the non-domain clients, but am unsure as to how the non-domain clients get the updates. The LAN clients are set to update using a UNC path - \\ServerA\SophosUpdate, but how does it work through the VPN? I'm assuming I would have to enable some more ports so it can talk to \\ServerA\SophosUpdate, or does the 8192 port take care of that? Also, I would probably have to set up a hosts file to point to the IP for ServerA since there's no DNS on the remote machine.

Does this sound like something that would work, or is there a better way to do this without adding any other machines? Any help or advice is appreciated.

Thank you,
ARIT

  • No problem, one extra thing just so the post is complete: I'm not sure if you're intending to install the Patch agent on the endpoint?

    If so, this communicates with the management server over HTTP for both reporting and updating of patch signatures. It's not a problem though if you use IIS to host the updates, for example.

    When you set up the management server it asks what port (http://www.sophos.com/en-us/support/knowledgebase/114182.aspx) you want, by default 80.

    If you're using IIS to host updates on port 80, the server will port share 80 based on the reservation, so it will not clash.

    The management server listens on/registers the URL:

    http://[server]:80/Sophos/Management

    So you can have updates configured in IIS, for example:

    http://[server]:80/SophosUpdate

    As mentioned in the article, on Vista+

    netsh http show urlacl

    will show the reservations used in the system.

    HTTP.sys, below IIS and the Sophos applications, will take care of routing the traffic to IIS or the Sophos applications based on path.

    So essentially, the same 3 ports are sufficient.

    Regards,

    Jak

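Jak's point that HTTP.sys can carry both the management URL and an IIS update share on port 80 and route by path can be checked before opening the firewall; the following is an added example (not code from the thread or from Sophos) that parses a constructed `netsh http show urlacl` listing and applies a simplified longest-prefix rule to predict which reservation owns a given request. The reservation URLs, account names and request paths are assumptions, and the routing model ignores HTTP.sys host-wildcard precedence.

```python
import re
from urllib.parse import urlsplit

# Constructed sample of `netsh http show urlacl` output (not a real capture):
# the management server reservation and an IIS update share, both on port 80.
SAMPLE_URLACL = """\
URL Reservations:
-----------------

    Reserved URL            : http://+:80/Sophos/Management/
        User: NT AUTHORITY\\NETWORK SERVICE
            Listen: Yes
            Delegate: No

    Reserved URL            : http://+:80/SophosUpdate/
        User: BUILTIN\\IIS_IUSRS
            Listen: Yes
            Delegate: No
"""

def parse_urlacl(text):
    """Return (reserved_url, user) tuples from netsh urlacl output."""
    entries, current = [], None
    for line in text.splitlines():
        m = re.match(r"\s*Reserved URL\s*:\s*(\S+)", line)
        if m:
            current = [m.group(1), None]
            entries.append(current)
            continue
        m = re.match(r"\s*User:\s*(.+?)\s*$", line)
        if m and current is not None:
            current[1] = m.group(1)
    return [tuple(e) for e in entries]

def _port(parts):
    return parts.port or (443 if parts.scheme == "https" else 80)

def owning_reservation(reservations, request_url):
    """Simplified HTTP.sys model: among reservations on the request's port
    (host '+'/'*' matching any host), the longest path prefix wins."""
    req = urlsplit(request_url)
    req_path = req.path if req.path.endswith("/") else req.path + "/"
    best = None
    for url, user in reservations:
        r = urlsplit(url)
        if _port(r) != _port(req):
            continue
        if r.hostname not in ("+", "*") and r.hostname != req.hostname:
            continue
        if req_path.lower().startswith(r.path.lower()):
            if best is None or len(r.path) > len(best[0]):
                best = (r.path, url, user)
    return None if best is None else (best[1], best[2])
```

A request under a path with no reservation returns None, which is the case to look for when a Patch agent or update path is added on a port that is already shared.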