
Update and manage Remote Laptop Users without VPN Connection

Hi,

We are using Enterprise Console 5.2.197 and want to update and manage our remote laptop users, who only use a Citrix client to connect to the headquarters.

The remote laptops get their updates directly from Sophos, and once in a while they connect their endpoint in the headquarters and we receive their endpoint reports.

Now we want to update and manage them directly over the internet.

Seeing that we only have 5 remote laptops, we don't want a big solution with a message relay server in a DMZ etc.

My idea was to open the needed ports for management and updates directly through our firewall and NAT them to one of our public IPs, or to be precise via: https://sophos.ourdomain.com.

Could anyone please help me with how I have to configure Sophos to communicate directly through our firewall, and could anyone tell me whether this would raise a security issue?

Greetings

Mario



  • Hello Mario,

    "the needed ports for management and updates"

    Updates are either via UNC (you probably don't want to open NetBIOS) or HTTP (no s), so you'd either have to publish the CID on your public IP on port 80 or use a proxy.

    As for management: the client first tries to contact port 8192 on any of the address(es) and names in mrinit.conf. Thus there must be either a public IP or a name resolvable (to your public IP) in there. But that's not all. The server (usually a relay, but not necessarily) will respond with an IOR which usually contains the internal address. In order to make this work it must return a reference which is valid for both your inside and your outside clients. If it is an IP it must be public and internally reachable (might be tricky in terms of routing); if it is a name it must be resolvable (normally to the public IP from outside and the internal IP inside, therefore some DNS configuration is required). Please see "Using Sophos message relays in a public WAN" for details.

    Ideally the server should be able to connect back to the client's 8194 port.

    OTOH, a message relay is not rocket science and is probably less effort. All it requires is an additional customized CID (perhaps easier said than done) and the relay.

    Of course any open port is an additional risk; presumably it would be possible to conduct a DoS attack on RMS, but then ...

    Christian

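The reply above turns on what the relay actually advertises in its IOR. The following is an added example (not from this thread and not Sophos code) that decodes a stringified CORBA IOR, pulls the host and port out of its IIOP profile, and says whether an outside client could use it: a private IP fails the "valid for both inside and outside clients" test, a hostname only works if split DNS resolves it correctly on both sides. It assumes the reference RMS returns is a standard CORBA IOR with an IIOP profile (the post calls it an IOR; the exact layout Sophos uses is not shown in the thread). The sample IORs are constructed in the block with a small encoder; the type id and object key in them are made up.

```python
"""Decode the endpoint a stringified CORBA IOR advertises and flag addresses
that remote clients cannot reach. Added example; assumes a standard IOR with
an IIOP profile, which is not confirmed for RMS by the thread."""
import ipaddress
import struct

TAG_INTERNET_IOP = 0  # IIOP profile tag (CORBA spec)


class CDRReader:
    """Minimal CDR decoder; alignment is relative to the encapsulation start."""

    def __init__(self, data):
        self.data = data
        self.little = bool(data[0])  # first octet: 0 = big-endian, 1 = little
        self.pos = 1

    def _align(self, n):
        rem = self.pos % n
        if rem:
            self.pos += n - rem

    def _unpack(self, fmt, size):
        self._align(size)
        (value,) = struct.unpack_from(("<" if self.little else ">") + fmt,
                                      self.data, self.pos)
        self.pos += size
        return value

    def octet(self):
        self.pos += 1
        return self.data[self.pos - 1]

    def ushort(self):
        return self._unpack("H", 2)

    def ulong(self):
        return self._unpack("I", 4)

    def octets(self):  # sequence<octet>: ulong length, then raw bytes
        n = self.ulong()
        chunk = self.data[self.pos:self.pos + n]
        self.pos += n
        return chunk

    def string(self):  # CDR string: length includes the trailing NUL
        return self.octets().rstrip(b"\0").decode("latin-1")


def parse_ior(ior):
    """Return (type_id, [(host, port), ...]) for every IIOP profile."""
    if not ior.startswith("IOR:"):
        raise ValueError("not a stringified IOR")
    r = CDRReader(bytes.fromhex(ior[4:]))
    type_id = r.string()
    endpoints = []
    for _ in range(r.ulong()):          # number of tagged profiles
        tag = r.ulong()
        body = r.octets()               # profile data is its own encapsulation
        if tag == TAG_INTERNET_IOP:
            p = CDRReader(body)
            p.octet()                   # IIOP major version
            p.octet()                   # IIOP minor version
            endpoints.append((p.string(), p.ushort()))
    return type_id, endpoints


def classify(host):
    """private-ip: unusable from outside; hostname: needs split DNS."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return "hostname"
    return "private-ip" if ip.is_private else "public-ip"


def check_reference(ior):
    """Every advertised endpoint with a verdict an admin can act on."""
    return [(h, p, classify(h)) for h, p in parse_ior(ior)[1]]


# --- constructed samples: tiny big-endian CDR encoder, only for test IORs ---
class CDRWriter:
    def __init__(self):
        self.buf = bytearray([0])       # 0 = big-endian encapsulation

    def _align(self, n):
        while len(self.buf) % n:
            self.buf.append(0)

    def octet(self, v):
        self.buf.append(v)

    def ushort(self, v):
        self._align(2)
        self.buf += struct.pack(">H", v)

    def ulong(self, v):
        self._align(4)
        self.buf += struct.pack(">I", v)

    def octets(self, b):
        self.ulong(len(b))
        self.buf += b

    def string(self, s):
        self.octets(s.encode("latin-1") + b"\0")


def build_ior(host, port, type_id="IDL:Example/Router:1.0", key=b"rms"):
    """Constructed sample IOR with one IIOP 1.0 profile (ids are made up)."""
    p = CDRWriter()
    p.octet(1)
    p.octet(0)
    p.string(host)
    p.ushort(port)
    p.octets(key)
    w = CDRWriter()
    w.string(type_id)
    w.ulong(1)                          # one profile
    w.ulong(TAG_INTERNET_IOP)
    w.octets(bytes(p.buf))
    return "IOR:" + bytes(w.buf).hex()


if __name__ == "__main__":
    for host in ("192.168.1.10", "relay.ourdomain.com"):
        print(check_reference(build_ior(host, 8192)))
```

To use it against a real relay, capture the reference the server hands out on port 8192 (or on 8194 for the call-back direction the post mentions) and pass the `IOR:...` string to `check_reference`; a `private-ip` verdict means outside laptops will get an address they cannot route to, and also that the relay is disclosing internal addressing to anything that can reach the published port.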
  • Hello Christian,

    Thanks for your reply. So, you would install a message relay in the DMZ and update the relay via a web CID? In this case I have to create an update policy for the clients which points to the public IP / message relay in the DMZ?

    Do you know of a manual for how to install a message relay server in the DMZ? Or is it as simple as only having to open the ports for the web CID from the DMZ to our local LAN?

    Mario

  • You're talking about allowing the Remote Management System (RMS) to communicate over a public WAN. Which is this...

    If that's too complicated (for five computers it seems overkill), you may want to consider Sophos Cloud, which is a web console (we host all the server stuff and take care of the backups, performance etc.) and also allows for remote endpoint management.

  • The diagram (not really the text) in article 110340 may also be worth looking at.

  • Sophos Cloud sounds OK, but in addition to the 5-10 home office clients (maybe more in the future) we have another 120+ clients in our headquarters, and I don't want to move all the internal servers and clients to the cloud solution.

    In the diagram, the part with "Site 3 (DMZ)" is exactly what I want.

    I will try to install a message relay in our DMZ and then publish an update point to the internet and route this to the DMZ server.

    Thanks for your help
