
Update and manage Remote Laptop Users without VPN Connection

Hi,

We are using Enterprise Console 5.2.197 and want to update and manage our remote laptop users, who only use a Citrix client to connect to the headquarters.

The remote laptops get their updates directly from Sophos, and once in a while they connect their endpoint at the headquarters and we receive their endpoint reports.

Now we want to update and manage them directly over the internet.

Seeing that we only have 5 remote laptops, we don't want a big solution with a Message Relay Server in a DMZ etc.

My idea was to open the needed ports for management and updates directly through our firewall and NAT them to one of our public IPs, or to be precise via: https://sophos.ourdomain.com.

Could anyone please help me with how I have to configure Sophos to communicate directly through our firewall, and could anyone maybe tell me whether this would raise a security issue?

Greetings

Mario



  • Hello Mario,

    > the needed ports for management and updates

    Updates are either via UNC (you probably don't want to open NetBIOS) or HTTP (no s), so you'd either have to publish the CID on your public IP on port 80 or use a proxy.

    As for management: the client first tries to contact port 8192 on any of the addresses and names in mrinit.conf. Thus there must be either a public IP or a name resolvable (to your public IP) in there. But that's not all. The server (usually a relay, but not necessarily) will respond with an IOR, which usually contains the internal address. In order to make this work it must return a reference which is valid for both your inside and your outside clients. If it is an IP it must be public and internally reachable (might be tricky in terms of routing); if it is a name it must be resolvable (normally to the public IP from outside and the internal IP inside, therefore some DNS configuration is required). Please see Using Sophos message relays in a public WAN for details.

    Ideally the server should be able to connect back to the client's 8194 port.

    OTOH, a message relay is not rocket science and probably less effort. All it requires is an additional customized CID (perhaps easier said than done) and the relay.

    Of course any open port is an additional risk; presumably it would be possible to conduct a DoS attack on RMS, but then ...

    Christian

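The split-horizon DNS arrangement Christian describes (one name, two answers), as an added example that is not part of the original thread or of any Sophos documentation: a BIND 9 named.conf fragment in which the name sophos.ourdomain.com from Mario's post resolves to the server's LAN address for inside clients and to the NATed public address for everyone else. The address ranges, the zone-file paths and both A records are constructed placeholders; making the RMS server advertise the name rather than its IP in the IOR is covered by the Sophos article the reply points to and is not shown here.

```text
// named.conf (BIND 9) - constructed example, not from Sophos or the thread.
// The IOR handed out on port 8192 must name a host that every client can
// resolve to an address it can actually reach, so ourdomain.com is served
// from two views and the answer depends on where the query comes from.

acl "inside" { 192.168.0.0/16; localhost; };   // constructed: the LAN behind the firewall

view "internal" {
    match-clients { "inside"; };
    recursion yes;
    zone "ourdomain.com" {
        type master;
        file "/etc/bind/db.ourdomain.com.internal";   // constructed path
    };
    // NOTE: once views are used, every other zone (root hints, localhost,
    // reverse zones) must also live inside a view or named will not load.
};

view "external" {
    match-clients { any; };
    recursion no;          // never act as an open resolver for the internet
    zone "ourdomain.com" {
        type master;
        file "/etc/bind/db.ourdomain.com.external";   // constructed path
    };
};

// Records that differ between the two zone files (constructed values):
//   db.ourdomain.com.internal:  sophos.ourdomain.com.  IN A  192.168.10.5
//       ; LAN address of the management server / relay
//   db.ourdomain.com.external:  sophos.ourdomain.com.  IN A  203.0.113.10
//       ; public IP on which the firewall forwards 8192/8194 (and 80 for the CID) to 192.168.10.5
```

Before exposing anything, confirm the split with `dig sophos.ourdomain.com` from a LAN host and from an outside connection; each must return its own address, and an inside client must still reach the 8192/8194 ports on the answer it gets.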