Sophos and Direct Access

Hi,

we've been using Sophos for ages on all our endpoints and servers. Currently we plan a strategic move for mobile workers towards Windows tablets with Direct Access.

Initial test results were not impressive:

- Sophos cannot communicate with a message router inside the LAN; it can only communicate with an IPv4-reachable message relay in the DMZ. This is a no-go, as it requires split-tunnel routing (clients can communicate openly both with the LAN and the Internet). The workaround in 121627 essentially comes down to this.

- Updating is only possible via an SMB share, but it cannot use the "infrastructure tunnel", which is meant for authentication-free access to Active Directory, patches, anti-virus etc. Instead it opens a "corporate tunnel" with user/password, so we cannot deploy DA with the enhanced "smartcard only" authentication.

Since Sophos is focused on enterprise customers, and Direct Access is also a typical enterprise product, I find it hard to believe that this problem affects only us.

Question: How do other customers work around these issues?

Regards,

Detlev

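The two problems above both come down to the same question: from a DirectAccess client, is a given management endpoint reachable over IPv6 (the only path DA offers to the intranet), or does it exist only as an IPv4 name that the client software then cannot use? The following PowerShell script is an added example and is not part of the original post or of any Sophos or Microsoft tooling. It runs on a DA client and, for each endpoint, reports the DA connection state, whether the name falls under an NRPT rule, whether it has AAAA and/or A records, and whether a TCP connection on the expected port succeeds over the IPv6 address. The host names and ports in the table are hypothetical placeholders; replace them with your own message router, relay and update share.

```powershell
# Added example (not from the original post): classify management endpoints as seen
# from a DirectAccess client. Host names and ports below are hypothetical placeholders.
$Endpoints = @(
    @{ Name = 'sophos-router.corp.example';    Port = 8192; Role = 'message router (LAN)' },
    @{ Name = 'sophos-relay-dmz.corp.example'; Port = 8192; Role = 'message relay (DMZ)' },
    @{ Name = 'sophos-update.corp.example';    Port = 445;  Role = 'SMB update share' }
)

# DA connection state as reported by the client components; 'Unknown' if the module is missing.
function Get-DaStatus {
    try {
        Import-Module DirectAccessClientComponents -ErrorAction Stop
        return (Get-DAConnectionStatus).Status
    } catch {
        return 'Unknown (DirectAccessClientComponents module not available)'
    }
}

# Resolve one endpoint and try the port over every AAAA address it has.
function Test-DaEndpoint {
    param(
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][int]$Port,
        [string]$Role = ''
    )

    # Does an effective NRPT rule cover this name? Without one, the query never reaches
    # the DA DNS server and the client will only see what public DNS returns.
    $nrpt = Get-DnsClientNrptPolicy -Effective -ErrorAction SilentlyContinue |
        Where-Object { $_.Namespace -and $Name.EndsWith($_.Namespace.TrimStart('.'), 'OrdinalIgnoreCase') }

    $aaaa = Resolve-DnsName -Name $Name -Type AAAA -ErrorAction SilentlyContinue |
        Where-Object { $_.Type -eq 'AAAA' }
    $a = Resolve-DnsName -Name $Name -Type A -ErrorAction SilentlyContinue |
        Where-Object { $_.Type -eq 'A' }

    # A DA client can only reach the intranet over IPv6, so only AAAA answers are tested.
    $v6ok = $false
    foreach ($rec in $aaaa) {
        if (Test-NetConnection -ComputerName $rec.IPAddress -Port $Port `
                -InformationLevel Quiet -WarningAction SilentlyContinue) {
            $v6ok = $true
            break
        }
    }

    $verdict = if ($v6ok) {
        'usable from a DA client over IPv6'
    } elseif ($a -and -not $aaaa) {
        'IPv4-only name: no IPv6 path for a DA client'
    } else {
        'no connection on this port'
    }

    [pscustomobject]@{
        Endpoint          = $Name
        Role              = $Role
        Port              = $Port
        NrptMatch         = [bool]$nrpt
        HasAAAA           = [bool]$aaaa
        HasA              = [bool]$a
        ReachableOverIPv6 = $v6ok
        Verdict           = $verdict
    }
}

"DirectAccess status: $(Get-DaStatus)"
$Endpoints | ForEach-Object { Test-DaEndpoint -Name $_.Name -Port $_.Port -Role $_.Role } |
    Format-Table -AutoSize
```

Run it from a client that is outside the corporate network. An endpoint that shows `HasA` but not `HasAAAA`, or whose AAAA address does not accept the port, is exactly the case described in the post: the client software may be pointed at a host it can never reach over DA, and a relay in the DMZ is then the only place it can talk to. Note that a successful TCP connect only proves the network path; whether the application itself is willing to use an IPv6 address is a separate question that this check cannot answer.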


  • Hi DetlevRackow,

    We have had DA set up for quite some time at this point (it's amazing once you get it completely set up) and ran into the exact same issue as you are now with Sophos. This was probably over a year ago, and when we reached out to Sophos they gave us the exact same solution you mentioned below: IPv4 relay in the DMZ. Like you, we immediately said "That's not happening".

    The only REAL solution for this is for Sophos to make their messaging components IPv6 aware, something that they told us they would 'work on', but who knows when/if that will ever happen. Again, this was years ago and it's still not been done. We've seen this crop up in a couple of other instances with applications (TortoiseSVN client) that are also not IPv6 aware, but Sophos client management was the first we ran into.

    So, we basically decided that clients who are not often 'inside' the network simply have to get their .dat updates from Sophos servers, and unfortunately they aren't manageable by us (e.g. they can't report their status to the console or get policy updates from us) while they are external.

    At the time that was the ONLY option other than setting up the relay, which we did not want to do.
