Sophos and Direct Access

Hi,

we've been using Sophos for ages on all our endpoints and servers. Currently we plan a strategic move for mobile workers towards Windows tablets with Direct Access.

Initial test results were not impressive:

- Sophos cannot communicate with a message router inside the LAN; it can only communicate with an IPv4-reachable message relay in the DMZ. This is a no-go, as it requires split-tunnel routing (clients can communicate openly with both the LAN and the Internet). The workaround in 121627 essentially comes down to this.

- Updating is only possible via an SMB share, but it cannot use the "infrastructure tunnel", which is meant for authentication-free access to Active Directory, patches, anti-virus etc. Instead it opens a "corporate tunnel" with user/password, so we cannot deploy DA with the enhanced "smartcard only" authentication.

Since Sophos is focused on enterprise customers, and Direct Access is also a typical enterprise product, I find it hard to believe that this problem affects only us.

Question: How do other customers work around these issues?

Regards,

Detlev

Even without legal issues, Sophos Cloud requires that the protected client has a connection to third-party addresses in the Internet (namely Sophos infrastructure). A client with DirectAccess in "forced tunnel" mode cannot communicate with IPv4 addresses beyond the gateway of the current network, so it has neither routing to the customer's Message Relay in the DMZ nor to any address Sophos might hold in the cloud.

This is only possible if you allow "split tunneling", which has heavy security implications, because the client is at the same time connected to the corporate network and to the entire Internet. While some companies allow such scenarios, we don't.

Regards,

Detlev
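The reachability problem described in both posts (the relay in the DMZ and the SMB update share) can be checked on the client itself. The PowerShell script below is an added example written for this thread, not Sophos's or Microsoft's code. It reports the DirectAccess connection state and whether force tunnelling is on, whether the relay's name resolves to an IPv6 address (DirectAccess clients only carry IPv6 through the tunnel, and IPv4-only intranet hosts are reached via AAAA records synthesised by DNS64 and translated by NAT64; an IPv4 literal configured in the client has nothing to translate), whether the relay's TCP port is reachable through the tunnel, and whether the update share is reachable. The host names, share path and port number are placeholders to replace with your own values; the cmdlets used are the standard ones built into Windows 8.1 and later.

```powershell
# Added diagnostic example for this thread (not Sophos or Microsoft code).
# Run on a DirectAccess client while it is outside the LAN.
function Test-DaSophosPath {
    param(
        [string]$RelayHost   = 'sophos-relay.example.com',                 # placeholder: message relay in the DMZ
        [int]   $RelayPort   = 8192,                                       # assumption: TCP port the relay listens on
        [string]$UpdateShare = '\\sophos-update.example.com\SophosUpdate'  # placeholder: update (CID) share
    )

    # 1. Tunnel state. With force tunnelling the client has no IPv4 route past the
    #    local gateway, so every corporate resource must be reachable over IPv6
    #    (native, or IPv4-only behind the DirectAccess server's NAT64/DNS64).
    $da  = Get-DAConnectionStatus
    $cfg = Get-DAClientExperienceConfiguration
    "DirectAccess status : $($da.Status) / $($da.Substatus)"
    "Force tunnelling    : $($cfg.ForceTunneling)"

    # 2. Name resolution. DNS64 answers with a synthesised AAAA record for IPv4-only
    #    intranet hosts whose names fall inside the NRPT namespace. No AAAA answer
    #    means the client cannot reach the host through the tunnel at all.
    $aaaa = Resolve-DnsName -Name $RelayHost -Type AAAA -ErrorAction SilentlyContinue |
            Where-Object { $_.Type -eq 'AAAA' }
    if ($aaaa) {
        "Relay AAAA record   : $($aaaa.IPAddress -join ', ')"
    } else {
        "Relay AAAA record   : none (name outside the NRPT namespace, or DNS64 not answering)"
    }

    # 3. TCP reachability of the relay port through the tunnel.
    $tcp = Test-NetConnection -ComputerName $RelayHost -Port $RelayPort -WarningAction SilentlyContinue
    "Relay TCP $RelayPort      : $(if ($tcp.TcpTestSucceeded) { 'reachable' } else { 'blocked' })"

    # 4. Update share. Reachable over the infrastructure tunnel only if it is in that
    #    tunnel's server list (machine authentication); otherwise it needs the user
    #    tunnel, i.e. user credentials, which is the behaviour the thread complains about.
    $share = Test-Path -Path $UpdateShare -ErrorAction SilentlyContinue
    "Update share        : $(if ($share) { 'reachable' } else { 'not reachable' })"
}

Test-DaSophosPath
```

Run it once on the corporate LAN (status ConnectedLocally) and once from outside; the difference between the two runs shows exactly which of the two paths, relay or share, the tunnel configuration blocks, before any split-tunnelling decision is made.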