DMZ servers

Hello Leto,

it depends, naturally, on the setup of your DMZ. IMO install is secondary, the main question is what's necessary for daily operation.

First the servers have to update their definitions. Usually this is done by connecting to a share (UNC path) and this requires NetBIOS. If you don't want NetBIOS connections to/from your DMZ you'd have to use HTTP as updating method (and consequently publish the CID with a webserver).

As you likely want to manage Sophos on your DMZ servers from the console you have to open the necessary ports between the DMZ and your internal network.

To simplify the administration of the firewall you could install an additional SUM (update manager, see chapter 7 in the Startup Guide) in the CID which also acts as a message relay.  Thus you'd have to open the ports between the management server and the SUM/relay in the DMZ.

Finally the install - Protect Computers from SEC requires a level of access to the servers in the DMZ you probably don't want to allow. If you install a SUM in the DMZ and let the servers update from a UNC path you can run the setup manually from there. If you decide that the servers update only via HTTP you'd have to create a package for the install.

Feel free to ask if you have further questions

Christian

Thanks for the information Christian. I have begun configuring a DMZ server for my users to update their personal home machines, I'll most likely use that server then to update the DMZ servers, make sense.