
Help with deployment

Hello guys,

First time for me with Sophos endpoint security, so be nice ;)

I'm trying to understand the steps to make to deploy the product and be able to:

1) control and update the clients, when they're connected to the internal LAN, directly from the main SEC server.

2) control and update the same clients, when they're outside the LAN, from a server placed in the DMZ

Obviously I'm using split DNS.

The DMZ server has a NATed IP.

I'm reading various documents:

http://www.sophos.it/support/knowledgebase/article/14635.html

http://www.sophos.com/support/knowledgebase/article/50832.html

http://www.sophos.it/support/knowledgebase/article/38238.html

http://www.sophos.it/support/knowledgebase/article/61560.html

but cannot tell if what I want to do is doable or not...

The network topology is very simple:

ServerA is on the LAN, IP 10.10.254.28

ServerB is on the DMZ, IP 192.168.1.10 NATed to aaa.bbb.ccc.ddd

SEC is installed and working on ServerA. Some clients are already connected to that server.

Now, can someone help with some sort of procedure?

Thanks



  • Hello Dario,

    first of all, please note that updating and management are two distinct components.

    Let's look at updating first. Usually "outside" clients are not set to use a UNC path but http. Thus you could use \\ServerA\SophosUpdate as Primary and http://ServerB.yourdomain.com/SophosUpdate/ as Secondary - the drawback is that you will see updating errors for the outside clients. Another option would be updating from http://SoUpd.yourdomain.com/SophosUpdate where SoUpd.yourdomain.com internally resolves to ServerA and externally to ServerB.

    RMS is, as said, a different thing. In principle you could forward the ports but you'd have to make sure that only the FQDN is returned in the IOR - as this FQDN is likely an alias you'd also have to check if it works (I haven't done so lately), i.e. that the management server is also able to talk to itself. May I point out that you don't reduce the POFs from 3 to 1 but "only" from 3 to 2 as the firewall is still involved. Using the suggested setup adds the risk of RMS on the relay failing - which is very unlikely unless the whole server goes belly up (in this case clients would also fail to update and that would be our primary problem).

    Christian
