
Help with deployment

Hello guys,

1st time for me and Sophos endpoint security, so be nice ;)

I'm trying to understand the steps to make to deploy the product and be able to:

1) control and update the clients, when they're connected to the internal LAN, directly from the main SEC server.

2) control and update the same clients, when they're outside the LAN, from a server placed in DMZ

Obviously I'm using split DNS.

The DMZ server has a NATed IP.

I'm reading various documents:

http://www.sophos.it/support/knowledgebase/article/14635.html

http://www.sophos.com/support/knowledgebase/article/50832.html

http://www.sophos.it/support/knowledgebase/article/38238.html

http://www.sophos.it/support/knowledgebase/article/61560.html

but cannot tell if what I want to do is doable or not...

The network topology is very simple:

ServerA is on the LAN, IP 10.10.254.28

ServerB is on the DMZ, IP 192.168.1.10, NATed to aaa.bbb.ccc.ddd

SEC is installed and working on ServerA. Some clients are already connected to that server.

Now, can someone help with some sort of procedure?

Thanks

  • Hello Dario,

    I find the concept to go out to the dmz and then back to the lan just... dumb, plain and simple

    well, the general case is still - I assume - managed clients on the LAN or VPN, or a complex installation with several sites where you already use relays for "traffic consolidation".  Dunno about the long-term future of RMS - newer features (Patch assessment and Web Control) use a different mechanism for communication (directly or port-forwarded to the management server, but this is naturally one-way client-pull) - but it will likely be around for some more time.

    Just made some tests on a test management server. In mrinit.conf set MRParentAddress to just the FQDN and ParentRouterAddress to the alias - this works without problems so no tweak on the management server is needed for this. But - article 50832 states: The Enterprise Console management server and the message relay should be able to resolve each other via DNS to their actual IP addresses, not the external IP addresses. Now it says should - right now I don't see why this should be required.

    Don't have a split DNS available so I can't test. I'd just set ParentRouterAddress to - say - SophosMR.yourdomain.com which on the LAN resolves to the management server and outside (including the relay) to the relay and change the relay to return just the FQDN in the IOR. 

    Christian

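An added check of the resolution plan sketched in the reply above; it is not from the thread and not Sophos code. Three constructed DNS views stand in for the LAN resolver, the DMZ resolver the relay uses, and the external resolver roaming clients use, and the function flags answers that contradict the reply or the KB 50832 requirement that management server and relay resolve each other to actual IPs. The FQDNs and the 203.0.113.10 NAT address are assumed placeholders.

```python
# Constructed split-DNS check for the SEC management server / DMZ relay layout.
# Names and the NAT address are assumed; 10.10.254.28 and 192.168.1.10 come from the question.
from typing import Dict, List

MGMT_FQDN = "sec.yourdomain.com"      # assumed FQDN of ServerA (SEC management server)
RELAY_FQDN = "relay.yourdomain.com"   # assumed FQDN of ServerB (message relay in the DMZ)
ALIAS = "SophosMR.yourdomain.com"     # alias from the reply, used as ParentRouterAddress
MGMT_IP = "10.10.254.28"              # ServerA, actual LAN address
RELAY_IP = "192.168.1.10"             # ServerB, actual DMZ address
RELAY_NAT_IP = "203.0.113.10"         # placeholder for aaa.bbb.ccc.ddd (TEST-NET-3 range)

# Constructed resolver views: name -> answer each resolver would give.
LAN_VIEW = {MGMT_FQDN: MGMT_IP, RELAY_FQDN: RELAY_IP, ALIAS: MGMT_IP}
DMZ_VIEW = {MGMT_FQDN: MGMT_IP, RELAY_FQDN: RELAY_IP, ALIAS: RELAY_IP}
EXTERNAL_VIEW = {MGMT_FQDN: RELAY_NAT_IP, RELAY_FQDN: RELAY_NAT_IP, ALIAS: RELAY_NAT_IP}


def check_split_dns(lan: Dict[str, str], relay: Dict[str, str],
                    roaming: Dict[str, str]) -> List[str]:
    """Return the list of problems; an empty list means the plan is consistent."""
    problems = []
    # Reply: on the LAN the alias resolves to the management server ...
    if lan.get(ALIAS) != MGMT_IP:
        problems.append(f"LAN view: {ALIAS} -> {lan.get(ALIAS)}, expected {MGMT_IP}")
    # ... and outside it resolves to the relay's public (NAT) address.
    if roaming.get(ALIAS) != RELAY_NAT_IP:
        problems.append(f"external view: {ALIAS} -> {roaming.get(ALIAS)}, expected {RELAY_NAT_IP}")
    # The relay itself should also see the alias as "the relay" (either of its addresses).
    if relay.get(ALIAS) not in (RELAY_IP, RELAY_NAT_IP):
        problems.append(f"relay view: {ALIAS} -> {relay.get(ALIAS)}, expected the relay")
    # KB 50832: management server and relay resolve each other to actual IPs,
    # not external ones. The management server uses the LAN resolver.
    if lan.get(RELAY_FQDN) != RELAY_IP:
        problems.append(f"management server sees {RELAY_FQDN} as {lan.get(RELAY_FQDN)}, expected {RELAY_IP}")
    # A relay that simply uses the external view would resolve the management
    # server to the NAT address, which is exactly what the KB article warns about.
    if relay.get(MGMT_FQDN) != MGMT_IP:
        problems.append(f"relay sees {MGMT_FQDN} as {relay.get(MGMT_FQDN)}, expected {MGMT_IP}")
    return problems


if __name__ == "__main__":
    for label, views in {"with DMZ view": (LAN_VIEW, DMZ_VIEW, EXTERNAL_VIEW),
                         "relay on external view": (LAN_VIEW, EXTERNAL_VIEW, EXTERNAL_VIEW),
                         "no split DNS": (LAN_VIEW, LAN_VIEW, LAN_VIEW)}.items():
        print(label, "->", check_split_dns(*views) or "OK")
```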