
Help with deployment

Hello guys,

1st time for me and Sophos endpoint security, so be nice ;)

I'm trying to understand the steps to make to deploy the product and be able to:

1) control and update the clients, when they're connected to the internal LAN, directly from the main SEC server.

2) control and update the same clients, when they're outside the LAN, from a server placed in DMZ

Obviously I'm using Split DNS.

The DMZ server has a natted ip.

I'm reading various documents:

http://www.sophos.it/support/knowledgebase/article/14635.html

http://www.sophos.com/support/knowledgebase/article/50832.html

http://www.sophos.it/support/knowledgebase/article/38238.html

http://www.sophos.it/support/knowledgebase/article/61560.html

but cannot tell if what I want to do is doable or not...

The network topology is very simple:

ServerA is on the LAN, IP 10.10.254.28

ServerB is on the DMZ, IP 192.168.1.10, NATted to aaa.bbb.ccc.ddd

SEC is installed and working on ServerA. Some clients are already connected to that server.

Now, can someone help with some sort of procedure?

Thanks

  • Hi,

    The Remote Management System (RMS) relies on a one-to-one mapping between Sophos Message Routers, i.e.

    Server <> Client

    Server <> Relay <> Client

    Server <> Relay <> Relay <> Client

    etc.  There is a limit to the number of relays (probably related to the length of the hostname), but I've never considered any more than 2 relays in the chain.

    The key thing is to ensure that the path a client communicates over is always the same.  It can work to a point, having the client move between parent routers, but you would lose messages.

    Firstly, it is important to know that if a client is unable to connect to the parent router it will queue messages and deliver them when it can.  Likewise, any commands issued to a disconnected client will be queued on the server until the client comes online.  So within a reasonable time frame, you don't lose messages.

    However, to maintain management regardless of location, VPN connections aside, you would need to set up a publicly routable message router, such that a client can wander and always find its parent router.

    So you would need to have a routable "ParentAddress" for the clients to use that always points them at the same parent router regardless of location.

    So I would have SEC on the internal network and a message relay in the DMZ.  The clients would message in via the relay in both locations.  For example, if the parent address of the clients was relay.domain.com, internally that address would resolve to the same machine as externally.

    The post here:

    /search?q= 20971

    has some relevant info.

    Regards,

    Jak
