
Help with deployment

Hello guys,

First time for me with Sophos endpoint security, so be nice ;)

I'm trying to understand the steps to take to deploy the product and be able to:

1) control and update the clients, when they're connected to the internal LAN, directly from the main SEC server.

2) control and update the same clients, when they're outside the LAN, from a server placed in DMZ

Obviously I'm using split DNS.

The DMZ server has a NATed IP.

I'm reading various documents:

http://www.sophos.it/support/knowledgebase/article/14635.html

http://www.sophos.com/support/knowledgebase/article/50832.html

http://www.sophos.it/support/knowledgebase/article/38238.html

http://www.sophos.it/support/knowledgebase/article/61560.html

but cannot tell if what I want to do is doable or not...

The network topology is very simple:

ServerA is on the LAN, IP 10.10.254.28

ServerB is on the DMZ, IP 192.168.1.10 NATed to aaa.bbb.ccc.ddd

SEC is installed and working on ServerA. Some clients are already connected to that server.

Now, can someone help with some sort of procedure?

Thanks

  • Hi jak and thank you for your reply.

    However, the solution you provide is exactly the one I'm trying to avoid: when always using the RMS, you raise the number of single points of failure to 3 (DMZ firewall, RMS server in DMZ, SEC in LAN), when it could be just 1 for the internal clients.

    I'm thinking of excluding the RMS altogether and forcing the SEC to publish updates via HTTP. Then I will publish the 8192 and 8194 ports on the Forefront TMG firewall pointing straight to the SEC server. It's possible, right?
