
Sophos Web Appliance & Endpoint network traffic

My company is in the process of testing the Sophos Virtual Web Appliance integrated with Endpoint. We have run into a lack of information, and I was hoping someone here is running a similar setup and has some statistics to share.

We are in the middle of rolling out Endpoint v10 and also purchased the Virtual Web Appliance to do logging/filtering for around 3,000 users spread out over 100+ remote sites of varying size and internet connections.  We haven't been able to find any information online or from Sophos about what type of network traffic we can expect all of these Endpoints to generate.

The most information I've gotten from tech support is that the endpoints send the logs back to the appliance once every 45 seconds.  However, the amount of traffic generated varies based on how much surfing was done, and whether the site was blocked, allowed, or warned.  They have no whitepapers or information giving even a general ballpark range of network traffic the Endpoint would be sending back to the appliance for low/medium/high internet users.

I'm hoping someone here has deployed the Web Appliance with Endpoint and has some data they are able to share regarding the load this puts on the network, or any issues they have had with this setup.

Thanks,

Joe



    Hi Joe,

    At the moment the documentation doesn't cover the functionality at this level of detail I'm afraid.

    > I'm also a little curious as to why the endpoint doesn't do the filtering locally on the workstation?  It seems odd that it updates its policies at the endpoint level once every 60 seconds and also verifies with the appliance every time someone goes to a website.  Wouldn't it be less network load and just as effective to have the endpoint do the heavy lifting?

    Sorry if I wasn't entirely clear.  The purpose of getting the policy every 60 seconds is to pick up changes you make to the appliance.  E.g. if you block UserA's access to 'Search Engines' you want this to take effect as soon as possible - this is contained in the policy.

    The verification that takes place is to determine what category the website is.  This isn't taken from the appliance but rather directly from Sophos servers.  So when you go to google.com an extra HTTP request is sent to Sophos servers to determine the category of the site.  E.g. google.com = Search Engines.

    This is much more efficient for several reasons:

    • The endpoint doesn't need to keep and update a huge set of data containing every website/domain
    • Categorization changes made at Sophos take effect immediately with no updates required
    • The system also works when the endpoint is roaming

    So the endpoint does actually do the filtering, it just needs to send some extra traffic to work out what category the site is.  In reality this should only have a very minor effect on bandwidth and is much better than having the category data stored locally.

    --------------------------------------------

    The activity data is here on a Windows XP system:

    C:\Documents and settings\all users\application data\sophos\web control\activity\

    This data isn't human readable but will give you an idea of how much report data is generated.  To prevent the logs being cleared you may want to stop them being uploaded.  Either:

    - Break communication with the appliance at firewall level or with invalid host entry 

    - Take the machine off the LAN and make sure LiveConnect is disabled

    I hope this helps to clear things up!  Do let me know if you have any other questions though.

    -Tom.

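As an added example (not code from this thread, from Tom, or from Sophos), the following PowerShell script automates the measurement Tom suggests: it samples the size of the Web Control activity folder once per upload window and converts the growth into an estimated per-endpoint and per-site upload rate. The folder path is the Windows XP location Tom gives above; the 45-second interval is the cadence Joe was told by support; the sample count and the users-per-site figure are assumptions to adjust for the remote site you are modelling. Run it on a test workstation after stopping uploads as described, so the folder grows instead of being cleared.

```powershell
# Added example: measure how much Web Control report data a workstation produces
# per upload window. Not Sophos code; the path is the one given in the thread.
param(
    [string]$ActivityPath = "C:\Documents and settings\all users\application data\sophos\web control\activity\",
    [int]$IntervalSeconds = 45,   # upload cadence stated by Sophos support in the thread
    [int]$Samples = 20,           # assumption: 20 x 45 s = 15 minutes of normal surfing
    [int]$UsersPerSite = 30       # assumption: endpoints at the remote site being modelled
)

function Get-FolderBytes([string]$Path) {
    # Sum the lengths of all files under the folder. The Where-Object filter instead of
    # -File keeps this usable on PowerShell 2.0, which is what a Windows XP host can run.
    $files = Get-ChildItem -Path $Path -Recurse -ErrorAction SilentlyContinue |
             Where-Object { -not $_.PSIsContainer }
    if (-not $files) { return 0 }
    return ($files | Measure-Object -Property Length -Sum).Sum
}

$previous = Get-FolderBytes $ActivityPath
$deltas = @()
for ($i = 1; $i -le $Samples; $i++) {
    Start-Sleep -Seconds $IntervalSeconds
    $current = Get-FolderBytes $ActivityPath
    $delta = $current - $previous
    # A negative delta means an upload cleared the folder (uploads were not fully
    # blocked); skip that window rather than poison the average with it.
    if ($delta -ge 0) { $deltas += $delta }
    $previous = $current
    Write-Host ("{0:HH:mm:ss} total={1,9} bytes  delta={2,7} bytes" -f (Get-Date), $current, $delta)
}

if ($deltas.Count -gt 0) {
    $avgBytes  = ($deltas | Measure-Object -Average).Average
    $peakBytes = ($deltas | Measure-Object -Maximum).Maximum
    # Per-endpoint upload rate in kbit/s (bytes * 8 bits / 1000 / seconds per window),
    # then the aggregate a site of $UsersPerSite endpoints would add to its WAN link
    # if each one uploaded a window of the measured average size.
    $perEndpointKbps = $avgBytes * 8 / 1000 / $IntervalSeconds
    $siteKbps = $perEndpointKbps * $UsersPerSite
    Write-Host ("Average per {0}s window: {1:N0} bytes (peak {2:N0} bytes)" -f $IntervalSeconds, $avgBytes, $peakBytes)
    Write-Host ("Estimated upload: {0:N3} kbit/s per endpoint, {1:N2} kbit/s for {2} users" -f $perEndpointKbps, $siteKbps, $UsersPerSite)
    Write-Host "Covers report uploads only; the 60 s policy poll and per-site category lookups are separate."
} else {
    Write-Host "No growth recorded. Check the path and confirm uploads to the appliance are blocked."
}
```

Run it during a period of typical browsing on a low, medium and heavy user's machine to get the three ballpark figures Joe is asking for, then scale the per-endpoint rate by each site's headcount. The script only measures the report upload stream; the policy download every 60 seconds and the categorization lookups to Sophos servers are small fixed-cost HTTP requests that you would capture separately with a packet capture on the same host.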