Thu 28-Jul-2011 19:02
Hello, first post. We are in the process of deploying Sophos Endpoint to our Active Directory domain. In addition we have 5 computers in a workgroup that act as time clocks. I have installed the standalone AV on the first one and supplied the credentials for the software to update directly to Sophos. Because these computers are in public areas and connected to the internet, we have the firewall locked down so only traffic to the timeclock servers is permitted.
Long story short, the standalone computers will not update Sophos AV over the internet. Viewing the firewall traffic, I can see the computer trying to update to 188.8.131.52. I added an exception for http traffic to that IP address and now the workstation updates to Sophos just fine. My concern is there may be more than one update server or the IP address for Sophos may change. Is there a documented range of update server IP addresses I can define on my firewall? Thank you. mark
Thu 28-Jul-2011 19:16
Sophos uses Akamai to host the data so depending on your location and the load you might get a few different IPs.
I suspect you could try and build up a list and see how often they cycle at least to see how big a pool it might be for you but that's about it I would think.
Thu 28-Jul-2011 19:21
Jak, thank you for the reply. Problem is, these computers are in different locations, and I won't know if they fail to update since they are standalone computers with touch screens. What would be ideal is if they updated on a different port other than port 80 or 443. Anyhow, maybe someone else can chime in. Leaving port 80 and 443 open to all outbound traffic to all locations is just not an option. mark
Fri 29-Jul-2011 08:00
Can't say how often the actual addresses change so you'd probably have to check the resolution from time to time. Names are dci|d1|d2.sophosupd.com|net (where .com and .net should resolve to the same addresses). Do you monitor these machines in any way? You can periodically check for the last update time and status (DWORD Result, 0 means success) with a script as shown here and in case of a failure send an alert (email is rather simple but there are many ways).
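The monitoring idea in the reply above (read the last update time and the DWORD `Result`, treat 0 as success, alert on anything else) can be expressed as a small scheduled check. The following is an added example written for this thread, not a Sophos script: the only fact taken from the thread is that `Result` is a DWORD where 0 means success. The registry key path, the `LastUpdateTime` value name and its string format, the 24-hour staleness threshold and the SMTP relay name are all placeholders or assumptions that would have to be adjusted to the real AutoUpdate status key on the clocks. The decision logic is kept separate from the registry and mail plumbing so it can be run anywhere.

```python
"""Check the Sophos AutoUpdate result/age and raise an e-mail alert on failure.

Added example for this thread. Only 'Result (DWORD, 0 == success)' comes from
the reply; everything marked ASSUMED/PLACEHOLDER below is not from Sophos docs.
"""
from datetime import datetime, timedelta, timezone
from email.message import EmailMessage
import platform
import smtplib
import socket

# PLACEHOLDER: the real key under which AutoUpdate stores its status is not given
# in the thread; replace with the documented path before deploying.
STATUS_KEY = r"SOFTWARE\<vendor-autoupdate-status-key>"
LAST_UPDATE_VALUE = "LastUpdateTime"        # ASSUMED value name
LAST_UPDATE_FORMAT = "%Y-%m-%d %H:%M:%S"    # ASSUMED string format (UTC)
MAX_AGE = timedelta(hours=24)               # ASSUMED: alert if no success in a day
SMTP_HOST = "smtp.example.internal"         # PLACEHOLDER relay
ALERT_TO = "it-alerts@example.internal"     # PLACEHOLDER recipient


def evaluate_status(result, last_update, now, max_age=MAX_AGE):
    """Return (ok, reason).

    result      : DWORD Result of the last update run; 0 means success.
    last_update : aware datetime of the last update, or None if never recorded.
    A zero Result that is older than max_age is still reported as a failure,
    because a clock that quietly stopped updating looks identical to one that
    succeeded once and was then cut off by the firewall.
    """
    if result is None or last_update is None:
        return False, "no update status recorded"
    if result != 0:
        return False, f"last update failed with Result={result}"
    age = now - last_update
    if age > max_age:
        return False, f"last successful update {age} ago, older than {max_age}"
    return True, "ok"


def read_status_windows():
    """Read (Result, LastUpdateTime) from the registry on the clock itself.

    Runs only on Windows; the key/value names above are placeholders.
    """
    if platform.system() != "Windows":
        raise RuntimeError("registry read only available on Windows")
    import winreg  # imported lazily so the decision logic runs elsewhere too
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, STATUS_KEY) as key:
        result, _ = winreg.QueryValueEx(key, "Result")
        last_raw, _ = winreg.QueryValueEx(key, LAST_UPDATE_VALUE)
    last_update = datetime.strptime(last_raw, LAST_UPDATE_FORMAT).replace(tzinfo=timezone.utc)
    return int(result), last_update


def build_alert(hostname, reason, sender="sophos-check@example.internal"):
    """Compose the alert message; returned rather than sent so it can be inspected."""
    msg = EmailMessage()
    msg["Subject"] = f"[Sophos update FAILED] {hostname}"
    msg["From"] = sender
    msg["To"] = ALERT_TO
    msg.set_content(f"Host: {hostname}\nProblem: {reason}\nChecked: {datetime.now(timezone.utc):%Y-%m-%d %H:%M:%SZ}\n")
    return msg


def send_alert(msg, smtp_host=SMTP_HOST):
    """Deliver the alert over plain SMTP to the internal relay (placeholder host)."""
    with smtplib.SMTP(smtp_host, 25, timeout=10) as smtp:
        smtp.send_message(msg)


if __name__ == "__main__":
    # Scheduled-task entry point on a clock: read, evaluate, alert if needed.
    try:
        result, last_update = read_status_windows()
    except (OSError, RuntimeError, ValueError) as exc:
        result, last_update = None, None
        print(f"could not read update status: {exc}")
    ok, reason = evaluate_status(result, last_update, datetime.now(timezone.utc))
    print(f"{socket.gethostname()}: {reason}")
    if not ok:
        send_alert(build_alert(socket.gethostname(), reason))
```

The script is meant to run from a scheduled task on each clock; because the clocks have no outbound access apart from the time-clock servers, the SMTP relay it talks to has to be one of the hosts the firewall already permits (or the check has to be pulled remotely instead).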
Fri 29-Jul-2011 15:16
Christian that is helpful. I am out of the office today, but will look at the information you provided. Checkpoint Firewall does not support adding domains, it has to be tuned by ip address. I can ping or tracert to the servers you provided and add the IP addresses to the rule. Thank you. mark
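Since the Check Point rule has to be written by IP address, the practical approach from the thread (resolve dci|d1|d2.sophosupd.com|net repeatedly, build up the pool of addresses Akamai hands out, and compare it with what the firewall permits) can be automated. The following is an added example for this discussion, not a Sophos or Check Point tool: the six hostnames and the single address 188.8.131.52 come from the thread; the JSON state file name, the choice of port 80 for resolution and the "com and net should agree" check are my own, and the 192.0.2.x addresses used in the self-test are constructed documentation addresses, not real Sophos servers. Each run merges what DNS returned into the accumulated pool and reports any address the allow rule does not yet cover, and it accepts an injected resolver so the logic can be exercised offline.

```python
"""Accumulate the IP pool behind the Sophos update hostnames and diff it
against an IP-based firewall allow list.

Added example for this thread, not vendor code. Hostnames are the ones named
in the thread; the state file, mismatch check and sample addresses are mine.
"""
import json
import socket
from pathlib import Path

# dci|d1|d2.sophosupd.com|net expanded into the six concrete names
HOSTS = [f"{h}.sophosupd.{tld}" for h in ("dci", "d1", "d2") for tld in ("com", "net")]
POOL_FILE = Path("sophosupd_pool.json")   # ASSUMED local state file


def default_resolver(name):
    """Return the IPv4 addresses DNS currently gives for name (empty on failure)."""
    try:
        infos = socket.getaddrinfo(name, 80, socket.AF_INET, socket.SOCK_STREAM)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


def resolve_all(hosts=HOSTS, resolver=default_resolver):
    """Snapshot {hostname: set(ip)} for one run; resolver is injectable for tests."""
    return {h: set(resolver(h)) for h in hosts}


def merge_observations(pool, snapshot):
    """Fold a snapshot into pool ({ip: set(hostnames)}); return the IPs never seen before."""
    new_ips = set()
    for host, ips in snapshot.items():
        for ip in ips:
            if ip not in pool:
                new_ips.add(ip)
            pool.setdefault(ip, set()).add(host)
    return new_ips


def com_net_mismatches(snapshot):
    """Names whose .com and .net answers differ (the thread says they should match)."""
    return [h for h in ("dci", "d1", "d2")
            if snapshot.get(f"{h}.sophosupd.com", set()) != snapshot.get(f"{h}.sophosupd.net", set())]


def missing_from_allowlist(pool, allowlist):
    """IPs observed so far that the firewall rule does not yet permit."""
    return sorted(set(pool) - set(allowlist))


def load_pool(path=POOL_FILE):
    if not path.exists():
        return {}
    return {ip: set(hosts) for ip, hosts in json.loads(path.read_text()).items()}


def save_pool(pool, path=POOL_FILE):
    path.write_text(json.dumps({ip: sorted(h) for ip, h in pool.items()}, indent=2))


if __name__ == "__main__":
    # Run this from a machine that can resolve the names; the clocks themselves may not.
    allowlist = {"188.8.131.52"}          # the one address already permitted in the thread
    pool = load_pool()
    snapshot = resolve_all()
    new_ips = merge_observations(pool, snapshot)
    save_pool(pool)
    print(f"pool size {len(pool)}, new this run: {sorted(new_ips) or 'none'}")
    for h in com_net_mismatches(snapshot):
        print(f"warning: {h}.sophosupd.com and .net resolved differently")
    for ip in missing_from_allowlist(pool, allowlist):
        print(f"allow rule missing: {ip} ({', '.join(sorted(pool[ip]))})")
```

Run it from a scheduled job on an office machine, not on the locked-down clocks; over a few days the pool shows how many addresses the CDN actually cycles through for your location, and the "allow rule missing" lines are the ones to add to the Check Point object. Because Akamai may answer differently per location, the pool seen from the office is only a lower bound for what the clocks at other sites will be sent to.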