
Safeguard Enterprise server over Internet not via VPN

Having trouble syncing with SafeGuard when not connecting via VPN, after looking at this thread:

https://community.sophos.com/encryption/f/discussion/104413/clients-connect-to-safeguard-enterprise-server-over-internet

We have this set up, but get this error when running the SGNCSCC.exe tool.



  • Yes it would, Dan. Did you use a public cert or is it an internal one? Public ones will require that the intermediate certs (if needed) are accessible. We do this via GPO to all the AD-bound machines, but if it's an internal cert the clients will need a copy of the certs. Creating a new configuration file and applying this to the clients would resolve it, as the config file contains the certs needed, but you then have the hassle of applying the new config file to every client.....

  • It was an internal one, but if it's just a renewal, why does it cause this issue? It means we have to change something every time it expires. What do we have to change in the config file? This is for domain users.

  • The SSL cert secures communication between the host and client, so it's critical. I understand your frustration; I had exactly this challenge last year and, despite Support suggesting otherwise, I was able to get away with it as I used an externally minted cert, so the clients picked up the change straight away as soon as I switched the cert over and restarted IIS. You have a few options, though, since they're domain bound, but this would HAVE to have access to your AD/GPO. This works for physical PCs on site, but if you have laptops and don't have an always-on VPN then it's more of a challenge! When you create a config file on the server, it creates an MSI file. This contains some XML/config AND the certs. This is the easiest method of doing it, to be honest, but as I said... it needs installing/running on every client.

    This is common for certs, though, and not a fault of Sophos as such. I do wish there was better functionality for this, but I also appreciate the security constraints. If the client could update itself/update certs in the same way it can do policies... we'd be onto a winner! This is made worse by the validity period for certs recently being reduced too; most are only a year now, so this is a more common event than it was!

    So: push out the certs with AD/GPO to the domain-bound clients (is the SGS server not bound to the same domain?) or create a new config file and apply it to the client.

    Personally, I'd create a new config file anyway, apply it to the one client you've pictured, reboot and then test that all works again.

  • Yes, the SGS server is on the same domain.

  • Then you could push out all the certs from the DC? How many PCs are there?

  • About 200 plus. It's fine when connected via our VPN for domain users, but it's more of an issue with the WORKGROUPS now not being able to sync.

  • Ah ha, you have domain-bound AND workgroup? Obviously you'll not be able to use the DC to push out to those, and as it's an internal cert your easy options are limited. I would create a new configuration file and install that. Unless the WG PCs are managed by some sort of MDM?

  • No, unfortunately. Our domain machines will be fine as the certs get pushed out; it was more for our workgroups. But we found that when our domain machines weren't connected via the VPN, syncing was erroring, and that's because the cert on our secondary server, which is set up for that, expired and was renewed.

  • One of the reasons my secondary is in the DMZ and has a public cert! I'm afraid your options are... config file... or install the certs manually. How many WG PCs are there? Is that the 200 plus figure or is that the whole estate?

  • Probably the same if not more; however, we will hopefully be moving away from workgroups in the future, so with this in mind it's not that urgent. But can I ask what issues we will stumble across if we leave it? I presume from a support side we can still recover BitLocker codes via the helpdesk etc.?

  • If there's a primary server that still works, no real issues at all. Your secondary is there purely as a failover to the primary should that become unavailable. Yes, as long as the primary remains up and there's a server to communicate with every X minutes (whatever is set in your policy). I would personally resolve it, but I appreciate it's a hassle.
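The replies above boil down to one check and one fix: does the client trust the chain behind the renewed internal cert on the SafeGuard server, and if not, get the issuing CA cert onto the machine (GPO for domain-bound PCs, by hand or via a new config MSI for workgroup PCs). The script below is an added example, not from this thread and not Sophos' own tooling. It connects to the server on 443, reports what certificate is presented and when it expires, builds the chain against the local machine store exactly as a client would, and, if a CA cert file is supplied, imports it into the right local store and re-tests. The server name and the CA file path are placeholders you replace with your own; run it elevated on a workgroup PC when you want the import step to take effect.

```powershell
# Added example (not from the thread or from Sophos): inspect the TLS cert a
# SafeGuard Enterprise server presents and check whether THIS client can build
# a trust chain for it. Optionally imports an exported CA cert for workgroup PCs.
# $ServerName and $CaCertFile are assumed placeholders; substitute your own.
param(
    [string]$ServerName = 'sgn.example.internal',   # assumed hostname of the SGN server
    [int]$Port = 443,
    [string]$CaCertFile = ''                        # e.g. C:\Temp\InternalRootCA.cer exported from the CA
)

function Get-RemoteTlsCertificate {
    param([string]$HostName, [int]$Port)
    $tcp = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        # Accept anything during the handshake so the leaf cert can be fetched even
        # when it is untrusted; the real trust decision is made in Test-CertificateChain.
        $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback] { param($s, $c, $ch, $e) $true }
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $acceptAll)
        $ssl.AuthenticateAsClient($HostName)
        return New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    } finally {
        $tcp.Close()
    }
}

function Test-CertificateChain {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    # Internal CAs often publish CRLs that are unreachable off-VPN; test trust first
    # and revocation separately so the two failure modes are not confused.
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    $ok = $chain.Build($Cert)
    [pscustomobject]@{
        Trusted  = $ok
        Elements = @($chain.ChainElements | ForEach-Object { $_.Certificate.Subject })
        Problems = @($chain.ChainStatus | ForEach-Object { "$($_.Status): $($_.StatusInformation.Trim())" })
    }
}

function Install-IssuerCertificate {
    param([string]$Path)
    $ca = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($Path)
    # A self-signed cert is a root and belongs in Trusted Root Certification Authorities;
    # anything else is an intermediate and belongs in Intermediate Certification Authorities.
    $store = if ($ca.Subject -eq $ca.Issuer) { 'Cert:\LocalMachine\Root' } else { 'Cert:\LocalMachine\CA' }
    Import-Certificate -FilePath $Path -CertStoreLocation $store | Out-Null
    "Imported '$($ca.Subject)' into $store"
}

$cert = Get-RemoteTlsCertificate -HostName $ServerName -Port $Port
$daysLeft = [int]($cert.NotAfter - (Get-Date)).TotalDays
"Subject:    $($cert.Subject)"
"Issuer:     $($cert.Issuer)"
"Thumbprint: $($cert.Thumbprint)"
"Expires:    $($cert.NotAfter) ($daysLeft days left)"

$result = Test-CertificateChain -Cert $cert
if ($result.Trusted) {
    'Chain builds: this client trusts the server certificate.'
    $result.Elements | ForEach-Object { "  $_" }
} else {
    'Chain does NOT build on this client; expect the sync/SGNCSCC.exe certificate error until the issuer is trusted:'
    $result.Problems | ForEach-Object { "  $_" }
    if ($CaCertFile -and (Test-Path $CaCertFile)) {
        Install-IssuerCertificate -Path $CaCertFile
        $retry = Test-CertificateChain -Cert $cert
        "After import, chain builds: $($retry.Trusted)"
    } else {
        'Export the issuing root (and any intermediate) cert from the CA and re-run with -CaCertFile from an elevated prompt.'
    }
}
```

A few practical notes. A leaf cert that was simply renewed by the same internal CA will normally still chain to the same root, so a client that already trusts that root keeps working; the script tells you quickly whether the renewal actually changed the issuer or whether the CA cert was never on the workgroup machines in the first place. For the domain-bound estate the equivalent of Install-IssuerCertificate is the GPO at Computer Configuration > Policies > Windows Settings > Security Settings > Public Key Policies > Trusted Root Certification Authorities (and Intermediate Certification Authorities), which is what the "push it from the DC" replies refer to. Revocation is deliberately switched off in the chain test; if CRL reachability from off-VPN clients matters for you, run a second pass with RevocationMode set to Online and compare.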