This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Regarding the Secondary Public IP in Sophos Safeguard 8.1 or above server to communicate roaming users

Dear Team,

One  of our client is having the below environments:

Server --- Sophos Safeguard 8.1 Server ,SQL Database , IIS Server & Management Center are both installed on the single Server.

Client --- Win 7, Win 8 & Win 10 Professional ,pro editions are enrolled in the Safeguard 8.1 Server & total around 2500 users are enrolled on this server.

Currently due to COvid 19 ,90% of users using the laptop system to do the office work & due to this scenarios we are facing the multiple issues like Unable to Sync the client policy to the Server,Unable to recreate the new Client certificate once the user is changed password out of Active Directory network,Unable to login ;etc

To avoid this issue,

Can we create & configure the Secondary Server where PubliC IP/HostName to Private IP/Hostname(Office Network)   we mapped ,Please share us the steps if this scenario is possible

Currently below packages are installed on the client systems:

1.Safeguard Preinstall

2. Safeguard CLient

3.Safeguard Client Confgiuration(Register on Primary SGN Server with SSL certificate)

In this scenario of roaming User (WFH),

how client is communicating with the public IP of secondary server to sync the policy in the datacard



This thread was automatically locked due to age.
Parents
  • Yes, this is possible but after creating the secondary server, assigning it in your DMZ (or other firewalled location) you would have to update the configuration and then install this new configuration on each client in turn. You would need a public SSL cert on the secondary server too. The other alternative is using a VPN client on each computer - ideally an always-on but on demand would work well enough. Both options require quite a bit of work and design. Your third option that might be worth considering is moving to Sophos Central (assuming you only need disk encryption and not files) but again - a big design change. Don't forget that SafeGuard now has a defined EOL too - So you'll HAVE to move to a different solution by July 2023 anyway.

Reply
  • Yes, this is possible but after creating the secondary server, assigning it in your DMZ (or other firewalled location) you would have to update the configuration and then install this new configuration on each client in turn. You would need a public SSL cert on the secondary server too. The other alternative is using a VPN client on each computer - ideally an always-on but on demand would work well enough. Both options require quite a bit of work and design. Your third option that might be worth considering is moving to Sophos Central (assuming you only need disk encryption and not files) but again - a big design change. Don't forget that SafeGuard now has a defined EOL too - So you'll HAVE to move to a different solution by July 2023 anyway.

Children
  • Hi Micheal,

    Thanks for sharing the details & we want to understand the below queries:

     

    1. Bydefault only one SSL certificate is configured on the Server Side(Client COnfiguraition).
    2. Currently here we are using the SSL certificate which we created in the Safeguard Certificate Manager & do we need to procure the new SSL certificate which is used in the Public IP or can we used the existing SSL Server certificates here?
    3. As per the documents you mentioned in this trail mail,

    We need to setup  the two server to configure the same ,Can I understand which Sophos Roles need to be installed on the Secondary Server like Safeguard Server,Safeguard Management Console.

  • 1 - Yes, that's the standard setup with one SSL cert for the server. However each and every server needs its own cert.

    2 - You can use an internal cert. The certs are included within the configuration created by the server. You may find a public one easier however - but it's personal preference.

    3  - The secondary server just needs the one MSI installing  (SGNServer.msi found in Installers - Backend Installers) - and then the configuration that's generated by the primary applied. 

    You can do most of this work using the Configuration Package Tool - You may need to log on as MSO to access this.

  • So In this Case,

    We need two sepearate server 1 & Server 2 SSL certificate for the configurations,correct me if i wrong here.

    In the Server 1 ,we have already deployed the Safegurd Server ,Management Center ,IIS & SQL db roles.

    And the client is working only when its connected at the office Private network.

    In the Server  2,We need to only deploy Safeguard Server packages & what about the database in the Server 2,could you please confirm us

  • Yes, just one DB needed. You do not need to set this up on the secondary server. It communicates with the primary server and the primary server has the relationship with the database (or database server)