Actually, I need the AD Sync tool to send AD updates to Central.
A device with an Endpoint installed to enable Cache and Relay.
A "Sophos Security VM" to protect VM devices.
Maybe using one or multiple balanced/redundant "Sophos Security VM" to do all these jobs would help the Sophos infrastructure maintenance.
For AD Sync, you can refer to its details in this KB article.
For promoting a server as an update cache and message relay, you may refer to this KB article.
For Sophos SVM, you may refer to this article.