
Sophos Intercept for servers onprem proxy

Hello

In some instances we use Sophos Intercept for servers, and it is quite complicated to manage access for the Sophos agent to connect to Sophos Central.

In Palo Alto Cortex XDR there is such a thing as a connection Broker that can be installed on-prem, and when installing the agent on a server/PC you can say that this Cortex agent should use that broker server/service to access updates, report status, etc. So I need to open internet access only for the Broker server.

Is there something similar in Sophos Intercept? I was searching for that online but without success; maybe I was just using the wrong keywords and that's why I could not find it.
  • You can promote a device, traditionally an existing managed server, to be a message relay and update cache. This will act as a proxy to the clients for either management AND/OR updating.

    Article Detail (sophos.com)

  • Thanks, that is something to work with.

    I have some servers that have never seen updates or config from Sophos Central. How do I force them to connect to that proxy/relay server?

  • So they have the Sophos client software but are currently unable to contact Central to get the updating policy that will have the list of newly installed update servers and update cache?

    Were they initially installed with access to Central / internet and now do not?

    The command line option list here:

    https://docs.sophos.com/central/enterprise/help/en-us/Deployment/EndpointWindowsCommandLine/index.html

    suggests you could run the reregister command option, maybe with the message relay also specified. That might work to get management working via the relay; that would enable you to get policy for updating. Tamper would need to be disabled to re-run the Central installer on the computer. If you can't get policy from Central you can do it in the endpoint UI or using sedcli.exe.

  • I have no idea how they were installed; I am trying to clean up the mess :)

    I spent some time on that message relay and update cache thing.

    I found out that only Windows servers can be promoted, and also that promotion somehow works only on some Windows servers; the rest of them just stay in "installing" status, but that maybe can be solved (some restart may be needed on the server side or something like that).

    But the biggest problem: I have 3 sub-estates in Sophos Central, so each sub-estate needs its own message relay and update cache server; there is no way they can use one for all sub-estates. That makes things difficult, because each sub-estate has servers that are in separate, isolated local network zones, so to make that work, in each zone in each sub-estate there should be a Windows server that has access to the internet. The other solution would be to open the network in all possible directions between local network zones on those two ports, 8190 and 8191, but that will make a mess of the router configs.

    I am stuck here; all of that looks wrong and should be redesigned.
    I have no will to create multiple Windows servers in each local zone that have access to the internet, and I don't like the idea of making that network rule mess in routers and other security devices.

    What would be your suggestion?

  • You can make Windows endpoints relays, but you have to use the drop-down:

    This is why in Endpoint Self Help, there is a "Server" option which shows:

    It can take a while for them to complete as they cache all the data at the moment. I believe the next version of UC will download files on demand rather than upfront.

    There was a bug in AutoUpdate prior to the latest version where the UpdateSource value under:

    HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Sophos\AutoUpdate\UpdateStatus

    wasn't maintained when clients used SDDS3.

    If you have Core Agent 2022.1.0.78, which is the latest at the time of writing, that should be fixed. If you check the reg value it should be the GUID of a UC, or Sophos.
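As an added example (not from this thread, and not Sophos' own tooling), a PowerShell check that reads the UpdateSource value named in the last reply, classifies it as "update cache GUID", "Sophos" (direct) or missing, and tests TCP reachability of a relay on the 8190/8191 ports mentioned earlier; the relay host name is a placeholder, and the meaning of the value is assumed to be as the reply describes.

```powershell
# Added example, not from the thread. Assumes the registry path and the
# "GUID of a UC, or Sophos" interpretation given in the reply above.
$AutoUpdateKey = 'HKLM:\SOFTWARE\WOW6432Node\Sophos\AutoUpdate\UpdateStatus'

function Get-SophosUpdateSourceState {
    param([string]$KeyPath = $AutoUpdateKey)

    $item = Get-ItemProperty -Path $KeyPath -Name 'UpdateSource' -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        # Key or value absent: old client, or the AutoUpdate bug described in the thread
        return [pscustomobject]@{ Source = $null; State = 'Missing' }
    }
    $value = [string]$item.UpdateSource
    $guid  = [guid]::Empty
    if ($value -eq 'Sophos') {
        $state = 'Direct from Sophos (no update cache in use)'
    } elseif ([guid]::TryParse($value, [ref]$guid)) {
        $state = 'Update cache (UC GUID)'
    } elseif ([string]::IsNullOrWhiteSpace($value)) {
        $state = 'Empty (value not maintained)'
    } else {
        $state = 'Unexpected value'
    }
    [pscustomobject]@{ Source = $value; State = $state }
}

function Test-SophosRelayPorts {
    param(
        [Parameter(Mandatory)][string[]]$RelayHost,
        [int[]]$Port = @(8190, 8191)   # the two ports named in the thread
    )
    foreach ($h in $RelayHost) {
        foreach ($p in $Port) {
            $r = Test-NetConnection -ComputerName $h -Port $p -WarningAction SilentlyContinue
            [pscustomobject]@{ Relay = $h; Port = $p; Reachable = $r.TcpTestSucceeded }
        }
    }
}

# Run on a managed server; replace the placeholder relay name with your own
Get-SophosUpdateSourceState
Test-SophosRelayPorts -RelayHost 'relay01.example.internal' | Format-Table
```

A server reporting "Missing" or "Empty" on a current Core Agent, or "Direct from Sophos" in a zone where only the relay is allowed out, is one to revisit before tightening the router rules.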