
Protecting Internet Facing Servers in a Perimeter network

Hi All,

First post, so go easy on me :smileywink:

My set up is this:

Enterprise Console v4 is running on a LAN server. I have 2 Win2k3 servers in a perimeter network (behind a hardware firewall) and would like to manage and protect them using the Enterprise Console.

The 2 Perimeter network servers are not Domain members.

I have checked the Sophos knowledge base article 50832 and understand the port requirements, but as the article states: "it is beyond the scope of this article to give recommendations on hosting internet facing services, and securing Microsoft Windows servers for use in a DMZ".

Anybody have any experience of this? What do I need to do in terms of allowing access from the LAN to the Perimeter on the firewall to enable the Enterprise Console to firstly see a non-domain machine and then protect it?

Also, we are part way through implementing Microsoft ISA 2006 - any guidance or experience of setting up ISA for perimeter networks and Sophos?

Thanks in advance :smileyhappy:

Regards

Chunk



  • Hello Chunk,

    Anybody have any experience of this? What do I need to do in terms of allowing access from the LAN to the Perimeter on the firewall to enable the Enterprise Console to firstly see a non-domain machine and then protect it?

    Protecting the servers from SEC requires a number of conditions to be met and you probably don't want to go through it for "just two servers". IMHO there is no advantage in configuring the firewall in order to enable the Enterprise Console to firstly see a non-domain machine and then protect it. For management you need ports 8192-8194, and you have to download the updates from somewhere - see Summary of port configurations in Sophos applications: RMS and Sophos Anti-Virus (these are in the last two rows).

    Since the servers are already running (I assume they are) I'd copy the CID (SAVSCFXP) to some portable medium and install from it. The servers should report to SEC (provided you have opened 8192-8194) and you should see that their update location points to the removable medium (which is not what you want). As you probably don't want the perimeter servers to make NetBIOS connections into the LAN there are two options for configuring the update location:

    1) If you publish your CID(s) on a webserver, use it.

    2) Let the two servers update from Sophos.

    Christian

  • Hi Christian,

    First off, many thanks for your reply. When you come up against a brick wall on the knowledge base it's good to know the 'community' support is working well.

    Seeing as it sounds like a big deal to allow the perimeter servers to be managed fully by the SEC, I reckon your suggestion of installing from a copy of the CID and pointing them to update directly from Sophos is the most practical.

    Cheers for pointing me in the direction of the KB article regarding the necessary ports for Sophos applications; I had come across it before but was 'concerned' about the NetBIOS coming in from the DMZ to the LAN.

    Thanks again!

    Best regards

    Chunk

  • Hello Chunk,

    I have to deal with some perimeter servers as well.

    What we do is:

    1.) Allow ports 8192-8194 from the DMZ to our Sophos server, in order to make them manageable.

    2.) Enter the IP address and the name of our management server into the hosts file (c:\windows\system32\drivers\etc\hosts) so the RMS service is able to find the server.

    This is not much work, but it allows you to monitor the servers centrally just like any other machine on your network.

    If you don't have a CID on a webserver, the assigned update policy should point to Sophos - this can be done in the "secondary CID", look here: http://www.sophos.com/support/knowledgebase/article/12592.html

    Of course it's possible to update from Sophos without the use of the Enterprise Console, but it's better to have easy monitoring facilities.

    Best regards,

    Detlev

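The two steps Detlev describes (firewall rule for 8192-8194, hosts-file entry for the management server) as an added example, not code from the thread or from Sophos. The management server name, its IP address and the hosts-file path are constructed placeholders; the script rewrites the hosts entry idempotently and then reports, from the DMZ host's point of view, whether the RMS ports are reachable and whether the NetBIOS/SMB ports Chunk was worried about really are blocked.

```python
"""Added example: prepare a non-domain DMZ server to report to SEC."""
import socket
from pathlib import Path

SEC_NAME = "secmgmt"      # constructed: management server's host name
SEC_IP = "10.0.0.5"       # constructed: its LAN address
RMS_PORTS = (8192, 8193, 8194)        # RMS ports named in the thread
NETBIOS_PORTS = (137, 138, 139, 445)  # should stay blocked DMZ -> LAN
HOSTS_PATH = Path(r"C:\Windows\System32\drivers\etc\hosts")  # assumed path


def update_hosts(content: str, ip: str, name: str) -> str:
    """Return hosts-file text containing exactly one 'ip name' line for name.
    Any existing line that maps the same name is dropped, so a stale address
    cannot steer RMS traffic to the wrong host; all other lines are kept."""
    kept = []
    for line in content.splitlines():
        fields = line.split("#", 1)[0].split()   # ignore trailing comments
        if len(fields) >= 2 and name.lower() in (h.lower() for h in fields[1:]):
            continue                              # stale mapping, replace it
        kept.append(line)
    kept.append(f"{ip}\t{name}")
    return "\n".join(kept) + "\n"


def probe(host: str, port: int, timeout: float = 2.0) -> bool:
    """True if a TCP connect succeeds, i.e. firewall and service allow it."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def firewall_report(host: str) -> dict:
    """Expected result from the DMZ: RMS ports open, NetBIOS/SMB closed."""
    return {
        "rms_open": {p: probe(host, p) for p in RMS_PORTS},
        "netbios_blocked": {p: not probe(host, p) for p in NETBIOS_PORTS},
    }


if __name__ == "__main__":
    # Run as Administrator on the DMZ server after the firewall rule is in place.
    current = HOSTS_PATH.read_text() if HOSTS_PATH.exists() else ""
    HOSTS_PATH.write_text(update_hosts(current, SEC_IP, SEC_NAME))
    print(firewall_report(SEC_NAME))
```

Any `False` under `netbios_blocked` means the firewall is letting more than the RMS ports through from the DMZ and the rule should be tightened before the server is trusted to talk to the LAN.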
  • Hi Detlev,

    Many thanks for your wisdom on this too!

    The perimeter servers we have already update directly from Sophos, but the link to the article you provided has given me some guidance on the config possibilities and the ability to let them be managed by the console.

    Looks like I've got my Sunday planned out with various testing scenarios, will post back with my results.

    Once again many thanks for your help.

    Best regards

    Chunk
