Protecting Internet Facing Servers in a Perimeter network

Hi All,

first post so go easy on me :smileywink: 

My set up is this:

Enterprise Console v4 running on a LAN server, I have 2 Win2k3 servers in a perimeter network (hardware firewall) and would like to manage and protect them using the Enterprise console.

The 2 Perimeter network servers are not Domain members.

I have checked the Sophos knowledge base article 50832 and understand the port requirements, but as the article states: "it is beyond the scope of this article to give recommendations on hosting internet facing services, and securing Microsoft Windows servers for use in a DMZ"

Anybody have any experience of this? What do I need to do in terms of allowing access from the LAN to the Perimeter on the firewall to enable the Enterprise Console to firstly see a non-domain machine and then protect it?

Also we are part way through implementing Microsoft ISA 2006 - any guidance or experience of setting up ISA for Perimeter networks and Sophos?

Thanks in advance :smileyhappy:

Regards

Chunk



  • Hello Chunk,

    I have to deal with some perimeter servers as well.

    What we do is:

    1.) Allow ports 8192-8194 from the DMZ to our Sophos server, in order to make them manageable.

    2.) Enter the IP address and the name of our management server into the hosts file (c:\windows\system32\drivers\etc\hosts) so the RMS service is able to find the server.

    This is not much work, but it allows you to monitor the servers centrally just like any other machine on your network.

    If you don't have a CID on a webserver, the assigned update policy should point to Sophos - this can be done in the "secondary CID", look here: http://www.sophos.com/support/knowledgebase/article/12592.html

    Of course it's possible to update from Sophos without the use of the Enterprise Console, but it's better to have easy monitoring facilities.

    Best regards,

    Detlev
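
The two steps Detlev describes, as an added verification script (not from this thread or from Sophos): it pins the management server's name in the hosts file on the non-domain DMZ server and then checks that TCP 8192-8194 towards that server actually pass the perimeter firewall. The server name `SOPHOS-MGMT` and address `192.0.2.10` are placeholder assumptions; run it elevated, since the hosts file is written.

```powershell
# Added example, not code from the thread. Name and address below are assumed
# placeholders; the ports are the ones named in the reply above.
param(
    [string]$ManagementServer = 'SOPHOS-MGMT',        # assumed NetBIOS name
    [string]$ManagementIp     = '192.0.2.10',         # assumed LAN address
    [int[]] $Ports            = @(8192, 8193, 8194)   # RMS ports from the thread
)

$hostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'

# 1) Add the hosts entry only if an identical line is not already present.
$entry   = "$ManagementIp`t$ManagementServer"
$pattern = '^\s*' + [regex]::Escape($ManagementIp) + '\s+' + [regex]::Escape($ManagementServer) + '\s*$'
if (Select-String -Path $hostsPath -Pattern $pattern -Quiet) {
    Write-Host "Hosts entry already present: $entry"
} else {
    Add-Content -Path $hostsPath -Value $entry
    Write-Host "Added hosts entry: $entry"
}

# 2) Confirm the name now resolves to the pinned address (and not to something
#    an external DNS server in the DMZ hands back).
$resolved = [System.Net.Dns]::GetHostAddresses($ManagementServer) |
    ForEach-Object { $_.IPAddressToString }
if ($resolved -notcontains $ManagementIp) {
    Write-Warning "$ManagementServer resolves to [$($resolved -join ', ')], not $ManagementIp"
}

# 3) Probe each RMS port with a 3 s timeout. TcpClient is used instead of
#    Test-NetConnection so this also works on older Windows hosts.
foreach ($port in $Ports) {
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($ManagementIp, $port, $null, $null)
        if ($async.AsyncWaitHandle.WaitOne(3000) -and $client.Connected) {
            Write-Host ("TCP {0}: open" -f $port)
        } else {
            Write-Warning ("TCP {0}: blocked or filtered - check the DMZ-to-LAN firewall rule" -f $port)
        }
    } catch {
        Write-Warning ("TCP {0}: {1}" -f $port, $_.Exception.Message)
    } finally {
        $client.Close()
    }
}
```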
