How to install Sophos Endpoint Security and Control from UTM9 on a PC without internet access?

Hello Markus,

we do not need the Sophos Enterprise Console and its functionalities
and apparently not the functionalities of Central. One of the advantages of Central and the UTM managed Endpoint is that they don't require a local infrastructure. So the question is if one of these (I think I've read that UTM Endpoint will be retired) is the right choice for your setup.

Since all connections are over HTTP/HTTPS it's AFAIK possible to use a proxy for the required connections.
The on-premise product includes a stand-alone version, your endpoints wouldn't need an internet connection. The connected server could download from Sophos and can publish a share where other computers can update from.

Christian

Hello Markus,

we do not need the Sophos Enterprise Console and its functionalities
and apparently not the functionalities of Central. One of the advantages of Central and the UTM managed Endpoint is that they don't require a local infrastructure. So the question is if one of these (I think I've read that UTM Endpoint will be retired) is the right choice for your setup.

Since all connections are over HTTP/HTTPS it's AFAIK possible to use a proxy for the required connections.
The on-premise product includes a stand-alone version, your endpoints wouldn't need an internet connection. The connected server could download from Sophos and can publish a share where other computers can update from.

Christian

Hello Christian,

this sounds exactly like what we are looking for!

But can you please explain how Sophos Central exactly functions? It seems to me that - since it's a cloud based product - every computer using it needs internet connection as well or am I mistaken?

The UTM Endpoint Protection seems to be more what we need: every Endpoint AV should be controlled by the UTM but the Endpoints cannot have internet access. So we should set up a proxy to route Endpoint Security and Control through it, am I right? But how can we set the endpoints to use the shared folder as their update path? And how can we set the server with internet connection to download the Sophos updates and virus definitions?

Thanks for the help!

  Markus

Hello,

sorry that I need to come back to this, but I still couldn't figure out how to do this...

Can someone please tell me how I should set this up? Or simpler: How can I install and update Sophos Endpoint Security and Control on a computer without internet access? Is there any detailed instruction out there?

How must the firewall rules be configured?

How can we set up a computer as an "update downloader" and provide an update share for the other computers?

Thanks!

  Markus

I have the same requirements with a client. I've downloaded the non-slim MCS endpoint but the installation process still wants to connect to the Amazon AWS server to register with liveconnect.

Hello plecavalier,

the UTM version of Endpoint is a managed version and it doesn't talk directly to the UTM but via the Broker which is in the cloud. Central has been upgraded to support caches and message relays, you have to manage them though and this would require changes in the UTM (which, AFAIK, is anyway only able to manage the basic Endpoint).

For a truly disconnected network (no connectivity to the Internet at all) the on-premise SESC is AFAIK the only option (it's also the only product that offers a stand-alone version). I assume Central would be able to work in an "umbilical network", it might or might not be possible to NAT the necessary cloud resources.

Christian

Thanks Christian. My plan was to purchase two units, bring one off site to update when needed and swap them.

I tried following the installer by pointing the registered broker address to local Host in case all it needed was a ping check. I also added a cname in AD for nalookup but none of that allowed the installer past the internet connection check.

Hi there, good to know I'm not the only one with this kind of setup and requirement. :)

For a truly disconnected network (no connectivity to the Internet at all) the on-premise SESC is AFAIK the only option (it's also the only product that offers a stand-alone version).

I have a stupid question...: what is SESC? (S)ophos (E)ndpoint (S)ecurity an (C)ontrol?  Isn't that exactly the software we're using right now? If not, what's the difference between the on-premise and UTM versions of SESC?

***

We have one server with internet connection and many others without.

I assume Central would be able to work in an "umbilical network", it might or might not be possible to NAT the necessary cloud resources.

So this is what we need, right?

Central has been upgraded to support caches and message relays, you have to manage them though and this would require changes in the UTM (which, AFAIK, is anyway only able to manage the basic Endpoint).

Is there a guide on how to set this up?

@plecavalier, if this might help you: what we're doing right now is to open internet connection temporarily in the UTM for every endpoint, update the Sophos AV and then close the connections again. It's a more than inconvenient approach but it works.

Thanks for any help!

   Markus

Hello plecavalier,

two units, bring one off site
but where and how does Endpoint come into play here?

Anyway, AFAIK this version requires the broker connection for the install. It doesn't just check whether it's there (ping - whatsoever this can tell about the availability of a service), it needs the backend to get its proper configuration. I don't think you can work around this.

The question is what this off-net PC is supposed to do, both "normally" and when needed and why you need an up-to-date Endpoint protection on it.

Christian

Hello Markus,

what is SESC
Sophos isn't known for unambiguous naming [:)]. The difference is in management and its components. For SESC the on-premise management server sets up the install/update locations, endpoints get their configuration from there, then the management system (RMS) connects "directly" (i.e. without going through the Cloud) to the server.
MCS (used in Central and UTM) contacts the cloud, all data is stored in the cloud. Central is managed in the cloud with Central Admin, UTM provides a limited access to the backend.
The base components and their architecture are the same, AutoUpdate, SAV, RMS or MCS

what we need
just my personal opinion - UTM Endpoint is an afterthought add-on for customers who can't or don't want to set up yet another server/management interface. SESC's management (SEC) requires Windows, so just implanting SEC into UTM was beyond all question. SaaS was emerging so the UTM was plugged into the backend where the adolescent Central (then called Cloud) lived. Cloud was expected to be the Grand Unified Product that would eventually replace everything else.
Central has been developed and supports update caches (now even selectable) and message relays so it would work with a "network bubble" where just one server has connectivity. The functionality requires a corresponding management interface and developing it for the UTM would likely not be economical. 

Dunno the price tags attached to the various Endpoint products

Christian

Thank you for the insight Christian; very well outlined. I appreciate that.

To answer some of your earlier questions, There is absolutely no way any part of this particular network is going to get connected no matter how briefly. It appears the best course of action for this particular situation is to swap UTM Endpoint with MCS for a SESC based product since they do have a Windows based server that can easily handle the task. Assuming the updates are available for plain download I can side load these to that network location you mentioned that is part of the SESC config. Does that make sense?

Hello plecavalier,

apart from the management component (which doesn't require a connection to Sophos) the Sophos Update Manager (SUM) is installed on the management server. It does more than just simply download a few or more files. It consults the backend Warehouse to determine what's available for download, the warehouse is structured using catalogs and checksums/hashes to guarantee the completeness and integrity of the downloads. There's also (meta)data required for policy configuration (e.g. Application Control).
Obviously some device (that is connected to the Internet) is needed to download (by whatever means) the "updates". SEC can be installed on a workstation as well, all it has to do is to download the required data(and protect itself). It downloads the data to a local Warehouse that is a mirror of the selected subscriptions available with the license. It is this Warehouse that has to be copied to the air-gapped network. The SUM inside this network would update from this copy and this way behave as if it were updating from Sophos.

Christian