How to install Sophos Endpoint Security and Control from UTM9 on a PC without internet access?

Hi there!
we are currently setting up a small AD-less infrastructure of 17 servers. All of them are protected by a Sophos UTM 9. Only one of those servers has internet access; the rest are blocked by the firewall. This is by design and should not be changed.

For additional security we want to install Sophos Endpoint Security and Control - which can be downloaded from the UTM - on every server. But since they do not have internet access the installation fails. And even on the one server with internet access the software is unable to receive updates from Sophos.

What can we do to install the Sophos AV on these computers?

We would like to have something like the SUM (Sophos Update Manager) to bundle all updates in one place in the infrastructure, but we do not need the Sophos Enterprise Console and its functionalities.

As an alternative, which ports/URLs need to be opened/accessible by the infrastructure to enable installation and update of Sophos Endpoint Security and Control? Web filtering is currently disabled.
UTM 9 version: 9.501-5

Endpoint Security and Control version: 10.3.3.121
Thanks in advance for every answer!
Regards,
  Markus



This thread was automatically locked due to age.
  • Hello Markus,

    we do not need the Sophos Enterprise Console and its functionalities
    and apparently not the functionalities of Central. One of the advantages of Central and the UTM managed Endpoint is that they don't require a local infrastructure. So the question is if one of these (I think I've read that UTM Endpoint will be retired) is the right choice for your setup.

    Since all connections are over HTTP/HTTPS, it's AFAIK possible to use a proxy for the required connections.
    The on-premise product includes a stand-alone version, your endpoints wouldn't need an internet connection. The connected server could download from Sophos and can publish a share where other computers can update from.

    Christian
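
The "publish a share" step from the post above, as an added PowerShell example that is not part of the thread and not Sophos's own tooling. It assumes (hypothetically) that the internet-connected server keeps the downloaded update tree in C:\SophosUpdate, that the downloader runs as a local account svc-sophosdl, and that the offline endpoints read the share as a local account sophos-reader (no AD, as in the original setup). The point of the script is that the share must be read-only for the endpoints: anything that can write to an update share can push code onto every machine that trusts it.

```powershell
# Added example (not from the thread): publish a read-only update share on the
# one internet-connected server so the offline endpoints can pull updates from it.
# Assumptions (hypothetical): update tree in C:\SophosUpdate, downloader account
# 'svc-sophosdl', endpoint read account 'sophos-reader'. Both local accounts must
# already exist. No AD is assumed.
#Requires -RunAsAdministrator

$UpdateRoot = 'C:\SophosUpdate'
$ShareName  = 'SophosUpdate'
$WriterUser = 'svc-sophosdl'     # account that downloads from Sophos (write)
$ReaderUser = 'sophos-reader'    # account the endpoints use (read-only)

New-Item -ItemType Directory -Path $UpdateRoot -Force | Out-Null

# NTFS: break inheritance, then grant exactly three principals.
# Administrators full, Modify for the downloader, Read/Execute for the endpoints.
icacls $UpdateRoot /inheritance:r | Out-Null
icacls $UpdateRoot /grant:r "BUILTIN\Administrators:(OI)(CI)F" `
                            "$env:COMPUTERNAME\${WriterUser}:(OI)(CI)M" `
                            "$env:COMPUTERNAME\${ReaderUser}:(OI)(CI)RX" | Out-Null

# SMB: read access for the reader account only; Administrators keep full control.
# Share and NTFS permissions intersect, so a mistake in one layer cannot turn the
# reader account into a writer through the share.
if (Get-SmbShare -Name $ShareName -ErrorAction SilentlyContinue) {
    Remove-SmbShare -Name $ShareName -Force
}
New-SmbShare -Name $ShareName -Path $UpdateRoot `
    -ReadAccess "$env:COMPUTERNAME\$ReaderUser" `
    -FullAccess 'BUILTIN\Administrators' | Out-Null

# Verify: fail if any principal outside the allowed writer list has write access
# on the share or on the directory. Returns $true only when the share is
# least-privilege; endpoints should be pointed at it only after this passes.
function Test-UpdateShareLeastPrivilege {
    param([string]$Name, [string]$Path, [string[]]$AllowedWriters)
    $ok = $true
    foreach ($ace in Get-SmbShareAccess -Name $Name) {
        $canWrite = ($ace.AccessControlType -eq 'Allow') -and ($ace.AccessRight -in @('Change', 'Full'))
        if ($canWrite -and ($AllowedWriters -notcontains $ace.AccountName)) {
            Write-Warning "Share ${Name}: unexpected write access for $($ace.AccountName)"
            $ok = $false
        }
    }
    $writeBits = [System.Security.AccessControl.FileSystemRights]::Write
    foreach ($ace in (Get-Acl -Path $Path).Access) {
        $canWrite = ($ace.AccessControlType -eq 'Allow') -and (($ace.FileSystemRights -band $writeBits) -ne 0)
        if ($canWrite -and ($AllowedWriters -notcontains $ace.IdentityReference.Value)) {
            Write-Warning "NTFS ${Path}: unexpected write access for $($ace.IdentityReference.Value)"
            $ok = $false
        }
    }
    return $ok
}

$writers = @('BUILTIN\Administrators', "$env:COMPUTERNAME\$WriterUser")
if (-not (Test-UpdateShareLeastPrivilege -Name $ShareName -Path $UpdateRoot -AllowedWriters $writers)) {
    throw "Update share is not least-privilege; fix the ACLs before pointing endpoints at \\$env:COMPUTERNAME\$ShareName"
}
"Endpoints can be pointed at \\$env:COMPUTERNAME\$ShareName (read-only for $ReaderUser)"
```

Run it once on the connected server after the downloader has been configured; re-run the verification function whenever the ACLs are touched. The script deliberately does not configure the Sophos download itself or the endpoints' update location, since the thread does not spell out how that is done for this product version.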

  • Hello Christian,

    this sounds exactly like what we are looking for!

    But can you please explain how Sophos Central exactly functions? It seems to me that - since it's a cloud-based product - every computer using it needs an internet connection as well, or am I mistaken?

    The UTM Endpoint Protection seems to be more what we need: every Endpoint AV should be controlled by the UTM but the Endpoints cannot have internet access. So we should set up a proxy to route Endpoint Security and Control through it, am I right? But how can we set the endpoints to use the shared folder as their update path? And how can we set the server with internet connection to download the Sophos updates and virus definitions?

    Thanks for the help!

      Markus

  • Hello,

    sorry that I need to come back to this, but I still couldn't figure out how to do this...

    Can someone please tell me how I should set this up? Or simpler: How can I install and update Sophos Endpoint Security and Control on a computer without internet access? Is there any detailed instruction out there?

    How must the firewall rules be configured?

    How can we set up a computer as an "update downloader" and provide an update share for the other computers?

    Thanks!

      Markus

  • I have the same requirements with a client. I've downloaded the non-slim MCS endpoint but the installation process still wants to connect to the Amazon AWS server to register with liveconnect.

  • Hello plecavalier,

    the UTM version of Endpoint is a managed version and it doesn't talk directly to the UTM but via the Broker which is in the cloud. Central has been upgraded to support caches and message relays, you have to manage them though and this would require changes in the UTM (which, AFAIK, is anyway only able to manage the basic Endpoint).

    For a truly disconnected network (no connectivity to the Internet at all) the on-premise SESC is AFAIK the only option (it's also the only product that offers a stand-alone version). I assume Central would be able to work in an "umbilical network", it might or might not be possible to NAT the necessary cloud resources.

    Christian

  • Thanks Christian. My plan was to purchase two units, bring one off site to update when needed and swap them.

    I tried fooling the installer by pointing the registered broker address to localhost in case all it needed was a ping check. I also added a CNAME in AD for nalookup, but none of that allowed the installer past the internet connection check.

  • Hi there, good to know I'm not the only one with this kind of setup and requirement. :)

    For a truly disconnected network (no connectivity to the Internet at all) the on-premise SESC is AFAIK the only option (it's also the only product that offers a stand-alone version).

    I have a stupid question...: what is SESC? (S)ophos (E)ndpoint (S)ecurity and (C)ontrol? Isn't that exactly the software we're using right now? If not, what's the difference between the on-premise and UTM versions of SESC?

    ***

    We have one server with internet connection and many others without.

    I assume Central would be able to work in an "umbilical network", it might or might not be possible to NAT the necessary cloud resources.

    So this is what we need, right?

    Central has been upgraded to support caches and message relays, you have to manage them though and this would require changes in the UTM (which, AFAIK, is anyway only able to manage the basic Endpoint).

    Is there a guide on how to set this up?

    @plecavalier, if this might help you: what we're doing right now is to open the internet connection temporarily in the UTM for every endpoint, update the Sophos AV and then close the connection again. It's a more than inconvenient approach, but it works.

    Thanks for any help!

       Markus

  • Hello plecavalier,

    two units, bring one off site
    but where and how does Endpoint come into play here?

    Anyway, AFAIK this version requires the broker connection for the install. It doesn't just check whether it's there (ping - whatsoever this can tell about the availability of a service), it needs the backend to get its proper configuration. I don't think you can work around this.

    The question is what this off-net PC is supposed to do, both "normally" and when needed and why you need an up-to-date Endpoint protection on it.

    Christian
