
Best practice for DMZ devices and laptops

Hi,

I've been reading documentation and community posts all day but I'm still not sure what the recommended approach is. I'm setting up an environment where I need to cater for devices which are frequently taken off-site, servers in the DMZ and internal LAN clients.

Info

  • Management Server (and SUM): Internal LAN
  • Message Relay (and SUM): DMZ
  1. Internal devices: Update and report to the management server directly. I see no reason to use the MR for this, unless I see performance issues later on.
  2. DMZ devices: Update from SUM on the MR (smb) and report via the MR. No secondary (as no Internet access and different mrinit.conf files internally).
  3. Laptops/Mobile devices: Update from SUM on the MR (HTTP) and report via the MR. Secondary update location would be Sophos. Disable location roaming.

Questions

  1. Using the configuration above, I will lose the ability to 'protect' laptop/mobile devices from the SEC unless I specify an 'initial install location' (but that's ok, as it would need to use the same credentials as my primary update location, which is HTTP). Is this correct?
  2. Any other comments/improvements on the above?

Cheers for any help.

  • Hello warnox,

    1. is fine
    2. also
    3. report via the MR so you open ports 8192 and 8194 to the MR - public IP or NATted? If you publish via HTTP the CID the DMZ devices are updating from, the mrinit.conf must work for both your DMZ and external devices. The Secondary isn't required unless you expect the HTTP CID to be unavailable more or less regularly. Minimum updating interval for Sophos is one hour and furthermore updating the RMS component will fail.
      In addition they must be able to access the HTTP CID from the LAN (as it has to have a public IP this might seem a silly remark but I've seen sites where it doesn't work) and they must be able to reach either the MR or the management server. This in turn requires an appropriately specified mrinit.conf.

    As Protect requires SMB it's only possible when the devices are on the LAN. You either have to install from the DMZ CID or apply the correct policy before they leave the LAN. BTW - the credentials required for the WebCID depend on the webserver configuration.

    Christian 

  • Thanks for the info. Good point, I will remove secondary from laptops/mobile devices, no need to go direct to Sophos.

    8192/8194/80 will be NAT'd to the MR. Split-DNS used so internal resolution differs and solves the internal routing problem. mrinit.conf would be configured as:

    "MRParentAddress"="192.168.0.3,[Console-FQDN],[Console-HOSTNAME]"
    "ParentRouterAddress"="MR.domain.com"
     

    Ok, so for laptops, I will need to use an install package from the MR/DMZ CID or make sure they pick up the required updating policy before they leave the LAN?
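As an added example (not part of this thread and not Sophos' own tooling), a small Python script that parses lines in the "key"="value" layout quoted above, lists the MRParentAddress fallbacks in order, flags unsubstituted [bracketed] placeholders before a package is built, and can probe TCP reachability of the ports named in the thread (8192, 8194, 80) from wherever the laptop currently sits. The line format, the regex and the check rules are my assumptions; the sample values are the ones quoted in the post, and the filled-in variant is constructed.

```python
import re
import socket

# Constructed sample in the "key"="value" layout shown in the thread.
# The bracketed names are placeholders copied from the post, not real hosts.
SAMPLE_MRINIT = '''
"MRParentAddress"="192.168.0.3,[Console-FQDN],[Console-HOSTNAME]"
"ParentRouterAddress"="MR.domain.com"
'''

# Constructed variant with the placeholders substituted (hypothetical names).
FILLED_MRINIT = '''
"MRParentAddress"="192.168.0.3,sec01.corp.example,SEC01"
"ParentRouterAddress"="MR.domain.com"
'''

# Ports the thread says are NAT'd to the Message Relay (assumed TCP).
RELAY_PORTS = (8192, 8194, 80)

# One "key"="value" line; quotes around both sides, optional whitespace.
LINE_RE = re.compile(r'^\s*"([^"]+)"\s*=\s*"([^"]*)"\s*$')


def parse_mrinit(text):
    """Return a dict of the "key"="value" lines; unrelated lines are ignored."""
    values = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            values[m.group(1)] = m.group(2)
    return values


def parent_addresses(conf):
    """MRParentAddress is a comma-separated fallback list; return it in order."""
    raw = conf.get("MRParentAddress", "")
    return [a.strip() for a in raw.split(",") if a.strip()]


def check_config(conf):
    """Return a list of problems (empty list means the file looks usable)."""
    problems = []
    if not conf.get("ParentRouterAddress"):
        problems.append("ParentRouterAddress missing: clients cannot locate the Message Relay")
    addrs = parent_addresses(conf)
    if not addrs:
        problems.append("MRParentAddress is empty")
    elif len(addrs) < 2:
        problems.append("MRParentAddress has a single entry; no fallback name for the server")
    # A template value such as [Console-FQDN] that was never substituted.
    for a in addrs:
        if a.startswith("[") and a.endswith("]"):
            problems.append(f"placeholder {a} in MRParentAddress was not substituted")
    return problems


def reachable(host, port, timeout=3.0):
    """True if a TCP connection to host:port succeeds within the timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def check_relay_ports(host, ports=RELAY_PORTS):
    """Probe each port once; useful from both the LAN and an external network."""
    return {port: reachable(host, port) for port in ports}


if __name__ == "__main__":
    for label, text in (("template", SAMPLE_MRINIT), ("filled", FILLED_MRINIT)):
        conf = parse_mrinit(text)
        print(label, "->", parent_addresses(conf), check_config(conf) or "OK")
    # Live probe of the relay name from the sample; results depend on where you run it.
    print(check_relay_ports(parse_mrinit(FILLED_MRINIT)["ParentRouterAddress"]))
```

Run it once on the LAN and once from outside before the laptops ship: the parse checks catch a template that was never filled in, and the port probe shows whether the NAT rules and split-DNS answer actually line up from that location.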

  • Hello warnox,

    for laptops
    correct (personally I prefer packages).

    MR.domain.com
    in the DMZ must return the name in the IOR - but I'm sure you already know this and the other intricacies involved.

    Christian 

  • Yep, I believe you're referring to the steps in https://community.sophos.com/kb/en-us/50832, so hopefully it'll be fine :)

    Thanks again!