This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Sophos Endpoint Protection for Off-site Windows machines

I have some old computers that I want to get off of Symantec and on to Sophos but they are all computers that are not joined to our domain.  Not entirely off-site equipment, they are just carried to and from work so that the users can have them at home.  I want to make sure they are updated and communicating with the server as all other machines are that are joined to the domain.  I have read the article at www.sophos.com/en-us/support/knowledgebase/38238.aspx and I don't have a problem doing this.  My question is, what other configuration do I have to do in order for this to work?  Is there something that I have to do for a user to have the computer still communicate with my server while they are at home?  Also, will this have any effect on all of the other computers that are joined to the domain and currently getting updates from the server share setup during installation?  

I have some computers already that someone else setup with a Sophos AV package and they are all in a group called Off-Site Users and it shows that they are getting updates and when they communicated with the server but they only get updates when VPN is connected.  The updating is configured the same way as all other computers.  They have the UNC path to the share and they also have a secondary update source which looks like it is configured with just Sophos and a username and password.  Is this how it is supposed to be.  I am confused.  



This thread was automatically locked due to age.
  • Hi,

    The options get a little complicated so I've tried to lay them all out....

    There are really two channels of communication between the 'on-premise' client and the management server in your infrastructure. I suppose there are 3 if you're using the Sophos Patch agent as well.  These are:

    1. Remote Management System (RMS) - This provides the management of the on-premise endpoint software. This requires the client to connect to the management server or message relay server on TCP ports 8192 and 8194 and ideally the server (or message relay) can connect to the client on port 8194 but it will work if not but downstream messages will be delayed due to polling mode - 15 minutes +-50%.
    2. Updating for Sophos AutoUpdate (HTTP or UNC).
    3. HTTP connection back to the management server for Patch Agent, this is the same port as chosen during the install of SEC but the default is 80. - If you're not using Sophos Patch agent don't worry about this one.

    To supply updating for you remote computers you can make the updating source available over HTTP so you have full control of the distribution of updates.  As per the article you have found which details using IIS to share out the files.  That said, just creating a "Web CID" will not provide management just updating.  To provide management you would need to follow an article such as: https://community.sophos.com/kb/en-us/50832 - The details in this post may also help you - https://community.sophos.com/products/endpoint-security-control/f/3/p/3154/8546#8546. Clearly this is quite a bit of work and the steps will differ depending on your infrastructure.

    If you just provide updating, the clients will queue the messages locally and deliver them when the client is able to contact the management server. Be this when they join the LAN or the VPN connection is established.

    That said, to give a complete answer in this area, you could just provide configuration changes to the client via the updating channel if you really need to push out a change - https://community.sophos.com/kb/en-us/13111. Not full management but I wanted to mention it for completeness.

    The other option to remove the need to configure your own update location is just to configure the secondary update location to be Sophos.  That way, when the clients are unable to access your update location them come to Sophos.  The minimum download algorithm is used to choose the "best" update.  Using this method you loose a little bit of control as custom files in the distribution point are not available to you.

    When the clients are connected via the VPN, they just work as if they are on the LAN, i.e. if they are using UNC updating from the management server that will work.  RMS also works as the client can resolve the ParentAddress and contact ports 8192 and 8194.

    So it's a bit of a sliding scale of control and features vs complexity of setup.

    There is another option however if you don't mind managing these computers separately. I would strongly recommend managing them with Sophos Central.  This gives you full management without needing to change anything in your infrastructure. The following article should help you decide if it covers what you need: https://community.sophos.com/kb/en-us/121475.  

    That said, if you visit: https://cloud.sophos.com/ there is a "Sign up link". You can create an account and protect a client in around 10 minutes. If you decide that the future of Sophos in your organisation would be better implemented using Sophos Central, there is also a migration tool to move the clients from SEC to Central Managed - https://community.sophos.com/kb/en-us/121475.

    I hope this helps inform you of the options.  Reply if you need more detail on any of these points.

    Regards,

    Jak

     

  • Thank you for the detailed response.  I will consider all of this.  However, to do this, I may need to contact my ISP for the external connection for the client updates.  Our ISP is another state agency and we have to go through the F5 proxy for these kinds of things so I may just skip that headache and keep it the way it is for now.