
Sophos Endpoint Protection for Off-site Windows machines

I have some old computers that I want to get off of Symantec and on to Sophos, but they are all computers that are not joined to our domain.  They are not entirely off-site equipment; they are just carried to and from work so that the users can have them at home.  I want to make sure they are updated and communicating with the server as all other machines are that are joined to the domain.  I have read the article at www.sophos.com/en-us/support/knowledgebase/38238.aspx and I don't have a problem doing this.  My question is, what other configuration do I have to do in order for this to work?  Is there something that I have to do for a user to have the computer still communicate with my server while they are at home?  Also, will this have any effect on all of the other computers that are joined to the domain and currently getting updates from the server share set up during installation?  

I have some computers already that someone else set up with a Sophos AV package. They are all in a group called Off-Site Users, and it shows that they are getting updates and when they last communicated with the server, but they only get updates when the VPN is connected.  The updating is configured the same way as on all other computers.  They have the UNC path to the share, and they also have a secondary update source which looks like it is configured with just Sophos and a username and password.  Is this how it is supposed to be?  I am confused.  



  • Hi,

    The options get a little complicated so I've tried to lay them all out....

    There are really two channels of communication between the 'on-premise' client and the management server in your infrastructure. I suppose there are 3 if you're using the Sophos Patch agent as well.  These are:

    1. Remote Management System (RMS) - This provides the management of the on-premise endpoint software. This requires the client to connect to the management server or message relay server on TCP ports 8192 and 8194. Ideally the server (or message relay) can also connect to the client on port 8194; it will work if not, but downstream messages will be delayed due to polling mode (15 minutes ±50%).
    2. Updating for Sophos AutoUpdate (HTTP or UNC).
    3. HTTP connection back to the management server for the Patch Agent. This uses the same port as chosen during the install of SEC (the default is 80). If you're not using the Sophos Patch agent, don't worry about this one.

    To supply updating for your remote computers you can make the updating source available over HTTP so you have full control of the distribution of updates, as per the article you have found, which details using IIS to share out the files.  That said, just creating a "Web CID" will not provide management, just updating.  To provide management you would need to follow an article such as: https://community.sophos.com/kb/en-us/50832 - The details in this post may also help you - https://community.sophos.com/products/endpoint-security-control/f/3/p/3154/8546#8546. Clearly this is quite a bit of work and the steps will differ depending on your infrastructure.

    If you just provide updating, the clients will queue the messages locally and deliver them when the client is able to contact the management server, be this when they join the LAN or when the VPN connection is established.

    That said, to give a complete answer in this area, you could just provide configuration changes to the client via the updating channel if you really need to push out a change - https://community.sophos.com/kb/en-us/13111. Not full management but I wanted to mention it for completeness.

    The other option, to remove the need to configure your own update location, is just to configure the secondary update location to be Sophos.  That way, when the clients are unable to access your update location they come to Sophos.  The minimum download algorithm is used to choose the "best" update.  Using this method you lose a little bit of control, as custom files in the distribution point are not available to you.

    When the clients are connected via the VPN, they just work as if they are on the LAN, i.e. if they are using UNC updating from the management server that will work.  RMS also works as the client can resolve the ParentAddress and contact ports 8192 and 8194.

    So it's a bit of a sliding scale of control and features vs complexity of setup.

    There is another option however if you don't mind managing these computers separately. I would strongly recommend managing them with Sophos Central.  This gives you full management without needing to change anything in your infrastructure. The following article should help you decide if it covers what you need: https://community.sophos.com/kb/en-us/121475.  

    That said, if you visit: https://cloud.sophos.com/ there is a "Sign up link". You can create an account and protect a client in around 10 minutes. If you decide that the future of Sophos in your organisation would be better implemented using Sophos Central, there is also a migration tool to move the clients from SEC to Central Managed - https://community.sophos.com/kb/en-us/121475.

    I hope this helps inform you of the options.  Reply if you need more detail on any of these points.

    Regards,

    Jak
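
The three channels listed in the answer above (RMS on TCP 8192/8194, AutoUpdate over HTTP or UNC, and the optional Patch Agent HTTP port) can be checked from a laptop before it leaves the building, so you know whether it will be fully managed, update-only with queued messages, or dependent on the secondary Sophos source. The following PowerShell script is an added example and is not from the original post or from Sophos; the management server name, the Web CID URL and the `SophosUpdate` share name are placeholders you would replace with your own. It only proves outbound reachability from the client; whether the server can reach the client on 8194 (which decides polling mode) cannot be tested from the client side alone.

```powershell
# Added example, not part of the original thread. Checks which Sophos
# channels an off-site Windows client can reach right now.
# All hostnames, URLs and share names below are assumptions; edit them.
param(
    # Management server or message relay the client's ParentAddress points at (assumed)
    [string]$ParentAddress = 'sec-server.corp.example',
    # Web CID published through IIS per KB 38238 (assumed path)
    [string]$WebCid        = 'http://updates.corp.example/SophosUpdate/CIDs/S000/SAVSCFXP/',
    # UNC share used for on-LAN/VPN updating (default SEC share name, assumed here)
    [string]$UncCid        = '\\sec-server.corp.example\SophosUpdate',
    # Port chosen for the Patch Agent during SEC install; default is 80
    [int]$PatchPort        = 80
)

# TCP connect with a timeout; Test-NetConnection is slower and needs Windows 8+/2012+
function Test-TcpPort {
    param([string]$HostName, [int]$Port, [int]$TimeoutMs = 3000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($HostName, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs)) { return $false } # timed out
        $client.EndConnect($async)   # throws if the connection was refused
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

# HEAD request against the Web CID: any 200 means IIS is serving the CID
function Test-HttpCid {
    param([string]$Url)
    try {
        $resp = Invoke-WebRequest -Uri $Url -Method Head -UseBasicParsing -TimeoutSec 10
        return ($resp.StatusCode -eq 200)
    } catch {
        return $false
    }
}

$result = [pscustomobject]@{
    'RMS 8192 (client -> server)' = Test-TcpPort -HostName $ParentAddress -Port 8192
    'RMS 8194 (client -> server)' = Test-TcpPort -HostName $ParentAddress -Port 8194
    "Patch HTTP $PatchPort"       = Test-TcpPort -HostName $ParentAddress -Port $PatchPort
    'Web CID (HTTP)'              = Test-HttpCid -Url $WebCid
    'UNC CID (SMB)'               = Test-Path -Path $UncCid
}
$result | Format-List

# Summarise what the client will do in this network position.
$rmsOk = $result.'RMS 8192 (client -> server)' -and $result.'RMS 8194 (client -> server)'
$cidOk = $result.'Web CID (HTTP)' -or $result.'UNC CID (SMB)'
if ($rmsOk -and $cidOk) {
    'Managed and updating: policy and status flow now (polling mode if 8194 inbound is blocked).'
} elseif ($cidOk) {
    'Updating only: status/policy messages queue locally until the LAN or VPN is available.'
} else {
    'No primary source reachable: client updates only if a secondary (Sophos) source is configured.'
}
```

Run it once on the office network and once from home (with and without the VPN) to see which rows change; the VPN case should match the office case if split tunnelling is not stripping 8192/8194 or SMB.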

  • Thank you for the detailed response.  I will consider all of this.  However, to do this, I may need to contact my ISP for the external connection for the client updates.  Our ISP is another state agency and we have to go through the F5 proxy for these kinds of things so I may just skip that headache and keep it the way it is for now.