This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Deploy Endpoint Protection over VPN

Hi,

I'm kinda new to 'SOPHOS' world and quite pleased of how the Enterprise Console is working and doing its job so far.

I've deployed the Enterprise Console 5.2.2 and successfully deployed endpoint protection on on-site clients.

And now I'm faced with a new request.


There are at least 10 coworkers who are working using Transport-Mode, mostly they're are sales guys who just use an IPSEC Client to connect to the HQ.

I was now wondering how could I deploy the endpoint protection to those computers.

:55192


This thread was automatically locked due to age.
  • Hello nask,

    if they are fully "inside" (i.e. SEC can find and contact them) when connected, deployment should work as with the on-site endpoints. Another option would be a deployment package but the users would need administrator rights to install it.

    The most important part is to ensure that the endpoints can update when they are not connected over VPN. You'd either have to publish a WebCID on the public Internet or set Sophos as secondary update location. Please note that the endpoints can't be managed (i.e. they won't report their status and can't receive policies) when they are not connected.

    Christian

    :55195
  • Thanks for quick answer, ;-)

    I had started thinking about publishing a WebCID but I guess it would be simpler to use Sophos as secondary update location.

    I have to say ... I do not understand why someone chose on-premise solution instead of the cloud-based one.

    I'll give it a try.

    :55203
  • Hello nask,

    why someone chose on-premise solution instead of the cloud-based one

    • it hasn't been available
    • it has not (yet) all the features
    • some CSOs don't embrace SaaS

    Why do you have it on-premise? :smileyhappy:

    Christian

    :55205
  • I simply have no idea. Unfortunately nobody asked me if "we" should have cloud-based or on-premise.

    Still some clients to deploy but it's running smoothly. 

    :55225
  • I have a question, When you say Inside, Would this mean that it would go over to another Subnet over an IPSEC tunnel at another location if it is a site to site VPN

  • Hello RyanHosiassohn,

    inside in this context means that the computer can access the necessary resources (management server and CID) as if it were on the LAN and that seen from the management server the computer is accessible like any other endpoint on the LAN. SEC isn't aware of networking intricacies, whether it's a site-to-site or client connection doesn't matter. Specifically for Protect Computers (as the original question was about deployment) the computer's name must in addition resolve to an address that SEC can use to create a Scheduled Task in the computer.

    Christian