
Deploy Endpoint Protection over VPN

Hi,

I'm kind of new to the Sophos world and quite pleased with how the Enterprise Console is working and doing its job so far.

I've deployed the Enterprise Console 5.2.2 and successfully deployed endpoint protection on on-site clients.

And now I'm faced with a new request.


There are at least 10 coworkers who work using transport mode; mostly they're sales guys who just use an IPsec client to connect to the HQ.

I was now wondering how I could deploy the endpoint protection to those computers.



  • Hello nask,

    if they are fully "inside" (i.e. SEC can find and contact them) when connected, deployment should work as with the on-site endpoints. Another option would be a deployment package but the users would need administrator rights to install it.

    The most important part is to ensure that the endpoints can update when they are not connected over VPN. You'd either have to publish a WebCID on the public Internet or set Sophos as secondary update location. Please note that the endpoints can't be managed (i.e. they won't report their status and can't receive policies) when they are not connected.

    Christian

  • I have a question. When you say "inside", would this mean that it would go over to another subnet over an IPsec tunnel at another location if it is a site-to-site VPN?

  • Hello RyanHosiassohn,

    "Inside" in this context means that the computer can access the necessary resources (management server and CID) as if it were on the LAN, and that, seen from the management server, the computer is accessible like any other endpoint on the LAN. SEC isn't aware of networking intricacies; whether it's a site-to-site or client connection doesn't matter. Specifically for Protect Computers (as the original question was about deployment), the computer's name must in addition resolve to an address that SEC can use to create a Scheduled Task on the computer.

    Christian
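The "inside" test Christian describes can be checked from the SEC server before you try Protect Computers on a VPN client. The following PowerShell script is an added example for this thread, not Sophos's own tooling: it verifies that the endpoint's name resolves, that the address it resolves to is reachable for the ADMIN$ share and Remote Registry that the scheduled-task deployment relies on, and that the client can reach the management server's RMS ports so it will report in once managed. The RMS port numbers (8192 and 8194), the WinRM hop for the client-side check, and the `-VpnPool` prefix are assumptions made for the example; confirm the ports against the Sophos knowledge base for your console version.

```powershell
<#
  Added example (not from the original thread or from Sophos).
  Run on the SEC management server as an account that is a local
  administrator on the endpoint. Windows PowerShell 5.1 on Server 2012+
  (Resolve-DnsName / Test-NetConnection are available there).
#>
param(
    [Parameter(Mandatory = $true)][string]$ComputerName,
    # Assumption: the SEC server's own name is what endpoints use for RMS.
    [string]$ServerFqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName,
    # Assumption: address pool handed to IPsec clients, e.g. '10.99.0.'. Used only
    # to warn when DNS still holds a stale LAN record for a roaming laptop.
    [string]$VpnPool = '',
    # Assumption: RMS ports the endpoint must reach on the server (check the Sophos KB).
    [int[]]$RmsPorts = @(8192, 8194)
)

$r = [ordered]@{ Computer = $ComputerName }

# 1. Name resolution: Protect Computers needs the name to resolve to an address SEC can use.
try {
    $addrs = @((Resolve-DnsName -Name $ComputerName -Type A -ErrorAction Stop).IPAddress)
    $r.Resolves  = $true
    $r.Addresses = $addrs -join ','
    if ($VpnPool -and -not ($addrs | Where-Object { $_.StartsWith($VpnPool) })) {
        # Typical failure on VPN: DNS answers with the office LAN address the laptop had last week.
        $r.Warning = "No resolved address is in the VPN pool $VpnPool*; DNS record may be stale"
    }
} catch {
    $r.Resolves  = $false
    $r.Addresses = ''
}

if ($r.Resolves) {
    # 2. What the deployment itself needs: SMB (ADMIN$) and the Remote Registry service.
    $r.Smb445        = Test-NetConnection -ComputerName $ComputerName -Port 445 -InformationLevel Quiet
    $r.AdminShare    = Test-Path "\\$ComputerName\ADMIN$"
    try {
        $r.RemoteRegistry = (Get-Service -ComputerName $ComputerName -Name RemoteRegistry -ErrorAction Stop).Status.ToString()
    } catch {
        $r.RemoteRegistry = 'unreachable'
    }

    # 3. Return path: once installed, the endpoint must reach the server's RMS ports through
    #    the tunnel, or it will never report status or receive policy. Assumption: WinRM is
    #    enabled on the client so the test can be run from its side; otherwise run the
    #    Test-NetConnection line locally on the laptop while the VPN is up.
    try {
        $r.RmsFromClient = Invoke-Command -ComputerName $ComputerName -ErrorAction Stop -ScriptBlock {
            param($srv, $ports)
            ($ports | ForEach-Object {
                "$($_)=" + (Test-NetConnection -ComputerName $srv -Port $_ -InformationLevel Quiet)
            }) -join ' '
        } -ArgumentList $ServerFqdn, $RmsPorts
    } catch {
        $r.RmsFromClient = 'WinRM not reachable; test from the client'
    }
}

# A client is a candidate for Protect Computers only when every deployment-side check passes.
$r.ReadyForProtect = [bool]($r.Resolves -and $r.Smb445 -and $r.AdminShare -and $r.RemoteRegistry -eq 'Running')
[pscustomobject]$r
```

Run it while the user's IPsec session is up, e.g. `.\Check-SecReach.ps1 -ComputerName SALES-LT07 -VpnPool '10.99.0.'`. If `Resolves` is true but the address is not in the VPN pool, fix DNS registration over the tunnel before retrying Protect Computers; if `RmsFromClient` shows a port as False, the tunnel or firewall is blocking the return path and the endpoint will install but stay unmanaged, which is the situation Christian warns about for disconnected clients.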
