
Message Relay or WebCID

Hi All,

We currently have Barracuda Flex to manage the internet (control sites, reporting, whitelist/blacklist). I am looking to get rid of this and use Sophos Web Control (as we pay for it already). I would require that the client laptops (off-site) get any updates/policy changes we make, and be able to be managed from SEC.

Through some reading, and some posts, I have learned the options are:

1. Message Relay over WAN

2. Use WebCID

3. Convert to Central (don't want to do this)

So I'm left with options 1 and 2.

Has anyone done this, or got any info/experience on this?

Thanks

James



  • Hello James,

    first of all, please be aware that Web Control likely doesn't offer the same functionality as the Barracuda service.

    It's both 1 & 2 (unless you want to open or forward the required ports, SMB/445 and RMS/8192+8194, on the perimeter). The WebCID is for updating and the Message Relay is for communication and management. Also note that if the relay can't connect to port 8194 on the off-site endpoints, management has a considerable latency.

    The basic setup would be the management server on the LAN and the WebCID/Relay in the DMZ. Endpoints would be configured either as LAN endpoints or off-site endpoints. Whether this makes sense depends on your endpoints' "movement patterns". If they are mostly off-site, this two-tier setup is fine if the DMZ, or at least the WebCID/Relay, is accessible from the LAN in the same way as from the Internet.

    Christian
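A reachability check for the two-tier layout described in the reply above, added here as an example; it is not from the thread and not a Sophos tool. It probes, from the endpoint's point of view, the three paths the reply names (SMB/445 for a UNC CID, an HTTP WebCID, and RMS 8192 towards the relay), checks whether the local RMS agent is listening on 8194 (the port the relay connects back to), and turns the raw results into "can this endpoint update, and can SEC manage it". The two DMZ hostnames and the use of plain HTTP on port 80 for the WebCID are assumptions for illustration; the `probe` argument exists so the decision logic can be exercised without a network.

```python
import socket

# Added example, not from the thread or from Sophos. Hostnames are assumptions;
# ports 445, 8192 and 8194 come from the thread, port 80 for the WebCID is assumed.
RELAY_HOST = "relay.dmz.example.com"     # assumed DMZ Message Relay
WEBCID_HOST = "updates.dmz.example.com"  # assumed DMZ WebCID / UNC share host

# (check name, host, port, meaning)
OUTBOUND_CHECKS = [
    ("unc_cid", WEBCID_HOST, 445, "UNC (SMB) CID reachable"),
    ("web_cid", WEBCID_HOST, 80, "HTTP WebCID reachable"),
    ("rms_out", RELAY_HOST, 8192, "RMS endpoint -> relay channel reachable"),
]
RMS_INBOUND_PORT = 8194  # the relay connects *to* the endpoint on this port


def tcp_probe(host, port, timeout=3.0):
    """True if a TCP handshake to host:port completes within the timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def run_checks(probe=tcp_probe):
    """Run every outbound check plus a local listener check for 8194.

    `probe` is injectable so the logic can be tested without a network.
    """
    results = {name: probe(host, port) for name, host, port, _ in OUTBOUND_CHECKS}
    # The inbound path cannot be tested from the endpoint itself; the most we can
    # confirm locally is that the RMS agent is listening on 8194 at all.
    results["rms_in_listening"] = probe("127.0.0.1", RMS_INBOUND_PORT)
    return results


def assess(results):
    """Translate raw reachability into what the endpoint can actually do."""
    if results.get("unc_cid"):
        update_path = "unc"
    elif results.get("web_cid"):
        update_path = "web"
    else:
        update_path = None

    management = "relay" if results.get("rms_out") else None

    notes = []
    if update_path is None:
        notes.append("no CID reachable: endpoint will not update "
                     "(expose a WebCID or set Sophos as Secondary)")
    if management is None:
        notes.append("8192 unreachable: endpoint will show offline in SEC "
                     "and policies will not arrive")
    elif not results.get("rms_in_listening"):
        notes.append("RMS not listening on 8194 locally; "
                     "relay-initiated traffic impossible")
    else:
        notes.append("8194 listening, but if the relay cannot reach it through "
                     "NAT/firewall expect high management latency")
    return {"update_path": update_path, "management": management, "notes": notes}


if __name__ == "__main__":
    r = run_checks()
    for name, ok in r.items():
        print(f"{name:17s} {'ok' if ok else 'FAIL'}")
    print(assess(r))
```

Run it once on the LAN and once on 4G: the "update_path"/"management" pair tells you whether a WebCID alone, a relay alone, or both are needed for that location, and the 8194 note is the reminder that an outbound-only NAT still leaves the latency problem the reply mentions.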

     

  • Hi Christian

    Thanks for the reply. I have done some reading, and one thing I was looking at was that there seem to be different products from Sophos that have different levels of web safety:

    Web Control, Web Protection, and Sophos device with Web Protection.

    We have just got a Sophos UTM device (SG310) with the Web Protection subscription, and I am not sure what the best way to go is, as there seem to be a few ways to tackle this.

    I assume that the UTM would be the best way to go, but again how would that be able to update the off-site machines? Would I still need a relay? Can I control this from the Enterprise Console, and will I get more functionality, more like Barracuda Flex?

    Thanks Christian

    James

  • Hello James,

    I'm not Sophos or a partner and we don't have a Sophos gateway, so ...
    With the UTM there are, AFAIK, two options:

    1. Endpoint managed by the UTM. This has less functionality than the SEC-managed version or Central, but is in principle Central with the management "outsourced" to the UTM (endpoints would communicate with and update from the cloud, and the UTM would provide the interface to the cloud backend).

    2. The SESC product with the full Web Control managed by the UTM. Otherwise the UTM is not SESC-aware and the SESC setup is the same as without the UTM.

    Christian

  • Christian,

    Sorry for the late reply.

    I have enabled Sophos Live Connect on the UTM; this allows Sophos to be updated off network, and will also update any changes we make to the Web Protection policies right away.

    So on a test machine I have done the following:

    1. Laptop with Sophos Anti-Virus installed and machine visible in Enterprise Console.

    2. Tested a website, e.g. www.site1.com, just to make sure that we could access it. We could.

    3. Went to the UTM and added the site to the blacklist under filtering options.

    4. Updated Sophos (right-click shield, Update now).

    5. Tested www.site1.com, and it is now blocked.

    6. Took the laptop off the network and put it on 4G.

    7. Tested a website, e.g. www.site2.com, just to make sure that we could access it. We could.

    8. Went to the UTM and added the site to the blacklist under filtering options.

    9. Updated Sophos (right-click shield, Update now).

    10. Tested www.site2.com, and it is now blocked.

    So it seems to work fine with Sophos Live Connect; no Message Relay or WebCID required.

    There is a Sophos agent on the UTM that I can install on the clients, but I'm not sure if I need this or not, as it seems to be for adding machines to the computer management section of the UTM so that they can be managed from there. I still want to use SEC, so I'm looking at what I can do using SEC; still not sure yet whether I need to use the UTM or SEC or both.

    James

  • Hello James,

    if I understand you correctly, you manage your endpoints with SEC and have told them to use full Web Control that is managed by the UTM?
    As the SEC-managed SAV/SESC is installed on the computer, where does it update from? The Primary must be either a UNC or HTTP CID; did you also set a Secondary location? Did you test whether you can send the endpoint a policy or request when it's off-net?

    Christian

  • Hi Christian,

    Yes, that is correct. The updates are configured in the Web Control policy section of SEC; here we tell it to go to the UTM by selecting the Full Web Control option.

    James

  • Hello James,

    I was referring to the software (SAV) updates and the management besides Web Control. For the former, if you don't create an Internet-facing WebCID, you could specify Sophos as the Secondary update source. This would permit endpoints to update when off-net (or better: off-LAN), though they will complain about being unable to update RMSNT. For the latter you'd need a relay; otherwise you couldn't manage them except for Web Control (which isn't managed by SEC but offloaded to the UTM anyway).

    Nevertheless you answered a not so unimportant part. What you can achieve using both SEC and UTM you can't with just one of them.
    As far as I understand Chapter 14.1.5 of the UTM Administration Guide the computers should be visible in and their Web Control policies manageable from the UTM without an additional agent deployed.

    Christian 

  • Hi Christian ,

    I see what you are saying now. Yes, we have a secondary (Sophos warehouse).

    The computers do update AV from the Sophos warehouse when off the LAN; however, the machines will not show up as online in SEC (unless I put the Message Relay in, is that correct?), but will update AV from the secondary and Web Protection from the UTM via Live Connect.

    I think I read that the agent is only useful for reporting the usernames in the logs/reports, and would not affect the web protection. I will look into this more.

    James

  • Hello James,

    "when off the LAN [...] will not show up as online [...] unless"
    So it is, exactly.
    I have no experience at all with the UTM and its agent (and you can't really deduce it from the docs ;))

    Christian

  • Hi Christian,

    Yes, the docs and videos that are available are very high level at times, with not a lot of detail on how things are configured/set up; more "it can do this and this and it's great". :)

    Once I know more I will update this post.

    Thanks

    James