Deploying Endpoint Protection

Hi Guys,


Just want to ask how the Sophos Management Console would see the Windows endpoint as having the same policy (reflect it to the management console) after I installed endpoint protection on the monitored host?



  • Hi Floki, 

    I am not sure if I understand your question completely. As per my understanding, you want to know if the policy which is applied is working properly or not on the endpoint machine. 

    If the policy is not working properly, Sophos Enterprise Console will show a warning such as "Differs from policy" if the policy is violated. 

    This article will help you in scenarios where you get such warnings. 

  • Hello Floki,

    I'm not sure how this relates to Deployment Packager - maybe you should edit this thread's subject.

    A managed computer communicates with the management server via the RMS component. The endpoint's RMS has two elements, the Agent and the Router. The latter routes the messages (status, alerts, and events) from the Agent to the management server and v.v. (policies, commands), the former collects them from and distributes them to the other components.
    The Agent stores the policies in its AdapterStorage. Whenever it receives a policy or a notification (status, settings change) from a local component it compares the cached policy to the settings in effect, reporting the result (Same as, Differs, or Comparison failure) to SEC. Initially the cache is empty and the Agent requests the policies from SEC (Awaiting policy from console). There's one more state, Awaiting policy transfer, when a policy has been changed (or a different policy assigned) and not yet acknowledged. As messages from SEC have a TTL it is possible that the Awaiting states persist for an endpoint that was disconnected when the message was enqueued and remained disconnected for longer than TTL.


  • In reply to QC:

    Edited the title, sorry about that. So I used Deployment Packager again and I figured out that I missed checking the RMS checkbox, which will be the mechanism for monitored hosts to connect with the Sophos Server. Now I was able to see that monitored hosts and the Management Console have the same policy. The only thing left is to tighten the connection between them. For the connection of monitored hosts and the server, I'm planning to have the following steps:

    [Sophos Server]

    1. open 8192/tcp & 8194/tcp {inbound & outbound}

    2. Scope: Local {}, Remote {Local Network Subnet}

    [Monitored hosts]

    1. Open 8194/tcp {inbound & outbound}

    2. Scope: Local {}, Remote {Sophos_Server_IP_Address}


    Just saw them in the deployment guide. Is there any other program I need to allow through the firewall? Like, for example, the RouterNT or file sharing?


    Thanks a lot! We can now comply with CIS benchmarking :))))

  • In reply to Floki Saints:

    Hello Floki,

    For communication the process is RouterNT.exe. Scope Local would not permit connections from/to remote hosts though, would it? And monitored hosts need 8192 outbound (from RouterNT.exe) as well.

    For updating the process is ALUpdate.exe, it uses either SMB/NetBIOS (445/137-139) or HTTP (80) to download.

    Please note that certain features (Live Protection, MTD, ...) require additional connectivity. If not permitted nothing will break but the functionality won't be available.


  • In reply to QC:

    Good Day,


    Alright. Thank you so much Christian. Now I know how we can secure the connection between the AV & other servers.

  • In reply to Floki Saints:

    Hi Christian,


    After some discussion with my superior, we finalized the firewall settings:


    Here it is:

    [Sophos Server]

    1. open 8192/tcp & 8194/tcp {inbound & outbound}

    2. Scope: Local {any}, Remote {Local Network Subnet}

    [Monitored hosts]

    1. Open 8194/tcp {inbound & outbound}, 8192/tcp outbound, Ports 445/TCP {inbound} & 137-139/UDP {inbound}

    2. Scope: Local {any}, Remote {Sophos_Server_IP_Address}


    Looks Good? Thanks a lot!
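
The monitored-host side of the rules discussed in this thread can be scripted with the built-in Windows Firewall cmdlets, each rule scoped to the server address and, for RMS, to RouterNT.exe. This is an added example, not code from any poster or from Sophos; the server address, the RouterNT.exe path and the rule and group names are placeholders, and the update rule assumes the endpoint initiates the SMB download.

```powershell
# Added example (not from the thread). Run in an elevated PowerShell session.
# Assumptions: the address, path and names below are placeholders to replace.
$SophosServer = '192.0.2.10'                   # placeholder for Sophos_Server_IP_Address
$RouterNT     = 'C:\PLACEHOLDER\RouterNT.exe'  # placeholder; use the installed location
$Group        = 'Sophos endpoint (example)'    # hypothetical group name, used for cleanup

$rules = @(
    # RMS: 8194/tcp inbound, as listed for monitored hosts in the thread
    @{ DisplayName = 'Sophos RMS in 8194'; Direction = 'Inbound'
       Program = $RouterNT; LocalPort = '8194' }
    # RMS: RouterNT.exe needs 8192/tcp and 8194/tcp outbound to the server
    @{ DisplayName = 'Sophos RMS out 8192,8194'; Direction = 'Outbound'
       Program = $RouterNT; RemotePort = '8192', '8194' }
    # Updating over SMB: no program filter, because SMB client connections are
    # made by the Windows System process rather than by ALUpdate.exe itself
    @{ DisplayName = 'Sophos update out SMB 445'; Direction = 'Outbound'
       RemotePort = '445' }
)

# Make the script re-runnable: drop rules created by an earlier run
Get-NetFirewallRule -Group $Group -ErrorAction SilentlyContinue | Remove-NetFirewallRule

foreach ($r in $rules) {
    # Every rule is TCP, allow-only, and limited to the management server address
    New-NetFirewallRule @r -Group $Group -Action Allow -Protocol TCP `
        -RemoteAddress $SophosServer | Out-Null
}

# Allow rules only restrict traffic when the profile's default action for that
# direction is Block; Windows allows outbound connections by default.
Get-NetFirewallProfile |
    Select-Object Name, Enabled, DefaultInboundAction, DefaultOutboundAction

# Show what was created, with the port and address scope of each rule
Get-NetFirewallRule -Group $Group | ForEach-Object {
    $port = $_ | Get-NetFirewallPortFilter
    $addr = $_ | Get-NetFirewallAddressFilter
    [pscustomobject]@{
        Rule          = $_.DisplayName
        Direction     = $_.Direction
        LocalPort     = $port.LocalPort
        RemotePort    = $port.RemotePort
        RemoteAddress = $addr.RemoteAddress
    }
} | Format-Table -AutoSize
```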