Allowing external clients to talk directly to EC

I've read through https://community.sophos.com/kb/en-us/50832 on using MR in public WAN. However, I'd like to know if I can configure things so that clients outside the LAN can talk directly to EC with RMS, and not use an MR. In this case I would port forward TCP/8192 and TCP/8194 from a public WAN IP to the private IP of the EC server. I will define an FQDN of av.domain.com which will resolve to the public IP when off network and the private IP when on network.

Along with this, I'd like clients that sit both internal and external to use the same package and mrinit.conf. I have a lot of users who roam between internal and external networks.

If this can be done, how should I set MRParentAddress and ParentRouterAddress in mrinit.conf for CID?

 

  • Hi  

    Enterprise Console provides the functions below, along with Sophos Update Manager:

    1. Manage Endpoints and administration

    2. Provide updates to endpoints, which happens through Sophos Update Manager.

    Update of the clients can happen through WebCID. You can directly put your EC in the DMZ, but that is not recommended, as it will be more vulnerable to attack, and it means your endpoint protection may get compromised if anyone reaches that server. So, to enable communication with clients from outside of the network, the message relay concept was introduced, which keeps EC in the internal network while the MR works as a relay agent to create a connection between endpoint and EC.

    The MRINIT file configuration will be the same as the message relay configuration provided in the article. We'd suggest you use the MR in the DMZ to be on the safer side and to avoid security issues.