SEC 5.5.2 - security risks when using a Message Relay and SUM server in DMZ


I have a Sophos Enterprise Console 5.5.2 deployment that is LAN only for the moment.

Some laptops are out of the office without VPN for a long time without visibility on what's happening on them.

I would like to deploy a secondary MR and SUM in DMZ to manage these laptops.

My question is what about security risks to put this Sophos server in DMZ as it will be seen by everybody in the Internet ?

Is it possible to enforce security to limit these risks ?

Thanks for sharing your experience.


  • Hello Julien,

    on your perimeter firewall you should limit access to the required ports. Managing ports (8192-8194) are quite "safe", the greatest risk likely DoS. If you did not yet publish the update locations with a public web-server you have to install and configure one (e.g. IIS) and open the port it is listening on (80 or some other port of your choice).

    As to it will be seen - you don't have to advertise it. Nevertheless it will be found, rather sooner than later, the web-server usually a welcome target. There's no fancy logic on the server though, it "just" has to serve files and whatever smartness can be turned off should be turned off. It doesn't even have to have a direct connection for the web service, you can put a proxy in front for additional protection.


  • In reply to QC:

    Hello Christian,

    Thanks for your feedback.

    I did the deployment as it is descbribded in the KB 50832 & 14635 and so on.

    For the SUM all is fine and I configured a WAF in front of the web service to get a better security.

    For the MR, I have an issue with the IOR.

    I modified the ServiceArgs registry key of the MR in DMZ with this value : -ORBDottedDecimalAddresses 0 -ORBListenEndpoints iiop://:8193/ssl_port=8194&hostname_in_ior=mymr.mydomain.mycountry, but when I check the IOR sent by the relay, it doesn't contain the hostname in it.
    That's why the communication is not OK between the external laptop and the MR in DMZ.
    I can see in the router logs of the endpoint (with more debug activated) : SSL connection to <internal_ip_address:8194:8194> failed (errno: connection timed out).
    The problem is the endpoint is using the internal IP address of the relay and not the public IP address resolved by DNS of my FQDN.
    It seems the ServiceArgs registry key has not effect on the IOR sent by the MR in DMZ.


  • In reply to Julien LONGHI:

    Hello Julien,

    you did also change HKLM\SYSTEM\CurrentControlSet\Services\Sophos Message Router\ImagePath? Please check with services.msc or equivalent that the Router service is indeed running with the desired arguments.