
Recommended best-practice for providing endpoint updates / management over the internet

Hey folks,

I have what I hope is a quick question regarding best practices when it comes to Sophos management over the internet.

I am currently working on a way for remote users in our organization to receive updates from our Sophos Enterprise Console, as well as report statistics/etc. After doing some digging around and implementing something similar for WSUS, I've installed a new Sophos Enterprise Console in our AWS VPC, and currently have both a private (internal) IP address and a permanent public IP address assigned to it. I'd like to be in a situation where I can configure endpoint clients to connect to the internal IP when available (such as when they're in the office or connected to our VPN), and otherwise, if that fails, connect to the public IP address.

I was wondering if anyone else has done something similar, or if there are some documents I might have missed, or if this is a bad idea - I'm a little concerned with what else might be exposed.

Thanks all!

Zack H.



  • Hello Zack H.,

    as you probably don't want to use NetBIOS/SMB over the public net (if it's possible at all), you'd have to publish a WebCID and configure your endpoints to update from the HTTP location.

    There are several options:

    • one HTTP update location
      h__p://server.fq.dn/SophosUpdate - the FQDN must resolve to the private IP when the endpoint is "in" the VPC and the public IP otherwise
    • two locations, UNC internal and HTTP external
      \\server\SophosUpdate and h__p://server.fq.dn/SophosUpdate
    • two HTTP locations with name, FQDN, or IP

    Management is independent of updating; for a start, please see Using Sophos message relays in a public WAN. Guess you won't have a DMZ, and it's not required anyway, but I'm sure you can apply the concept to your situation. Likely you'll subsequently have some questions - feel free to ask.

    Christian

  • Christian,

    Thanks for the response and resources - this all makes sense to me. Our Sophos Management host is currently in our DMZ network already, and clients which are in the VPC (or, more factually, connecting in from our site-to-site link) can communicate with it just fine. It sounds like the best option for our environment would be to configure a WebCID to serve out on one HTTP FQDN and then edit local DNS to resolve to the private IP for local addresses.

    If I'm understanding correctly, will this then negate the need for a separate message relay, as I can do the same thing with DNS as I did with the HTTP update location? And is there any practical advantage then to even differentiate between the private / public addresses?

    Thanks!

  • Hello Zack,

    "differentiate between the private / public addresses"
    when not using UNC paths it's (almost) solely a question of networking, network topology, and, last but not least, interfaces. There's an article about the potential adverse effect of multiple IP addresses on the management server - dunno if it still applies.
    Anyway, you have to make sure that the IOR returned on port 8192 doesn't return an IP that can't be reached.

    Christian
