Sanity check : valid topology for SEC, SUM & MR?

Question

Hi, I am currently researching our options for endpoint protection in our (fairly secure) environment and wanted to check my understanding of the Sophos components & their topology is correct... 
 
 First requirement is that the Management Console its Update Manager will have no access to the Internet as those roles will be placed on a server on the internal network. 
 Second requirement is support for standalone Windows Server VMs as well as members from several Active Directory forests (no trusts). 
 Third requirement is that the servers in the DMZ will only communicate with a local server, to avoid lots of traffic through the firewall (inbound or outbound). 
 
 Assumptions: 
 Regarding the first requirement: - the internal Update Manger is considered "Main" and points to an Additional Update Manager in the DMZ 
 Regarding the second requirement: - the Update Manager shares can be published via HTTP with anonymous access so the agents can download updates as needed without distributing credentials for a service account 
 Regarding the third requirement: - the server in the DMZ with the Additional Update Manager role -- has access to the Internet through a proxy server to download updates (to then be picked up by the Main Update Manager ) -- is used by servers in the DMZ as the local Update Manager -- has the Message Relay role so it can forward health status messages on behalf of the DMZ servers to the Server Management role on the internal network 
 As the roles on the internal network will belong to one AD forest and there are other AD forests without a two-way trust, no "discovery" will be possible and it will be up to us to check the agents which have successfully reported their status - but the status of all machines will appear on the one Management Console regardless of which network they are on. 
 
 Is there anything I have missed, or misunderstood? 
 Thanks in advance! 
 //Roger

QC · Accepted Answer

Hello //Roger, 
 some additional information first. When using EM I refer to the management server. distributing credentials for a service account it's not a service account in the sense that it has any special rights (please see this article under Sophos Update Manager (SUM) account). But of course you can instead permit anonymous access. Whether HTTP or UNC depends on your domain's security settings. It's not required that the SUM account is a domain account if the management server is in a domain. download updates (to then be picked up by the Main Update Manager Management Server's SUM ) please note that when a SUM updates from another SUM the source SUM (in your case in the DMZ) must subscribe to all the packages the downstream SUM needs, not only to the ones it needs for its clients. to avoid lots of traffic through the firewall basically only the two servers need to communicate. You're probably aware of the required ports, 8192 and 8194 in (if you intend to use Patch an additional port, default 80, is required), 80 and 8194 out. 
 The intended topology is IMO reasonable, installation will be a little bit tricky: 
 
 Install SEC on the Management Server, cancel the Download Security Software wizard 
 Install SUM in the DMZ with the Message Relay role, set up the web server to publish the SophosUpdate share (you can use whatever valid, including null , path you wish) 
 In the Console configure both SUMs as needed, start with SUM-DMZ. For SUM-EM the source is SUM-DMZ/Path_To_SophosUpdate 
 Select (additional) subscriptions as required 
 
 You are then ready to configure groups and policies as needed 
 Christian