Sanity check : valid topology for SEC, SUM & MR?

Hi, I am currently researching our options for endpoint protection in our (fairly secure) environment and wanted to check my understanding of the Sophos components & their topology is correct...

 

First requirement is that the Management Console and its Update Manager will have no access to the Internet, as those roles will be placed on a server on the internal network.

Second requirement is support for standalone Windows Server VMs as well as members from several Active Directory forests (no trusts).

Third requirement is that the servers in the DMZ will only communicate with a local server, to avoid lots of traffic through the firewall (inbound or outbound).

 

Assumptions:

Regarding the first requirement:
- the internal Update Manager is considered "Main" and points to an Additional Update Manager in the DMZ

Regarding the second requirement:
- the Update Manager shares can be published via HTTP with anonymous access so the agents can download updates as needed without distributing credentials for a service account

Regarding the third requirement:
- the server in the DMZ with the Additional Update Manager role
-- has access to the Internet through a proxy server to download updates (to then be picked up by the Main Update Manager)
-- is used by servers in the DMZ as the local Update Manager
-- has the Message Relay role so it can forward health status messages on behalf of the DMZ servers to the Server Management role on the internal network

As the roles on the internal network will belong to one AD forest and there are other AD forests without a two-way trust, no "discovery" will be possible and it will be up to us to check the agents which have successfully reported their status - but the status of all machines will appear on the one Management Console regardless of which network they are on.

 

Is there anything I have missed, or misunderstood?

Thanks in advance!

//Roger

  • Hello //Roger,

    some additional information first. When using EM I refer to the management server.
    "distributing credentials for a service account"
    it's not a service account in the sense that it has any special rights (please see this article under Sophos Update Manager (SUM) account). But of course you can instead permit anonymous access. Whether HTTP or UNC depends on your domain's security settings. It's not required that the SUM account is a domain account if the management server is in a domain.
    "download updates (to then be picked up by the Main Update Manager Management Server's SUM)"
    please note that when a SUM updates from another SUM the source SUM (in your case in the DMZ) must subscribe to all the packages the downstream SUM needs, not only to the ones it needs for its clients.
    "to avoid lots of traffic through the firewall"
    basically only the two servers need to communicate. You're probably aware of the required ports, 8192 and 8194 in (if you intend to use Patch an additional port, default 80, is required), 80 and 8194 out.

    The intended topology is IMO reasonable, installation will be a little bit tricky:

    1. Install SEC on the Management Server, cancel the Download Security Software wizard
    2. Install SUM in the DMZ with the Message Relay role, set up the web server to publish the SophosUpdate share (you can use whatever valid, including null, path you wish)
    3. In the Console configure both SUMs as needed, start with SUM-DMZ. For SUM-EM the source is SUM-DMZ/Path_To_SophosUpdate
    4. Select (additional) subscriptions as required

    You are then ready to configure groups and policies as needed

    Christian

  • Cheers Christian, that's as perfect an answer as I could hope for :)

    HTTP is preferred not only as it is easier to set up as anonymous and allow just the one port through the firewall, but the LanmanServer service ("File and Printer Sharing for Microsoft Networks") can be unhooked from the IP stack, reducing the number of exposed services on the host.

    Time to PoC!

    Cheers,
    //Roger
