
Configuring Existing SafeGuard Install for Clients to Connect Externally

 Hi,

We've been running SafeGuard v8.00.2.16 for a year or so and have 58 client machines with boot level and/or file encryption.

When it was first set up, I followed the Sophos guide on YouTube which advised using a lot of default settings, and knowing what I know now, I would have done things differently.

However, as it stands, in IIS it's configured as the Default Web Site, and clients use Port 80 to talk to the server directly via servername.domain.local.  This means clients only sync when they're directly on our network, which wasn't a major issue at first and external access was something we figured we would just sort out later.

We now need to address this, as we want to roll file encryption out to around 130 remote users.

Is there a way to configure these new clients to communicate with the server remotely, using a different port from 80, without interfering with the 58 clients already in use?

I'm hoping I can create a new configuration package and give that to the new clients, such that they are configured to connect to an external URL on a custom port, e.g. sophos.externaldomain.co.uk:8787, something we could configure our network to recognise and route through to the Sophos server.

Over time we can then gradually migrate the original 58 clients over to the new settings.

Thanks!



This thread was automatically locked due to age.
  • It depends on how messed up you think your original config is. You could add a secondary server and configure this to be in your secure DMZ. The clients then attempt to connect to the primary (your original) server internally yet outside they'll attempt the primary and then try the secondary.

    I would argue this would be the safer/easier way of doing it but you could also consider setting up a new instance and then migrating the clients onto it? My original install here was not done to the optimum and I did that. Created an entirely new "service" and then moved the old clients across. Used the existing company cert to make sure the clients weren't too shocked! Create a new configuration on the new setup and then push that to the clients. All worked well.

    So - I think two options. Start again (if you really think the server is badly configured) and migrate or add a secondary "external" server to the current setup - create a new configuration with the primary and new secondary servers and then distribute that to the clients.