
Clients connect to Safeguard Enterprise server over Internet?

Kicking around SafeGuard Enterprise in a test environment for Synchronized Encryption.

In our production environment we will have users working remotely. Can the SafeGuard Enterprise server be set up to allow clients to sync over the Internet?

They currently use a VPN when they need to, and I know SafeGuard could sync that way, but some users could go days without ever using the VPN.



  • Hi - Yes, very easily. I have created a secondary server and placed this in the DMZ (or you could open the correct ports on your F/W if you don't have a DMZ). This server points to the primary server. Diagram below may help a little.

    You'll need to use HTTPS on all the servers (and obviously sort a public cert) and secure all other open ports/protocols, but my setup works well here. Clients talk to the internal server when internal; when elsewhere off the estate they talk to the primary (which then fails over to the secondary) and they get a response from the secondary.

    I set up the webhelpdesk to help technical staff recover keys without the console - This is internal too for me.

    In terms of config it's very simple to set up. Build and set up the new server. Install Sophos SG on the server. Set up all the SSL/IIS. Configure the F/W. Once this is done - back to the SGN server... Tools - Configuration Package Tool. This tells the additional servers who the primary is. You use the Server tab to add the extra server(s) and then use the Server Packages tab to create the config file for each server. You run that on the server after you've installed the Sophos setup.

    One downside is that now you've split out the servers you will have to do more housekeeping come updates time. Hardly worth fussing though as they're not that frequent and this gives you and your users a MUCH better experience!

    Hope this helps?

  • Thanks this was a big help.

    I have one question about the public certificate. We're currently running a free certificate that needs to be renewed every 90 days. How much hassle is it going to be when renewal comes up? Will I have to update each workstation manually or will Safeguard push the newly renewed certificate where it needs to go?

  • A good question - When you produce the client configuration file (Tools - Configuration Package Tool - Managed client packages tab) the configuration package contains the server cert(s); it's this that you push to the clients to update config/certs.

    I purchased a 3-year public CA cert so I'm OK for a while yet, but when the time comes I'll bind the new certs, produce a new configuration package and distribute that to the servers.

    Personally - Looking ahead I would probably create a secondary server and apply the cert to this. Add this server to the server packages - update the servers and then produce a new configuration package to include the "new" server. This would then allow me to migrate my clients across to include the new server so when the cert DOES expire I'm not left without service!
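
A practical companion to the certificate question and answer above, added here as an example and not taken from the thread or from Sophos: a PowerShell script that connects to each SafeGuard server's HTTPS endpoint, reports the certificate it presents (subject, issuer, thumbprint, expiry) and whether this machine trusts the chain, and warns when the two servers present different certificates or when expiry is close enough that a new configuration package needs to be built and pushed. The hostnames and port 443 are assumptions; the thread only says HTTPS.

```powershell
# Added example, not from the thread. Reports the certificate each SafeGuard
# server presents on HTTPS so renewal (e.g. of a 90-day cert) can be planned
# before the client configuration package has to be rebuilt and redistributed.
# Hostnames and port are placeholders; replace with your primary and DMZ servers.
$servers = @('sgn-primary.corp.example', 'sgn-dmz.example.com')
$port    = 443

function Get-ServerCertInfo {
    param([string]$Server, [int]$Port = 443)

    $tcp = New-Object System.Net.Sockets.TcpClient($Server, $Port)
    try {
        # Accept any certificate during the handshake so an expired or
        # untrusted one can still be inspected; trust is reported separately
        # via Verify() below rather than silently failing the connection.
        $callback = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $callback)
        $ssl.AuthenticateAsClient($Server)

        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        [pscustomobject]@{
            Server     = $Server
            Subject    = $cert.Subject
            Issuer     = $cert.Issuer
            Thumbprint = $cert.Thumbprint
            NotAfter   = $cert.NotAfter
            DaysLeft   = [int][math]::Floor(($cert.NotAfter - (Get-Date)).TotalDays)
            ChainOk    = $cert.Verify()   # $true if this machine trusts the chain
        }
        $ssl.Dispose()
    } finally {
        $tcp.Dispose()
    }
}

$results = @(foreach ($s in $servers) {
    try { Get-ServerCertInfo -Server $s -Port $port }
    catch { Write-Warning "$s : $($_.Exception.Message)" }
})

$results | Format-Table -AutoSize

# Primary and secondary should present the same certificate (one thumbprint);
# a mismatch usually means one IIS binding was updated and the other was not.
if (@($results | Select-Object -ExpandProperty Thumbprint -Unique).Count -gt 1) {
    Write-Warning 'Servers present different certificates - check the IIS bindings.'
}

# Warn early enough to bind the new cert, rebuild the configuration package
# and get it out to clients before the old cert expires.
$results | Where-Object { $_.DaysLeft -lt 30 } | ForEach-Object {
    Write-Warning "$($_.Server): certificate expires in $($_.DaysLeft) days ($($_.NotAfter))"
}
```

Run it from a workstation that has the same trust store as your clients, so that `ChainOk` reflects what they would see; if the secondary is only reachable from outside, run it from a machine off the estate as well, which also confirms the firewall rules only expose the HTTPS port you intended.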