Best way to deploy Sophos for Virtual Environment in VMware

Hi there

I am trying to implement new Sophos for Virtual Environment. We were using VMware vSheild at the moment and we need to upgrade VMware 6.5 so we need to upgrade our Sophos as well as a requirement. 

New SSVM and installing lightweight agent on VMs new Sophos design seems to be more scattered and messy.

It seems like the new Sophos design won’t be host dependent anymore rather it will be like star or mesh network architecture.

Each VM’s network (vlan) must have trust relationship with a SSVM. Sophos for Virtual Environments Security VM (SSVM) will be required to specify network settings for virtual network connectivity. And VMs on given Network will only able to communicate with the SSVM if it has same network configured. For VMware ESXi one SSVM can have maximum 5 configured network connection (legs). So apparently we need to design to install separate SSVMs with 5 different networks and dedicate each SSVM for number of VMs configured on those 5 networks.

Also Network Configuration only can be possible during the SSVM installation. So we have to design and dedicate networks for respective SSVM beforehand (during installation).

Other options is to get some firewall rule in place, Ultimately VM’s need to be routable to use the SSVM’s IP over port 80 and other required ports via our firewalls however as no doubt this would add latency to scanning traffic having to traverse multiple networks. This would not be possible because of security exposed.


What would be the best way to achieve the new SSVM installation and the light weight agent? Adding 5 network on each SSVM and installing light agent on each VM looks really time consuming and tedious job. We do not use SCCM and I do not see any other way of automate the roll out.

Simplicity is the key. Does any of you have any other good option of deploying new Sophos so we can automate in simpler way like Sophos we always had?

  • Hello

    The VMware ESXi SVM is limited to 5 network cards, how many vlans do you have? Does your GVMs migrate between these vlans or are they fixed to a specific vlan?

    For deploying the guest agent see This details using group policy to deploy or using VM templates depending on what might be best for your environment, these should be feasible without SCCM.