Central Endpoint Updates Caching to XG


Looking to migrate on prem clients to Central and have an XG as the gateway - if I enable the `Always cache Sophos endpoint updates` on the XG will the central clients use this? If so how will I know they are getting the updates from XG? (is there a report/function to view?)

Bandwidth is of concern with an entire organisation working remotely so I would like to be sure if I do migrate these on-prem clients to Central the pipe is not going to get saturated with updates.

Any help appreciated



  • Hi  

    Please allow me some time, I will check this and inform you further.

  • Hi Ed,

    If we're concerned about bandwidth saturation you can configure the maximum bandwidth each endpoint will update at under Global Settings > Bandwidth Usage.  By default this is set to 256 Kb/s.

    If you're concerned about bandwidth as a whole you could deploy out an Update Cache in your environment that your endpoints update from although this might not help with an entire organization working remotely.  All endpoints will attempt to use the Update Cache first and will fail over to Sophos Central if it cannot reach it.  You can also view which computers are using the Update Cache from Sophos Central.  I would say these options would be more ideal than 'Always cache Sophos endpoint updates' on the XG.

  • Hi Ed,


    For your remote users - what type of VPN are you using? I am assuming it is a split tunnel - where traffic to your internal net is through the VPN but anything else goes out the direct ISP link the remote computer has. Is this correct?

    If it is, each machine will reach out to Sophos Central on its own and update from there using the local ISP. 

    As others have said, an update cache in your main site (or one in each site if you have decent sized nodes) really helps with the bandwidth because the update cache pulls the updates from Central and then it is only local traffic (on your switch or switches) that distributes the data to the endpoints in the site. 

    There are a lot of options here and without more accurate data about what your specific deployment is it will be hard to give you good guidance.


    If you have more questions, please post them.

  • In reply to MEric:

    Bandwidth Usage sounds a good solution (and on by default) but I am not sure about the Update Cache - I would have thought that having bought into a joined-up solution would remove the need for additional external services outside of Central and the XG, but I have had a look at the link and it may be the only way to go.


    Many thanks for the time and information.


  • In reply to RichardP:

    Ok so I am concerned about the internal workstations going out to get their updates through our single internet pipe, which all the users are coming into on RDP. Users' home machines do not have the client on and so will, as you surmise, do their own thing via their ISP.

    Since I have an XG that claims it can cache it made sense to see if it will, but I am assuming now that it only applies to a specific client and most likely not a Central client? I don't really want to install more applications if the appliance can do it but looks like Update Cache will be required.

    Many thanks for taking the time and making sense of the request!



  • In reply to Ed H:

    Central is using an HTTPS-based channel to update the clients. XG would have to decrypt this traffic to cache it, which it does not do.

    The best way for local clients is to work with the Update Cache / message relay. 

    As mentioned earlier, in split-tunnel VPN communications the client will use its local ISP to get updates.

    Caching at proxy level is only possible for readable traffic: HTTP or decrypted traffic.
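As an added illustration of that last point (example code written for this thread, not Sophos's or the XG's own logic), the script below shows what a forward proxy actually has to work with. A cache needs the request URL to build a cache key; for plain HTTP the URL is on the wire, but for HTTPS the proxy only ever sees a `CONNECT host:port` followed by TLS records whose contents it cannot read, so there is nothing to key a cache on. The hostname `updates.example.invalid` and both request samples are constructed for the demo and are not real Sophos update traffic.

```python
"""Added example: why an in-path cache can only serve readable (HTTP or
decrypted) traffic. Not Sophos or XG code; samples below are constructed."""
from dataclasses import dataclass
from typing import Optional
import hashlib

# Constructed sample of a plain-HTTP request as a forward proxy receives it.
# The full URL is visible, so a cache can key on it.
PLAIN_HTTP_REQUEST = (
    b"GET http://updates.example.invalid/catalog/endpoint.xml HTTP/1.1\r\n"
    b"Host: updates.example.invalid\r\n\r\n"
)

# Constructed sample of HTTPS through the same proxy: a CONNECT naming only
# host:port, then (after the proxy's 200) the client's first TLS record.
# Record header: content type 0x16 (handshake), version 3.1, length 0x0040;
# the body bytes are placeholders, not a real ClientHello.
HTTPS_VIA_PROXY = (
    b"CONNECT updates.example.invalid:443 HTTP/1.1\r\n"
    b"Host: updates.example.invalid:443\r\n\r\n"
    + bytes([0x16, 0x03, 0x01, 0x00, 0x40]) + b"\x01" + b"\x00" * 63
)

# TLS record content types a proxy can read from the 5-byte record header;
# everything inside the record beyond the handshake is ciphertext.
TLS_RECORD_TYPES = {0x14: "change_cipher_spec", 0x15: "alert",
                    0x16: "handshake", 0x17: "application_data"}


@dataclass
class ProxyView:
    """What the proxy can learn from one request and whether it can cache it."""
    method: str
    target: str
    cacheable: bool
    cache_key: Optional[str]
    reason: str
    tls_record_type: Optional[str] = None


def classify_proxy_request(raw: bytes) -> ProxyView:
    """Parse the request line a proxy sees and decide whether a cache key exists."""
    head, _, rest = raw.partition(b"\r\n\r\n")
    first_line = head.split(b"\r\n", 1)[0].decode("ascii", errors="replace")
    parts = first_line.split(" ")
    if len(parts) != 3:
        return ProxyView("?", "?", False, None, "not an HTTP request line")
    method, target, _version = parts

    if method == "CONNECT":
        # Tunnel: the proxy knows host:port and can read TLS record framing,
        # but never the requested resource, so there is nothing to cache.
        rec_type = TLS_RECORD_TYPES.get(rest[0], "unknown") if rest else None
        return ProxyView(method, target, False, None,
                         "TLS tunnel: host:port and record framing visible, "
                         "requested resource is not",
                         rec_type)

    if method == "GET" and target.startswith("http://"):
        # Plain HTTP: the URL is readable, so derive a stable cache key from it.
        key = hashlib.sha256(target.encode()).hexdigest()[:16]
        return ProxyView(method, target, True, key,
                         "plain HTTP: URL visible, response can be cached")

    return ProxyView(method, target, False, None,
                     f"{method} request: not cacheable by this proxy")


def demo() -> dict:
    """Run both constructed samples through the classifier."""
    return {"http": classify_proxy_request(PLAIN_HTTP_REQUEST),
            "https": classify_proxy_request(HTTPS_VIA_PROXY)}


if __name__ == "__main__":
    for name, view in demo().items():
        print(f"{name}: {view.method} {view.target} cacheable={view.cacheable} "
              f"key={view.cache_key} tls={view.tls_record_type} ({view.reason})")
```

Running it prints a cache key for the HTTP sample and none for the HTTPS sample, where the proxy can name the TLS record type (handshake) but not the file being fetched; that is the gap an XG would have to close by decrypting the traffic, which, as the reply above says, it does not do for Central's update channel.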