Installing Sophos Web WS500 in High Availability (HA)

Hi David.

There are considerations depending on your deployment mode.  Here is a link to my kb on deployment modes..   Have a look at the .pac file section.. all of the links are there. 

if you wish to have redundancy between the VIP and the appliance simply make 3 entries and have them fail over in order or round robin them.   (each appliance will ALWAYS accept a proxy request made directly to it, just ensure the port is 8080)  This way even if your management appliance goes down the pac file will fail over to each appliance directly. 

this of course assumes your deployed in explicit mode, if you wish to deploy in transparent mode then just configure your redirection device to point traffic to where ever you like.  the recommend load balancing option is to use a cisco WCCP device. 

https://community.sophos.com/kb/en-us/126692

I do not believe there is a "video" for this as of yet.  Unfortunately the .pac file is not something support can help you do.. however you always have the option to engage pro services who can create the .pac file and address any deployment consideration.  There is usually some PS time allotted with every sale.. Just call your Account manager and they can get the ball rolling for you. 

cheers

Hello Team,

Thanks for all the response so far. We tried installing the web appliances (WS500) in HA mode but didnt work out so we have decided to install just one in Bridge(Inline) mode which means we may not be needing the pac file config again.

From my configuration and architecture, the WAN port of the web appliance will be going to the LAN port of the firewall while the LAN port of the web appliance will be going to the LAN port of the LAN switch.

NB: The servers will not be connected to the web appliance.

Questions:

1. I want the WS500 to distribute IP to every users devices through DHCP, how do i configure that?

2. How do i bridge the LAN and WAN port together and pointing everybody to the WAN interface IP.

3. I want to be able to manage the web appliance from my desk How do i configure the LAN interface to have IP so that i can manage from my desk.


NB: The Sophos Web appliance WS500 will be installed in bridge (Inline mode).

Awaiting kind responses.

Thanks 

This is the kind of network plan i want to achieve.

1. The WAN port of the SWA(2) is connected to the perimeter firewall (3) and the LAN port of the SWA(2) is connected to the LAN switch (5).

How do i  bridge or direct all traffic coming from the LAN port of the SWA to the WAN port of the SWA or what configuration should i do to achieve this..

NB:

The LAN IP is 192.168.10.0/24

The WAN IP is 10.10.0.0/24 -------- The WAN gateway is 10.10.0.1/24

Awaiting kind responses. 

Hi David

In regards to your questions, the appliance can not provide any dhcp service or ip assignments

please see the bridgemode deployment setup here

Assuming you have a ws500B you should see the bridge card on the right, just wire it as per the above.

Its important to note that this will directly brige the firewall and port on your switch . So make sure you have the approiate rules to ensure your appliance is not bridged across your wan or it may be an open proxy.

As for configuring bridge mode , there is no configuration nessary the appliance will pass all traffic and only look at traffic on port 80/443

In order to direct your vlan traffic you would simpally configure it as if it was any other gateway.

Hello, 

Thanks for the assistance up there. Please i need your response on the below question.

I want my sophos WS500 to help delete any website extension in my emails. How do i configure that on the WS500

Thanks

Hi David,

The SWA will apply threat data and user policy to any request going out to the internet.. but it has no idea what an email is.. (it only understands port 80 and 443)  not 25 .. so it cant do anything in respect to email scanning.

If you get an email and click on a malicious link.. that request would be scanned by the SWA (like any other user request) .. so it would apply policy to make sure the user can access the site and all known threat protection data about that site.

If you wish to get into email scanning and link protection your best to have a look at the Sophos Email Appliance, in particular the Time Of Click feature.  

https://docs.sophos.com/msg/sea/help/en-us/msg/sea/tasks/DBRuleToC.html?hl=time%2Cclick

as an existing subscriber of the SWA .. you could request a demo license from your account manager.

In addition to time of click you could also aggressively drop mail based on envelope sender or data information ..  Ie drop all mail from .ru or .info or .rocks domains.  Or drop all mail from your own domain with an external ip address ..  as well as a multitude of email security related features. 

Hi David,

The SWA will apply threat data and user policy to any request going out to the internet.. but it has no idea what an email is.. (it only understands port 80 and 443)  not 25 .. so it cant do anything in respect to email scanning.

If you get an email and click on a malicious link.. that request would be scanned by the SWA (like any other user request) .. so it would apply policy to make sure the user can access the site and all known threat protection data about that site.

If you wish to get into email scanning and link protection your best to have a look at the Sophos Email Appliance, in particular the Time Of Click feature.  

https://docs.sophos.com/msg/sea/help/en-us/msg/sea/tasks/DBRuleToC.html?hl=time%2Cclick

as an existing subscriber of the SWA .. you could request a demo license from your account manager.

In addition to time of click you could also aggressively drop mail based on envelope sender or data information ..  Ie drop all mail from .ru or .info or .rocks domains.  Or drop all mail from your own domain with an external ip address ..  as well as a multitude of email security related features.