【server protection】Intranet servers are not allowed to access the Internet; how does Sophos Central deliver policies and soft version updates?

Hi team,

Our customer's intranet has dozens of Windows servers. According to the requirements of the security department, the intranet servers are not allowed to access the Internet. So, I would like to know how Sophos Central delivers policies and updates to them.

Can we deploy a server on the intranet as a proxy, communicate with Sophos Central through the proxy server, and have it act as an agent between the real servers and Sophos Central to solve this problem?



Added Tags
[edited by: Gladys at 2:07 PM (GMT -7) on 27 Jul 2023]
  • Hi Hongbo,

    While it is not possible to entirely air-gap your devices from the internet, we suggest using a Message Relay/Update Cache for this purpose. By deploying a Message Relay and Update Cache in your environment, one server will act as the proxy for communication to Sophos Central; the server will also host update packages for the rest of the devices on the network.

    The following techvid on the topic helps explain this in further detail.
    - Sophos Central: Configure Update Caches and Message Relays

    In this setup, one server on the local network will need to have access to the internet. Others on the network will connect locally to this internet-connected server for updating and communication.

    Kushal Lakhan
    Team Lead, Global Community Support
  • As Qoosh said, the Message Relay and Update Cache feature is what you seek; we did some Government work some time ago with stringent requirements such as your client's, and the solution (in their case) was to implement a special DMZ and place the update/message relay system there, and implement very restrictive firewall rules between each zone to meet their compliance requirements.

    CTO, Convergent Information Security Solutions, LLC

    https://www.convergesecurity.com

    Sophos Platinum Partner

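
A segmentation check for the setup described in the replies above, run from one of the intranet servers. This is an added example, not part of the original thread and not Sophos tooling. Assumptions: the relay host name is hypothetical, ports 8190 (Message Relay) and 8191 (Update Cache) are the documented Sophos defaults and should be confirmed against your own deployment, and `example.com` stands in for any Internet host.

```powershell
# Added example: confirm that this intranet server reaches ONLY the relay/cache host.
# $RelayHost is a hypothetical name; replace it with your Message Relay / Update Cache server.
$RelayHost = 'sophos-relay.dmz.example'

# Each check states whether the connection is expected to succeed.
# Ports 8190/8191 are assumed defaults; verify them for your environment.
$Checks = @(
    [pscustomobject]@{ Name = 'Message Relay';   Target = $RelayHost;    Port = 8190; ShouldConnect = $true  }
    [pscustomobject]@{ Name = 'Update Cache';    Target = $RelayHost;    Port = 8191; ShouldConnect = $true  }
    [pscustomobject]@{ Name = 'Direct Internet'; Target = 'example.com'; Port = 443;  ShouldConnect = $false }
)

$Results = foreach ($c in $Checks) {
    # -InformationLevel Quiet returns $true/$false; a DNS failure also yields $false.
    $reachable = Test-NetConnection -ComputerName $c.Target -Port $c.Port `
        -InformationLevel Quiet -WarningAction SilentlyContinue

    [pscustomobject]@{
        Check     = $c.Name
        Target    = '{0}:{1}' -f $c.Target, $c.Port
        Reachable = $reachable
        Expected  = $c.ShouldConnect
        Pass      = ($reachable -eq $c.ShouldConnect)
    }
}

$Results | Format-Table -AutoSize

# Non-zero exit code lets a scheduled task or monitoring job flag drift in the firewall rules.
if ($Results.Pass -contains $false) {
    Write-Warning 'Segmentation check failed: review firewall rules between the intranet and the relay zone.'
    exit 1
}
```

A failed "Direct Internet" row means the server can bypass the relay, which defeats the restriction the security department asked for.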