Sophos Protection for Linux (SPL) - Install on Linux Server without internet access

Hi there,

I followed documentation to install SPL on a Linux server that does not have internet access.

We have a Windows server acting as update cache / message relay. This is confirmed to work for other (Windows) machines.

However the installation fails, saying it cannot connect via the update cache.

What am I missing here?



Added Tags
[edited by: GlennSen at 12:54 PM (GMT -7) on 7 Aug 2024]
Parents
  • The message relay and update cache do not use the same port.

    You need to find the correct port for the message relay. I believe the port is usually 8190.

    In general, assuming the account is correctly setup in Central, you shouldn't need to use the command-line options to specify the update cache or message relay. In particular the Update Cache can not be specified as an IP address, since that will block SSL verification from working (That requires the hostname in the SNI request, so has to start with the hostname).

Reply
  • The message relay and update cache do not use the same port.

    You need to find the correct port for the message relay. I believe the port is usually 8190.

    In general, assuming the account is correctly setup in Central, you shouldn't need to use the command-line options to specify the update cache or message relay. In particular the Update Cache can not be specified as an IP address, since that will block SSL verification from working (That requires the hostname in the SNI request, so has to start with the hostname).

Children
  • Thank you, the port was a simple oversight on my part. I'm using the command line options to pass the IP addresses because it was unable to resolve the FQDN of the update cache and message relay.

    The installation proceeded further, however it failed again:

    The SPL log in logs/base/suldownloader.log is showing the following:

    On the update cache itself I checked the repository:

    The Windows packages seem to be up to date, however I'm not sure why the Linux packages are missing.

    Any pointers would be greatly appreciated.

  • You can't use IP addresses for the Update Cache - it needs to use hostname, so that the SSL certificate can be matched.

    For SDDS3, the Update Cache only caches packages as they are accessed, since the Linux endpoint hasn't managed to authenticate the Update Cache, it never get's as far as requesting a package.

    I suggest fixing your networking so that the Linux machine can resolve hostnames.

  • Thank you for the clarification. After correctly setting the DNS configuration on the Linux machine I was able to install SPL without using command line options.

    Much appreciated!