
Sophos Mobile Control - On-premise to Central

Hi, 

We're looking at transitioning from Sophos Control on-premise to Sophos Control in Central. 

I've looked at the admin guides but still can't find the following information:

1. We wish to make use of the 'external LDAP' option in Mobile Control in Central, however there's no way that I'm going to expose LDAP to the world, secure or not. Can Sophos provide a list of source IP addresses I can add to our firewall where the LDAPS requests will come from?

2. Any docs / steps on what we need to do to move the Apple DEP devices from the old on-premise MDM to SMC in Central? Both in terms of the adding / removing the MDM server in Apple DEP and moving the devices to become "Managed" by the new Cloud MDM?

Thanks, 

John



  • Hi John,

    Are there any benefits, other than giving up your own server, that you get from that?

    Just for my own decision in the future.

    Best regards

    Alex

  • Hi Alex,

    For one, I don't want to expose critical security services to the unfiltered internet if I can help it. This is what a DMZ is for; however, it's unlikely that LDAP services for many companies are situated in the DMZ.

    Think brute force, DDoS, encryption ciphers that lose validity over time. REDUCING the attack surface lessens these risks.

    I'm sure Sophos themselves wouldn't allow this kind of exposure, so why should they expect their customers to?

    Lastly, I have it on good authority from a knowledgeable source at Sophos that "there are 2 IP addresses for Secure LDAP authentication for each SMC geography". However, as usual it's a struggle to get to the right person at Sophos to confirm and obtain this information...

    When I tried to pick this up with Sophos support and raised a ticket, all I got was the usual bog-standard textbook response of:

    A. The ticket not being read / understood properly.

    B. A response of being referred to the manual.

    C. A further response pointing to Sophos articles / forum posts which were neither helpful nor relevant.

    Care to comment, SOPHOS?

  • If you are a Sophos Partner, ask the presales team.

    Most of the time they are a lot faster, and they have technicians too.

    They don't do support, but if you just have such simple questions I guess they will answer them.

    If you are a customer, ask your Sophos Partner to forward your question to presales.

    Best wishes,

    Malte

  • I have received confirmation from Sophos support that the source IP address from Sophos Central (hosted in AWS) is dynamic...

    1. You need to determine what region your Central instance is running in:

    a. Log on to Sophos Central

    b. Click 'Endpoint Protection', followed by 'Protect Devices'

    c. Click 'Download installers'

    d. Hover over the 'Download Complete Windows Installer' hyperlink, and note the ALT text.

    You should see something like: https://dzr-api-amzn-eu-west-1-8bf6.api-upe.p.hmr.sophos.com/api/download/***************/SophosSetup.exe

    e. Note the Amazon region (see my 'amzn-eu-west-1' example above).

    2. Find this region in the IP ranges listed in the following AWS URL: https://ip-ranges.amazonaws.com/ip-ranges.json

    3. Authorise the appropriate CIDR on your firewall. In this case: "ip_prefix": "54.155.0.0/16"

    ------

    Unfortunately, for us this scope of IP addresses is way too high, and also shared with other Amazon clients, i.e. they are not reserved for the sole purpose of Sophos use only. Now I know that you can argue that this is the way of "The Cloud" and "CDNs (Content Delivery Networks)", but we are not willing to take that risk. It's too much of an uncertain and unmanageable variable.

    I have a call open with our Sophos Account Manager to determine if the information provided by the Sophos tech I spoke to is 100%. I have a sneaking suspicion (based on other conversations I've had) that the range of IP addresses from Sophos can be narrowed down drastically (note the 'upe.p.hmr.sophos.com' in the download URL).

    However, for the time being, this won't wash with our security.

    Thanks,

    John
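The three steps John lists above (read the AWS region out of the Central download hostname, look that region up in ip-ranges.json, and see what you would be allowing through the firewall) can be scripted so the size of the resulting allowlist is visible before anyone opens a rule. The following is an added example written for this thread, not code from Sophos or from any poster. It assumes the `amzn-<region>` naming in the hostname is stable (a regex, not a documented contract), uses the real field names of ip-ranges.json (`prefixes`, `ip_prefix`, `region`, `service`), and embeds a small constructed sample in that shape rather than the live file, so it runs offline. Replace `SAMPLE_IP_RANGES` with the downloaded file's contents to run it against real data.

```python
"""Size up an AWS-region allowlist before adding it to a firewall.

Added example for this thread (not Sophos code). The JSON below is a
constructed sample in the shape of https://ip-ranges.amazonaws.com/ip-ranges.json,
not the real file; load the real file to get real answers.
"""
import ipaddress
import json
import re

# Constructed sample: a few entries only, mirroring the real schema.
SAMPLE_IP_RANGES = json.dumps({
    "syncToken": "0000000000",
    "createDate": "2000-01-01-00-00-00",
    "prefixes": [
        {"ip_prefix": "54.155.0.0/16", "region": "eu-west-1",
         "service": "AMAZON", "network_border_group": "eu-west-1"},
        {"ip_prefix": "54.155.0.0/16", "region": "eu-west-1",
         "service": "EC2", "network_border_group": "eu-west-1"},
        {"ip_prefix": "52.94.76.0/22", "region": "eu-west-1",
         "service": "AMAZON", "network_border_group": "eu-west-1"},
        {"ip_prefix": "52.95.245.0/24", "region": "us-east-1",
         "service": "AMAZON", "network_border_group": "us-east-1"},
    ],
    "ipv6_prefixes": [
        {"ipv6_prefix": "2a05:d018::/36", "region": "eu-west-1",
         "service": "AMAZON", "network_border_group": "eu-west-1"},
    ],
})

# Assumption: the Central download host embeds the region as "amzn-<region>",
# e.g. "dzr-api-amzn-eu-west-1-8bf6...". Standard two-letter/word/digit regions only.
REGION_RE = re.compile(r"amzn-([a-z]{2}-[a-z]+-\d)")


def region_from_download_url(url):
    """Extract the AWS region from a Central installer URL (step 1d/1e above)."""
    match = REGION_RE.search(url)
    if not match:
        raise ValueError("no amzn-<region> marker found in URL: %s" % url)
    return match.group(1)


def prefixes_for_region(ip_ranges_json, region, service="AMAZON", include_ipv6=False):
    """Return the deduplicated, sorted networks published for one region (step 2).

    The AMAZON service is the superset; EC2 and other services repeat the same
    prefixes, so we filter on one service and dedupe to avoid double counting.
    """
    data = json.loads(ip_ranges_json)
    nets = set()
    for entry in data["prefixes"]:
        if entry["region"] == region and entry["service"] == service:
            nets.add(ipaddress.ip_network(entry["ip_prefix"]))
    if include_ipv6:
        for entry in data["ipv6_prefixes"]:
            if entry["region"] == region and entry["service"] == service:
                nets.add(ipaddress.ip_network(entry["ipv6_prefix"]))
    return sorted(nets, key=lambda n: (n.version, int(n.network_address), n.prefixlen))


def total_addresses(networks):
    """How many addresses a rule built from these prefixes would admit (step 3)."""
    return sum(n.num_addresses for n in networks)


def covered_by(ip, networks):
    """Which allowlisted prefixes a given source address would match, as strings.

    Useful when reviewing an LDAPS connection log: a hit tells you only that the
    source is somewhere inside the shared AWS region, not that it is Sophos.
    """
    addr = ipaddress.ip_address(ip)
    return [str(n) for n in networks if addr in n]


if __name__ == "__main__":
    url = ("https://dzr-api-amzn-eu-west-1-8bf6.api-upe.p.hmr.sophos.com"
           "/api/download/PLACEHOLDER/SophosSetup.exe")
    region = region_from_download_url(url)
    nets = prefixes_for_region(SAMPLE_IP_RANGES, region)
    print("region:", region)
    for n in nets:
        print("  allow", n)
    print("addresses admitted by this rule:", total_addresses(nets))
    print("54.155.10.20 matches:", covered_by("54.155.10.20", nets))
```

Against the real file the address count for a whole region runs into the millions, which puts a number on the objection raised in the post: the rule admits every AWS tenant in that region, not just the Sophos Central instance.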