Hi Sophos Community,

I'm excited to announce a major update to the firewall single-sign-on service available today in Sophos Central. This service allows you to access the local user interface of a firewall that is managed by Central, without needing to expose the UI of that firewall over the internet. This has been a staple of firewall management in Central for a long time, and I'm excited to announce a major update to this service, available now in Sophos Central, for all managed firewalls running SFOS v21 and newer.

Features

  • Faster connections - initial connectivity from Central will bring you to a responsive webadmin in a fraction of the time!
  • Faster navigation - once logged in, navigating through the firewall UI is faster than ever, and should now be comparable to being directly logged into the firewall.
  • Tabbed sessions - Firewall management sessions will open in a new tab, allowing you to easily reference other info in your Central account while also managing your firewall.
  • Multiple firewall sessions - Connect to multiple firewalls at the same time, from the same Central login! Each session opens in a new tab, allowing you to easily compare settings between firewalls.
  • Legacy support - Firewalls running SFOS v21.0 and newer can be managed from Central with all of the above benefits, while firewalls running older versions will continue to work like they always have. Firewalls supporting the new SSO service will have an icon next to the name in your firewall inventory list, indicating it will open in a new tab when clicked.
  • Reduced outbound port requirements - v21 firewalls using the new SSO service and subject to upstream port restrictions now only require outbound access to Sophos Central on port 443 to be fully managed in Sophos Central.

Requirements

  • One or more firewalls managed in your Central account
  • One or more of your managed firewalls upgraded to v21 GA or newer
Comment
  • Good to see that improvement. Older SFOS versions are slow for the first SSO connect. If you disconnect and connect again, it's quite as fast as with the new SFOS. So I expect some caching or keep-alive of the SSO session in the backend implemented on SFOS 21.

    Is this also resulting in a higher resource footprint on the firewall device (RAM/CPU)? How much do we need to expect?

Children
  • Essentially we worked on the service doing the connection.

    The video above is not the general "expected performance" but instead a measurement for the "worst case" (very slow appliance - virtual with one core etc.).

    The "challenge" with a reverse proxy is that, if you want to open a webadmin, Central can only cache your "request", and the appliance will pull this request. We speed up this process, plus other enhancements.

  • The new service is a complete rewrite based on newer web technologies. The older SSO relies on the firewall polling for connection requests, where the new one uses a persistent, long-lived session that can respond almost instantly to requests. Repeat connections are faster for a while in the old SSO because the connection to the firewall is maintained for a while after you finish with it, so polling isn't necessary if the connection is still present. Now though, all sessions should start faster, more consistently.

    The new connection method is also more efficient as the service scales. If you've observed inconsistent speeds from day to day when connecting to a firewall, you should no longer see such slowdowns on the new service. Overall, it improves performance and reliability in every part of the process, and you shouldn't expect any higher resource usage as a result. 

  • "If you've observed inconsistent speeds from day to day when connecting to a firewall" yes, I did. Thanks for your reply and explanations! The whole v21 UI feels way more responsive and so does this feature.