
What hypervisor would you use to install Sophos Home?

There have been a lot of posts in the forum about hardware compatible with Sophos Home and related posts about getting Sophos Home to run on XGS hardware (which is currently not possible). I asked what the future of Sophos Home was here, What is the future of Sophos Home License? and the response seemed to be "don't expect any changes soon but running it under a hypervisor will address most issues".

Clearly setting up a hypervisor adds a significant amount of complexity to a Sophos Home setup. I don't actually need this myself but thought it would be an interesting 'project' and something I may write up and post here for anybody else who needs it. The aim is to ultimately create an unattended install package so it can be deployed on hardware without a video card if needed.

With this in mind, I'm interested in what suggestions people have for a hypervisor.

My experience with operating systems is nearly all with Windows but I can (slowly) find my way around Linux when I have to. We run a couple of Ubuntu VMs for specific applications.

My criteria (please feel free to add to this):

  • It has to be free
  • It has to have a wide range of hardware support
  • It should have a long term future
  • I have to be able to script it for unattended install
  • It would help if it is popular (more online resources)

I have ruled out Windows Hyper-V Server because 2019 is the last version they are going to make available. There is no Hyper-V Server 2022. My initial inclination is to go for VMware ESXi as it seems to fulfil all my requirements, and as a dedicated lightweight hypervisor, seems an obvious choice. I realise I could add KVM to my preferred Linux but as I don't consider myself knowledgeable with any version of Linux, there doesn't seem to be any advantage to that.

Does ESXi seem a good choice? Does anybody think there is something better?

  • Users have good success with Proxmox VE. The biggest downside of ESXi is hardware is unsupported after a certain amount of time and the free version lacks some features. Proxmox is free and if your computer can run Linux there's a good chance Proxmox will run on it. 

    One of the Sophos engineers (Christian Lempa) has a video on Youtube describing the installation of Sophos XG onto Proxmox. You can search for it there. It is recommended over KVM.

    "Clearly setting up a hypervisor adds a significant amount of complexity to a Sophos Home setup. I don't actually need this myself"

    Hardware compatibility

    EDIT: If you really don't want to mess around with VMs and want to run "bare metal" you can use older hardware that has legacy boot support for the XG home. Pick up a used socket 1150/1151 motherboard and a Core i5 "T-series" or Xeon CPU which are low wattage ~35 watt TDP, and a Pro/1000 NIC card. Many of the older Intel NIC i210/i211 series are supported, also the Intel 82575/82576 cards should work.

  • Proxmox looks interesting and I like the idea of an open source product rather than a free commercial offering. Unfortunately, it fails one of my criteria, in that it doesn't support unattended install, which surprised me a bit. You can do a scripted install of Debian and then install Proxmox but this is an unsupported configuration. That doesn't rule it out, just reduces its appeal.

    If you really don't want to mess around with VMs

    I'm not sure if this is aimed at me or the community in general. I'm aware that you can run Home on old hardware. In the other posting I linked to in my OP, I explained how I became a Sophos partner from personally originally running Home on old Sophos SG hardware.

    If you read the forum regularly you will see people often asking about hardware support and you will also see people who have bought XGS hardware (assuming it would be supported) and finding Home won't run on it. The lack of UEFI support is also a frequent issue. The answers to my linked post seem to make it clear that none of this will change in the near future.

    I don't need any of this because I have NFR hardware and licensing from Sophos. However, the idea of creating a platform that allows home users to use Home on any hardware platform appeals and I think will be useful to other people. Hence this post and the criteria I have set for it.

  • Unfortunately, it fails one of my criteria, in that it doesn't support unattended install, which surprised me a bit.

    *scratches head*

    Unattended installation of Proxmox - Proxmox VE

    OPNSense 64-bit | Intel Xeon 4-core v3 1225 3.20Ghz
    16GB Memory | 500GB SSD HDD | ATT Fiber 1GB
    (Former Sophos UTM Veteran, Former XG Rookie)

  • I've read this article. It is not an unattended install of Proxmox; you cannot do an unattended installation of the Proxmox ISO (or at least that is what everyone says on their forum). The article describes an unattended installation of Debian, then installing Proxmox and changing to the Proxmox kernel.

    It may sound like I am splitting hairs but, from what I have read on the Proxmox forums, this is not a supported way of installing Proxmox. That is why I said...

    You can do a scripted install of Debian and then install Proxmox but this is an unsupported configuration.

    I'm not saying it won't work fine, it probably will, but it does count as a negative when weighing up the options.
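For readers weighing the "scripted Debian, then Proxmox on top" route discussed in this exchange, here is an added example of what that post-install step can look like. It is not code from this thread and not Proxmox's own installer. Stage 1 is meant to be called from a Debian 12 preseed `late_command` (via `in-target`), stage 2 after the first boot, because Proxmox documents a reboot between installing its kernel and installing `proxmox-ve`. The repository line, key URL, package names and the `/etc/hosts` requirement follow Proxmox's published instructions for installing PVE on Debian 12 (Bookworm); treat them as assumptions and check them against the current Proxmox documentation before relying on them.

```shell
#!/bin/sh
# Added example, not from this thread and not Proxmox's own installer:
# a two-stage post-install script for the "scripted Debian, then Proxmox on
# top" route. Stage 1 is meant for a Debian 12 preseed late_command (run via
# in-target), stage 2 after the first boot. Repository, key URL and package
# names follow Proxmox's published instructions for installing PVE on
# Debian 12 (Bookworm); treat them as assumptions and check the current docs.
set -eu

PVE_SUITE="bookworm"
PVE_REPO="http://download.proxmox.com/debian/pve"
PVE_KEY_URL="https://enterprise.proxmox.com/debian/proxmox-release-${PVE_SUITE}.gpg"

# apt source line for the no-subscription repository.
pve_repo_line() {
    printf 'deb [arch=amd64] %s %s pve-no-subscription\n' "$PVE_REPO" "$PVE_SUITE"
}

# Proxmox needs the hostname to resolve to the machine's real address, but a
# preseeded Debian writes "127.0.1.1 <host>" by default, which breaks the
# web/cluster stack later. hosts_ok <hostname> <hosts-file> returns 0 only if
# <hostname> maps to a non-loopback address in that file.
hosts_ok() {
    addr=$(awk -v h="$1" '$1 !~ /^#/ { for (i = 2; i <= NF; i++) if ($i == h) print $1 }' "$2" | head -n 1)
    [ -n "$addr" ] || return 1
    case "$addr" in
        127.*|::1) return 1 ;;
    esac
    return 0
}

# hosts_content <hostname> <ip> <fqdn> prints a minimal /etc/hosts that
# satisfies hosts_ok (the values you pass are yours; none are real hosts).
hosts_content() {
    printf '127.0.0.1 localhost\n%s %s %s\n' "$2" "$3" "$1"
}

# Stage 1 (inside the installer chroot): refuse to continue on a bad
# /etc/hosts, then add the repo and key, upgrade, and install the PVE kernel.
pve_stage1() {
    host=$(hostname)
    hosts_ok "$host" /etc/hosts || {
        echo "/etc/hosts does not map $host to a real address; fix it first" >&2
        return 1
    }
    pve_repo_line > /etc/apt/sources.list.d/pve-install-repo.list
    wget -qO "/etc/apt/trusted.gpg.d/proxmox-release-${PVE_SUITE}.gpg" "$PVE_KEY_URL"
    export DEBIAN_FRONTEND=noninteractive
    apt-get update
    apt-get -y full-upgrade
    apt-get -y install proxmox-default-kernel
    # Proxmox documents a reboot here before installing proxmox-ve.
}

# Stage 2 (after the first boot into the Proxmox kernel): proxmox-ve and its
# companions, then drop the Debian kernel and os-prober as the Proxmox docs do.
pve_stage2() {
    export DEBIAN_FRONTEND=noninteractive
    # Pre-answer postfix's debconf prompt so nothing waits on a console.
    echo "postfix postfix/main_mailer_type select Local only" | debconf-set-selections
    apt-get -y install proxmox-ve postfix open-iscsi chrony
    apt-get -y remove linux-image-amd64 'linux-image-6.1*'
    update-grub
    apt-get -y remove os-prober
}

# Only touch the system when a stage is named; sourcing the file or running
# it without arguments just defines the functions.
case "${1:-}" in
    stage1) pve_stage1 ;;
    stage2) pve_stage2 ;;
esac
```

The `hosts_ok` check exists because this is the step that most often goes wrong in a preseeded install: the Debian installer writes `127.0.1.1 <hostname>` into `/etc/hosts`, and Proxmox's services later bind to whatever the hostname resolves to. Copying the script into the target and invoking `stage1` from the preseed `late_command` (and `stage2` from whatever first-boot hook you choose) is left to your own preseed file; no particular hook is assumed here.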

  • So, are you looking to mass deploy this with a Hyper-V type of installation across multiple locations or something?  Having an unattended installation seems to indicate this which I find the criteria for something so specific fascinating.

    If that's the case of such a requirement, I believe that ESXi may be your only option based on your criteria.

    I quite honestly got away from ESXi, battling hardware requirements where a battle didn't need to take place to begin with was just... demoralizing.

    Xen maybe, I don't know much about their product, the last time I ever wanted to touch their software was after the next to impossible task of setting up Citrix environments when half of what you had to deploy didn't work.  I actually wrote some technical articles for some (now) Oracle software to get it working, lol.

    Speaking of, Oracle also has a VM Host software that is available too, but I haven't tried it.

    OPNSense 64-bit | Intel Xeon 4-core v3 1225 3.20Ghz
    16GB Memory | 500GB SSD HDD | ATT Fiber 1GB
    (Former Sophos UTM Veteran, Former XG Rookie)

  • Not mass installation, but I want to support as many hardware platforms as possible, including people who want to run Home on XGS hardware. As XGS hardware has no GPU, installation of the hypervisor would have to be unattended, and get you to the stage that you can log into it via the hypervisor's web interface or SSH.

    I'm interested what sort of issues you had 'battling hardware requirements'. I'm sort of leaning towards ESXi but haven't ruled out Proxmox (via a Debian unattended then install Proxmox).

  • Not mass installation, but I want to support as many hardware platforms as possible, including people who want to run Home on XGS hardwar

    I don't think you will be able to run anything on the XGS hardware.

    It's not because it doesn't have a GPU, but because all network interfaces are connected directly to the Xstream Processor, which is a Marvell Octeon NPU; this NPU is then connected to the CPU by PCI.

    If you're looking to use those mini-pc (Firewalls) then I highly recommend you stick with Proxmox and use the latest 6.2 kernel.

    installation of the hypervisor would have to be unattended

    Can you explain the exact need for this?

    Since you're talking about using the home license, there's no need to have unattended installation unless you're talking about dozens or hundreds of firewalls.

    However, the idea of creating a platform that allows home users to use Home on any hardware platform appeals and I think will be useful to other people

    You're trying to fix an issue that you've created yourself.

    If someone is looking to use the home edition of Sophos Firewall, then that person already has enough knowledge on how to do the basics (such as installing a hypervisor), or enough free time to search on how to do it.


    If a post solves your question use the 'Verify Answer' button.

    Ryzen 5600U + I226-V (KVM) v21 EAP @ Home

    Sophos ZTNA (KVM) @ Home

  • The only thing I could think of is maybe install Proxmox on the XGS, then create a disk image of the hard drive, and then have a way for users to load the image onto their own XGS units and extract it to their HDD. It's not an installation, rather just extracting the hard drive image onto another device. Proxmox would be preinstalled after the extraction of the disk image. Of course then you would have to have a way to install Grub onto the MBR too.

  • I'm interested what sort of issues you had 'battling hardware requirements'.

    It's not that I couldn't get anything to work, but every major revision they would discontinue another version of hardware that ESXi would not operate on and not allow you to install their bare metal OS.  That is frankly overkill and unnecessary; not even the open-source VM hosts go to the extreme that VMWare was going with their requirements.  I could see that perhaps in an enterprise environment for this reason or that, but a lot - a LOT - of home/community users who have used their product don't need to cycle through that many versions of an OS host and don't have the finances to update hardware every revision.

    At least with Proxmox, I could use the server that EoL'd by VMWare standards (dual Xeon Intel server) until I could get rid of that boat anchor and move to my new Intel NUCs.  But I still use Proxmox on those - I just think Proxmox is a better product for me. VMWare is just a fancy name.  Either way - I am not a fan of my firewall running in a VM for some reason.  Sure, I could see HA standby there, but not my main firewall.  I don't like that setup and use a SuperMicro server for that specific need.

    OPNSense 64-bit | Intel Xeon 4-core v3 1225 3.20Ghz
    16GB Memory | 500GB SSD HDD | ATT Fiber 1GB
    (Former Sophos UTM Veteran, Former XG Rookie)

  • Not mass installation, but I want to support as many hardware platforms as possible, including people who want to run Home on XGS hardwar

    I don't think you will be able to run anything on the XGS hardware.

    It's not because it doesn't have a GPU, but all network interfaces are connected directly to the Xstream Processor, which is a Marvell Octeon NPU, this NPU is then connected with the CPU by PCI.

    If you're looking to use those mini-pc (Firewalls) then I highly recommend you stick with Proxmox and use the latest 6.2 kernel.

    installation of the hypervisor would have to be unattended

    Can you explain the exact need for this?

    Since you're talking about using the home license, there's no need to have unattended installation unless you're talking about dozens or hundreds of firewalls.

    However, the idea of creating a platform that allows home users to use Home on any hardware platform appeals and I think will be useful to other people

    You're trying to fix an issue that you've created yourself.

    If someone is looking to use the home edition of Sophos Firewall, then that person already has enough knowledge on how-to do the basics. (Such as installing a hypervisor.) Or enough free time to search on how to do it.

    Fully agree with everything here. Trying to script this to work on any hardware will just lead to a nightmare; there is always going to need to be a manual element where the hardware is going to be varied and not standardised. By the time you have a working deployment script for one piece of hardware the software will change or there will be a revision on the hardware and it will break the deployment.

    Sophos XG Engineer

    Sophos Silver Partner