Couple of questions for Sophos wireless

Hi, I have a couple of questions with regards to Sophos wireless on the UTM

1. How many access points can be connected?
2. How much of a performance hit does this have?
3. If you have more than 1 UTM in an organisation, can the access points be load balanced or go into failover?
4. Do the access points run if the UTM is down?
5. Can anybody offer their experiences with these? We are possibly looking at 150x 15c's and a smaller number of 55c's/100x

 

regards,

Louis



  • Hi Louis,

    Check the Sizing guide here, to know the number of AP supported by various UTM models. SSID supported by AP:

    >> AP10, AP15 and AP30: total 8 SSIDs 

    >> AP 50 and above; total 16 SSIDs

    Thanks

    Sachin Gurung
    Team Lead | Sophos Technical Support
    Knowledge Base  |  @SophosSupport  |  Video tutorials
    Remember to like a post.  If a post (on a question thread) solves your question use the 'This helped me' link.

  • Sachin, the real issue is the number of tunnels between an AP and a UTM.  For example, if there are three 'Separate Zone' SSIDs on an AP, are those all handled with a single tunnel back to the UTM or does each SSID get its own tunnel?

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hi Bob,

    Nice question, I am not sure about the answer but I think 3 SSIDs = 3 separate channel bands which means individual tunnels for each SSID.

    I will discuss it with my team and update you soon.

    Thanks

    Sachin Gurung

  • How much load on the wireless is a "separate zone" compared to a "bridge to VLAN"?

    Is the communication to the UTM secure for the config or the separate zone?

    IDEA: with Sophos Central (connecting via https), it would be good if the magic address of 1.2.3.4 could be configured on the AP and the wireless could https to a UTM from an external source?

  • Put that in as a feature request.

    XG115W - v20 GA - Home

    XG on VM 8 - v20 GA

    If a post solves your question please use the 'Verify Answer' button.

  • "IDEA: with Sophos Central (connecting via https), it would be good if the magic address of 1.2.3.4 could be configured on the AP and the wireless could https to a UTM from an external source?"

    I'm not sure what you're suggesting, Louis.  Since 1.2.3.4 is not routable to anything other than 1.2.3.4 in the public Internet, there's no way that the AP could get to "its" remote UTM except via a site-to-site VPN - and that's already possible.

    Cheers - Bob

     
  • Hi Bob,

    I suspect and hope he is suggesting something like what I do with the work-supplied AP: it sets up its own tunnel after it has been set up on the same network as the controller.

    XG115W - v20 GA - Home

    XG on VM 8 - v20 GA


  • But it would be nice to configure the "magic IP" on an access point manually, so the access point can connect to ANY UTM in the world and REDs are no longer needed for wireless clients xD


    Sophos Platinum Partner 
    Sophos Certified Architect
    (Certified UTM Architect / Certified XG Architect)

  • That's it. They do it with Sophos Central with an HTTPS connection to SC. All new Sophos APs come with the 1.2.3.4 address, but they also come with a routable Sophos Central address.

    Why can't they do it with https to a UTM? I suspect it's because of the REDs??

  • x.cr3w said:

    but it would be nice to configure the "magic IP" on an access point manually.

    You actually can configure a different magic IP via a DHCP option, see also:

    community.sophos.com/.../119131

  • Nice catch there. Opens up possibilities.

  • But, from what I can see, you need the remote site to have a DHCP server capable of providing options. I think the aim was to have an AP at a remote site with the AP providing the connectivity (VPN) back to the head office server functions.

    XG115W - v20 GA - Home

    XG on VM 8 - v20 GA


  • Reiner, have you tried this?  Anyone?  It seems like one would just need to specify the External interface as Allowed.  I don't know yet how I'd feel about the secure-ness of that though...

    Cheers - Bob

     
  • And more interesting: is the traffic between the access point and the WAN interface encrypted? I don't think so.


    Sophos Platinum Partner 
    Sophos Certified Architect
    (Certified UTM Architect / Certified XG Architect)