
Firewall rules to allow PMX for Unix spam signature downloads

Greetz all,

We are adding a 2nd outbound edge server to our existing PMX for Unix 5.6 farm in reaction to network issues that may well be getting more common on our primary link. Going to put the 2nd/backup outbound relay at my web colocation and push traffic to it over a private link. I have a much tighter security stance and flood control mechanisms at my colo, where I have direct control of the firewalls and switches.

My question relates to information I need for the edge server to work in the tightly firewalled environment. Namely, what Sophos IP blocks do I need to enable to allow the spam filter signature downloads? I notice that DNS lookups to *.sophosxl.com addresses abound as well, but I can send those to a forwarder DNS host.

So... the IP blocks I need to allow my edge server outbound port 80 access to, as well as any other gotchas you all can think of, would be appreciated.

-steve



    Opened a Sophos case to ask this.

    Was pointed to the following, which proved quite useful (why their website search engine didn't pull this up when one hunts for 'firewall' is a mystery, but - shrug -).

    Link regarding how to set PMX repository pointers that includes the host names of their dynamic and static source hosts:

    http://www.sophos.com/support/knowledgebase/article/112028.html

    Link outlining all the TCP/UDP port requirements of PMX for Unix overall:

    http://pmdocs.sophos.com/pmdocs/Latest/en/pmdocs/concepts/GSGPrereqPorts.html

    Before diving in and using pmx-static.sophos.com for situations like mine that arise for you, bear in mind their warning that the service level of their static site is not as high as their new default dynamic source, which instead resides on Akamai.

    For a backup outbound relay that will only see real service when my primary link fails, that is perfectly acceptable for me... odds of telco friskiness coinciding with UK maintenance windows are very, very low... but I'd think twice about using that static host name/IP as my repository source for my edge servers on my primary link.

    Cheers all (and happy holiday)

    -steve

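The practical problem behind both posts above is that an egress allowlist built from IP blocks goes stale when the repository sits behind a CDN (the reply notes the default dynamic source is on Akamai), so the relay's signature downloads get dropped at the firewall without anyone changing a rule. The script below is an added example, not code from the posters or from Sophos: it renders the outbound TCP/80 allow rules for a list of networks and then checks whether the addresses the repository hostnames currently resolve to are still covered. The `pmx-static.sophos.com` hostname comes from the thread; the dynamic-source hostname, the allowlisted /24 and the resolved addresses are constructed placeholders (RFC 5737 TEST-NET ranges) so the check runs offline. The *.sophosxl.com DNS lookups the original poster mentions are out of scope here, since he routes those through a forwarder.

```python
"""Egress allowlist helper for a tightly firewalled PMX edge relay.

Added example, not code from the thread's posters or from Sophos. The
dynamic-repository hostname and every IP address below are constructed
placeholders (RFC 5737 TEST-NET ranges), not real Sophos or Akamai values.
"""
import ipaddress
from typing import Dict, Iterable, List

# Hosts that need outbound TCP/80 from the relay.  pmx-static.sophos.com is
# named in the thread; the dynamic-source hostname is a placeholder because
# the thread only says that source is served from Akamai.
REPOSITORY_HOSTS = ["pmx-static.sophos.com", "dynamic-repo.example.invalid"]


def egress_rules(allowed_nets: Iterable[str], port: int = 80) -> List[str]:
    """Render iptables OUTPUT rules that accept TCP to `port` only for the
    allowlisted networks and drop every other outbound connection on it."""
    rules = [
        f"iptables -A OUTPUT -p tcp -d {ipaddress.ip_network(net, strict=False)} "
        f"--dport {port} -j ACCEPT"
        for net in allowed_nets
    ]
    rules.append(f"iptables -A OUTPUT -p tcp --dport {port} -j DROP")
    return rules


def audit_egress(allowed_nets: Iterable[str],
                 resolved: Dict[str, List[str]]) -> Dict[str, List[str]]:
    """Return, per hostname, the resolved addresses that no allowlisted
    network covers.  An empty dict means the allowlist still matches DNS;
    a non-empty one means a CDN-hosted repository has moved and the
    relay's signature downloads to those addresses are now blocked."""
    nets = [ipaddress.ip_network(net, strict=False) for net in allowed_nets]
    gaps: Dict[str, List[str]] = {}
    for host, addrs in resolved.items():
        uncovered = [a for a in addrs
                     if not any(ipaddress.ip_address(a) in net for net in nets)]
        if uncovered:
            gaps[host] = uncovered
    return gaps


if __name__ == "__main__":
    # Constructed allowlist: the one /24 the operator believes hosts the repos.
    allowlist = ["192.0.2.0/24"]
    # Constructed DNS answers standing in for what the relay's forwarder returned.
    # The dynamic host has picked up an address outside the allowlisted range.
    answers = {
        "pmx-static.sophos.com": ["192.0.2.10"],
        "dynamic-repo.example.invalid": ["192.0.2.20", "198.51.100.7"],
    }
    for rule in egress_rules(allowlist):
        print(rule)
    for host, addrs in audit_egress(allowlist, answers).items():
        print(f"ALERT: {host} resolves to {addrs}, not covered by egress allowlist")
```

In practice the `resolved` mapping would be filled from the relay's own resolver on a schedule (for example with `socket.getaddrinfo`), and a non-empty result is the signal to revisit the allowlist before the next signature update is missed; the backup relay in the thread is exactly the box where such drift would otherwise go unnoticed until the primary link failed.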