
Sophos Web Appliance & Endpoint network traffic

My company is in the process of testing the Sophos Virtual Web Appliance integrated with Endpoint. We have run into a lack of information, and I was hoping someone here is running a similar setup and has some statistics to share.

We are in the middle of rolling out Endpoint v10 and also purchased the Virtual Web Appliance to do logging/filtering for around 3,000 users spread out over 100+ remote sites of varying size and internet connections. We haven't been able to find any information online or from Sophos about what type of network traffic we can expect all of these Endpoints to generate.

The most information I've gotten from tech support is that the endpoints send the logs back to the appliance once every 45 seconds. However, the amount of traffic generated varies based on how much surfing was done, and whether the site was blocked, allowed, or warned. They have no whitepapers or information giving even a general ballpark range of network traffic the Endpoint would be sending back to the appliance for low/medium/high internet users.

I'm hoping someone here has deployed the Web Appliance with Endpoint and has some data they are able to share regarding the load this puts on the network, or any issues they have had with this setup.

Thanks,

Joe

  • Thanks for the feedback bloodborn.

    >  When deploying web-filtering using the endpoint protection, the traffic doesn't come back to your appliance. Endpoints will get all of the policies from Sophos Live Connect.

    This is true when the endpoint is roaming.  However, the endpoint does actually try to connect directly to your appliance before going to LiveConnect.  It's only when this fails that LiveConnect is used.

    The 'extra' traffic generated by using endpoint web control:

    • An extra HTTP request is generated when you visit a site.  This is to check the category of the website using Sophos servers.  However, these will be very small (less than 1kb including request and response)
    • Approximately once a minute the endpoint checks for new policy on the appliance using HTTP.  Again this should only be a matter of a few kb even when the policy has changed.
    • The endpoint sends reporting data to the appliance every 15 minutes (or almost immediately when something is blocked).  The size of this data is completely dependent on how much traffic there is.

    There are ways you could see how much reporting data is generated on a test client.  For example, the data is generated in this directory:  C:\ProgramData\Sophos\Web Control\Activity\

    Bear in mind that this directory will clear when the upload happens though.  

    Alternatively, you could monitor your network traffic using tools like Wireshark.

    Hope this is of some help,

    Tom.
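
One way to take the directory measurement described in the reply above on a test client, as an added example that is not part of the original thread: poll the Activity directory, treat each drop in size as an upload, and record the size seen just before it. Only the directory path comes from the post; the function names, the polling interval and the assumption that on-disk size approximates the uploaded payload are assumptions of this example.

```python
import os
import time

# Path quoted in the reply above; it may differ on other versions.
ACTIVITY_DIR = r"C:\ProgramData\Sophos\Web Control\Activity"

def dir_bytes(path):
    """Total size of all files under path (0 if it does not exist yet)."""
    total = 0
    for root, _dirs, files in os.walk(path):
        for name in files:
            try:
                total += os.path.getsize(os.path.join(root, name))
            except OSError:
                pass  # file removed mid-walk, e.g. by the upload itself
    return total

def uploaded_per_cycle(samples):
    """samples: list of (unix_time, dir_bytes) in time order.
    The directory clears on upload, so a drop in size marks an upload and
    the last size seen before the drop approximates what was sent.
    Returns a list of (time_of_drop, bytes_before_drop)."""
    cycles = []
    for (_t_prev, prev), (t_cur, cur) in zip(samples, samples[1:]):
        if cur < prev:
            cycles.append((t_cur, prev))
    return cycles

def average_rate(samples):
    """Mean reporting bytes per second over completed cycles, or None."""
    cycles = uploaded_per_cycle(samples)
    if not cycles:
        return None
    span = cycles[-1][0] - samples[0][0]
    return sum(b for _t, b in cycles) / span if span > 0 else None

def watch(path=ACTIVITY_DIR, interval=5, duration=3600):
    """Poll the directory; a short interval keeps the pre-upload peak accurate."""
    samples = []
    end = time.time() + duration
    while time.time() < end:
        samples.append((time.time(), dir_bytes(path)))
        time.sleep(interval)
    return samples

if __name__ == "__main__":
    s = watch()
    for when, size in uploaded_per_cycle(s):
        print(time.strftime("%H:%M:%S", time.localtime(when)), size, "bytes")
    print("average bytes/s:", average_rate(s))
```

The figure is per endpoint and excludes HTTP overhead, so compare it against a packet capture on the same client before scaling it to a whole site.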
