How to install Sophos Endpoint for computers that cannot access the internet using Message Relays

1. The purpose of the article

In this article, techbast will guide you through installing Sophos Endpoint on computers that have no internet access, using Sophos's Update Cache and Message Relays features.

2. Diagram

Details:

  • We will have a Sophos XG Firewall device connected to the internet at port 2 with IP 172.16.16.100/24 in the WAN zone and connected to the LAN at port 1 with IP 10.145.41.10/24 in the LAN zone.
  • In the LAN zone, we will have 1 server running Active Directory service with domain learningit.xyz and server name adserver.learningit.xyz with IP 10.145.41.10/24.
  • Also in the LAN, we have a PC running Windows 10 that has been joined to the domain learningit.xyz; its hostname is client01.learningit.xyz with IP 10.145.41.101/24.

3. Scenario

We will install Sophos Endpoint on the client01 computer, which is not connected to the internet, through the update cache and message relay installed on the adserver server, which is connected to the internet.

4. Update Cache and Message Relays requirements

4.1. Update Cache requirement

  • Only supported on Windows Server 2008 R2, 2012, 2012 R2, 2016 and Windows Server 2019 models.
  • A minimum of 7GB of hard drive space is required to configure.
  • TCP port 8191 must be open and accessible for devices that will update from the cache. The Update Cache Installer will open port 8191 in the Windows Firewall. After uninstalling Update Cache, the port will be closed.
  • The DNS must be working to resolve the Update Cache server’s IP address from the hostname.

4.2. Message Relays requirement

  • Only supported on Windows Server 2008 R2, 2012, 2012 R2, 2016 and Windows Server 2019 models.
  • A minimum of 7GB of hard drive space is required to configure.
  • TCP port 8190 must be open and accessible to devices that use Message Relays.
  • DNS must work to resolve the IP address of the Message Relays server from the hostname.

5. What to do

  • Install Update Cache and Message Relays to the server.
  • Install Sophos Endpoint to the client01 computer
  • Result in Sophos Central

6. Configuration

6.1. Install Update Cache and Message Relays to the server.

Before installing the Update Cache and Message Relays, we need to install Sophos Endpoint on the server. In this lab, the adserver server already has Sophos Endpoint installed.

The server is currently running Windows Server 2016 in accordance with the requirements of Update Cache and Message Relays.

Both TCP ports 8190 and 8191 are open and reachable by other devices because the Windows Firewall has been turned off.

DNS is also working; techbast used the nslookup command to check.

The adserver server also has an internet connection.

Next, to install the update cache and message relay on adserver, we need to log in to the Sophos Central admin page with admin rights.

Go to Global Settings > General > Manage Update Caches and Message Relays.

Here you will see adserver in the list of servers on which the update cache and message relay can be installed.

Click on adserver, click Set up Cache / Relay, and wait a while for the setup to complete.

When it completes, the Active status will appear in the two columns CACHE STATUS and MESSAGE RELAY STATUS.

6.2. Install Sophos Endpoint to the client01 computer

Before we install Sophos Endpoint on the client01 machine, we need to check the following.

First, check whether the client01 machine can resolve DNS hostnames to IP addresses and vice versa.

Techbast checked with the nslookup command, and the result shows that client01 can resolve DNS.

Next, the client01 machine must not be allowed to connect to the internet. Techbast created a policy on Sophos XG to block internet access for this machine.
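The DNS and port requirements from sections 4.1 and 4.2 can be checked from client01 in one pass with PowerShell. This is an added example, not part of the original article or of Sophos tooling; the default hostname, IP address and ports are the lab values used in this article.

```powershell
# Pre-install check for client01 (added example; defaults are this lab's values).
param(
    [string]$RelayHost = 'adserver.learningit.xyz',  # relay/cache server in this lab
    [string]$RelayIp   = '10.145.41.10',             # its LAN address in this lab
    [int]$RelayPort    = 8190,                       # Message Relay port (section 4.2)
    [int]$CachePort    = 8191                        # Update Cache port (section 4.1)
)

$results = [ordered]@{}

# Forward lookup: the hostname must resolve to the relay's LAN address.
$a = Resolve-DnsName -Name $RelayHost -Type A -ErrorAction SilentlyContinue
$results['DNS forward'] = [bool]($a | Where-Object { $_.IPAddress -eq $RelayIp })

# Reverse lookup: the address must map back to the hostname.
$ptr = Resolve-DnsName -Name $RelayIp -Type PTR -ErrorAction SilentlyContinue
$results['DNS reverse'] = [bool]($ptr | Where-Object { $_.NameHost -eq $RelayHost })

# TCP reachability of both services from this client.
$ports = [ordered]@{ 'Message Relay' = $RelayPort; 'Update Cache' = $CachePort }
foreach ($p in $ports.GetEnumerator()) {
    $t = Test-NetConnection -ComputerName $RelayHost -Port $p.Value `
            -WarningAction SilentlyContinue
    $results["TCP $($p.Value) ($($p.Key))"] = [bool]$t.TcpTestSucceeded
}

# Print one line per check.
$results.GetEnumerator() | ForEach-Object {
    '{0,-28} {1}' -f $_.Key, $(if ($_.Value) { 'OK' } else { 'FAIL' })
}

# Stop with a non-zero exit code if any prerequisite is missing.
if ($results.Values -contains $false) {
    Write-Error 'Prerequisites not met; fix the failed checks before running SophosSetup.exe.'
    exit 1
}
```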

After checking the requirements, we need to prepare the Sophos Endpoint installation file and save it to drive C.

Next, we open the Command Prompt with admin rights and execute the command “cd /” to enter the drive.

Then execute the following command to install Sophos Endpoint using adserver’s message relay.

SophosSetup.exe --messagerelays=10.145.41.10:8190

After entering the command, the Sophos Endpoint installation panel will appear. Click Install and wait about 10 minutes for the installation.

After 10 minutes, the installation is complete and we just need to reboot the machine.

As you can see after the reboot, the installation is completed and the computer is still not connected to the internet. This proves that the installation was done via the message relays and update cache feature on the adserver.

6.3. Result in Sophos Central

Going back to Sophos Central, we go to Device and see that the newly installed client01 machine has been updated.

Click on the hostname client01 and scroll down to the Update Caches and Message Relays section. We will see that Sophos Endpoint on client01 was installed through the adserver server, so by default the update cache and message relay server of client01 will be adserver, not Sophos.
