Allow Sophos Anti Virus Updates from Network Security Group

VNVCS IT 0 Reputation points
2024-02-03T06:49:11.15+00:00

Hi All,

I have 5 virtual machines and 3 VDIs with 3 virtual networks; all VNets are peered with each other. I have configured 1 NSG for all three VNets and have allowed only HTTPS and HTTP traffic for all VMs and VDIs. Now I have blocked internet access by adding an outbound rule to deny internet access, but Sophos antivirus is installed on all the machines, and after blocking internet, updates have stopped. My question is: how can I allow antivirus and Windows updates by adding NSG rules?

Regards,
Imran Shaikh

  1. JimmySalian-2011 42,611 Reputation points
    2024-02-03T16:04:02.74+00:00

    Hi,

    For this you will need to use the AzureUpdateDelivery service tags and allow Windows Update: https://learn.microsoft.com/en-us/azure/virtual-network/service-tags-overview

    For Sophos I am not sure; the option will be to host an update server locally and allow centralised deployment via the server in a DMZ?

    Hope this helps. JS


  2. Martin Therkelsen 1,410 Reputation points MVP
    2024-02-08T18:06:02.05+00:00

    Hey,

    The software will need to have ports 80 and 443 open towards the Sophos update servers. Now, NSG does not support FQDNs, so you can't control this from an NSG point. If you need to deny normal internet traffic but allow Sophos updates, you will need to either use Azure Firewall or create your own IP whitelist for all IPs that Sophos is using for their updates.

    You can find the documentation on the link below.

    https://doc.sophos.com/central/customer/help/en-us/PeopleAndDevices/ProtectDevices/DomainsPorts/index.html#recommendations

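The two answers combined (service tags for Windows Update, an IP allowlist for Sophos, both placed ahead of the Internet deny), sketched as Azure CLI calls. This is an added example, not part of either answer: the resource group, NSG name, rule names, priorities and CIDR ranges are constructed placeholders, and the `AzureFrontDoor.FirstParty` rule is taken from the service-tags documentation linked in the first answer. The script only prints the commands unless `APPLY=1` is set.

```shell
#!/bin/sh
# Added example. RG, NSG, rule names, priorities and CIDRs are constructed placeholders.
set -f  # no globbing: '*' and the unquoted lists below must stay literal
RG="${RG:-rg-example}"
NSG="${NSG:-nsg-example}"
# RFC 5737 documentation ranges standing in for the address list you maintain
# from the Sophos domains-and-ports page.
SOPHOS_CIDRS="${SOPHOS_CIDRS:-203.0.113.0/24 198.51.100.0/24}"

# Print the command by default; execute it only when APPLY=1.
run() {
  if [ "${APPLY:-0}" = 1 ]; then "$@"; else printf '%s\n' "$*"; fi
}

# args: name priority access protocol "ports" destination...
out_rule() {
  name=$1 prio=$2 access=$3 proto=$4 ports=$5
  shift 5
  run az network nsg rule create --resource-group "$RG" --nsg-name "$NSG" \
    --name "$name" --priority "$prio" --direction Outbound --access "$access" \
    --protocol "$proto" --source-address-prefixes VirtualNetwork \
    --destination-address-prefixes "$@" --destination-port-ranges $ports
}

build_rules() {
  # NSG rules are evaluated lowest priority number first, so every allow
  # needs a smaller number than the Internet deny.
  out_rule Allow-WindowsUpdate-Meta 100 Allow Tcp 443 AzureUpdateDelivery
  # The service-tags page pairs AzureUpdateDelivery with this tag on TCP 80.
  out_rule Allow-WindowsUpdate-Download 110 Allow Tcp 80 AzureFrontDoor.FirstParty
  out_rule Allow-Sophos-Updates 120 Allow Tcp "80 443" $SOPHOS_CIDRS
  out_rule Deny-Internet-Out 4000 Deny '*' '*' Internet
}

build_rules
```

Run it as-is to review the four commands, then with `APPLY=1` to create the rules. An IP allowlist built this way has to be refreshed whenever the vendor's published addresses change.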
