Using a caching proxy server with Sophos Cloud

  • Article ID: 121131
  • Updated: 11 Aug 2014

This article explains how to configure a caching proxy for Sophos Cloud managed endpoints so that the majority of computers download from a local cache rather than connecting directly to the internet for updates.  This may be required for the following reasons:

  • Decrease bandwidth usage from one or more locations.
  • Speed up the initial installation and future update times for larger updates.

Note: If you are using a device such as a UTM that is acting as a proxy, we recommend enabling caching on that device where possible. For example, to enable this in the Sophos UTM:

  • Log into the UTM.
  • Navigate to 'Web Protection' > 'Filtering Options' > 'Advanced'.
  • Enable Local caching.

First seen in

Sophos Cloud

What To Do

Two components are required:

  • A proxy server to cache the updates.  This article describes using Squid although the principles can be applied to other proxy servers.
  • Implementation of Web Proxy Auto-Discovery Protocol (WPAD) and an associated Proxy Auto-configuration File (PAC). This is necessary to ensure clients update via the caching proxy server.

Proxy server

A standard proxy server configured with caching:

  1. By default Squid enables file caching. However, it is recommended to increase the maximum object size ('maximum_object_size') so that large updates are also cached. This can be done by adding the following to 'squid.conf':

    #configure squid to cache large files.
    maximum_object_size 64 MB

  2. By default Squid will allow all HTTP traffic. To avoid running an open proxy server on your network, this should be restricted:

    #only allow access to Sophos domains
    acl sophos-update-sites dstdomain .sophosupd.com .sophosupd.net
    http_access allow sophos-update-sites
    http_access deny all


  3. It is recommended that the cache is configured with at least 2 GB.

    cache_dir ufs /var/spool/squid 2048 16 256

WPAD/PAC

The Sophos AutoUpdate service uses WinHTTP for update requests. WPAD and PAC can thus be used to ensure that updates are downloaded via the proxy server.

Procedure overview:

  1. If you do not already use WPAD in your environment, set up a wpad internal DNS entry, i.e. wpad.<yourdomain>.

    Notes: 
  2. Configure a web server to serve a PAC file on the hostname wpad.<yourdomain>.
    Here is a sample PAC file. If you are not using an existing PAC file, this can be used directly. If you already have one in place, it will need to be modified appropriately.

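    function FindProxyForURL(url, destHost)
    {
        // Default: connect directly, without a proxy.
        var myProxy = "DIRECT";
        // Send requests for the Sophos update domains to the caching proxy (Squid, port 3128).
        if (dnsDomainIs(destHost, "sophosupd.com")) { myProxy = "PROXY wpad.<yourdomain>:3128"; }
        if (dnsDomainIs(destHost, "sophosupd.net")) { myProxy = "PROXY wpad.<yourdomain>:3128"; }
        return myProxy;
    }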

Verification

On the next update you can check that the configuration is working correctly by monitoring the proxy server log. You should begin to see 'TCP_HIT' messages for the 'sophosupd' domains, for example:

# egrep 'sophosupd\.(com|net)' /var/log/squid/access.log

1403060582.236 0 10.101.101.211 TCP_HIT/200 855 GET http://d1.sophosupd.com/update/cd2a5386-f08c-42b1-8d98-40240059e361/55ca257cbadbfe606fe9b35fd7719e0cx000.xml - NONE/- application/octet-stream
1403060582.240 0 10.101.101.211 TCP_HIT/200 850 GET http://d1.sophosupd.com/update/FF5DF0B0-E558-493f-9B45-A70E89B7A359/a62acc9bf0b27f4126e67301c9ba59dbx000.xml - NONE/- application/octet-stream
1403060582.245 0 10.101.101.211 TCP_HIT/200 857 GET http://d1.sophosupd.com/update/E17FE03B-0501-4aaa-BC69-0129D965F311/b51eb99e12b564ca675a471fc6820248x000.xml - NONE/- application/octet-stream
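
To go beyond spotting individual TCP_HIT lines, the following added example (not part of the original article or of any Sophos tooling) summarises how much Sophos update traffic was served from the cache. It assumes Squid's default native access.log layout; the function names, the d1.sophosupd.net host and the sample log lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: summarise cache effectiveness for Sophos update traffic.
# Assumed log layout (Squid native format):
#   time elapsed client code/status bytes method URL ident hierarchy/peer type

sophos_cache_summary() {
    # Usage: sophos_cache_summary /var/log/squid/access.log   (or pipe on stdin)
    awk '
    {
        # Reduce the URL in field 7 to its host name.
        host = $7
        sub(/^[a-z]+:\/\//, "", host)
        sub(/[\/:].*$/, "", host)
        host = tolower(host)
        # Count only the update domains, matching the ACL suffixes in squid.conf.
        if (host !~ /(^|\.)sophosupd\.(com|net)$/) next
        split($4, rc, "/")            # TCP_HIT/200 -> rc[1] is TCP_HIT
        total++; bytes += $5
        # Any result code containing HIT (TCP_HIT, TCP_MEM_HIT, ...) came from cache.
        if (rc[1] ~ /HIT/) { hits++; hit_bytes += $5 }
    }
    END {
        if (total == 0) {
            print "requests=0 hits=0 hit_pct=0 bytes=0 hit_bytes=0"
            exit
        }
        printf "requests=%d hits=%d hit_pct=%d bytes=%d hit_bytes=%d\n",
               total, hits, (hits * 100) / total, bytes, hit_bytes
    }' "$@"
}

# Constructed sample log: three cache hits, one miss, one unrelated denied request.
sample_log() {
    cat <<'EOF'
1403060582.236 0 10.101.101.211 TCP_HIT/200 855 GET http://d1.sophosupd.com/update/sample-a.xml - NONE/- application/octet-stream
1403060582.240 0 10.101.101.211 TCP_HIT/200 850 GET http://d1.sophosupd.com/update/sample-b.xml - NONE/- application/octet-stream
1403060582.245 0 10.101.101.211 TCP_HIT/200 857 GET http://d1.sophosupd.com/update/sample-c.xml - NONE/- application/octet-stream
1403060585.100 812 10.101.101.212 TCP_MISS/200 1048576 GET http://d1.sophosupd.net/update/sample-large.dat - DIRECT/192.0.2.10 application/octet-stream
1403060590.010 0 10.101.101.211 TCP_DENIED/403 3500 GET http://www.example.com/ - NONE/- text/html
EOF
}

sample_log | sophos_cache_summary
```

A low hit percentage shortly after deployment is expected, since each file must be fetched once before it can be served from the cache; a persistently low value suggests clients are not using the PAC file or that objects exceed 'maximum_object_size'.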

 
If you need more information or guidance, then please contact technical support.
