Sophos small business solutions: client firewall rollout guidelines
The Sophos Client Firewall enables only named programs, or types of programs, on your networked computers to access the company network or the internet. By locking down your computers, it protects your network from worms, hackers and virus infection from unprotected computers and the internet.
Sophos Client Firewall is available as part of Sophos small business solutions (subject to the terms of your license). It is installed in conjunction with Sophos
- Sophos Client Firewall can only run on Windows 2000 Professional and Windows XP. It is not available for server operating systems, or on a workstation running the Sophos Control Center. See System requirements for details.
- You can opt to install Sophos Client Firewall on any individual workstation during setup, or later.
- You are advised to test Sophos Client Firewall on selected workstations before full deployment.
- After initial deployment, you should configure the firewall for your network so as to enhance the protection on your workstations.
For more information, see the Sophos small business solutions installation guide and user manual.
What to do
1. Initial deployment
When you run the 'Protect computers' wizard, in 'Protect Computers - Step 3 of 5' you can select which computers you will install Sophos
- The initial configuration is the default configuration. It is equivalent to that of the Windows Firewall. It allows outbound traffic only.
- If your workstations are currently running the Windows Firewall, it will be replaced by the Sophos Client Firewall.
- You can easily add Sophos Client Firewall to your protected workstations later on.
When installing for the first time:
- Select 'Firewall' for a handful of computers as a test.
- Complete the installation, and reboot those computers.
- Check that those computers can carry out their normal functions.
After you are satisfied that those computers are running correctly, you can either
- establish a detailed firewall policy for your whole network on test workstations (this is the recommended option)
- or deploy Sophos Client Firewall in its initial configuration to the whole of your network (this provides rapid network protection, but prevents you from using some deployment options in the Sophos Control Center).
You can now use test workstations to configure a firewall policy for your whole network.
2. The Sophos Client Firewall policy modes
Sophos Control Center can be used to deploy Sophos Client Firewall to your network in three different modes.
The named programs mode can only be deployed from Sophos Control Center. The other modes can also be configured locally.
How you deploy Sophos Client Firewall will be affected by what software you already have installed. Whatever you decide, you should run a test of your planned configuration on a few workstations before deploying to your network.
- Outbound traffic only mode gives equivalent protection to the Windows Firewall. It could replace the Windows Firewall after a short initial test period if, for example, you do not currently use a personal firewall on your network.
- For enhanced protection you should use either named programs, or a full custom configuration. The outbound traffic only mode is best suited to rapid initial deployment where protection is currently poor.
- A full custom configuration gives you the tightest control over your workstations, however it is the most complex to configure.
3. Selecting a Sophos Client Firewall policy mode
Central installation is run from Sophos Control Center. Run a test installation on selected workstations before full deployment.
- Open Sophos Control Center.
- In the left hand pane, select 'Configure firewall'.
- In the welcome screen, click 'Next'.
- In 'Enable firewall', ensure that 'Turn on firewall (recommended)' is selected.
- Click 'Next'.
- In 'Protection type', select 'Custom settings'. (The 'Factory settings' option will retain the outbound only mode.)
- Click 'Next'.
- In 'File and print sharing', ensure that 'Allow file and print sharing' is selected. This must be present to allow updating over a local network.
- Click 'Next'.
- In 'Rules for network traffic':
- 'Block inbound and allow outbound traffic' is outbound only mode.
- 'Block inbound and outbound traffic' is named programs mode.
- 'Create custom rules' is custom mode.
- Select either 'Block inbound and outbound traffic' or 'Create custom rules', as you choose. Refer to the section 'Customize firewall configuration' in the Sophos Control Center user manual.
You can now start working on your network firewall configuration.
- While you are working on your configuration you can export and save it, and reimport it.
- If necessary, you can revert to outbound only mode, or even disable the firewall completely.
Separate knowledgebase articles describe how to create your own network configuration in the two modes.
While editing you can move between the two modes.
Note:
- Once you have deployed to your whole network, any change made to the configuration in Sophos Control Center will be implemented on all of your workstations. If you need to change your configuration, test the change on an individual computer, then import it.
- Sophos Client Firewall cannot be removed from workstations by using Sophos Control Center. However, it can be disabled from there.
Appendices
A. System requirements
- Sophos Client Firewall is available only for Windows 2000 and later workstation operating systems, i.e. Windows 2000 Professional and Windows XP, including 32-bit Windows XP on 64-bit computers.
- Sophos Client Firewall version 1.0 is designed to run on workstations connected to an Ethernet-based LAN (local area network) or the internet.
- Sophos Client Firewall requires Sophos Anti-Virus version 6 or higher.
Sophos Client Firewall is not supported on
- server operating systems (e.g. Windows 2000 server, Windows 2003)
- 64-bit variants of Windows XP
- a computer running the Sophos Control Center.
Note: Sophos Client Firewall 1.0 does not support IPv6. However, it lets IPv6 packets through (that is, IPv6 traffic is not filtered).
B. Deployment notes
Remote shares
It is usual to have multiple shares open across a network, but you may want to restrict access to some, or all, of these shares. The firewall can be configured to allow a connection only to specified network addresses (i.e. computers or network drives). This will allow you to restrict access to all shares on that computer. You can then set the policy for individual groups to specify which addresses they can access.
Remote access to computers
If you use remote access software to monitor and fix computers, you must build rules into your configuration to enable you to work this way.
Identify the technologies that you use to access the computers on your network. For example:
- RDC
- VPN client/server
- SSH/SCP
- Terminal services
- Citrix
Check what sort of access is needed, and create your rule(s) accordingly.
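The article asks you to check that the test workstations can still carry out their normal functions, and to build rules for the remote-access technologies you use. The following script is an added example (not from the article or from Sophos) of a post-rollout acceptance check: run on a test workstation with the firewall enabled, it probes the services the workstation must still reach and gates full deployment on the result. The host names are placeholders, and the ports are the usual defaults for the technologies in the list above.

```python
"""Post-rollout acceptance check for Sophos Client Firewall test workstations.

Added example; not part of the Sophos article. Run on a test workstation after
enabling the firewall to confirm that the update share (file and print sharing)
and the remote-access services you rely on are still reachable before the
policy is deployed network-wide. Host names are placeholders.
"""
import socket

# Constructed checklist: (label, host, port). Ports are the standard defaults
# for each technology named in the article's remote-access list.
REQUIRED_SERVICES = [
    ("update share (SMB, file and print sharing)", "update-server.example", 445),
    ("RDC / Terminal Services (RDP)", "admin-ws.example", 3389),
    ("SSH/SCP", "jump-host.example", 22),
    ("Citrix ICA", "citrix-gw.example", 1494),
]


def tcp_probe(host, port, timeout=3.0):
    """Return True if a TCP connection to host:port succeeds within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def run_acceptance_check(services, probe=tcp_probe):
    """Probe each required service and return a report to gate the rollout on.

    `probe` is injectable so the decision logic can be exercised offline.
    """
    reachable, blocked = [], []
    for label, host, port in services:
        (reachable if probe(host, port) else blocked).append((label, host, port))
    return {"passed": not blocked, "reachable": reachable, "blocked": blocked}


if __name__ == "__main__":
    report = run_acceptance_check(REQUIRED_SERVICES)
    for label, host, port in report["blocked"]:
        print(f"BLOCKED  {label}: {host}:{port} - add a firewall rule before full deployment")
    for label, host, port in report["reachable"]:
        print(f"OK       {label}: {host}:{port}")
    print("Acceptance check", "passed" if report["passed"] else "FAILED")
```

Remove any entry you do not actually use; a blocked entry means the planned configuration needs a rule for that service before it is deployed to the whole network.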
If you need more information or guidance, then please contact technical support.
- Article ID: 16610
- Created: 20 Jul 2006
- Last updated: 8 Oct 2008
