Manage Update Caches and Message Relays

Getting Sophos Central updates from a cache on a server on your network saves bandwidth, as updates are downloaded only once, by the server.

You can also enable computers to communicate with Sophos Central through a message relay on a server on your network.

A message relay server must also have an update cache set up on it.

This help page tells you how caches and relays work and how you set them up.

Tip Computers can get the latest Sophos agent from a cache the first time you run the Sophos installer on them. You need to set up your caches before installation. If you have endpoints that can't connect to Sophos directly, you also need to set up your update caches as message relays.
Note If you use the Reject network connections feature (for customers with Sophos XG Firewall), it could prevent a cache server from delivering updates. To avoid this, see Reject network connections.

How caches and relays work

When you set up a cache (and optionally relay) on a server, Sophos Central does as follows:

  • Installs Sophos caching software (and relay software).
  • Fetches updates from Sophos and puts them in a cache.
  • Automatically configures computers in your network to update from a cache (and use a relay).

    You can also assign computers to use a specific cache or relay.

Using caches doesn't affect how often or when computers are updated.

Computers that can use caches and relays

You can install caches and relays on Windows Server 2008 R2 or later.

The following computers can use caches or relays:

  • Windows 7 and later (including servers), Macs, and Linux computers can use a cache.
  • Windows 7 and later (including servers) and Linux computers can use a relay.

Set up a cache/relay

You can set up a cache and a relay at the same time, or a cache only. You can also set up a relay on a server that already has a cache.

Before you set up a cache or a relay, ensure that:

  • The server is running Windows Server 2008 R2 or later.
  • The server has at least 5GB free disk space.
  • Port 8190 and 8191 are available and accessible to computers that will update from the cache and use the relays.

    The installers will open ports 8190 and 8191 in Windows Firewall. When Update Cache or Message Relay are uninstalled, the ports are closed again.

If you use the Reject network connections feature (for customers with Sophos XG Firewall), you might need to add the server to the exclusions. See Reject network connections.

To set up a cache or a relay:

  1. In Settings, go to the Manage Update Caches and Message Relays page.
  2. In the filter above the table, click the drop-down arrow and select Cache Capable Servers to see which servers are suitable for a cache and a relay. If you've already set up a cache on some servers, to hide them from view, select Servers without Update Cache. If you want to set up a relay on a server with a cache, select Servers with Update Cache.
  3. Select the server or servers where you want to set up a cache or relay.
  4. Click Set Up Cache/Relay.

Sophos Central automatically configures computers in your network to use a cache or relay. You can also manually assign computers to use a specific cache or relay.

Assign computers to a cache/relay

You can manually assign computers to use a specific cache or relay.

  1. In Settings, go to the Manage Update Caches and Message Relays page.
  2. For the server on which the cache or relay is installed, click the link displaying the number of computers using the Update Cache or Message Relay, in the Updated from cache column or the Using Relay column, respectively.
  3. Click Manual assignment.
  4. Select the computers.
  5. Click Save.

See which computers use caches and relays

On the Manage Update Caches and Message Relays page, you can view which servers have update caches and message relays. You can see how many computers are using them as caches or relays and the update caches' activity.

Click a server to see the details of the computers using its update cache or message relay.

Remove a cache/relay

Note If you want to remove a cache that has computers manually assigned to it you must reassign them first.

When you remove a cache, Sophos Central does as follows:

  • Uninstalls caching software, removes the cache of downloaded updates, and closes port 8191 in Windows Firewall.
  • Uninstalls the message relay software (if installed) and closes port 8190 in Windows Firewall.
  • Reconfigures computers that update from this server to update from another update cache, if you have one.
  • Reconfigures computers that use the relay to use another message relay, if you have one.

If you remove all your caches, computers will update directly from Sophos.

If you remove all of your message relays, computers will communicate directly with Sophos Central.

To remove a cache/relay:

  1. In Settings, go to the Manage Update Caches and Message Relays page.
  2. In the filter above the table, click the drop-down arrow and select Servers with Update Cache to see which servers have a cache set up. You can also select Servers with Message Relay to see which servers have a message relay set up.
  3. Select the server or servers you want to remove a cache/relay from.
  4. Click Remove Cache/Relay.