Deployment Helper

The RED Management > Deployment Helper tab provides a wizard that facilitates setting up and integrating a RED environment. The wizard is meant to be a simple alternative to the normal configuration on the Client Management tab. You only need to fill in the requested fields (and, if needed, the fields marked optional) and click Deploy RED.

The [Server] tag in front of the page name indicates that this page only needs configuration if Sophos UTM should act as server (RED hub).

Note – For your convenience, with Standard and Standard/Split mode, in contrast to the Client Management tab, the deployment helper automatically creates the following objects: a local interface with the specified IP address; a DHCP server for the remote network, covering half of the available IP address range; access to the local DNS resolver. In Transparent/Split mode, the deployment helper only creates a DHCP client (Ethernet DHCP) interface.

The deployment helper provides short descriptions for every option and a sketch for each of the three operation modes offered by the RED technology.

Below you will find a description and use case examples for each of the three operation modes of RED.

Standard/Unified

Sophos UTM manages the whole remote network. It acts as DHCP server and as default gateway.

Example: You have a branch office and, for security reasons, you want all its traffic to be routed via your headquarters Sophos UTM. That way the remote site becomes a part of your local network as if it were connected via LAN.

Standard/Split

Note – VLAN tagged frames cannot be handled with this operation mode.

As with the Standard mode, Sophos UTM manages the whole remote network and acts as DHCP server. The difference is that only traffic targeted to networks listed in the Split Networks box is redirected to your local Sophos UTM. All traffic not targeted to the defined split networks is directly routed to the Internet.

Example: You have a branch office and you want it to have access to your local intranet or you want to route traffic of the remote network via your Sophos UTM for security reasons, e.g. to have the traffic checked for viruses or to use an HTTP proxy.

Transparent/Split

Note – VLAN tagged frames cannot be handled with this operation mode.

The remote network stays independent; Sophos UTM is a part of this network by getting an IP address from the remote DHCP server. Only certain traffic of the remote network is allowed to access certain networks or local domains of yours. Since Sophos UTM has no control of the remote network, local domains, which are not publicly resolvable, cannot be resolved by the remote router unless you define a Split DNS Server. This is a local DNS server of yours which can then be queried by remote clients.

Technically, the local interface of the RED appliance and its uplink interface to your local Sophos UTM as well as its link to the remote router are bridged. (For RED 20, 50, and 60, LAN ports are bridged only to WAN 1.) Since Sophos UTM is only a client of the remote network, routing traffic to the split networks the same way as with the other modes is not possible. Therefore, the RED appliance intercepts all traffic: traffic targeted at a network listed in the Split Networks box or going to a domain listed in the Split Domains box is redirected to the Sophos UTM interface. This is accomplished by replacing the default gateway's MAC address in the respective data packets with the MAC address of Sophos UTM.

Example: There is a partner or a service provider who should have access to your intranet or a certain server in your local network. Using a RED appliance, that partner's network will stay completely independent of your network, but they can access a defined part of your network for certain purposes, as if they were connected via LAN.
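The forwarding decision of the three operation modes can be modelled in a few lines to check which remote traffic never passes through Sophos UTM for inspection. This is an added illustration, not Sophos code: the class and function names, the sample MAC addresses, networks and domains are constructed, and matching subdomains of a listed split domain is an assumption.

```python
import ipaddress
from dataclasses import dataclass, field

@dataclass
class RedConfig:
    mode: str                       # "standard/unified", "standard/split", "transparent/split"
    split_networks: list = field(default_factory=list)
    split_domains: list = field(default_factory=list)
    utm_mac: str = "02:00:00:00:00:01"      # constructed sample MAC of Sophos UTM
    gateway_mac: str = "02:00:00:00:00:fe"  # constructed sample MAC of the remote default gateway

def in_split_networks(cfg, dst_ip):
    addr = ipaddress.ip_address(dst_ip)
    return any(addr in ipaddress.ip_network(net) for net in cfg.split_networks)

def in_split_domains(cfg, hostname):
    # Assumption: a listed domain also covers its subdomains.
    if not hostname:
        return False
    host = hostname.lower().rstrip(".")
    return any(host == d.lower() or host.endswith("." + d.lower()) for d in cfg.split_domains)

def forward(cfg, dst_ip, hostname=None):
    """Return (path, dst_mac): path is "utm" or "direct"; dst_mac is only
    modelled for Transparent/Split, where the RED rewrites it."""
    if cfg.mode == "standard/unified":
        return ("utm", None)                 # all traffic goes via Sophos UTM
    via_utm = in_split_networks(cfg, dst_ip)
    if cfg.mode == "standard/split":
        return ("utm" if via_utm else "direct", None)
    if cfg.mode == "transparent/split":
        via_utm = via_utm or in_split_domains(cfg, hostname)
        # Redirected frames get the UTM MAC in place of the gateway MAC.
        return ("utm", cfg.utm_mac) if via_utm else ("direct", cfg.gateway_mac)
    raise ValueError(f"unknown operation mode: {cfg.mode}")

def bypassing_utm(cfg, flows):
    """Flows (dst_ip, hostname) that never reach Sophos UTM for inspection."""
    return [f for f in flows if forward(cfg, *f)[0] == "direct"]

if __name__ == "__main__":
    flows = [("10.1.5.9", None), ("198.51.100.7", "wiki.intranet.example"),
             ("203.0.113.20", "example.org")]   # constructed sample flows
    for mode in ("standard/unified", "standard/split", "transparent/split"):
        cfg = RedConfig(mode, ["10.1.0.0/16"], ["intranet.example"])
        print(mode, "->", bypassing_utm(cfg, flows))
```

Any flow the model reports as "direct" leaves the remote site without virus scanning or proxy filtering by Sophos UTM, so the Split Networks and Split Domains lists define the inspection boundary in both split modes.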

Note – Using the deployment helper, the uplink mode of the RED appliance is DHCP Client in either operation mode. If you need to assign it a static IP address instead, you need to configure the RED appliance on the Client Management tab.