Sophos Remote Ethernet Device (RED) is a small network appliance, designed to be as simple to deploy as possible. Its main purpose is to provide a secure tunnel from its deployment location to a Sophos UTM firewall.
There is no user interface on the RED appliance. It is designed to be fully configured and managed from a Sophos UTM. RED devices can be shipped to a remote site, connected to any DHCP connection to the internet, and be fully configured by a remote administrator with no prior knowledge of the site, and no need to walk local personnel through technical setup steps.
Sophos Red technical overview
When a RED is configured in a Sophos UTM firewall, the configuration options chosen by the administrator are uploaded to the Sophos provisioning servers. The configuration is little more than the following items:
- Address of the firewall to which it will tunnel
- WAN Uplink Mode (DHCP, Static IP)
- Tunnel operation mode (Standard)
- If static uplink mode is chosen, RED WAN address settings (Address, Netmask, Default Gateway, and DNS server)
- Optionally, mobile broadband connection settings for RED v2 and above hardware
- Unlock code
The unlock code is not stored on the RED appliance, but is used to prevent a RED that is in use from being accidentally or maliciously redirected. The correct unlock code must be supplied for the provisioning servers to accept new configuration for a RED. Initially, the unlock code is blank, until a RED has been connected to a UTM once. The first time a RED device is configured in a UTM, the unlock code should be left blank. Every time a RED is connected to a new UTM, the old unlock code must be entered in the new UTM to move the RED. Once the settings are pushed to the provisioning server, a new unlock code is issued, and displayed in the WebAdmin of the UTM.
The provisioning servers store the configuration provided by the administrator, on a centrally reachable set of servers. RED devices can be centrally configured due to this mechanism. When a RED device has no configuration, or the configuration it has is unsuccessful, it will look to the provisioning servers for updated instructions. A DNS lookup of red.astaro.com will return the closest provisioning server, which it will then securely connect to, and check for new instructions from the provisioning servers. As long as a RED has a working configuration, it will not check back with the provisioning servers again.