Grouping Web Appliances

The Sophos Web Appliance is available in a variety of models, each capable of providing web browsing security and control features for different numbers of end users. As indicated in the table below, appliances differ in their processing capacity and memory.

Larger organizations and those with multiple locations can use multiple Sophos Web Appliances grouped together by a common Sophos Management Appliance to provide web security and control for their various locales and a large number of end users. Management appliances centralize control of policy and configuration data and consolidate reports. In order to group two or more appliances together, you must purchase a Sophos Management Appliance.

Web Appliances and Management Appliances can also be purchased as virtual machines that run on VMware. Their capacity depends on how much CPU, memory, and disk space you allocate. For more information, see “Virtual Appliances” in the product documentation.

For detailed instructions on joining and disconnecting appliances, see “Central Management” in the System section of the product documentation.

Model Processors Memory (RAM)
WS100 dual-core, light-capacity 2 GB
WS500 dual-core, medium-capacity 2 GB
WS1000 dual-core, high-capacity 4 GB
WS1100 quad-core, high-capacity 8 GB
SM2000 quad-core, high-capacity 8 GB
SM5000 quad-core, high-capacity 8 GB
WS5000 quad-core, high-capacity 16 GB
Note The number of end users that an appliance can handle is determined by the frequency at which your organization’s users browse the web throughout the day and the volume and nature of the files that they download and access. The number of users that a grouped deployment supports depends on the number of joined appliances.

Scaling and Deployment

Your organization can either grow to require more than one appliance, or—if your organization is a new Sophos appliance user that is a large, multi-site organization—you can begin by using multiple, grouped appliances. In a grouped Web Appliance deployment, configuration and policy data is distributed from the Management Appliance. If you have an existing standalone appliance, there is also the option of the Management Appliance extracting configuration and policy data from the first Web Appliance to join.

Scenario 1: Your growing organization now requires more than one appliance

If your organization begins with a single standalone Web Appliance and then grows to require a multiple Web Appliances, the deployment of the additional appliances would be as follows:

Preparing to Join a Management Appliance

Before you join an existing Web Appliance to a Management Appliance, take the following steps to ensure that building your group is a smooth and successful process.

  1. Be sure that you perform a backup that includes system configuration data and system logs.
  2. If you want to use the policy and configuration data from an established Web Appliance that you plan to join to a Management Appliance, on the Configuration > System > Central Management page on the Management Appliance, be sure to select the Copy configuration and policy data from the first web appliance to join before joining the established Web Appliance. Ensure that the established Web Appliance is the first Web Appliance that you join to the Management Appliance.

Joining a Management Appliance and Other Appliances

  1. Join your organization’s original, already-configured Web Appliance to the Management Appliance .

    The original Web Appliance’s configuration and policy data are copied to the Management Appliance (shown with blue dotted line).

  2. Join the new Web Appliances to the Management Appliance . This can be done in any order, whether the new Web Appliances are in the same location or in remote locations ( and ).

    The new Web Appliances that are joined—, , and —then receive their configuration and policy data from the Management Appliance.

Scenario 2: Your large or multi-site organization’s deployment starts with multiple appliances

If your organization begins with multiple appliances that are deployed at the same time, the setup is as follows:

  1. Unconfigured Web Appliances, whether they are in the same location and or in remote locations and , are joined (in any order) to the Management Appliance (joins must be performed from each new Web Appliance).
  2. The configuration is done on the Management Appliance, which then distributes this configuration data to the joined Web Appliances (shown with blue dotted lines).
    Note Follow the steps in Scenario 1 if you prefer to configure one of your new Web Appliances for testing purposes first, join it to the Management Appliance, and then distribute the configuration data to the other Web Appliances.

Joined Appliances (Scenarios 1 and 2)

In both scenarios, once all of the appliances are joined, ongoing configuration changes are done on the Management Appliance and distributed to the Web Appliances—, , , —thus providing centralized configuration (blue dashed lines). Also, report data is sent from the Web Appliances to the Management Appliance, providing centralized reporting (red smooth lines).

Appliance Mode and Model Differences

Sophos Web Appliances can operate in standalone or joined mode. You can also join a Sophos Management Appliance to one or more Web Appliances for centralized management.

There are differences in the administrative user interface, depending on which mode the appliance is in or if it is a Management Appliance. For a detailed breakdown of these variations, see “Mode and Model Differences.”