SOPHOS SD-RED 20 Remote Ethernet Device Instruction Manual

: June 5, 2024
: SOPHOS

Table of Contents

Foreword
Security Symbols
Designed Use
Operating Elements and Connections
Interfaces (front)
Power and Port LEDs
Status LEDs
Installation
Mounting Instructions
References
Read User Manual Online (PDF format)
Download This Manual (PDF format)

SOPHOS SD-RED 20 Remote Ethernet Device Instruction Manual

Foreword

We are pleased to welcome you as a new Sophos SD-RED customer.

Sophos SD-RED (Remote Ethernet Device) is the ideal solution to easily extend your secure network beyond your main facility to branch offices, retail outlets, and other remote locations.

SD-RED devices are built on the latest enterprise-class, high-speed networking platforms, providing state-of-the art data encryption technology to securely transport your data over the internet.

All configuration and management is done on a Sophos Firewall located at your main facility and requires no technical skills at the remote site.

These operating instructions will help you install and configure the Sophos SD-RED device and provide technical specifications of all SD-RED models. In addition, please also see the following documents:

Hardware Quick Start Guide: Connection to the system peripherals in a few steps
Safety Instructions: Notes on safety regulations and regulatory compliance
Sophos Firewall Administration Guides: Configuring your SD-RED appliance within the central Sophos SG UTM or XG Firewall appliance

The Hardware Quick Start Guide and the Safety Instructions are also delivered in printed form together with the hardware appliance. The instructions should be read carefully prior to using the device and should be kept in a safe place.

You may download all user manuals and additional documentation from the support
webpage at: sophos.com/support and from www.sophos.com/get-started-sd-red.

Security Symbols

The following symbol and its meaning appears in the Hardware Quick Start Guide, Safety Instructions and in these Operating Instructions.

Caution and Important Note. If these notes are not correctly observed:

This is dangerous to life and the environment
The device may be damaged
The functions of the device will be no longer guaranteed
Sophos shall not be liable for damages arising from a failure to comply with the Safety Instructions

Designed Use

SD-RED devices are developed for use in networks. They can only be operated in conjunction with a central Sophos Firewall but not as a standalone appliance. The hardware device can be used in commercial, industrial, and residential environments.

SD-RED models belong to the appliance group B.

The hardware appliance must be installed pursuant to the current installation notes. Otherwise failure-free and safe operation cannot be guaranteed. The EU declaration of conformity is available from the following address:

Sophos Technology GmbH
Gustav-Stresemann-Ring 1
65189 Wiesbaden
Germany

CE Labeling, FCC and Approvals

The SD-RED appliances comply with CB, CE, FCC, ISED/ICES, VCCI, RCM, UL, CCC, KC, Anatel.

Important note: For computer systems to remain CE and FCC compliant, only CE and FCC compliant parts may be used. Maintaining CE and FCC compliance also requires proper cable and cabling techniques.

Operating Elements and Connections

**SD-RED 20 / SD-RED 60***

Interfaces (front)

LAN Ports| Type RJ45| Speed

10/100/1000 Mbps

| Comment

LAN1/LAN3 ports can be used to power a connected device (e.g. access point, IP camera, or IP phone) via PoE with up to 30W (PoE 802.3at).

---|---|---|---
LAN1–LAN4
WAN1/WAN2

(WAN2 on

SD-RED 60 only)

Micro USB

| Comment _
_You can connect a serial console to the Micro-USB COM port to access the CLI.
The required connection settings are:
Bits per second: 115,200
Data bits: 8
Parity: N (none)
Stop bits: 1
---|---|---
COM
USB| USB 3.0 (Type A)| You can connect a USB 2.0 or 3.0 compatible device to this port (e.g. USB thumb drive, 3G/4G dongles).
Module Slots| Comment
---|---
Expansion slot| Can be used for Sophos 3G/4G or Wi-Fi modules which are optionally available from your Sophos partner.

Power and Port LEDs

Power LEDs

Power 1| Green| Solid| Power Supply 1 Active.
Red| Solid| Power Supply 1 Failure.
Power 2| Green| Solid| Power Supply 2 Active.
Red| Solid| Power Supply 2 Failure.
LEDs on each RJ45 Ethernet Connector

ACT/LNK| Green| Solid| 1. The ethernet port is receiving power.

2. Good connection between the ethernet port and hub.

Flashing| The adapter is sending or receiving network data. The frequency of the flashes varies with the amount of traffic.
Off| 1. The adapter and switch are not receiving power.

2. No connection between both ends of network.

3. Network drivers have not been loaded or do not function correctly.

LEDs on each RJ45 Ethernet Connector

ACT/LNK| Green| Solid| 1. The ethernet port is receiving power.
2. Good connection between the ethernet port and hub.
Flashing| The adapter is sending or receiving network data. The frequency of the flashes varies with the amount of traffic.
Off| 1. The adapter and switch are not receiving power.
2. No connection between both ends of network.
3. Network drivers have not been loaded or do not function correctly.
Speed| Amber| On| If Ethernet port is operating at 1000 Mbps.
---|---|---|---
Green| On| If Ethernet port is operating at 100 Mbps.
Off| If Ethernet port is operating at 10 Mbps.

Status LEDs

LED Booting Codes

System| Router| Internet| Tunnel| Description
| | | | Device is booting.
| | | | Device has finished booting.
| | | | Device is connecting to default gateway/router.
| | | | The default gateway/router is reachable.
| | | | Device is connecting to the internet.
| | | | The connection to the internet has been established.
| | | | The device is connecting to the firewall.
| | | | The connection to the firewall has been established.
| | | | The device is installing a new firmware version.
LED Error Codes

System| Router| Internet| Tunnel| Description
| | | | DHCP or static address settings failed, default gateway not reachable.
| | | | Internet not reachable.
| | | | No connection to firewall.
| | | | No configuration available or firmware update failed.
LED 3G/4G Failover Codes

This LED pattern will only be seen once the tunnel is established.

PoE LEDs on SD-RED 60 Only

PoE1| Green| Solid| LAN1 providing power to connected device.
Blinking fast*| LAN1 has an internal hardware failure.
Blinking slowly*| LAN1 is denied power (e.g. connected device requesting power above max. power capacity) or is detecting a fault on connected device.
off| LAN1 not providing power to connected device.
PoE2| Green| Solid| LAN3 providing power to connected device.
Blinking fast| LAN3 has an internal hardware failure.
Blinking slowly**| LAN3 is denied power (e.g. connected device requesting power above max. power capacity) or is detecting a fault on connected device.
off| LAN3 not providing power to connected device.

The blinking behavior is an on/off cycle approx. once every 1.3 seconds.
The blinking behavior is an on/off cycle approx. once every 2.5 seconds.

Installation

Preliminary steps

Make sure that the SD-RED device has been shipped to the branch office/remote location.
Ask the person who is going to put the SD-RED appliance into operation at the branch
office to provide the unique SD-RED ID, which is printed on the bottom of the device. Note
that the SD-RED device requires a working internet connection at your branch office.

Configuring the SD-RED device

Configure the SD-RED device in your central SG UTM or XG Firewall as described in the respective Sophos Firewall Administration Guides. After completion, the configuration will be uploaded to the cloud-based Sophos broker service.

Connecting the SD-RED at the remote site

Connect the SD-RED device to your router or cable at the remote site as described within the Quick Start Guide and power it on.
After the system has booted, it will connect to the internet to retrieve its configuration from the Sophos broker service.
The status LEDs “System,” “Router,” “Internet,” “Tunnel” should then turn on one after the other.
If you don’t see all four status LEDs turned on or the “System” LED is blinking red, please refer to the LED table above to identify possible error states and contact your administrator.
Important note: If all four status LEDs are blinking in a rotatory sequence the device is installing a new firmware version.

DO NOT POWER IT OFF. The device will reboot automatically.

Powering off the device at this stage could render it inoperable and require its return to the reseller.

Connecting PoE power devices to a SD-RED 60

On SD-RED 60 models, Ports LAN1 and LAN3 are able to provide power over ethernet (PoE) to a connected PoE device which conforms to the standards 802.3af (max. 15.4W) or 802.3at (max. 30W). Each port can provide up to 30 watts max. However, if PoE power is provided to both ports concurrently then the total power drawn should not exceed 30 watts. You can connect either one 802.3at or two 802.3af devices at the same time as shown below:

Powered Ports| LAN1

Max. 15.4 watts

| LAN3

Max. 15.4 watts

---|---|---
Option 1
Option 2| Max. 30 watts| None
Option 3| None| Max. 30 watts

Please consult the documentation of your PoE powered device to identify its correct power class.

Important note: If you accidentally connect one 802.3at and one other 802.3at or 802.3af device at the same time, power for the device on LAN3 (lower priority) will be disabled and the connected device will lose power. The PoE LED of this port will start blinking, indicating a PoE power error, until you remove one of the devices from the LAN1 or LAN3 port (please also see PoE LED table above).

Adding an optional 3G/4G or Wi-Fi expansion module

Both SD-RED models have an expansion bay at the back allowing you to add either a Sophos 3G/4G or a Wi-Fi module, which are available from your Sophos partner.
Both modules are shipped with two antennas (for 3G/4G or 802.11 ac 2×2 Wi-Fi). The wireless module allows you to connect wireless devices to your local LAN at the remote site.
The 3G/4G module can be used as an alternative mobile WAN connection.
For installation instructions, please refer to the documentation available at www.sophos.com/get-started-sd-red.

Connecting devices to the SFP port

Both SD-RED models provide an SFP port which can be used to connect the unit to the local router/cable modem or other set-top box via fiber or other standard SFP mini-GBICs (transceivers).
This port is a combo port shared with the WAN1 port. Therefore, you can only use one of these ports at any time.
If cables are connected to both ports, the SFP port will take precedence.

Using redundant power supplies

Both SD-RED models are shipped with a single power supply, but provide a connector to add a second redundant power supply, allowing you to keep your appliance up and running even if one power supply fails.

The power LED for the respective power supply on the front of the device will only be activated once you have connected a second power supply for the first time, i.e. it will turn red in case the connected power supply fails or there is no power supply connected to the second connector at all.

Serial console

You can connect a serial console to the Micro-USB COM port of the SD-RED devices. You can use, for instance, the HyperTerminal terminal program which is included with most versions of Microsoft Windows to log on to the appliance console. Use a Micro-USB to USB-A adapter cable to connect the console to your SD-RED device.

The required connection settings are:

Bits per second: 115,200
Data bits: 8
Parity: N (none)
Stop bits: 1
Flow Control: N (none)

Access via the serial console is activated by default on ttyS1. The connections of the appliances and the respective functionality are listed in the chapter “Operating Elements and Connections.”

Mounting Instructions

There are various options available allowing you to hang your SD-RED appliance on the wall or mount it to a DIN Rail or into a rack. The following sections provide detailed instructions for the various options.

Warnings and Precautions
The appliance can be operated safely if you observe the following notes and the notes on the appliance itself.

Rack Precautions

Ensure that the leveling jacks on the bottom of the rack are fully extended to the floor with the full weight of the rack resting on them.
In a single rack installation, stabilizers should be attached to the rack.
In multiple rack installations, the racks should be coupled together.
Always make sure the rack is stable before extending a component from the rack.
You should extend only one component at a time – extending two or more simultaneously may cause the rack to become unstable.

General Server Precautions

Review the electrical and general safety precautions that came with the components you are adding to your appliance.
Determine the placement of each component in the rack before you install the rails.
Install the heaviest server components on the bottom of the rack first, and then work up.
Allow the hot plug hard drives and power supply modules to cool before touching them.
Always keep the rack‘s front door, all panels and server components closed when not servicing to maintain proper cooling.

Rack Mounting Considerations

Ambient operating temperature: If installed in a closed or multi-unit rack assembly, the ambient operating temperature of the rack environment may be greater than the ambient temperature of the room. Therefore, you should install the equipment in an environment compatible with the manufacturer’s maximum rated ambient temperature.
Reduced airflow: Equipment should be mounted into a rack with sufficient airflow to allow cooling.
Mechanical loading: Equipment should be mounted into a rack so that a hazardous condition does not arise due to uneven mechanical loading.
Circuit overloading: Consideration should be given to the connection of the equipment to the power supply circuitry and the effect that any possible overloading of circuits might have on overcurrent protection and power supply wiring. Appropriate consideration of equipment nameplate ratings should be used when addressing this concern.
Reliable ground: Reliable grounding must be maintained at all times.
To ensure this, the rack itself should be grounded. Particular attention should be given to power supply connections other than the direct connections to the branch circuit (i.e., the use of power strips, etc.).

Wall mount

You can either hang the unit on the wall by using the wall mount keyholes on the rear of the unit or by using the rackmount kit which is available as an optional accessory.

The following procedure explains how to use the keyholes.

Please note: For wall mounting we recommend using wall plugs and screws with dimensions shown below:

Use the wall mount template to mark the screw mounting positions on the wall.
Drill two wall anchors into the wall at the marked positions and screw two screws into them. Make sure they stand out 4-8mm. We recommend using wall plugs and screws with the dimensions shown below.
Hang the SD-RED unit on the wall by aligning the key holes with the mounted screws

Wall mount

SD-RED Wall mount template

Do not shrink to fit when printing

SD-RED Wall mount template

Rackmount

To mount the SD-RED appliance to a rack (1U), you need the model specific rackmounting kit, which is available as an option from your Sophos partner.

Please note: There are two different rackmounting kits available. Both kits fit with both models. However, only the SD-RED 60 specific kit provides additional bracket(s) to hold the desktop-type power adapter(s). These are not included with the SD RED 20 specific kit since this model uses wall mount type power adapters which are directly plugged into the wall outlet or power strip.

Make sure you only use the screws supplied with the rackmount ears. Using the wrong screws could damage the hardware appliance and would invalidate your warranty.

In addition to the rackmounting kit contents, you will need a long-handed Phillips-head screwdriver.

SD-RED 60 mounting instructions

Remove existing screws from the chassis
Remove the three screws from each side of the chassis.
Install the rackmounting kit device holder to the chassis
Please note: You can mount the unit into a rack either with the front or with the back side facing to you (see figures below). Secure one device holder to each side of the appliance using three of the screws included with the box.
Install the adapter bracket
Attach the power adapter bracket either to the left or right side of the rackmounting kit by using four of the supplied screws. If you are using redundant power supplies fix the second adapter bracket on the other side.
Install the power adapter
Place the adapter(s) on the bracket(s) The PADs supplied with the rackmount kit are only needed with SG 105/115 appliance models which use smaller power adapters (4a).
For SD-RED 60 models a PAD is not required (4b).
Install the unit
You can either install the unit into a rack (5a) or you can hang the unit on a wall (5b).
Use appropriate screws (not supplied with this kit) for this purpose.
For wall mount installation we recommend using wall plugs and screws with dimensions shown below (5c).

mounting instructions

SD-RED 20 mounting instructions

The required connection settings are:

Remove existing screws from the chassis
Remove the three screws from each side of the chassis.
Install the rackmounting kit device holder to the chassis
Please note: You can mount the unit either with the front or with the back side facing to you (see figures below).
Secure one device holder to each side of the appliance using three flat head M3 screws from the scope of supply.
The device holders must only be fixed to the appliance by means of the supplied screws. Screws with other dimensions might damage the appliance.
Install the unit
You can either install the unit into a rack (3a) or you can hang the unit on a wall (3b).
Use appropriate screws (not supplied with this kit) for this purpose.
For wall mount installation we recommend using wall plugs and screws with the dimensions shown below (3c).

DIN Rail Mount

The DIN rail mounting kit is available as an option from your Sophos partner. It includes:

DIN Rail Mount

Install the mounting adapters to the chassis
Place one adapter on each side at the bottom of the chassis and secure it using three of the supplied screws.
Mount the chassis to the DIN rail
Hold the chassis to the DIN Rail and hang it with the fixed parts of the adapters on one side of the DIN Rail. Push the chassis towards the DIN Rail until the flexible part of the adapters snaps into the DIN Rail.
Make sure the chassis is securely fixed.
Removing the chassis from the DIN rail
To remove the chassis from the rail just pull it back on the flexible side of the adapters.

DIN Rail Mount

United Kingdom and Worldwide Sales
Tel: +44 (0)8447 671131
Email: [email protected]

North American Sales
Toll Free: 1-866-866-2802
Email: [email protected]

Australia and New Zealand Sales
Tel: +61 2 9409 9100
Email: [email protected]

Asia Sales
Tel: +65 62244168
Email: [email protected]

© Copyright 2020-21. Sophos Ltd. All rights reserved.
Registered in England and Wales No. 2096520, The Pentagon, Abingdon Science Park, Abingdon, OX14 3YP, UK Sophos is the registered trademark of Sophos Ltd. All other product and company names mentioned are trademarks or registered trademarks of their respective owners.