Sophos APX 530

Configure security, backend authentication, client connection, quality of service (QoS), network availability, and captive portal.

Sophos APX; Sophos RED: How to find the revision number of a Sophos network appliance. APX 530 ETSI: P12: Rev.1: APX 530 ROW: P13: Rev.1: APX 740 FCC: P21: Rev.1.

Sophos APX 530 Access Point (FCC) plain, no Power Adapter/PoE Injector.

Currently available for management in Sophos Central. The Sophos APX Series is a growing portfolio of Synchronized Security ready access points. With 802.11ac Wave 2 technology, they are custom-built for increased throughput at load and better performance.

Having a hard time finding reviews on the APX lineup. We are looking at the APX 530s, Meraki, and Aruba APs. I know Meraki and Aruba are likely much better and have features the APXs lack, but they are also 3-4x the price. We currently operate a mix of XG 330, 230, 135, and 115s in our environment, all on 17.5 currently.

Go to Wireless > SSIDs and click Advanced Settings.

  • Sophos APX 530 Access Point (ROW) plain, no power adapter/PoE Injector 3x3 MIMO, internal antennas. Includes mounting bracket for wall and 15/16', 9/16', 3/8' ceiling T-bar. No power adapter/PoE Injector, 16.7W max. power consumption. 5-Year warranty, no extended warranty available.

Security

Define settings to make your network more secure.

Synchronized Security: Enable to ensure that clients with Sophos Endpoint Protection and Sophos Mobile Protection can communicate with Sophos Central Wireless access points. If Synchronized Security is enabled on both Sophos XG Firewall and Sophos Central Wireless, the settings on Sophos XG Firewall take precedence.

To use this feature, you need to have an Endpoint Advanced Protection license for your endpoints. For mobile protection, go to Mobile > Set up > System setup > Network Access Control, and select Sophos Wireless.

Note: Available only for APX 320, APX 530, and APX 740.

Security Heartbeat green: Indicates that the endpoint is healthy and all traffic is allowed.

Security Heartbeat yellow: Indicates that a potentially unwanted application (PUA) or inactive malware has been detected. All traffic is allowed.

Security Heartbeat red: Indicates that active malware or ransomware has been detected or the access point is unable to receive Security Heartbeat messages from the endpoint’s Sophos Endpoint Services. The access point blocks all internet traffic. Only traffic from the secured browsing environment (walled garden or safe URLs list) is allowed.

Sophos Mobile (UEM): Turned on by default. Allows heartbeat information to be sent from Sophos managed mobile devices. You can also manage policies for these devices in Sophos Central.

Sophos Central Endpoint Protection: Turn on if you want to manage endpoint policies in Sophos Central. Alternatively you can manage endpoint policies in XG Firewall.

Restrict SSID to Sophos Managed Devices: When an unmanaged device connects to the SSID, after authentication, we determine that the device is unmanaged and display a landing page, which you have to configure. The device is put behind a walled garden. The behavior of this device is similar to having a red security heartbeat status. The device is allowed to access only Sophos websites or those URLs and IPs that are on the allowed list.

A managed device is a mobile or endpoint device protected by Sophos.

When you enable this option the landing page configuration is shown. Enter the following information:

  • Page Title
  • Welcome Text
  • Message to appear
  • Company logo

Allowed domains: Enter domains here that you still want clients to access, along with any .sophos.com domains, when they have a red Synchronized Security status. These domains will also be accessible by unmanaged devices if you have turned on Restrict SSID to Sophos Managed Devices. Both IP addresses and domain names are supported.
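
The access decisions described above (heartbeat colour, Restrict SSID to Sophos Managed Devices, and the allowed domains list) can be modelled as follows. This is an added example, not Sophos code: the function names, the exact-match rule for allowed-list entries, the treatment of unmanaged devices when the restriction is off, and the sample hosts in the comments are assumptions.

```python
import ipaddress

SOPHOS_SUFFIX = "sophos.com"  # the page: .sophos.com domains stay reachable


def normalise(host):
    """Lower-case a host name and drop a trailing dot; canonicalise IPs."""
    host = host.strip().lower().rstrip(".")
    try:
        return str(ipaddress.ip_address(host))
    except ValueError:
        return host  # not an IP literal, treat as a domain name


def in_walled_garden(dest, allowed_entries):
    """True if dest is still reachable from behind the walled garden."""
    dest = normalise(dest)
    # Match on a label boundary so "notsophos.com" is not treated as Sophos.
    if dest == SOPHOS_SUFFIX or dest.endswith("." + SOPHOS_SUFFIX):
        return True
    # Assumption: allowed-list entries (domains or IPs) match exactly.
    return dest in {normalise(entry) for entry in allowed_entries}


def is_restricted(heartbeat, managed, restrict_to_managed):
    """Decide whether a client is placed behind the walled garden.

    heartbeat is "green", "yellow", "red", or None when no Security
    Heartbeat message is received from the client.
    """
    if not managed:
        # Unmanaged devices are restricted only when the SSID option is on
        # (assumption: they pass unrestricted otherwise).
        return restrict_to_managed
    # Green and yellow allow all traffic; red or a missing heartbeat does not.
    return heartbeat not in ("green", "yellow")


def decide(dest, heartbeat, managed, restrict_to_managed, allowed_entries):
    """Return "allow" or "block" for one connection attempt."""
    if not is_restricted(heartbeat, managed, restrict_to_managed):
        return "allow"
    return "allow" if in_walled_garden(dest, allowed_entries) else "block"


# Constructed sample: a red-status client may reach central.sophos.com and
# listed entries, but not a look-alike such as notsophos.com.
SAMPLE_ALLOWED = ["updates.example.org", "192.0.2.10"]
```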

Hidden SSID: Hides the SSID from network scans. When hidden, the SSID is still available and you need to know the SSID name for a direct connection. Even if an SSID is hidden, you can assign the SSID to an access point.

Note: This is not a security feature. You still need to protect hidden SSIDs.

Client isolation: Blocks communication between clients within the same radio frequency. This is useful in a guest or hotspot network.

MAC Filtering: Provides minimal security by restricting Media Access Control (MAC) address connections.

  • None: No restriction on MAC addresses.
  • Blocked List: All MAC addresses are allowed except those that you enter here.
  • Allowed List: All MAC addresses are prohibited except those that you enter here.
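
The three MAC filtering modes, together with a list audit worth running before relying on a Blocked or Allowed List, are shown below as an added example (not Sophos code; function names and sample addresses are constructed). Entries are normalised so the same address typed in different notations matches, and entries with the locally administered bit set are flagged, since those addresses are software-assigned rather than fixed to the hardware.

```python
import re

HEX12 = re.compile(r"^[0-9a-f]{12}$")


def normalise_mac(text):
    """Return a MAC as aa:bb:cc:dd:ee:ff; accepts ':', '-', '.' or no separator."""
    digits = re.sub(r"[:\-.]", "", text.strip().lower())
    if not HEX12.match(digits):
        raise ValueError(f"not a MAC address: {text!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def is_locally_administered(mac):
    """True if the U/L bit (0x02 in the first octet) is set."""
    return bool(int(normalise_mac(mac)[:2], 16) & 0x02)


def mac_permitted(client_mac, mode, entries=()):
    """Apply the SSID's MAC filtering mode to one client address.

    mode is "none", "blocked" (listed addresses are refused) or
    "allowed" (only listed addresses are accepted).
    """
    client = normalise_mac(client_mac)
    listed = client in {normalise_mac(entry) for entry in entries}
    if mode == "none":
        return True
    if mode == "blocked":
        return not listed
    if mode == "allowed":
        return listed
    raise ValueError(f"unknown MAC filtering mode: {mode!r}")


def audit_entries(entries):
    """Report duplicate and locally administered entries in a filter list."""
    seen, duplicates, local = set(), [], []
    for entry in entries:
        mac = normalise_mac(entry)
        if mac in seen:
            duplicates.append(mac)
        seen.add(mac)
        if is_locally_administered(mac) and mac not in local:
            local.append(mac)
    return {"duplicates": duplicates, "locally_administered": local}


# Constructed sample list: the first two entries are the same address.
SAMPLE_ENTRIES = ["00-1A-2B-3C-4D-5E", "001a.2b3c.4d5e", "DA:A1:19:00:00:01"]
```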

Client Connection

LAN: Bridges a wireless network onto the network of an access point. The wireless clients share the same IP address range.

VLAN: Directs the client traffic to specific VLANs. The uplink switch must be configured to accept VLAN packets.

RADIUS VLAN Assignment: Separates users without having multiple SSIDs. Available with encryption mode WPA/WPA2 Enterprise.

Users will be tagged to a VLAN provided by a RADIUS server. Traffic is untagged if the RADIUS server does not provide VLAN.

Note: IPv6 is blocked in SSIDs if dynamic VLAN is enabled. If IPv6 is not blocked, devices may end up with multiple IPv6 addresses and gateways from multiple VLANs.
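
Dynamic VLAN assignment is conventionally signalled with the RFC 3580 tunnel attributes in the RADIUS Access-Accept. The added example below (not Sophos code) parses those attributes from a constructed attribute buffer and reproduces the fallback described above, where a reply without a usable VLAN leaves traffic untagged. That the access point reads exactly these attributes is an assumption, and the function names are hypothetical.

```python
TUNNEL_TYPE = 64              # RFC 2868
TUNNEL_MEDIUM_TYPE = 65       # RFC 2868
TUNNEL_PRIVATE_GROUP_ID = 81  # RFC 2868; carries the VLAN ID as text
TYPE_VLAN = 13                # RFC 3580
MEDIUM_IEEE_802 = 6           # RFC 3580


def parse_attributes(buf):
    """Split the attribute section of a RADIUS packet into (type, value) pairs."""
    attrs, pos = [], 0
    while pos < len(buf):
        if pos + 2 > len(buf):
            raise ValueError("truncated attribute header")
        attr_type, length = buf[pos], buf[pos + 1]
        if length < 2 or pos + length > len(buf):
            raise ValueError("bad attribute length")
        attrs.append((attr_type, buf[pos + 2:pos + length]))
        pos += length
    return attrs


def tagged_int(value):
    """Tunnel-Type and Tunnel-Medium-Type: one tag byte, then a 3-byte integer."""
    if len(value) != 4:
        raise ValueError("tunnel attribute must be 4 bytes")
    return int.from_bytes(value[1:], "big")


def assigned_vlan(buf):
    """Return the VLAN ID from an Access-Accept, or None for untagged traffic."""
    tunnel_type = medium = group = None
    for attr_type, value in parse_attributes(buf):
        if attr_type == TUNNEL_TYPE:
            tunnel_type = tagged_int(value)
        elif attr_type == TUNNEL_MEDIUM_TYPE:
            medium = tagged_int(value)
        elif attr_type == TUNNEL_PRIVATE_GROUP_ID and value:
            # A leading byte of 0x1F or below is a tag, not part of the string.
            text = value[1:] if value[0] <= 0x1F else value
            group = text.decode("ascii", errors="replace")
    if tunnel_type != TYPE_VLAN or medium != MEDIUM_IEEE_802 or group is None:
        return None  # RADIUS did not provide a VLAN: traffic stays untagged
    if not group.isdigit() or not 1 <= int(group) <= 4094:
        return None  # not a usable 802.1Q VLAN ID
    return int(group)


def attr(attr_type, value):
    """Build one attribute TLV (used for the constructed samples below)."""
    return bytes([attr_type, len(value) + 2]) + value


# Constructed Access-Accept attribute buffers.
ACCEPT_VLAN_120 = (attr(TUNNEL_TYPE, b"\x00\x00\x00\x0d")
                   + attr(TUNNEL_MEDIUM_TYPE, b"\x00\x00\x00\x06")
                   + attr(TUNNEL_PRIVATE_GROUP_ID, b"120"))
ACCEPT_NO_VLAN = attr(1, b"alice")  # User-Name only, no tunnel attributes
```

A RADIUS policy that omits the tunnel attributes for some users silently places them on the untagged network, so it is worth checking the replies for every policy branch.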

Enable Guest Network: Enables a guest network. A guest network provides an isolated network for the clients with some traffic restrictions. Access points can have one guest network at a given time. The following modes are available:

Bridge Mode: Uses the DHCP server from the same subnet.

It filters all traffic and only allows communication to the gateway, DNS server, and external networks. You can add a guest network to an environment without VLAN and still have isolation. As the DHCP server is still on your network, roaming between access points will work.

Note: By using VLAN for your guest network, you can have a separate guest VLAN in addition to the guest network.

NAT Mode: Uses the on-board DHCP server on the access point. This provides local isolated IPs to the guest network clients. Clients are unaware of the internal IP scheme.

In NAT mode, a DNS server is optional for a client address. If a DNS address is not assigned to the client by the DNS server, the client is assigned the same DNS address as the access point.

Bridge mode has a higher throughput, whereas NAT mode has more isolation.

Network Availability

Define SSIDs that are available only at certain times of day or on certain days of the week. The SSIDs are not visible outside those times.

Always: Select to make SSID available at all times.

Scheduled: Select the weekdays and timeframes for the network to be available.

Quality of Service

Configure settings to optimize your network.

Multicast to unicast conversion: Optimizes the multicast packets to unicast packets. The access point converts multicast packets to unicast packets individually for each client based on the Internet Group Management Protocol (IGMP).

It works best when fewer clients are connected to one access point.

The conversion to unicast is preferred for media streaming as it can operate at higher throughput rates.

Proxy ARP: Enables the access point to answer Address Resolution Protocol (ARP) requests intended for the connected wireless clients.

Fast roaming: Optimizes the roaming times when switching between different access points. SSIDs with WPA2 encryption use the IEEE 802.11r standard to reduce roaming times (with enterprise authentication). It applies when the same SSID is assigned to different access points. Clients also need to support the IEEE 802.11r standard.

Keep broadcasting: Ensures that the access point keeps broadcasting when it is not able to reconnect to Sophos Central after a restart. If this is turned on, clients will still be able to connect to the access point and/or to the internet, and the access point works with its old configuration.

Note: The SSID will be broadcast in all cases of connection loss to Sophos Central, regardless of whether this function is turned on or not.

Band Steering: Distributes clients based on the load on two radio bands and the client's capability between the 2.4 GHz and 5 GHz bands. Dual-band capable wireless clients will be routed to 5 GHz, if possible, to improve the client experience. This is done by rejecting the initial association request sent by the client in the 2.4 GHz band. This will cause a dual-band client to then attempt to negotiate at 5 GHz. If it does not associate in the 5 GHz band, it will be marked as “steering unfriendly” and will not be routed again. If a client is too far away from the access point, routing will not be attempted. This prevents routing clients to 5 GHz when the range is usually less than in the 2.4 GHz band. Band Steering is done on a per access point level and will affect all SSIDs on that access point.

Captive Portal

Activate and configure a hotspot.

Enable hotspot: Turns the SSID into a hotspot. This allows cafés, hotels, or companies to provide time and traffic restricted internet access to guests.

Warning: In many countries, operating a public hotspot is subject to specific national laws that restrict access to websites with legally questionable content, for example file sharing sites or extremist websites.

Page Title: You can define a title for the landing page. It is visible to the users when they accept terms of service.

Welcome Text: You can define welcome text for the landing page.

Terms of Service: Users have to accept the terms of service before authentication.

Backend Authentication: With this authentication type, users can authenticate via Remote Authentication Dial-In User Service (RADIUS).

Note: Backend authentication requires PAP (Password Authentication Protocol) policy on the RADIUS server. All user credentials transmitted to the RADIUS server will be encrypted with HTTPS by Sophos Central.

Password schedule: You can create a new password automatically on a fixed schedule. If the schedule is set to weekly or monthly, you can also select a weekday or week. The old password expires when the scheduled time is reached and current sessions are cut off. The new password is sent as a notification to the specified email addresses.

Voucher: With this hotspot type, vouchers with time limitations can be generated, printed, and given to customers. After entering the code, users can directly access the internet.

Social Login: You can allow your users to authenticate using their social media accounts. You can let them use their Facebook or Google accounts. To set up Google authentication, go to the Google Developer Console and get the Client ID and Secret for Google. Enter this information here. To set up Facebook authentication, go to Facebook Developer Account and get the Application ID and Secret for Facebook. Enter this information here.

To retrieve the Google client ID from the Google Developer Console, do the following:

  1. Create a new project.
  2. Go to the OAuth Consent screen and enter the application name. You can enter anything in this field. Then enter the authorized domain, which has to be 'myapsophos.com'.
  3. Go to Credentials > Create credentials > OAuth client ID.
  4. Choose Web application as the application type.
  5. Under the restrictions, enter the authorized JavaScript origins and authorized redirect URIs as given below.

    Authorized JavaScript origins: https://www.myapsophos.com:8443

    Authorized redirect URIs: https://www.myapsophos.com:8443/hotspot.cgi

Note: If a user signs in with a social media account, they are asked to accept the certificate and continue. They must click the Google button to do this.

Note: If a user authenticates with a social media account, we don't store personal information from that account.

Session Timeout: Restricts the user's internet access time.

Re-Login Timeout: Enabling this will prevent the user from re-logging into the network for 24 hours from the time of initial connection to social login.

Note: A maximum of 8 devices can connect using the same email ID.

Redirect URL: You can define the URL to which users will be redirected from the landing page. Users can be redirected to the default website of the mobile device or a specific website of your choice. For example, your company page.

Customers, please note: A Wireless Protection subscription is required for all Sophos Access Points.
Please Note: All Prices are Inclusive of GST

Sophos APX 530 Access Point (ROW) plain, no power adapter/PoE Injector
3x3 MIMO, internal antennas. Includes mounting bracket for wall and 15/16', 9/16', 3/8' ceiling T-bar. No power adapter/PoE Injector, 16.7W max. power consumption. 5-Year warranty, no extended warranty available.
Central Wireless Standard (for APX) - 1 Access Points - 1 Year
Central Wireless Standard (for APX) - 1 Access Points - 2 Year
Central Wireless Standard (for APX) - 1 Access Points - 3 Year
PoE-Injector 802.3at (Gbit/30W) - with AU Power Cord

Overview:

Sophos APX Series

Currently available for management in Sophos Central.

The Sophos APX Series is a growing portfolio of Synchronized Security ready access points. With 802.11ac Wave 2 technology, they are custom-built for increased throughput at load and better performance and security.

APX Series - Product Benefits

  • Security Heartbeat™ ready to connect with other Sophos Central managed products
  • Significant performance improvement over legacy 802.11 Wave 1 models
  • Optimized for both wall- and ceiling-mount
  • 5-year warranty as standard, Advance Replacement RMA included in subscription

APX 740 - our flagship 4x4:4 product for high-density, high-capacity environments

APX 530 - high-performance 3x3:3 access point for typical office environments of all sizes

APX 320 - 2x2:2 access point, dual 5 GHz capable, ideal in high-density school environments or small retail scenarios

Highlights

  • Managed from Sophos Central
  • Superior visibility into wireless health
  • Simple deployment and administration
  • Synchronized Security-ready
  • Enhanced security with rogue AP detection
  • Multi-site management and cloud scalability

Features:

The smarter way to simple, secure Wi-Fi

Sophos Wireless provides an easy, effective way to manage and secure your wireless networks. You can use it on its own or as part of your Sophos Central portfolio of cloud-managed security solutions.

Manage all your security on a single platform

Sophos Central is a highly scalable management platform which gives you a single pane of glass for all of your cloud-managed security solutions. Using Sophos Central, you can manage Sophos Wireless on its own, or alongside your Endpoint, Mobile, Email, Encryption and Server Protection.

Superior visibility into wireless health

The Sophos Wireless dashboard puts all the key information about the health of your wireless networks and connecting clients directly at your fingertips. Not only can you see if there are potential threats you need to deal with, such as rogue APs, but you can also quickly identify clients with compliance or connectivity issues.

Simple deployment and administration

Using the step-by-step guidance in our on-boarding wizard, creating networks, registering one or more access points, and adding sites is child's play. Our solution is built to be simple to use, even for non-wireless experts, but that doesn't mean you forfeit functionality. Schedule firmware upgrades to keep your network up to date and benefit from new features and enhancements in every release.

Intelligence connected with Security Heartbeat™

When using our Security Heartbeat™ enabled APX Series access points, you can monitor the health status of any Sophos Central-managed endpoint or mobile device and so automatically restrict web access on trusted Wi-Fi networks. Users with serious compliance issues see a splash screen to alert them to their walled garden status but receive full connectivity again, once health is restored.

Security enhanced for your trusted Wi-Fi networks

Our Enhanced Rogue AP Detection classifies neighboring Wi-Fi networks to identify threats and prevent attempts to infiltrate an organization via Wi-Fi.

Additionally, you can keep your networks secure by providing controlled internet access and hotspots for visitors, contractors, and other guests on your network. Use enterprise-grade backend authentication for a seamless user experience.

Multi-site management and cloud scalability

Whether you have just one growing network, or multiple sites, extending your Wi-Fi is as simple as adding an additional access point.

Sophos APX Series Access Points - at a glance

The Sophos APX Series is a growing portfolio of Security Heartbeat-enabled access points. With 802.11ac Wave 2 technology, they are custom-built for increased throughput at load and better performance and security.

Specifications:

802.11ac Wave 2

| | APX 320 | APX 530 | APX 740 |
|---|---|---|---|
| Management | Sophos Central; XG Firewall planned for late 2018 | Sophos Central; XG Firewall planned for late 2018 | Sophos Central; XG Firewall planned for late 2018 |
| Deployment * | Indoor; desktop, wall, or ceiling mount | Indoor; desktop, wall, or ceiling mount | Indoor; desktop, wall, or ceiling mount |
| WLAN Standards | 802.11a/b/g/n/ac | 802.11a/b/g/n/ac | 802.11a/b/g/n/ac |
| Radios | 1x 2.4 GHz / 5 GHz dual-band; 1x 5 GHz single band; 1x Bluetooth low energy (BLE) | 1x 2.4 GHz single band; 1x 5 GHz single band; 1x Bluetooth low energy (BLE) | 1x 2.4 GHz single band; 1x 5 GHz single band; 1x Bluetooth low energy (BLE) |
| Antennas | 2x internal dual-band antenna for Radio-1; 2x internal 5 GHz antenna for Radio-2; 1x internal 2.4 GHz antenna for BLE | 3x internal 2.4 GHz antenna for Radio-1; 3x internal 5 GHz antenna for Radio-2; 1x internal 2.4 GHz antenna for BLE | 4x internal 2.4 GHz antenna for Radio-1; 4x internal 5 GHz antenna for Radio-2; 1x internal 2.4 GHz antenna for BLE |
| Performance | 2x2:2 MU-MIMO | 3x3:3 MU-MIMO | 4x4:4 MU-MIMO |
| Interfaces | 1x RJ45 connector console serial port; 1x RJ45 10/100/1000 Ethernet w/PoE | 1x RJ45 connector console serial port; 1x RJ45 10/100/1000 Ethernet port; 1x RJ45 10/100/1000 Ethernet w/PoE | 1x RJ45 connector console serial port; 1x RJ45 10/100/1000 Ethernet port; 1x RJ45 10/100/1000 Ethernet w/PoE |
| Power (Max.) | 11.5 W | 16.7 W | 22.4 W |
| Power-over-Ethernet (Min.) | PoE 802.3af | PoE+ 802.3at | PoE+ 802.3at |
| Dimensions | 155x155x38 mm | 183x183x39 mm | 195x195x43 mm |
| Weight | 0.474 kg | 0.922 kg | 1.012 kg |
| Certifications ** | CB, UL, CE, FCC, IC, RCM | CB, UL, CE, FCC, IC, RCM | CB, UL, CE, FCC, IC, RCM |

Compliance: All APX models have a plenum-rating and comply with EN 60601-1-2

Warranty: All APX models have a standard 5-year warranty included in the purchase price

Support: A Central Wireless Standard Subscription for APX includes Enhanced Support with Advance Replacement RMA

* A bracket for wall- and/or 15/16', 9/16', 3/8' T-bar ceiling-mount is included with every APX. Further mounting kits will be available for purchase in the near future.

** Further certifications for some models are currently in progress, e.g. MIC for Japan and Anatel for Brazil. APX models are not sold in China, Taiwan and Malaysia at this time.

Documentation:

Download the Sophos APX Series Access Points Data Sheet (PDF).

Pricing Notes:

  • All Prices are Inclusive of GST
  • Customers, please note: A Wireless Protection subscription is required for all Sophos Access Points
  • Pricing and product availability subject to change without notice.
  • Management in Sophos Central only. XG Firewall support planned for late 2018.
Sophos APX 530 Access Point (ROW) plain, no power adapter/PoE Injector
3x3 MIMO, internal antennas. Includes mounting bracket for wall and 15/16', 9/16', 3/8' ceiling T-bar. No power adapter/PoE Injector, 16.7W max. power consumption. 5-Year warranty, no extended warranty available.
Sophos Central Wireless Standard (for APX) - 1 Year
Central Wireless Standard (for APX) - 1 Access Points - 1 Year
Central Wireless Standard (for APX) - 2-4 Access Points - 1 Year
Central Wireless Standard (for APX) - 5-9 Access Points - 1 Year
Central Wireless Standard (for APX) - 10-24 Access Points - 1 Year
Central Wireless Standard (for APX) - 25-49 Access Points - 1 Year
Central Wireless Standard (for APX) - 50-99 Access Points - 1 Year
Central Wireless Standard (for APX) - 100+ Access Points - 1 Year
Sophos Central Wireless Standard (for APX) - 2 Year
Central Wireless Standard (for APX) - 1 Access Points - 2 Year
Central Wireless Standard (for APX) - 2-4 Access Points - 2 Year
Central Wireless Standard (for APX) - 5-9 Access Points - 2 Year
Central Wireless Standard (for APX) - 10-24 Access Points - 2 Year
Central Wireless Standard (for APX) - 25-49 Access Points - 2 Year
Central Wireless Standard (for APX) - 50-99 Access Points - 2 Year
Central Wireless Standard (for APX) - 100+ Access Points - 2 Year
Sophos Central Wireless Standard (for APX) - 3 Year
Central Wireless Standard (for APX) - 1 Access Points - 3 Year
Central Wireless Standard (for APX) - 2-4 Access Points - 3 Year
Central Wireless Standard (for APX) - 5-9 Access Points - 3 Year
Central Wireless Standard (for APX) - 10-24 Access Points - 3 Year
Central Wireless Standard (for APX) - 25-49 Access Points - 3 Year
Central Wireless Standard (for APX) - 50-99 Access Points - 3 Year
Central Wireless Standard (for APX) - 100+ Access Points - 3 Year
Sophos Central Wireless Standard (for APX) - 1 Year Renewal
Central Wireless Standard (for APX) - 1 Access Points - 1 Year - Renewal
Central Wireless Standard (for APX) - 2-4 Access Points - 1 Year - Renewal
Central Wireless Standard (for APX) - 5-9 Access Points - 1 Year - Renewal
Central Wireless Standard (for APX) - 10-24 Access Points - 1 Year - Renewal
Central Wireless Standard (for APX) - 25-49 Access Points - 1 Year - Renewal
Central Wireless Standard (for APX) - 50-99 Access Points - 1 Year - Renewal
Central Wireless Standard (for APX) - 100+ Access Points - 1 Year - Renewal
Sophos Central Wireless Standard (for APX) - 2 Year Renewal
Central Wireless Standard (for APX) - 1 Access Points - 2 Year - Renewal
Central Wireless Standard (for APX) - 2-4 Access Points - 2 Year - Renewal
Central Wireless Standard (for APX) - 5-9 Access Points - 2 Year - Renewal
Central Wireless Standard (for APX) - 10-24 Access Points - 2 Year - Renewal
Central Wireless Standard (for APX) - 25-49 Access Points - 2 Year - Renewal
Central Wireless Standard (for APX) - 50-99 Access Points - 2 Year - Renewal
Central Wireless Standard (for APX) - 100+ Access Points - 2 Year - Renewal
Sophos Central Wireless Standard (for APX) - 3 Year Renewal
Central Wireless Standard (for APX) - 1 Access Points - 3 Year - Renewal
Central Wireless Standard (for APX) - 2-4 Access Points - 3 Year - Renewal
Central Wireless Standard (for APX) - 5-9 Access Points - 3 Year - Renewal
Central Wireless Standard (for APX) - 10-24 Access Points - 3 Year - Renewal
Central Wireless Standard (for APX) - 25-49 Access Points - 3 Year - Renewal
Central Wireless Standard (for APX) - 50-99 Access Points - 3 Year - Renewal
Central Wireless Standard (for APX) - 100+ Access Points - 3 Year - Renewal
PoE-Injector 802.3at (Gbit/30W) - with AU Power Cord
Sophos APX Mounting bracket kit for plenum & flat ceiling mount (for APX 320, 530, 740 only)
Sophos APX Suspend mount kit (for APX 320, 530, 740 only)