Sophos Central endpoints has possibility, to update themselves, or send messages status, to a LAN server (that operate as Sophos Update Cache and Message Relay)
Alternatively Endpoints updates, themselves, to internet.
Here they are ports that are necessary to be opened (to permit previously behaviors)
https://support.sophos.com/support/s/article/KB-000035367?language=en_US