Reply
Advisor
garryb73
Posts: 14
Registered: ‎Wed 06-Jun-2012
0
Accepted Solution

Air-gapped Network Configuration

Hello,

 

I am trying to configure an air-gapped solution and am getting the following problem.

 

I currently have a live server configured to download and deploy to my network, but need another solution for my air-gapped network.  I have therefore created a new Windows 2008 server on the air-gapped network and followed the instructions in the sophos article 64899

 

1. Install Enterprise Console on one of the servers in the air gap to centrally manage and update the endpoint computers in the air gap.

  1. Follow the instructions in the Quick Startup Guide to install the management software and cancel the installer when it reaches the Download Security Software wizard.
  2. Create a new folder on the desktop to be used as your update source. Call this folder Update Source and share the folder as SophosUpdateManager.
  3. Ensure that the update manager is not currently an performing an update, otherwise the files copied in the step below will be incomplete and you will have a folder that appears corrupt to the air-gapped update manager. You can view update activity with the Logviewer.exe program. Note: If an update is in progress when copying the files you will see the error could not create catalogue sdds.local when configuring the air-gapped update manager.
  4. Copy the Warehouse directory from the non-air-gapped network onto a removable storage device or CD and submit this medium to your required verification:- On the non-air-gapped network, the Warehouse directory containing the packages is as follows.
    • Windows Server 2000/2003: C:\Documents and Settings\All Users\Application Data\Sophos\Update Manager\Update Manager\Warehouse
    • Windows Server 2008: C:\Program Data\Sophos\Update Manager\Update Manager\Warehouse
  5. Paste the Warehouse directory to the folder Update Source (i.e., the one you created in step 2 above), which is on the desktop in the air-gapped network.
  6. On the air-gapped Update Manager, on the 'Sources' tab, set the primary source to be the UNC path to the 'SophosUpdateManager' share, e.g., \\servername\SophosUpdateManager
  7. Configure your software subscriptions to use the appropriate packages.
  8. Once your update manager has downloaded the packages, deploy them to the air-gapped network.

I have done as above, however when I recheck my subscriptions I get no available software.  Thus I am unable to deploy the software to the clients on this network.

 

The update manager was disable on both servers during the transfer of the warehouse, I have also included the CIFS in the transfer. 

 

I have checked the logviewer and cannot see any errors.

 

Can anyone point me to what is going wrong.

 

Thanks

 

Garry

Executive VIP
QC
Posts: 4,483
Registered: ‎Mon 23-Nov-2009
0

Re: Air-gapped Network Configuration

Hello Garry,

 

what does the Log Viewer show (apart from the fact that there are no obvious errors? Also on the new server - what are the contents of the columns in the Update Managers view?

 

Christian

 

Advisor
garryb73
Posts: 14
Registered: ‎Wed 06-Jun-2012
0

Re: Air-gapped Network Configuration

Hi Christian,

 

The update manager is showing the following:

 

Servername

Last update: 09/01/0213 14:54

Last checked: 09/01/2013 15:19

Configuration: Matches

Version: 1.3.1.168

Number of shares: 1

 

Logviewer

09/01/2013 15:29:20 Success The decode operation was successful, but no new files were decoded.
09/01/2013 15:29:20 Success The decoding of product release 'Sophos Update Manager' version RECOMMENDED was successful, but no new files were decoded.
09/01/2013 15:29:19 Success The decode operation was successful, but no new files were decoded.
09/01/2013 15:29:19 Success Deployment to share 'C:\ProgramData\Sophos\Sophos Endpoint Management\5.1\Updates\Secure\SDFs\SophosPA' was successful, but no changes were needed.
09/01/2013 15:29:19 Success The decode operation was successful, but no new files were decoded.
09/01/2013 15:29:19 Success Deployment to share 'C:\ProgramData\Sophos\Sophos Endpoint Management\5.1\Updates\Secure\SDFs\SophosMA' was successful, but no changes were needed.
09/01/2013 15:29:18 Information Synchronization of protection data was successful.
09/01/2013 15:29:18 Information The synchronization of protection data for product release 'Sophos Patch Server' was successful, but no new data was found. Product release version: RECOMMENDED
09/01/2013 15:29:18 Information The synchronization of protection data for product release 'Sophos Enterprise Console' was successful, but no new data was found. Product release version: 0.0.0
09/01/2013 15:29:18 Information The synchronization of protection data for product release 'Sophos Update Manager' was successful, but no new data was found. Product release version: RECOMMENDED

 

Executive VIP
QC
Posts: 4,483
Registered: ‎Mon 23-Nov-2009
0

Re: Air-gapped Network Configuration

Thanks, Gary - so basically it does work.

You say when you open the Recommended subscription there is no data? Could you perhpas provide a screenshot? BTW: I assume the server you copied from is also SEC 5.1?

 

Christian

 

 

 

 

Advisor
garryb73
Posts: 14
Registered: ‎Wed 06-Jun-2012
0

Re: Air-gapped Network Configuration

The screen shot is a bit difficult but when you check the subscriptions I get the following

 

Software Subscription: Recommended

License: Endpoint Protection - Advanced

Software: Nothing listed

 

On my live server I get the following

 

Software Subscription: Recommended

License: Endpoint Protection - Advanced

Software

Windows NT, Version 4 Recommeded, Status Retired

Windows 2000 and above, Version 9.7 Recommended

 

Yes i'm running 5.1

Executive VIP
QC
Posts: 4,483
Registered: ‎Mon 23-Nov-2009
0

Re: Air-gapped Network Configuration

These are the checked products on the live server?

 

As the license information is there it looks like something's missing from the Warehouse. Please make sure the copy is complete.

 

Christian

Advisor
garryb73
Posts: 14
Registered: ‎Wed 06-Jun-2012
0

Re: Air-gapped Network Configuration

Yes these are the checked products on the live server.

 

I have tried copying he warehouse over twice, but can give it another go.

 

The only difference between the two servers are as follow

 

Live Shares

SophosUpdate: D:\Sophos_Updates\Update Manager

SUMInstallset: D:\Sophos\Enterprise Console\SUMInstaller

UpdateManager: D:\Sophos_Updates\Update Manager

 

Air-Gapped Shares

SophosUpdate: C:\PrograData\Sophos\Update Manager\Update Manager

SUMInstallset: C:\Program Files (x86)\Sophos\Enterprise Console\SUMInstaller

UpdateManager: \\"RemoteServer"\UpdateManager

 

I have copied the containt of the live server (Warehouse & CIDs) and loaded them onto \\"RemoteServer"\UpdateManager  The Enterprise server update manager is conigured to search this source location for updates.

 

Executive VIP
QC
Posts: 4,483
Registered: ‎Mon 23-Nov-2009
0

Re: Air-gapped Network Configuration

Hello Garry,

 

before copying another time (you don't need the CIDs BTW, I'd rather not copy them) please check the current contents of the Warehouse on the air.gapped server. What's the path on disk for \\"RemoteServer"\UpdateManager?

 

Christian

Advisor
garryb73
Posts: 14
Registered: ‎Wed 06-Jun-2012
0

Re: Air-gapped Network Configuration

The warehouse looks the same as the one on the live server.

 

The path on the remote server is E:\Update Manager, Shared out as SophosUpdateManager.

 

It was located on my Domain controller, but I have now relocated it to the file server on the domain.  However when I try to add the new source I get the following error

 

The operation failed. Details: Failed to create a warehouse check action! SDDM returned 0xffffffff

Would you like to use these source details anyway ?

Advisor
garryb73
Posts: 14
Registered: ‎Wed 06-Jun-2012
0

Re: Air-gapped Network Configuration

Re-starting the SUM has cleared this error, however when I run the update nothing changes.