
Sophos Complete Security Suite

We are currently using an AV suite from another company.  I just wanted to ask your opinion on the above security suite as it is one of the products we are evaluating.  

- how efficient is it in catching virus, malware and adware

- how is it affecting the performance of both the server it is installed in and the user's machines

- how manageable is it as far as pushing to new machines

- can I install the Enterprise Console in a VM

I may have some more questions in the future.

Thanks..

:26297


  • Hi,

    To answer your questions:

    You can certainly install Enterprise Console (SEC) in a VM.  That is supported.

    It's very easy to deploy to endpoints and can be done in a variety of ways.  The push from the console with SEC 5.1 is much more likely to succeed than with previous versions.  It's also easy to script the install, as you can just run setup.exe with the required switches. http://www.sophos.com/en-us/support/knowledgebase/12570.aspx.  Incorporate install commands into AD startup scripts for example.

    A good tip to obtain an install string is to deploy to a template command whilst monitoring the scheduled tasks, once the install task is created you can look at the properties.  This will give you the full command line and save having to obfuscate the username and password switches yourself.  You can also add on additional switches such as -g to add the machines to a group in SEC at install.

    Performance wise, it should be fine out of the box, but you can always customise the scanning options and add exclusions where necessary.  I've not had any problems.

    The layered approach is always going to be your best bet, defense in depth really is the key.  If you can put the web appliance in front of users that's a powerful tool to control what is likely to get as far as the client from the web as a route in.  The web has to be the main entry point.

    App Control, Device Control, Data Control, patch, Web control (client based), tamper protection, Firewall are all helpful to reduce risk also so using them in combination where required is the way to do it.  Encryption is also vital for laptops leaving the site.

    As for installing SEC, the main thing I would recommend is to create two service accounts before you start, e.g:

    1. SophosManagement
    2. SophosUpdate

    They can be regular users, just untick "user must change password at next logon" as password never expires.  The SophosManagement account needs to be able to log on to the management server machine, so that is worth testing.  This way when you run the installer you're ready.

    Any questions, ask away.

    Hope that helps,

    Regards

    Jak

    :26301
  • When I install Sophos Enterprise Console (SEC), what exactly am I getting with it?  Is it just the console to manage the application?  Or do I get the AV, Device Control, Data Control... with it?

    For testing purposes, I plan on installing this on a physical Win 2008 R2 server that is in a workgroup.

    Is there an agent that needs to be installed on the computers that will be protected by Sophos?

    :26343
  • Hi,

    Yes, you install on your chosen management server Enterprise Console.  This installs the software that can manage your endpoints from a point of view of defining groups and policies, etc.

    During the server install it also installs an application called Sophos Update Manager (SUM).  You also configure SUM through Enterprise Console.  SUM is the component that downloads the updates from Sophos and ultimately ends up creating a share that contains the client software  (\\server\sophosupdate).

    Once complete you need to protect your clients and server from this location to install the endpoint software.

    Hope that helps.

    Regards,

    Jak

    :26345
  • So, I have installed SEC on a Win 2008 R2 SP1 server and it is on a workgroup. I also have a laptop (Win XP) that is on the same workgroup. Both of these machines are plugged in to the same hub. In the upper left hand corner in SEC, I can see a total of 2 machines, the server and the laptop. The server shows up in the Managed and Connected group. The laptop shows up in the Unmanaged group and is grayed out. What should I do to 'ungray' it?
    :26461
  • Hi,

    I assume the client hasn't been protected yet and therefore hasn't communicated with the server.  The computer record was added by performing a search which found it.  It next needs the Remote Management System (RMS) to communicate.

    There are 2 approaches:

    1. Create a new SEC group, call it "Clients" for example.

    2. This new group will have the "Default" updating assigned to it as well as all the other "Default" policies.

    3. You should be able to move the computer to this new group and then right click on the computer and choose protect.  You can't protect a computer until it's in a group, as when it's in Unassigned it doesn't have any policies assigned to it.

    So this is the push from SEC to the client.  The other option is to perform a pull install by running setup.exe from the server share on the client.

    So at the client, browse back to the server:

    \\<server>\SophosUpdate\CIDs\S000\SAVSCFXP\setup.exe

    In SEC you can see the View - "Bootstrap Locations" dialog to see these locations.

    You can then enter the details required to perform the install.  (To script the pull method for use in scripts, see: http://www.sophos.com/en-us/support/knowledgebase/12570.aspx )

    Once RMS is installed (This is the first endpoint package to be installed by Sophos AutoUpdate) the machine should show up in SEC as connected.   You can move it to a group as required.

    To ensure RMS works correctly, you should ensure that the firewall on the server allows TCP 8192 and TCP 8194 Incoming.

    Ideally you would also configure the client to allow 8194 TCP incoming.  If you use the Sophos Client Firewall, this will allow the RouterNt.exe process anyway.

    Regards,

    Jak 

    :26467
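The prerequisites described in the reply above (TCP 8192 and 8194 reachable on the management server, and the bootstrap share readable from the client) can be checked from the endpoint before attempting a push or pull install. This is an added example, not part of the thread and not Sophos code; the `-Server` parameter and the `Test-TcpPort` helper are assumptions made for illustration, and the share path is the one quoted in the reply (confirm yours in the Bootstrap Locations dialog).

```powershell
# Added example (not from the thread). Run on the endpoint to be protected.
# Assumption: -Server is the name of your SEC management server.
param(
    [Parameter(Mandatory = $true)][string]$Server,
    [int]$TimeoutMs = 3000
)

# Hypothetical helper: TCP connect with a timeout, using plain .NET sockets
# so it also works on older PowerShell versions.
function Test-TcpPort {
    param([string]$ComputerName, [int]$Port, [int]$TimeoutMs)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($ComputerName, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) {
            return $false              # timed out: filtered or host unreachable
        }
        $client.EndConnect($async)     # throws if the connection was refused
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

$results = @()

# RMS ports the server firewall must allow inbound (per the reply above).
foreach ($port in 8192, 8194) {
    $results += New-Object PSObject -Property @{
        Check  = "TCP $port to $Server"
        Passed = Test-TcpPort -ComputerName $Server -Port $port -TimeoutMs $TimeoutMs
    }
}

# Bootstrap location quoted in the reply; yours may differ.
$setup = "\\$Server\SophosUpdate\CIDs\S000\SAVSCFXP\setup.exe"
$results += New-Object PSObject -Property @{
    Check  = "Read access to $setup"
    Passed = [bool](Test-Path -LiteralPath $setup -ErrorAction SilentlyContinue)
}

$results | Format-Table Check, Passed -AutoSize
if ($results | Where-Object { -not $_.Passed }) { exit 1 }
```

A failed port check points at the server firewall rule; a failed share check points at the account used on the client not having read access to the SophosUpdate share.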
  • Hello Jak, I created a group and moved that XP machine in there. When I right click on that machine, it takes me to a Download Security Software Wizard screen and it says that I need the username and password supplied by Sophos. I don't believe I have received anything from Sophos. Thanks.. Jun
    :26539
  • I forgot to mention that I have turned off the firewall on this test server.
    :26541
  • Hi,

    I've not run through the eval recently but during the eval setup you should have been emailed some credentials I would think. These are the credentials that are used by Sophos Update Manager (SUM) to pull down the updates you are licensed for.

    You can see in the Update Managers list view, your SUM, if you edit that config, on the "Sources" tab you can add Sophos and the connection details including a user name and password.  When you first launch SEC after installing, the wizard you mention is essentially configuring this.

    I would think if you check your emails from Sophos one might have some update credentials.  If not, you could contact Support or run through the eval pages on the website.

    Regards,

    Jak

    :26549
  • Another day, another issue.... Inside the console, when I click on Tools/Manage NAC, it says that the webpage can not be found. My test PC is now being seen by the console but there are several columns that are inactive. NAC compliance is also unknown.
    :26607
  • Hi,

    The NAC part is the only component not installed by the SEC installer.  If you wish to use NAC, then that is a separate installation as in effect it is a separate product with minimal linkage between SEC and NAC server component. The integration of NAC into SEC is you can configure a link to the web admin console and it also has a couple of default policies.

    I'm not sure if you intend on using NAC, if not no need to worry.

    Regards,

    Jak

    :26609