
Need to know on which systems Sophos Safeguard is not installed

Dear Team,

Our company has Active Directory and Workgroup user environments.

We have deployed Sophos Safeguard 8.1 on one server and synced all AD users & computers into Safeguard.

 

We need your help with the following outputs:

1. Suppose AD has 100 active users and computers, and 80 of those systems have the Sophos Safeguard software installed.

We need to know which systems (the data for the 20 systems, from the SQL query) do not have the Sophos Safeguard software installed,

so that we can install the software on these systems.

2. Does Sophos Safeguard support NAT (Public IP/Alternate Host) for outside clients?

- If yes, then please share the procedure for the same; it will be helpful if the roaming client is outside, on a public network, to sync the Safeguard policy at the client level.

Thanks. 

 

 

 



    Sophos Safeguard Center Version- 8.1

    Client - 8.1 

  • Hi Paresh - This forum is a community and not the best place perhaps for urgent assistance. We'll all do our best of course, but work, family, life allowing!

    I would suggest raising a ticket, or better still - calling Sophos if you need more urgent help than the community can sometimes offer.

     

    That said - It's not the Sophos product that supports NAT, you'll need to adjust routing on your network/firewalls to allow access.

    I personally would (and did) set up a secondary server and place it within the DMZ network, and then adjust routing so traffic could flow.

    My config and certs therefore have TWO servers defined. One for internal use and then the DMZ server for outside/off network use.

    This setup works well and is the Sophos recommended config.

     

    There's a few ways you can find out what clients are installed/not installed.

     

     

    This SQL query will list all machines, names, features and version installed.

     

     

    /* SGN Client native device encryption and its version number */
    -- Replace yourdbnamehere with the name of your SafeGuard database
    USE yourdbnamehere;
    SELECT
        SAFE_GUARD_DIR.SGD_name AS 'Machine name',
        IVT_INST_FEATURES.IIF_FEATURE AS 'Feature Installed',
        IVT_INST_FEATURES.IIF_FEATURE_VERSION AS 'Version Installed'
    FROM IVT_INST_FEATURES
    INNER JOIN SAFE_GUARD_DIR
        ON IVT_INST_FEATURES.IIF_MACHINE_ID = SAFE_GUARD_DIR.SGD_ID
    -- Only features whose name starts with 'Bit'
    WHERE IVT_INST_FEATURES.IIF_FEATURE LIKE 'Bit%'
    ORDER BY SAFE_GUARD_DIR.SGD_name;

     

    You can paste this query into SQL Management Studio once you've connected/authenticated against your DB.

    I would then compare this against what you have in AD/OU's and you'll quickly be able to patch a report together.

     

    Or - write a few more queries....

     

    There's lots of different queries you could do - a good few examples here (you'll need to check the DB name each time)

     

    https://community.sophos.com/kb/en-us/109925
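
The comparison suggested in the reply above, as an added example that is not part of the original post and is not Sophos code: it diffs a CSV export of the query result against a CSV export of AD computer accounts and reports machines with no SafeGuard feature row. The AD export columns (`Name`, `Enabled`), the host names and the feature/version values are constructed assumptions; the SQL column headers are the aliases used in the query.

```python
import csv
import io

def normalize(name):
    """Reduce a host name to an upper-case short name (drops '$' and DNS suffix)."""
    return name.strip().rstrip("$").split(".")[0].upper()

def read_installed(sql_csv):
    """Map short name -> set of (feature, version) from the query export."""
    installed = {}
    for row in csv.DictReader(io.StringIO(sql_csv)):
        key = normalize(row["Machine name"])
        installed.setdefault(key, set()).add(
            (row["Feature Installed"], row["Version Installed"]))
    return installed

def read_ad(ad_csv, include_disabled=False):
    """Short names of AD computer accounts; disabled accounts skipped by default."""
    names = set()
    for row in csv.DictReader(io.StringIO(ad_csv)):
        if include_disabled or row["Enabled"].strip().lower() == "true":
            names.add(normalize(row["Name"]))
    return names

def coverage_gap(ad_csv, sql_csv):
    """Return (AD machines with no feature row, feature rows with no AD account)."""
    ad = read_ad(ad_csv)
    installed = set(read_installed(sql_csv))
    return sorted(ad - installed), sorted(installed - ad)

# Constructed sample exports (hypothetical hosts, feature names and versions).
AD_EXPORT = """Name,Enabled
PC-001,True
pc-002.corp.example,True
PC-003$,True
PC-004,False
LAPTOP-17,True
"""
SQL_EXPORT = """Machine name,Feature Installed,Version Installed
PC-001,BitLocker,8.1
PC-002,BitLocker,8.1
OLD-PC-9,BitLocker,8.0
"""

if __name__ == "__main__":
    missing, unknown = coverage_gap(AD_EXPORT, SQL_EXPORT)
    print("No SafeGuard feature reported:", missing)
    print("In SafeGuard export but not an enabled AD computer:", unknown)
```

The second list is worth reviewing too: entries present in the SafeGuard export but absent from enabled AD accounts usually mean stale or renamed machines.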

     

  • Hello Micheal,

     

    Hope you are doing well & safe.

     

    Thanks for the reply.

     

    Can I understand the below things:

    1. How do you connect the second NAT Sophos server database to the primary Sophos server?

    Basically, NATing is done at the firewall level, and the public IP is mapped to the inside private IP with ports 443 and 80.

    E.g. if we have public IP 3.4.566, which is NATed to the internal Sophos server, i.e. 192.168.1.11, with specific ports 443 and 80 for communication with outside clients.

    Can I understand how the client communicates with the secondary server if the client is connected to the WAN network?

     

    2. Suppose we have an AD environment in our office, and AD has a total of 100 users and computers.

    If 60 users and computers present in Active Directory have the Sophos Safeguard client, can we get the list of the remaining 40 users and laptops in Sophos Safeguard, e.g. via SQL query or Sophos Inventory?

     

    [Note: here we have synced all Active Directory computers and users in the Sophos management center.

    Does the Safeguard database show uninstalled Sophos Safeguard clients, or clients which don't have any Sophos Safeguard, via Inventory or SQL query?]

     

     

     

     

     

     

     

     

  • When you install the management side on the extra server, you then create a configuration on the primary server to then install on the additional servers. 

    I've just allowed 443/SSL to get through, you could skip this if you wanted unsecure traffic too, but I've forced SSL on all my clients.

    If you log in to the console as a MAINMSO  - Launch the Configuration Package Tool - Add a server. You will need the cert that you either created on the server, or a CA minted for you.

     

    Give it a friendly name

     

    Once this is added you can assign it a role if needed. I didn't assign any roles to my DMZ server.

     

    You can then create the Server configuration package. You create one for each server. 

     

     

    2 - Your clients will appear in the Sophos SafeGuard console IF they have the Sophos SafeGuard client installed. If you go into an OU that contains PCs but they are NOT listed within the console - the agent is NOT installed.

     

    The easiest mode for this is the Inventory tab that appears on each OU. If, when you select the OU, the Inventory displays "No entry!" - it is just that. No clients in that OU have the agent installed. If "Including subcontainers" is ticked, it will display the clients within the sub-OUs of that one.

     

     

    Hope this helps?

     

     

     

  • Hi Micheal,

     

    Thanks for your reply.

     

    For scenario 1:

    1. We need to install the Management Center role on the second server (Test 2).

    2. We need to map this second server on the primary server (Test 1): "Configuration Package Tool" >>>> Server tab >> Add second server instance.

    What about the client to Management Center communication, as basically the client configuration is installed on the system?

    Please suggest here if I am following any wrong steps.

     

     

    For scenario 2:

    If we have synced all Active Directory users & computers to the Sophos Management Server, then

    can we get the list of computers where the Sophos Safeguard client is not installed from the Sophos Inventory tab?

     

    And

    does Safeguard keep the uninstalled, installed and not-installed Safeguard clients in the Inventory tab, as I can see that only the list of installed features is available via SQL query?

     

     

     

     

     

     

  • How do you define the SGN server as NAT Alternate Server?

  • I think you're missing my point Paresh - You don't do any NAT on the server, that's down to your routing/switching/firewall.

     

    You add a secondary server as I've described. 

     

    Setting up your infrastructure can be found here if you've not read it yet?

     

    https://docs.sophos.com/esg/sgn/8-0/admin/win/en-us/PDF/sgn_8_aheng.pdf
