Migration Sophos Enterprise Console 5.50 to Sophos Central Cloud

Hi Ccloud 

We have a few articles and documentation for Migration using the Sophos Migration tool. Please refer to this article for more information. Also, you mentioned about 2003 servers, do you have extended support for 2003 servers?

Thanks for you reply! 

I need some suggestion on Infrastructure & design basis. We are planning migration from Sophos Enterprise console 5.5.0 to Sophos Central Admin.

      1.  Currently all client machines are in two different data centers & we have only one standalone Sophos Enterprise Console 5.5.0 antivirus server.

      2.  We have around 1000 servers including few 2003 servers. FYI, all client machine don’t have internet access. Also, I heard Sophos cloud don’t support 2003 clients . is this true ? or             it is supportable after extending 2003 server  the support.

      3. How client machine will talk to Sophos Central admin? What is the best solution & design?

  As per my current setup, I want to keep One cache & one relay server only in one data center which will work like upgrade , updates & reporting  etc.  /or we have other option as well.  Please confirm.  

Below is the rough diagram I made. Please suggest.

Hi Ccloud 

Please find the below suggestions for your queries:

Currently, all client machines are in two different data centers & we have only one standalone Sophos Enterprise Console 5.5.0 antivirus server. - I am assuming here that all the client machines, from both the data centers, are reporting to this single standalone Enterprise console. 

• If you are going to migrate the machine through the migration tools, you need to refer to this article and you need to make sure that you have achieved all the pre-requisites for this migration through the migration tool.
• Once the Sophos Central AV is installed on all the machines, you can use one or two update cache and message relay servers per data centers, so they can balance the load.
• Message relay and update cache can be configured on the same server. Please refer to this article which explains them.
• As you mentioned, there are a few machines which don't have an internet connection, there this migration will fail because they will not be able to make the connection directly to Sophos cloud to download data and register the machine on the Sophos cloud but you can remove this error through this article where you need to mention proxy server through which you server/client can make internet connection for a temporary. Once the installation is done, you can remove them.
• To go through the above point, you need to manually add proxy on all the machines where internet is not available but if machines can communicate to the machines of other data center, I'd suggest you assign a single proxy server in the Sophos Central through this article.
• For Windows 2003 server machines, you need to purchase extended support for them as mentioned by Shweta.

please suggest. 

Currently, all client machines are in two different data centers & we have only one standalone Sophos Enterprise Console 5.5.0 antivirus server. - I am assuming here that all the client machines, from both the data centers, are reporting to this single standalone Enterprise console : Yes from both data centers all client are reporting to single standalone server & we are using only Sophos antivirus in our environment 

If you are going to migrate the machine through the migration tools, you need to refer to this article and you need to make sure that you have achieved all the pre-requisites for this migration through the migration tool : ----What are the other option? and,  In case if we go with migration tool Do we need to install on migration tool on separate server. I believe no but just want confirmation. 

Once the Sophos Central AV is installed on all the machines, you can use one or two update cache and message relay servers per data centers, so they can balance the load : ---So , we need to install Sophos cache & message relay server later on after updating the Sophos client.

Message relay and update cache can be configured on the same server. Please refer to this article which explains them: OK.

As you mentioned, there are a few machines which don't have an internet connection, there this migration will fail because they will not be able to make the connection directly to Sophos cloud to download data and register the machine on the Sophos cloud but you can remove this error through this article where you need to mention proxy server through which you server/client can make internet connection for a temporary. Once the installation is done, you can remove them :- Can we place cache & message relay server first. so that all clients contact cache & relay server instead of opening internet.

To go through the above point, you need to manually add proxy on all the machines where internet is not available but if machines can communicate to the machines of other data center, I'd suggest you assign a single proxy server in the Sophos Central through this article. : -I belive this way the load on the server will be double like DC1 client machine will connect to other machine DC2 machine client & then that client will communicate to Cache server.

For Windows 2003 server machines, you need to purchase extended support for them as mentioned by Shweta :- Ok, so Sophos central support

Hi Ccloud 

What are the other options? and,  In case if we go with migration tool Do we need to install on migration tool on a separate server. I believe no but just want confirmation. - Another option is to remove the Sophos endpoint installed through Sophos Enterprise console from all the machine manually and then install Sophos Central Endpoint/Server protection on them. If you choose to go with the migration tool, you don't need a different server for the tool.

So, we need to install Sophos cache & message relay server later on after updating the Sophos client. -  Ideally, you can first install the Sophos Central server protection on the servers which you want to make Cache and message relay and promote them to message relay and update cache. After that, install endpoint/server protection on the clients/Servers from the update cache, so it will automatically install protection on them without the internet connection.

I believe this way the load on the server will be double like DC1 client machine will connect to another machine DC2 machine client & then that client will communicate to the Cache server. - It will not go in the above manner. All the installation will go through the server which you'll mention in the proxy server setting as mentioned in this article.

So, we need to install Sophos cache & message relay server later on after updating the Sophos client. -  Ideally, you can first install the Sophos Central server protection on the servers which you want to make Cache and message relay and promote them to message relay and update cache. After that, install endpoint/server protection on the clients/Servers from the update cache, so it will automatically install protection on them without the internet connection. : Do we need to install Sophos endpoint client manually on each (client) server ? or we can deploy client from Sophos central server /or portal as well.

Also, I heard about SecurityVM : Is this something it work like a Cache  & proxy server. 

Hi Ccloud 

Do we need to install Sophos endpoint client manually on each (client) server ? or we can deploy client from Sophos central server /or portal as well. - You need to install clients on the machines manually. You can't push the AV on the clients like Sophos Enterprise console because of the internet and many other restrictions.

Also, I heard about SecurityVM : Is this something it work like a Cache  & proxy server. - No, it totally different than Cache and relay server. It is only for Virtual environments like VMware, Citrix, Hyper-V not for Endpoint or physical machines.

 You need to install clients on the machines manually. You can't push the AV on the clients like Sophos Enterprise console because of the internet and many other restrictions : Machine will require a server reboot after client installation ? I believe no. just want to confirm except exceptional cases.  And, what about old client "Sophos Endpoint Security and Control" Do we need manually uninstall ?

No, it totally different than Cache and relay server. It is only for Virtual environments like VMware, Citrix, Hyper-V not for Endpoint or physical machines.: Didn't understand we have 90% machines are VM machines ,9% are physical 1% servers on different platform like ovm. However on all the servers we have windows OS.

Hi Ccloud 

The machine will require a server reboot after client installation? I believe no. just want to confirm except exceptional cases. - The reboot is required for servers and endpoint as well after uninstallation of "Sophos Endpoint Security and Control" and installation of Central Endpoint/Server protection. 

And, what about the old client "Sophos Endpoint Security and Control" Do we need manually uninstall? - It depends on you. If you choose to do everything manually, uninstallation need to be performed manually for "Sophos Endpoint Security and Control". In Sophos Cloud migration tool method, it will automatically uninstall from the machine.

Didn't understand we have 90% machines are VM machines,9% are physical 1% servers on different platform like ovm. However, on all the servers we have windows OS. - You can use Sophos for Virtual environments for virtual machines but SVE will not cover all the features provided by Sophos Intercept X advanced such as Cryptogurad, Exploit mitigation, etc. SVE is useful for performance enhancement. For laptop/desktops, you need to have Sophos Endpoint protection. You can contact your partner or reseller to know the products better with feature differences.

he reboot is required for servers and endpoint as well after uninstallation of "Sophos Endpoint Security and Control" and installation of Central Endpoint/Server protection : - As i said we have around 1000 servers. 

You can use Sophos for Virtual environments for virtual machines but SVE will not cover all the features provided by Sophos Intercept X advanced such as Cryptogurad, Exploit mitigation, etc. SVE is useful for performance enhancement. For laptop/desktops, you need to have Sophos Endpoint protection. You can contact your partner or reseller to know the products better with feature differences: -like I said we have mix environment VM machine on VMware, HP & Dell Physical Servers,  OVM machine. so, Security VM is good solution for us? /or security VM is only for VMwareEsxi & HyperV only  & we need to go  different setup for Physical machine  (Cache & Message relay).

what is main difference between Security VM &  Cache Message relay servers.  What is your recommendation? Below is my setup.

Two Datacenter on different region .

Sophos Entperise Console 5.5.0 on standalone server. 

VM , Physical & OVM enviroment, VM esxi is 6.0 & 6.5

Total 1000 Servers & these servers are for different-2 customers. so servers are in different sub net & all servers don't have internet access. 

OS : Windows Server 2003, 2008, 2008R2, 2012 Stand & 2016.  No desktop client only Servers.