For customers who wish to automatically deploy the Sophos Central Server agents onto Azure, there are a few currently supported methods detailed in this KB. The methods described take advantage of startup scripts, which can be used to ensure that new VMs are launched with the Sophos Server agent installed.
This may not be ideal for some larger organizations that already have an existing estate in Azure, or for those that have set up multiple accounts with distributed administration. In those situations users may be able to launch VMs without attaching the proper deployment scripts, leading to decreased host security across their estate. To address the issue, we created the procedure below, which relies on some Azure automation services and uses the customers' unique Sophos Central agent download URLs to make sure the Sophos Server agent is pushed to all VMs in a specified Azure account.
Please note that this is not an officially supported method at this time, so it is provided 'as is'.
In order to apply the instructions below, you'll need the following:
The following process will install the Sophos Server Agent on all Virtual Machines found in the customer's Azure Subscription. If the customer has any Sophos XG Firewalls or other kinds of preconfigured VMs present in their account, the script will fail when it tries to install the agent on those workloads, and this could have an impact on the services associated with those VMs. Please be aware of this before running the script.
If you need help modifying the script to run only on a specific Resource Group or set of VMs, reach out to the Public Cloud team (firstname.lastname@example.org) and we will be happy to assist you.
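A pre-flight check for the scoping problem described above, as an added example that is not part of the Sophos download or the runbook itself. It works on a constructed inventory shaped like `az vm list -o json` output and assumes that preconfigured appliances such as an XG Firewall carry a marketplace `plan`; the VM names, resource groups and plan values are made up.

```python
import json

# Constructed sample shaped like `az vm list -o json` output (not real VMs).
SAMPLE_INVENTORY = json.loads("""
[
  {"name": "web-01", "resourceGroup": "PROD-WEB", "plan": null,
   "storageProfile": {"osDisk": {"osType": "Linux"}}},
  {"name": "app-01", "resourceGroup": "prod-web", "plan": null,
   "storageProfile": {"osDisk": {"osType": "Windows"}}},
  {"name": "xg-fw-01", "resourceGroup": "prod-net",
   "plan": {"publisher": "sophos", "product": "sophos-xg", "name": "byol"},
   "storageProfile": {"osDisk": {"osType": "Linux"}}},
  {"name": "db-01", "resourceGroup": "prod-data", "plan": null,
   "storageProfile": {"osDisk": {"osType": "Linux"}}}
]
""")


def plan_deployment(vms, allowed_groups=None):
    """Split an inventory into install targets and skipped VMs with a reason.

    allowed_groups: optional iterable of resource group names; None means
    the whole subscription. Names are compared case-insensitively because
    Azure resource group names are case-insensitive.
    """
    allowed = {g.lower() for g in allowed_groups} if allowed_groups else None
    targets, skipped = [], []
    for vm in vms:
        name = vm["name"]
        disk = vm.get("storageProfile", {}).get("osDisk", {})
        os_type = (disk.get("osType") or "").lower()
        plan = vm.get("plan")
        if allowed is not None and vm.get("resourceGroup", "").lower() not in allowed:
            skipped.append((name, "outside allowed resource groups"))
        elif plan:
            # Assumption: a marketplace plan marks a preconfigured appliance.
            skipped.append((name, "marketplace image from publisher %s" % plan.get("publisher")))
        elif os_type not in ("windows", "linux"):
            skipped.append((name, "unknown OS type"))
        else:
            targets.append((name, os_type))
    return targets, skipped


if __name__ == "__main__":
    targets, skipped = plan_deployment(SAMPLE_INVENTORY, ["prod-web", "prod-data"])
    for name, os_type in targets:
        print("install:", name, os_type)
    for name, reason in skipped:
        print("skip:   ", name, "-", reason)
```

Reviewing the skipped list before the runbook runs shows which workloads would otherwise have received the agent installer.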
Download the following file: sophos-deploy-server-agent.zip
Included files are:
To get your Windows VM extension script in your Sophos Central account, follow these steps:
4. Rename the file to: sophos-script-deploy-windows-agent.ps1
To create your Linux VM extension script, follow these steps:
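#!/bin/bash
apt-get update -y
# Download the installer; replace <LinkToInstaller> with your Sophos Central installer link.
# The link is quoted so that characters such as & or ? are not interpreted by the shell.
wget "<LinkToInstaller>" -P /tmp/
chmod +x /tmp/SophosSetup.sh
# Run the installer in the background so the VM extension does not wait for it to finish.
nohup /tmp/SophosSetup.sh --automatic --acceptlicence y > /dev/null 2>&1 &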
To create a container in the Azure portal, follow these steps:
To upload the block blobs to your new container in the Azure portal, follow these steps:
The runbook that you have created needs to be published before you can run it in production.