Auto deploy Sophos Server protection onto Azure Instances using Azure Automation and VM Extensions

Special thanks to for providing this content!


For customers that wish to automatically deploy the Sophos Central Server agents onto Azure there are a few currently supported methods detailed in this KB. The methods described take advantage of start up scripts which can be used to ensure that new VMs are launched with the Sophos Server agent installed.

This may not be ideal for some larger organizations that already have an existing estate in Azure or for those that have set up multiple accounts with distributed administration which may result in situations where users are able to launch VMs without attaching the proper deployment scripts, leading to decreased host security across their estate.
To address the issue we created the below procedure which relies on some Azure automation services, and uses the customers' unique Sophos Central agent download URL's to make sure the Sophos Server agent is pushed to all VMs in a specified Azure account.

Please note that this is not an officially supported method at this time so is provided 'as is'.

Prerequisites

In order to apply the instructions below, you'll need the following:

  • An Azure subscription.
  • An Automation account to hold the runbook and authenticate to Azure resources.
  • At least one Azure VM.
  • A storage account.

Important note

The following process will install the Sophos Server Agent on all Virtual Machines found in the customer's Azure Subscription. If the customer has any Sophos XG Firewalls or other kind of preconfigured VMs present in their account, the script will fail trying to install the agent on those workloads and could have an impact on the services associated with that VM. Please be aware of this before running the script.

If you need help modifying the script to run only on a specific Resource Group or set of VMs, reach out the Public Cloud team (publiccloud@sophos.com) and we will be happy to assist you.

Step-by-step guide

Installation Files

Download the following file: sophos-deploy-server-agent.zip

Included files are:

  1. readme.txt
  2. sophos-azure-automation-script.ps1 main runbook

Step 1 - Get your Windows VM extension script

To get your Windows VM extension script in your Sophos Central account, follow these steps:

  1. In Sophos Central, navigate to Server Protection > Protect Devices (direct link).
  2. Under Server Protection on Microsoft Azure, select Get your VM extension script.
  3. Select Download script and then Download to confirm.

         

      4. Rename the file to: sophos-script-deploy-windows-agent.ps1

Step 2 - Create your Linux VM Extension script

To create your Linux VM extension script, follow these steps:

  1. In Sophos Central, navigate to Server Protection > Protect Devices (direct link).
  2. Right click on Download Linux EDR Installer and click on Copy link address. Paste this into notepad.




  3. Create a new plain text file with the code below, replacing the <LinkToInstaller> with the link to the correct Server Installer taken from Sophos Central as part of the previous step:

    #! /bin/bash
    apt-get update -y
    wget <LinkToInstaller> -P /tmp/
    sleep 5
    chmod +x /tmp/SophosSetup.sh
    nohup /tmp/SophosSetup.sh --automatic --acceptlicence y > /dev/null 2>&1 &
  4. Save the file with the name: sophos-script-deploy-linux-agent.sh

Step 3 - Create a container

To create a container in the Azure portal, follow these steps:

  1. Navigate to your storage account in the Azure portal.
  2. In the left menu for the storage account, scroll to the Blob service section, then select Containers.
  3. Select the + Container button.

  4. Give the container the name sophos-container-deploy-server-agent
  5. Set the level of public access to Private (no anonymous access).
  6. Select Create to create the container.

Step 4 - Upload the block blobs

To upload the block blobs to your new container in the Azure portal, follow these steps:

  1. In the Azure portal, navigate to the container you created in the previous section.
  2. Select the container to show a list of blobs it contains. This container is new, so it won't yet contain any blobs.
  3. Select the Upload button to open the upload blade and browse your local file system to find the sophos-script-deploy-windows-agent.ps1 file.



  4. Select the Upload button.
  5. Repeat the process for the sophos-script-deploy-linux-agent.sh file.
  6. Click the sophos-script-deploy-linux-agent.sh just uploaded.
  7. In the Blob blade, make a note of the Linux Script Block Blob URL. This URL should have the following format:
               https://<storage-account-name>.blob.core.windows.net/sophos-container-deploy-server-agent/sophos-script-deploy-linux-agent.sh         

Step 5 - Create the runbook

  1. In the Azure portal, open your Automation account.
  2. Select Runbooks under Process Automation to open the list of runbooks.
  3. Create a new runbook by selecting Create a runbook.



  4. Give the runbook the name sophos-runbook-deploy-server-agent
  5. In this case, you're going to create a PowerShell runbook. Select PowerShell for Runbook type.
  6. Click Create to create the runbook and open the text editor.

Step 6 - Add code to the runbook

  1. Your runbook is currently empty. Copy the content of the sophos-azure-automation-script.ps1 and paste it in the body of the script.



  2. Save the runbook by clicking Save.

Step 7 - Publish and start the runbook

The runbook that you have created needs to be published before you can run it in production.

  1. Click Publish to publish the runbook and then Yes when prompted.
  2. Scroll left to view the runbook on the Runbooks page, and note that the Authoring Status value is set to Published.
  3. Scroll back to the right to view the page for sophos-runbook-deploy-server-agent
  4. Select Start and provide the parameters required for run the runbook:
    1. Azure Subscription ID
    2. Windows Script Name: sophos-script-deploy-windows-agent.ps1
    3. Linux Script Name: sophos-script-deploy-linux-agent.sh
    4. Storage Resource Group Name
    5. Storage Account Name
    6. Storage Container Name: sophos-container-deploy-server-agent
    7. Linux Script URL
  5. Select Ok.
  6. A job pane is opened for the runbook job that has been created. Although you can close this pane, leave it open right now so that you can watch the job's progress. The job status is shown in the Status field under the Essentials sector.
  7. Click All Logs to open the Streams pane for the runbook job.
  8. Click Refresh till the Status field shows Completed.
  9. Close the Streams pane and the Job pane to return to the sophos-runbook-deploy-server-agent page.

Step 8 - Validate the installation process

  1. In Sophos Central, navigate to Server Protection > Servers > Azure VMs (direct link).
  2. Validate if all your running VMs are shown in the list.


.
[edited by: FloSupport at 9:45 PM (GMT -7) on 21 Apr 2021]