Deploying Sophos Central Endpoint/Server in Citrix App Layering environment

One common request of Sophos is for best practices on how to deploy the Sophos Central Endpoint/Server in a Citrix App Layering environment. Our Engineering team have recently spent some time investigating and with some guidance from the team at Citrix we are happy to share the steps below which seem to work well and we’d like customers to test out and provide feedback. If you have any feedback or suggestions please provide in the comments so that we can look to update and improve. Our ultimate goal is to end up with a fully supported process for customers using Citrix App Layering.

In the documented steps below we have used VMware vSphere as our choice of hypervisor for publishing images.

Pre-Requisites:

  • Knowledge of using Citrix App Layering to create layers - OS, Platform and App layers.
  • Access to a version of Enterprise Layer Manager (ELM) for this scenario. We have used 22.8.0.# in this instance.

Creating the app layer with Sophos Endpoint installed

1. In the App Layering management console, navigate to Layers > App Layers > Create App Layer. The Create App Layer wizard opens

2. Complete the Create Layer Wizard and click on the Confirm and Complete button and Create when reviewed and happy to create.

3. View the current tasks in the App Layering management console from the Tasks option from the left hand menu

At first, confirm that “Running” is shown in the status tab in the Creating Application Layer <layer_name> task. When the status of the task changes to ‘Action Required’, log on to the hypervisor and locate the temporary packaging machine.

4. From the Protect devices page in Sophos Central, download the endpoint or server installer and make it available on your packaging machine.

5. Run the Sophos installer and confirm that the machine appears in your Sophos Central console once the installation has completed.  If creating a Gold Image for new clone creation, run the Sophossetup.exe from the command line with the following switches: Sophossetup.exe --goldimage --goldimagetimeout=90

For more details on creating gold images and clone creation see Create gold images and clone new devices.

6. You should check that the client in the system tray is showing as successfully installed and wait at least 5 minutes for the first update check to complete

7. Open the registry editor and browse to the following key - HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Unirsd

  • Add a new Multi-String value with the name: PreStartKeys
  • Set the Value Data to be this path: \Registry\Machine\System\ControlSet001\Services\Sophos Endpoint Defense\TamperProtection\Components

Note: If the registry value mentioned above is not added, this will cause issues with services starting with Tamper Protection enabled.

8. Reboot and log back into the machine once the registry value has been added.

9. Double click the “Shutdown For Finalize” shortcut on the desktop to start finalizing the app layer and complete App Layer for deployment. 

10. Once the finalization process is completed and showing in the Tasks menu as Done, the App Layer is now ready for deployment.

11. Create an image template using this new app layer and publish this template to create your master image.

Note: If your master image is a gold image that will be used for clone creation it is important that you don't start the master image once created as this will cause the device to be renamed which causes it to turn into a clone.  To ensure the device remains a gold image, apply updates to the different app layers that need to be updated.

Known Issues:

  • The Central events logged for a new clone device may contain some events from the gold image before the clone was created.  These past events may also reference users. 
  • Testing has indicated that adding Sophos to the OS layer can cause issues when trying to creating app layers
  • Sometimes a warning may appear when trying to finalize the layer. See Citrix article:  Debugging Layer Integrity Problems in Citrix App Layering


Editing logging known issue.
[edited by: Kevin Kingston at 12:11 PM (GMT -7) on 14 Apr 2023]
Parents
  • Hi Kevin,
    many thanks for this post. Is this procedure stable when we replace the deployed VDAs in a non-persistent environment with a newer or older version? We had recently problems with the registered sophos agent in central, when we replaced already deployed VDAs with the same fixed-term or an older version of sophos agent in the image during the agents in central reporting an actual version. We got errors like duplicated devices and cannot retrieve policies. 

    kind regards

    Ralph

Reply
  • Hi Kevin,
    many thanks for this post. Is this procedure stable when we replace the deployed VDAs in a non-persistent environment with a newer or older version? We had recently problems with the registered sophos agent in central, when we replaced already deployed VDAs with the same fixed-term or an older version of sophos agent in the image during the agents in central reporting an actual version. We got errors like duplicated devices and cannot retrieve policies. 

    kind regards

    Ralph

Children