Location Roaming is a method of intelligent updating for roaming laptops where updates are performed from a "best" update location and updating does not rely solely on the primary and secondary update locations specified in the laptops' updating policy.
This article answers some of the frequently asked questions regarding location roaming.
First seen in Sophos Endpoint Security and Control 9.7
Some laptop users may roam extensively or internationally within an organization. When location roaming is enabled (on an updating policy for roaming laptops), roaming laptops attempt to locate and update from the nearest update server location by querying other (fixed) endpoints on the local network they are connected to, minimizing update delays and bandwidth costs.
A roaming laptop gets update server locations and credentials by querying fixed computers on the same local network. If multiple locations are returned, the laptop determines which is nearest and uses that. If none work, the laptop uses the primary (then secondary) location(s) defined in its updating policy.
When location roaming is enabled, the following happens:
Note: If you need to revert to using the primary and secondary update locations specified in the updating policy (for example, if you wish to roll out customizations from the update location specified in the policy), you will need to disable location roaming.
This functionality applies only to endpoints managed by the same Console and updating from locations within the same subscription policy. An updating policy can be made to use location roaming only if a primary update location is specified in the Console. This is to avoid the possibility of having a group of endpoints with location roaming switched on that don’t have an update location to reply with.
The fixed endpoint always replies with its primary policy update location.
Yes. Port 51235 is the default, and it will be in listening mode.
Yes. The port used for the broadcast can be changed if you need to define it because of a clash or because of your company's security restrictions. The port can be changed locally in the registry, locally in iupd.cfg, or more centrally in sauconf.xml. The default port is 51235. Full details of how to change it are given in the knowledge base article "How to configure the Location Roaming port in Sophos AutoUpdate".
You should only enable location roaming on groups of machines that frequently move from office to office.
To enable location roaming:
Repeat this step for each group that uses this updating policy.
Yes. Broadcasting can be switched off on the endpoint by opening the SAU configuration file iupd.cfg and setting the 'Enabled' flag under [global.IntelligentUpdating] to 0. Note that this applies only to the endpoint that sends the query; the endpoints that reply will always reply, even if intelligent updating (IU) is switched off in their own configuration.
If a user wants to enable roaming for an endpoint, the endpoint must be protected by the Console that manages the endpoints and the location where the local CID is. For example, a visitor who plugs their computer into another network will NOT pick up updates, because their computer is configured to be managed from a different Enterprise Console.
The nature of the location detection (comparison of gateway MAC addresses) means that on a wireless network, the varying availability of the connection can cause the endpoint to believe it has moved location, resulting in repeated local broadcasts. If this proves to be a problem, it can be controlled indirectly by reducing the updating frequency, because the check is made only when the endpoint updates.
Sophos has incorporated additional security measures to hide sensitive information:
As explained above, the endpoint will continue communicating with the Console; therefore, if you right-click the affected computer and select 'Comply with Policy', it will go back to its original settings.