This article provides answers to the frequently asked questions about Sophos Central Update Cache.
The following sections are covered:
Applies to the following Sophos products and versions: Sophos Central Admin
Sophos Update Cache enables computers to get their Sophos updates from a cache server on the network, as well as directly from Sophos. This saves bandwidth because updates are downloaded only once, by the server.
The Update Cache does not:
The following are the prerequisites for the Update Cache:
Note: It is recommended to use servers that have a multi-core processor.
Computers updating from a cache server should have:
The following are the recommended server specifications for the Update Cache:
The Update Cache serves updates via HTTPS on TCP port 8191, so this port must be allowed in the firewall. If the Windows Firewall is used, the following rule is configured automatically during the installation to allow inbound connections:
Name: Sophos Update Cache
Description: Inbound rule to allow Sophos Update Cache to server updates
Profile: All
Enabled: Yes
Action: Allow
Override: No
Program: System
Local Address: Any
Remote Address: Any
Protocol type: TCP
Local port: 8191
Remote port: Any
Allowed Users: Any
Allow Computers: Any
Note: If a third-party firewall is used, manual configuration of the rule to allow connections may be needed. Sophos cannot assist in configuring these firewalls. It is recommended to contact the manufacturer for assistance.
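The following added example (not Sophos code) checks the installed Windows Firewall rule against the values listed above, confirms that something is listening on TCP 8191, and tests reachability from an endpoint. It assumes the rule's "Name" is its display name; the server name in the comment is a placeholder.

```powershell
# Added example (not Sophos code). Run part 1 on the cache server in an
# elevated session; run part 2 from a Windows endpoint.

# Part 1: compare the installed rule with the values listed in this article.
function Test-UpdateCacheFirewallRule {
    $expected = [ordered]@{
        Direction = 'Inbound'; Action = 'Allow'; Enabled = 'True'
        Protocol  = 'TCP';     LocalPort = '8191'
    }
    # Assumption: "Name" in the article is the rule's display name.
    $rule = Get-NetFirewallRule -DisplayName 'Sophos Update Cache' -ErrorAction SilentlyContinue |
        Select-Object -First 1
    if (-not $rule) {
        Write-Warning 'Rule "Sophos Update Cache" is missing.'
        return $false
    }
    $port = $rule | Get-NetFirewallPortFilter
    $actual = @{
        Direction = "$($rule.Direction)"; Action = "$($rule.Action)"; Enabled = "$($rule.Enabled)"
        Protocol  = "$($port.Protocol)";  LocalPort = "$($port.LocalPort)"
    }
    $ok = $true
    foreach ($key in $expected.Keys) {
        if ($actual[$key] -ne $expected[$key]) {
            Write-Warning "$key is '$($actual[$key])', expected '$($expected[$key])'."
            $ok = $false
        }
    }
    # A correct rule is not enough: something must be listening on the port.
    if (-not (Get-NetTCPConnection -LocalPort 8191 -State Listen -ErrorAction SilentlyContinue)) {
        Write-Warning 'Nothing is listening on TCP 8191.'
        $ok = $false
    }
    return $ok
}

# Part 2: confirm an endpoint can reach the cache through any firewall in between.
function Test-UpdateCacheReachable {
    param([Parameter(Mandatory)][string]$CacheServer)  # e.g. cache01.example.internal (placeholder)
    (Test-NetConnection -ComputerName $CacheServer -Port 8191 -WarningAction SilentlyContinue).TcpTestSucceeded
}
```

If part 1 reports the rule as missing, this article's known-issues section states that restarting the Sophos Update Cache service creates it.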
All cache servers are evaluated by the Windows and Linux computers when they update, so it is recommended that remote sites have a local server configured as a cache. This reduces bandwidth requirements and potentially reduces cross-branch traffic.
To set up the Update Cache:
The following actions then take place:
When an update cache is available, all Windows and Linux computers are configured to update from it and from Sophos.
Every time a Windows or Linux computer updates, the IP addresses of the Update Cache servers are compared to the endpoints' IP addresses. The update caches are ordered according to the calculated numerical distance. Then, the closest update cache server will be used as the update location.
However, this can be affected in the following instances:
The cache is stored in this directory on the server: C:\ProgramData\Sophos\UpdateCache\www\warehouse\
Yes, Sophos Central will provide details of the computers that have updated from the cache over the last 7 days. There are multiple ways to view the information:
The cache reports a download failure if it has not updated for 12 consecutive attempts within an hour. This prevents the endpoints from updating from an outdated cache. If this happens, the endpoints receive an update to remove the affected cache from the available update locations. A "Failed to download" cache status is then shown in the Sophos Central dashboard:
Once the cache has performed a successful update, it will be configured again as the available update location for the managed endpoints.
Note: If the Update Cache server loses network connection, the Cache Status will not change. However, since it is not able to return a response time when evaluated, it will no longer be used as the update location.
To remove the Update Cache:
The following actions then take place:
Below are the issues to be aware of:
Error: [InstallCertificateStateHandler::NewCertInstallation:71] Caught exception installing certificate. Error - CX509Enrollment::InstallResponse failed: [0x800b010a] A certificate chain could not be built to a trusted root authority.
The CertEnroll control does not work on unpatched Windows 2008 R2 servers. To solve this issue, install the hotfix from Microsoft.
To solve this issue, delete the server from the Sophos Central dashboard. This forces a policy refresh to remove the server as an available update cache.
To solve this issue, restart the Sophos Update Cache service. This successfully creates the firewall rule.