This FAQ article provides information on Sophos Central Update Caches.
Applies to the following Sophos product(s) and version(s): Sophos Central Admin
An Update Cache enables your computers to get their Sophos updates from a cache on a server on your network, as well as directly from Sophos. This can save you bandwidth, as updates are downloaded only once, by the server.
An Update Cache does not:
For Update Cache we recommend:
To set up a cache:
As all servers configured to host a cache are evaluated by all Windows computers when they update, it is recommended that remote sites have a local server configured as a cache. This will reduce bandwidth requirements and potentially reduce cross-branch traffic.
The cache is stored in the following location on the server:
The Update Cache serves updates over HTTPS on TCP port 8191, so this port may need to be allowed through a firewall. When using the Windows Firewall, the following rule is configured automatically during installation to allow inbound connections:
Name: Sophos Update Cache
Description: Inbound rule to allow Sophos Update Cache to server updates
Profile: All
Enabled: Yes
Action: Allow
Override: No
Program: System
Local Address: Any
Remote Address: Any
Protocol type: TCP
Local port: 8191
Remote port: Any
Allowed Users: Any
Allow Computers: Any
Note: If you are using a third-party firewall, you may need to manually configure a rule to allow connections. Sophos cannot assist with the configuration of these firewalls and advises following the manufacturer's guidelines/help.
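To confirm that the automatically created rule still matches the values listed above, the following PowerShell check can be run on the cache server. It is an added example, not part of the original article or a Sophos tool. It assumes the rule's display name is "Sophos Update Cache" as shown above and that "Profile: All" is reported by the cmdlets as `Any`; the Override, Allowed Users and Allow Computers fields are not checked.

```powershell
# Added example: compare the live Windows Firewall rule with the documented values.
# Assumption: the rule's DisplayName is 'Sophos Update Cache', as listed in the article.
function Test-UpdateCacheFirewallRule {
    param([string]$DisplayName = 'Sophos Update Cache')

    $rules = @(Get-NetFirewallRule -DisplayName $DisplayName -ErrorAction SilentlyContinue)
    if ($rules.Count -eq 0) {
        Write-Warning "No firewall rule named '$DisplayName' was found."
        return
    }

    foreach ($rule in $rules) {
        # Port, address and program details live in separate filter objects.
        $port = $rule | Get-NetFirewallPortFilter
        $addr = $rule | Get-NetFirewallAddressFilter
        $app  = $rule | Get-NetFirewallApplicationFilter

        # Setting name -> (expected value from the article, actual value on this host)
        $checks = [ordered]@{
            Direction     = @('Inbound', $rule.Direction)
            Enabled       = @('True',    $rule.Enabled)
            Action        = @('Allow',   $rule.Action)
            Profile       = @('Any',     $rule.Profile)   # shown as "All" in the GUI
            Program       = @('System',  $app.Program)
            Protocol      = @('TCP',     $port.Protocol)
            LocalPort     = @('8191',    ($port.LocalPort -join ','))
            RemotePort    = @('Any',     ($port.RemotePort -join ','))
            LocalAddress  = @('Any',     ($addr.LocalAddress -join ','))
            RemoteAddress = @('Any',     ($addr.RemoteAddress -join ','))
        }

        foreach ($name in $checks.Keys) {
            $expected = $checks[$name][0]
            $actual   = "$($checks[$name][1])"   # enums are compared as strings
            [pscustomobject]@{
                Setting  = $name
                Expected = $expected
                Actual   = $actual
                Match    = ($expected -eq $actual)
            }
        }
    }
}

# On the cache server: list every setting and whether it matches.
Test-UpdateCacheFirewallRule | Format-Table -AutoSize

# From a Windows endpoint: confirm TCP 8191 is reachable.
# 'cache01.example.local' is a placeholder host name.
# (Test-NetConnection -ComputerName 'cache01.example.local' -Port 8191).TcpTestSucceeded
```

Any row with `Match` set to `False` means the rule has been changed since installation and should be reviewed against the list above.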
When an update cache is activated, all Windows computers are configured to update from the server hosting the update cache as well as from Sophos.
Every time a Windows computer performs an update, the IP addresses of the update cache servers are compared with the endpoint's, and the update caches are ordered by distance. The closest will be used as the update location. The following can affect the update cache being used:
Yes, Sophos Central will provide details of the Windows computers that have updated from the cache over the last 7 days. There are multiple ways to view the information:
To prevent Windows computers from updating from a 'stale' cache, the cache will report a download failure if it hasn't updated for 12 consecutive attempts (1 hour). All Windows computers will be sent an update to remove the affected cache from the available update locations. Sophos Central will report the following 'Cache Status' against the server:
Once the cache performs a successful update, it will again be configured as an available update location for all Windows computers.
Note: If a server loses its network connection, the 'Cache Status' will not change. However, as the cache will not return a response time when evaluated, it will not be used as an update location.
To remove a cache:
Error: [InstallCertificateStateHandler::NewCertInstallation:71] Caught exception installing certificate. Error - CX509Enrollment::InstallResponse failed: [0x800b010a] A certificate chain could not be built to a trusted root authority.