This article describes how to set up and maintain an air gapped network. You will need to follow the instructions in this article if your Sophos Update Manager (SUM) is installed on a network which is not connected to the internet.
Important: The version of Enterprise Console should be the same on either side of the air-gap. If it is not this can lead to errors such as that described in article: 117736.
Known to apply to the following Sophos product(s) Enterprise Console
Follow the instructions in the Quick Startup Guide for installing Enterprise Console on your non-air-gapped network. Ensure that you subscribe to the software packages that you require on both the air-gapped and non-air-gapped networks.
To install Endpoint Security and Control on your air-gapped network, you have two options:
could not create catalogue sdds.local
C:\Documents and Settings\All Users\Application Data\Sophos\Update Manager\Update Manager\Warehouse
C:\Program Data\Sophos\Update Manager\Update Manager\Warehouse
Note 1: If you choose this option, you will not be able to ensure compliance with policies on the endpoint computers in the air gap, nor will you be able to take advantage of all the features of Endpoint Security and Control, because Application Control, Device Control and Data Control policies are all configured using Enterprise Console.
Note 2: To verify the CID can be copied in a consistent state (is not being updated at the time fthe copy is taken) ensure the update interval is at least 15 minutes then wait for any current updates to finish - wait for the ‘Downloading Binaries’ message to change to ‘Last checked for updates on…’ on the SEC machine – should be sufficient to avoid copying the CID in an inconsistent state.
If the update manager is performing any actions, these actions can be viewed using the Logviewer.exe program with log level set to DEBUG.
Each time the Update Manager has finished any operations, ‘Dispatcher Programs-2017-03… have completed’ appears on the log viewer, and ‘Downloading Binaries’ changes to ‘Last checked on… ‘ on the SEC machine.
To completely ensure the CID is in a consistent state an option is to wait for the update manager to finish operations, then stop the update manager service before taking the copy.
When restarting the service SUM should continue without error.
-Installing Endpoint Security and Control is described in the Endpoint Security and Control standalone startup guide.
Once you have followed this guide and the standalone version is installed on each of the computers in the air gap, you will have to configure them to update from a shared folder in the air gap, as follows:
C:\Documents and Settings\All Users\Application Data\Sophos\Update Manager\Update Manager\CIDs\S000\SAVSCFXP
C:\Program Data\Sophos\Update Manager\Update Manager\CIDs\S000\SAVSCFXP
Linux Server : C:\Program Data\Sophos\Update Manager\Update Manager\CIDs\S000\savlinux
To update the air-gapped network, you will have to manually copy the update files from the non-air-gapped network using a removable device or CD. After you have subjected this medium to your necessary checks, copy the contents to the shared folder on the air-gapped network. We recommend that you update your air-gapped network once a day.
Every comment submitted here is read (by a human) but we do not reply to specific technical questions. If you need technical support please post a question to our community. Alternatively for licensed products open a support ticket.