This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

How to set up separate definition updates and application upgrades in air-gapped network?

I'm figuring out how to set up Sophos within an air-gapped network: it has no internet connection and the machine with Enterprise Console installed is not part of this network. I've already read community.sophos.com/.../64899 so distribution of updates should be possible in this setup.

The thing is: virus definition updates need to be maintained regularly by the end user's admin, but application upgrades may only be performed by our admins. Also, due to the time testing may take for larger system updates switching from Recommended to Previously Recommended is not an option (PR may switch to the newer version too soon).

My questions:
- If I understood correctly both virus definition updates as well as application upgrades are pushed through the same update procedure. Is that correct?
- Is it possible to block application upgrades on the endpoints while definitions are still updated?
- Is there a way in which our admins can upgrade the endpoint applications themselves (for example with their own Enterprise Console installation)?

Thank you in advance.



This thread was automatically locked due to age.
Parents
  • Hello CloudSora,

    the article suggests to install a full management server in the air-gapped network.Together with using fixed versions (not just Previous) it should provide sufficient flexibility. Please note that the source SEC/SUM must subscribe to the desired package.

    Christian

Reply
  • Hello CloudSora,

    the article suggests to install a full management server in the air-gapped network.Together with using fixed versions (not just Previous) it should provide sufficient flexibility. Please note that the source SEC/SUM must subscribe to the desired package.

    Christian

Children
  • Thanks, good to know that a Fixed Version subscription is possible as well.

    While studying support documentation I get the idea that Enterprise Console isn't required at all, as long as at least one Endpoint has an internet connection to download the updates. Are Endpoints able to download updates as well?

    This seems at least possible for SAV for Linux if I'm reading the Configuration Guide correctly (section 13).

    Is this also possible with SAV for Windows / Endpoint Security and Control?

    (Perhaps this is what community.sophos.com/.../64899 is about, as this article contains Windows paths.)

  • Hello CloudSora,

    endpoints can download endpoint updates for their platform (and provide them to other endpoints), but version control is all but impossible. You'd need at least a full SEC install "outside". Depending on the size of the segregated network you don't even need a server OS for the air-gapped SEC/SUM.

    Christian