
AD Sync Automatic Deployment Retry

Hello, we are looking to migrate from McAfee VSE 8.7/EPO 4.5 to Sophos ES&DP 9.5/EC 4.5. At the moment I have our EPO server set to synchronise with AD at 1AM, run a query to see which discovered systems are unmanaged by the server, then every two hours it tries to push out the McAfee agent to any unmanaged systems in the database. This works great, even catches the people with laptops who rarely plug them into the network for more than a few hours a month. I've set up a 30 day trial Sophos server and can't seem to replicate this functionality. I set up a Container, set it to Synchronise with an OU in AD, Automatically protect clients, etc., Synchronise every 60 mins (also set it to 5 for testing). If the PC is turned off or not on the network when EC first discovers it via AD sync, it then logs an error 0000002e but then that's it, it never tries again - is this correct? Is there no way to get the EC to re-try the push either at the next synchronisation or every two hours or something? If not then it will require us to manually contact the user, get them to plug it in, then Right click > Protect computers (or delete all the errored devices several times a day) - this is obviously no good. Another option of course is AD logon scripts or deploying with Zenworks or SMS, but that's just rubbish compared to the EPO set up; I want as much automation as possible with little administrator interaction.

Anyone any ideas?

Thanks,

Paul


  • Hi Paul,

    Unfortunately all I can tell you is that the last time I worked on this with Sophos support it was NOT possible and all I could do was put in a feature request (which I never heard back on). This was at EC 3.0 I believe, and I know that this feature wasn't available in 4.0 and probably is not in 4.5, as it sounds like you are running 4.5.

    As you said before, the other option was with a logon script, which we didn't want to do either. So far we've just dealt with deleting the objects from the console and re-trying it if it wasn't able to install on sync on a valid machine. However, it sounds like you might have a much bigger environment with more "problem" machines that you would need it to re-try on. Hopefully Sophos support can chime in with a better solution.

  • Hi Paul,

    There is in existence a feature request for this issue of having an AD sync attempt to install more than just the first time a machine is found. If you or any other customer would like this as a feature in a future release, you can always add your weight to the feature request by raising this with the support team.

  • Hello, thanks for getting back to me on this, both of you. It looks like I'm going to end up spending a whole lot more time managing antivirus for the next six months! I'd certainly like to add our weight to the feature request; can you let me know how I can do this/who to contact?

    Thanks,

    Paul

  • No need to submit any additional feature requests; this is a feature that we are looking at for a future release. At present I can't say which release, but it is currently being looked at for next year.

  • Funny, I thought that SEC does retry the install - never gave it much thought though (we don't use AD Sync due to "a convoluted AD structure").

    Reading privan's post I remembered that I had had an issue with automatic protection during the SEC 3.0 Beta. At that time the problem was that SEC did retry the install if the client's RMS didn't register before the next sync. If you set the sync interval to the minimum (10 minutes), installation was forced over and over again ... don't tell me this feature isn't here because of my complaint :smileysurprised:

    Christian

  • I find it bizarre this feature request isn't getting more attention; it is the biggest flaw in an otherwise great product. It's a big enough flaw to make a lot of potential customers using AD sync bail out at eval stage. I purchased the product after a very rushed evaluation, and frankly couldn't believe it when I discovered post purchase that SEC couldn't handle what appears to be such a simple function.

    What's the use in great endpoint protection if you cannot be confident it is actually getting deployed to the endpoint? The amount of time I have to waste chasing rebuilt, newly added or mobile endpoints around in the console is ridiculous. Deployment via GPO/MSI would be a far better solution, but there appears to be no support for this.

  • http://www.sophos.com/support/knowledgebase/article/13090.html

    or something like it is the best bet to capture all machines as they come on-line.

    Now that setup.exe supports the group-on-bootstrap feature, it guarantees machines end up in the right group and get the policies as well.

    Jak

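The startup-script approach Jak describes, as an added example written for this thread rather than taken from the KB article or from Sophos: a script that runs at every boot, does nothing when the Sophos Agent is already present, and otherwise installs from the CID straight into the right SEC group. The CID path, the share account, the service name 'Sophos Agent', the OU-to-group mapping and the setup.exe switches (-updp, -user, -pwd, -mng, -G) are assumptions from my recollection of Sophos deployment documentation of that era; check them against the KB article before use.

```powershell
# Added example, not Sophos' own script. Safe to run at every boot because
# it exits early when the endpoint is already managed.
$Cid     = '\\SOPHOSSERVER\SophosUpdate\CIDs\S000\SAVSCFXP'  # assumed CID share
$UpdUser = 'DOMAIN\SophosUpdateMgr'   # assumed read-only account for the share
$UpdPass = 'REPLACE_ME'               # placeholder; startup scripts run as SYSTEM
$LogFile = "$env:ProgramData\SophosDeploy.log"

function Write-Log([string]$Message) {
    "$(Get-Date -Format s) $Message" | Out-File -FilePath $LogFile -Append
}

# Map the computer's AD distinguished name to an SEC group, so AD does not
# have to mirror the console layout. Illustrative mapping only.
function Get-SophosGroup {
    param([string]$DistinguishedName)
    if ($DistinguishedName -match 'OU=laptops,')  { return '\Europe\Laptops' }
    if ($DistinguishedName -match 'OU=desktops,') { return '\Europe\Desktops' }
    return '\Unassigned'   # holding group for anything unexpected, rather than failing
}

# Assumption: the RMS service that SEC manages is registered as 'Sophos Agent'.
function Test-SophosManaged {
    return [bool](Get-Service -Name 'Sophos Agent' -ErrorAction SilentlyContinue)
}

if (Test-SophosManaged) {
    Write-Log 'Sophos Agent present; nothing to do.'
    return
}

# Look up this machine's own DN via ADSI (no RSAT needed on the client).
$searcher = [adsisearcher]"(&(objectCategory=computer)(cn=$env:COMPUTERNAME))"
$dn    = ($searcher.FindOne()).Properties['distinguishedname'][0]
$group = Get-SophosGroup -DistinguishedName $dn

Write-Log "Installing from $Cid into SEC group $group"
$p = Start-Process -FilePath "$Cid\setup.exe" -Wait -PassThru -ArgumentList @(
    '-updp', "`"$Cid`"", '-user', $UpdUser, '-pwd', $UpdPass,
    '-mng', 'yes', '-G', "`"$group`""
)
Write-Log "setup.exe exit code $($p.ExitCode)"
```

Assigned as a computer startup script via GPO, this catches the laptop that only appears for an hour a month, since the check runs at its next boot rather than only at the moment AD Sync first sees the account.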

  • jak wrote:

    http://www.sophos.com/support/knowledgebase/article/13090.html

    or something like it is the best bet to capture all machines as they come on-line.


    Jak,

    For those with AD Sync in place, would the above (GPO + Scripts) cause any conflicts with there already being something in place to "sync?"

    I'm currently in the planning stages of our console upgrade, and had my eye on AD Sync. After reading through this thread, I'm hesitant about setting up AD Sync, and kinda feeling premature heartaches about it. :smileysad:

  • You could run ADSync to keep the structure synced in SEC and use start-up scripts, it wouldn't be worth using the auto-deploy part of ADSync as well though in my opinion.

    Auto protect from within ADsync will not attempt deployment to a machine that has been protected or attempted to be protected.

    The downside for me using AD sync is, unless your AD container hierarchy mirrors your intended policy assignment, you might have to create additional AD containers and move machines to them just to be able to assign new policies.

    For example purposes, if you have an AD container "\germany\servers\", that container might have a SQL server and an AD server. This means you can only apply one AV policy to both machines. So you have to exclude all the files you need to exclude on each for both in the one policy. Unless you start creating:

    \germany\servers\SQL\

    \germany\servers\AD\

    create 2 SAV policies and link them, which might be fine or might end up making your AD more complex than needed.  This is just one example.

    Also unless you create single sync points on specific containers you'll be creating more groups in SEC than you require and I've found increasing the number of groups can slow down Enterprise Console GUI.  We're talking 1000+ but on a large AD structure this could happen.

    Ultimately the decision to use AD sync depends on the individual company structure in AD and if based on that structure it is possible to have one Sophos policy of each type per container.

    Jak

  • Thanks for the info!

    When it comes to AD Sync for us, I decided to leave Servers out of it. They just don't get added to the domain as often as workstations, and they are the ones that typically require more customization with policies anyhow.

    Since policies can't be managed through some sort of global policy management feature within the console, making any sort of "same" changes (ex: exclusions) to specific sets of policies becomes tedious IMO. With a large environment like ours (1000+), it's almost a given that strategic planning has to be processed beforehand, like major consolidation of policies.

    You mentioned the mirroring of AD hierarchy, and I have a question about that. Does it really have to be mirrored to work? Or do you simply have to know/point which group ties in with which group?

    For example...

    Let's say I've got AD looking like this for three locations (Germany, Paris and Roosendaal):

    EU\germany\workstations\laptops

    EU\germany\workstations\desktops

    EU\paris\workstations\laptops

    EU\paris\workstations\desktops

    EU\roosendaal\workstations\laptops

    EU\roosendaal\workstations\desktops

    In Sophos, I've got 2 EUROPE groups that would (currently like this with older console) house all EUROPE based laptops and desktops:

    Europe\Laptops

    Europe\Desktops

    The question is... would AD Sync be able to work in this fashion... without an identical "mirror" so-to-speak?

    Like this essentially:

    [AD]                               [Sophos]
    EU\germany\workstations\laptops    <------>  Europe\Laptops
    EU\germany\workstations\desktops   <------>  Europe\Desktops
    EU\paris\workstations\laptops      <------>  Europe\Laptops
    EU\paris\workstations\desktops     <------>  Europe\Desktops

    I have not upgraded yet, so forgive me if this is a "well, duh!" thing that's obviously understandable after upgrading. :smileyhappy:
