Thread Info
  • State Not Answered
  • Locked Locked
  • Replies 5 replies
  • Subscribers 1 subscriber
  • Views 2477 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

New to Sophos - looking for tips

MurphysLaw

I've recently been put in charge of Sophos at my corporation, the individual who has done it before is retiring. He's done his best to transfer his knowledge over - but I feel a lot of the way he has done things could be improved. I am also looking at redesigning the architechture. (oh we're using product 9.5)

Are there any Sophos 'best practices' for the way the SUM servers should be built? Any product technical guides I could look at for ways to design/maintain/build Sophos?

Would anyone share how they have it designed in a largish corporation? We have about 15,000 computers we are protecting.

Thanks!

ETA: Clarification

:5756


This thread was automatically locked due to age.
  • 0

    Wow, where to start... :)

    If I was tasked with a 15,000 deployment, here are some of the first questions I would want answering.  I'm not sure if you're looking to start afresh but here goes.

    1. Establish the topology of Sophos deployment, distributed / compact install.

    For 15,000 I would be looking at a distributed install, that is dedicated database server and dedicated management server.

    Without that the specification of a single box would have to be quite pretty impressive to support 15,000 machines and even then relays would have to be used. 10K is the "supported" case for a single box.  After which it goes up to 25K with message relays.

    I would suggest 2008R2 for SEC and 2008R2 running SQL 2008 sp2.  I would avoid plain Windows 2008 for the SEC machine and choose 2003 R2 over that if R2 wasn't available. 4GB of RAM would be a minimum for each.  Dedicated physical drives for SQLdata and possibly event logs, i.e. mdf and ldf.

    So at this point, I have SEC 4.5.1 installed with a remote database.

    If 2003 R2 was used following:

    http://www.sophos.com/support/knowledgebase/article/14243.html

    should be done.

    2. Next I would want to know the packages I need to service all my endpoints.  E.g. Linux. Windows 2000+, Mac.

    The next question is if I require the latest in all cases or to stick on latest -1 as a more cautious approach.  I guess the "importance" of the machines being covered is one reason for choosing a fixed version.  Bandwidth might be another, as a fixed version would not have such a large monthly download.  Having said that, the number of subscriptions includes complexity so I would try and keep the number of subscriptions to a minimum.

    So for this example, I will have Windows, Mac.  I will choose the latest for Mac, I will choose the latest for Windows plus a fixed version of the windows package.  This should be 2 subscriptions.  I would label them something like:

    "Recommended" (default)
    "Fixed 9.5.3 Windows 2K+"

    I would apply these to the local SUM, wait for the distribution points to be populated and using the "bootstrap locations" dialog in SEC make a note of the update paths and the versions they have.

    3. As I foresee multiple SUMs in this environment I would then make this SUM the Authority as per:

    http://www.sophos.com/support/knowledgebase/article/57638.html

    It is important to note that, the SUM that is authoritative should be subscribed to all subscriptions throughout.

    4. Not sure if ADSync is appropriate but I would suggest avoiding it if possible.  Enabling it fixes you with applying policies to AD containers essentially, so unless your AD tree divides everything up in "AV policies", "updating policies" etc, it's probably not for you.

    The next step would be to protect the SEC server and database server with Sophos.  I would recommend exclusions for the database server. So I would first create groups in SEC at least.  

    \Site1\Sophos\SEC

    \Site1\Sophos\DB

    For example, I would assign the DB group and AV policy for SQL servers.  This mainly includes following:

    http://www.sophos.com/support/knowledgebase/article/60468.html


    Once both the servers are protect and managed in SEC, I know RMS and everything is working so a good platform to build from.  I appreciate I have the distribution points on the SEC server.  This should be ok depending on a number of factors.  E.g. Updating interval, server location, other roles (hopefully none other than Sophos).  If this becomes a problem I would want to offload the distribution points to a filer or dedicated file server/web server.

    5. The next task is setting up RMS and updating infrastructure for the clients.

    With 15,000 machines, we need message relays:
    http://www.sophos.com/support/knowledgebase/article/14635.html

    I will assume for this example there are 3 sites of 5000 machines.  In this case I would be looking to install a Sophos server at each site.  It would run a SUM and a message relay.  

    I would advise for the most elegant solution, that message relays are used throughout so even at the SEC server site, a relay is put in.  This will enable the SEC server to have a low number of connections to the message router.  The danger of having the local 5000 clients all reporting to the server along with the 2 remote relays is that the 2 relay connections are just treated like clients, so if there is any contention for resources, the remote sites will suffer.  It also makes troubleshooting easier.  Plus during an outbreak you can potentially shut off reporting independently of site.

    At this point I now have:

    At the main site 3 servers: SEC, DB, RelayServer. (possibly a file server)

    At 2 the child sites, 1 machine. SUM and Relay.  The 2 child SUMs should be subscribed to the same subscriptions as on the parent.  Creating subscriptions per SUM is not required.

    Again, if 2003 R2 was used for the relays:

    http://www.sophos.com/support/knowledgebase/article/14243.html

    should be done.

    In creating the relays, Sophos would be installed, so in SEC I should see all 5 machine managed and appropriate groups created.  At this point the updating and messaging infrastructure should be setup.

    6. Now comes the task of finding machines, creating groups, defining policies and protecting the clients.  The techniques for this can be varied to "catch" them all.

    AD search should be used if AD is well managed and current.  This is a fast way of getting the machines records.

    Once happy with the group structure and the majority of machines records are in the right groups, I would start defining policies.  This way as soon as the machines are protected they should pickup their intended policy.

    For machines that aren't on much, e.g roaming Sales laptops (not a dig at Sales people :)), I would think about AD start-up scripts, something along the line of:

    http://www.sophos.com/support/knowledgebase/article/13090.html

    this is also acceptable in my view for machines being imaged.  Typically they go through a test phase after being imaged, so at this point Sophos should be installed by the start-up script and I can ensure it is in the right SEC group and thus have the right policy before shipping it to a user.

    When setting up deployment scripts, the first step is establishing the deployment string required.  As I've mentioned before in another post, protecting a test machine and grabbing the deployment string from the created scheduled task is my preferred method.  It saves messing about with obfuscationutil and ensures I get all the right switches.  Having said that, looking at:
    http://www.sophos.com/support/knowledgebase/article/12570.html

    is worth while, as there are a few extra ones that might be added.

    I would probably use SEC to deploy to machines that are typically always on, like servers and workstations.  Remembering that the account you deploy with in SEC needs:

    1. To be able to log onto the SEC server.

    2. Needs admin rights on the target machine, best test is if it can create a scheduled task on the machine and access the registry remotely.

    I think that's about it.  I've possibly glossed over the setting up of the message relay CIDs but as long as you don't start protecting clients before they are all setup and working you can take your time ensuring this part of the infrastructure is working.  After protecting the first client from the "relay" CID, check the parent address of the machine in the registry key under:

    hklm\software\sophos\messaging system\router\parentaddress.

    This should point to the relay and not the SEC server.

    That's about all I can think of for now.  If I can offer one piece of advice, keep it as simple as possible and ensure the updating and messaging infrastructure are in place and working before moving on to clients.

    Good luck,

    Jak

    :5760
  • 0

    Jak, Im intrigued at the point you said about not using 2008 and only use R2. We currently have our sophos server running on 2008. I cant see many noticeable problems with it but would be interested to know whats better with R2!

    Cheers

    Dave J

    :5762
  • 0

    Hello MurphysLaw,

    Here is my Welcome to Sophos Template:

    What are system requirements to run Sophos software products?

    http://www.sophos.com/products/all-sysreqs.html

    Understanding Sophos Updating Credentials on your License Schedule:

    http://www.sophos.com/support/knowledgebase/article/12194.html

    Where do I download Sophos products from?

    https://secure.sophos.com/support/updates/

    Where can I find Sophos documentation?

    http://www.sophos.com/support/docs/view-all-documents.html

    How do I acquire technical assistance?

    - Via phone at +1 888 SOPHOS 9 (24 hours)

    - Via e-mail at support@sophos.com

    - Via our support web form at http://www.sophos.com/support/query/.

    - We also have the SophosTalk forum at http://community.sophos.com/.

    What types of technical assistance are available from Sophos?

    Break/Fix: http://www.sophos.com/support/services/technical.html

    Consulting: http://www.sophos.com/support/services/proservices.html

    Training: http://www.sophos.com/support/services/training.html

    Where can I subscribe/unsubscribe to communications from Sophos?

    https://secure.sophos.com/security/notifications/

    Where can I go to find out about upgrades for Sophos products?

    http://www.sophos.com/support/upgrades/

    What are best practices for Sophos Endpoint Security and Control?

    http://www.sophos.com/support/knowledgebase/article/63556.html

    What network ports do Sophos products use?

    http://www.sophos.com/support/knowledgebase/article/38385.html

    Where can I find how-to guides for Endpoint Security and Control?

    http://www.sophos.com/support/knowledgebase/article/62133.html

    What preparations should be made on the endpoints to be protected via an install from the Enterprise Console? (articles reference specific errors, but have excellent bullet-point lists for each OS)

    Windows XP/2003: http://www.sophos.com/support/knowledgebase/article/29287.html

    Vista/2008: http://www.sophos.com/support/knowledgebase/article/15027.html

    Windows 7: http://www.sophos.com/support/knowledgebase/article/62730.html

    Are there any recommended items to exclude from scanning?

    http://www.sophos.com/support/knowledgebase/article/35970.html

    Where can I find out more about malicious detections, controlled applications, and controlled devices?

    http://www.sophos.com/security/analyses/viruses-and-spyware/

    http://www.sophos.com/sophos/docs/eng/papers/sophos-threatsaurus-a-z-en.pdf

    How do I submit a suspicious file or files to Sophos for evaluation?

    http://www.sophos.com/support/knowledgebase/article/11490.html

    :5779
  • 0

    First of all, thank you all very much! much to read and to come back to.

    A little more info.

    We are currently running Windows Server 2003 R2, our boxes seem to be plenty strong. Quad core, 4 gb ram. We have SQL on a separate box. We have 3 servers, one houses the enterprise console and a SUM server, the other two are SUM with message relays. All 15k are in one location.

    We support Windows and Mac, fixed versions for our servers, recommended for normal workstations.

    Currently, we have different subscriptions on 3 different servers. Some clients update straight to SUMserver 1, some to SUMServer 2 and so forth. This to me seems like a strange way to to handle this. Can you tell me more about this authoritative update manager? This seems like the way to go.

    THANKS!

    :5782
  • 0

    Hi,

    The authoritative SUM server is the one the Sophos Management Service chooses as the authoritative with regards to the package information as sent in with a status message from the SUM.  This can be hard coded to be one server using the registry key.

    Say you have 3 SUM servers and 3 subscriptions.  Each SUM server has a different subscription for example:  "9.5.1", "9.5.2" and "9.5.3".  The management server would need to be aware of all 3 subscriptions and store package information for all 3 in the database. Say you have 3 clients updating from those distribution points, when the clients send in their status messages, they would need to match the package information in the database in order for a comparison for up to date status to work.

    So for example on the SEC server you would subscribe to all 3 subscriptions and make the SEC SUM, the authoritative.  That way as soon as it has finished updating the CIDs for those subscriptions it sends in a status message which is treated by the management service as authoritative and writes the package information into the database.

    That way any clients that have already picked up the update can be correctly classified with regard to their up to date status.

    This post has more info on the up to date status:

    Thanks,

    Jak

    :5798
Unfiltered HTML