Hi,
Has anyone gone through this process in a live environment? Care to share your experience?
Paul
Hello pdl,
Not counting the beta, I have migrated to management servers and one additional child library early in November, so what I say is to the best of my recollection but not necessarily accurate.
What's new?
Sophos Update Manager (SUM) which is the successor to EM Library
- a new user SophosUpdateMgr is created (you will not be asked for a password, and if you have only management server this is not a problem). Using SophosUpdateMgr as a search term you'll find two articles (61397 and 65318) which could be of interest
- this new user will also be used by default in the updating policies
- there could be an issue with this account (see this post)
- EM Library will be upgraded to 1.3.3 during the install (and its install location will change), settings will be migrated
- SUM uses a new location for the CIDs and a new naming scheme
Device control
- the configuration is moved into its own policy (from application control)
Roles and Sub-estates
... and some more. Best Practices contains some useful links.
Migration Process
- back up your database (SOPHOS3) and EM Library settings (just in case)
- When SEC4 is run for the first time it will try to migrate your updating policies. It will work only with "simple" configurations (i.e. no WebCIDs, no FQDNs or IP addresses and the same CID-host for all platforms, no custom packages). A failed migration is not the end of the world though (you'll have to write the new policies by hand). No change is made to the existing policies and assignments, it continues to run as before.
- Due to the restructuring of the CIDs and depending on the original policies new Software Subscriptions (which replace the "packages") will be created. This might result in a product downloaded more than once and since EM Library is still present space requirements will increase significantly. Furthermore the download process has changed and uses some (a lot of?) extra working space - so make sure you have ample free disk space.
- If you have customised packages or made changes to the CIDs (e.g. mrinit.conf) you have to re-apply the changes
- do not forget Device Control policies
Child libraries
- All Update Managers can now be managed from the central console (therefore it is expected that the servers running the children communicate with the parent via RMS)
- The same share is used for downloads by SUM and client-updates
WebCIDs
- changes to the update location require changes on the webserver
These are the topics which immediately came to mind. Feel free to ask if you have specific concerns.
Christian
Hi,
we have migrated our production library to 4.0. There was one problem which took some time to diagnose and sort out: Our library communicates with Sophos through a proxy.
What we found out (support was very helpful with the debugging - yes, Mr. Maul, if you read this, that means you :-) is that SUM has issues with proxy communication. At first we attempted to allow anonymous proxy access towards Sophos, but that didn't help. Our firewall guys found that the SUM did not communicate with the proxy at all. It seems that SUM tries local DNS resolution of the uplink address before accessing the proxy, and that is not successful in our environment.
The temporary solution: We have allowed SUM to do outbound HTTP on port 80 through the firewall towards the dedicated addresses, and we entered the IP addresses for the update server into the local hosts file of the machine.
In an environment where clients are able to resolve DNS for internet addresses, this will not happen.
The addresses for which we had to allow outbound access and which had to be put into hosts:
d1.sophosupd.com
d2.sophosupd.com
d3.sophosupd.com
d1.sophosupd.net
d2.sophosupd.net
d3.sophosupd.net
dci.sophosupd.com
dci.sophosupd.net
es-central-3.sophos.com
These addresses will resolve differently as they are hosted by Akamai. Actually, there were only two IP addresses behind these names, so the work for our firewall guys was bearable. :-)
AFAIK, this should be fixed with a new release of SUM in the near future, so we might switch back to proxy communication.
Best regards,
Detlev
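The hosts-file workaround in the post above pins names whose addresses can change, so the pins and the matching firewall rules need periodic checking. The following is an added example, not part of the original thread or any Sophos tooling: it audits hosts-file text against the hostnames listed in the post. The sample file, its 192.0.2.x addresses and the `resolve` callback are constructed assumptions.

```python
import ipaddress

# Hostnames copied from the post above.
UPDATE_HOSTS = [
    "d1.sophosupd.com", "d2.sophosupd.com", "d3.sophosupd.com",
    "d1.sophosupd.net", "d2.sophosupd.net", "d3.sophosupd.net",
    "dci.sophosupd.com", "dci.sophosupd.net", "es-central-3.sophos.com",
]

# Constructed sample hosts file; addresses are documentation-range placeholders.
SAMPLE_HOSTS = """\
# constructed sample
192.0.2.10  d1.sophosupd.com d2.sophosupd.com d3.sophosupd.com
192.0.2.10  d1.sophosupd.net d2.sophosupd.net   # inline comment
192.0.2.20  DCI.sophosupd.com dci.sophosupd.net
192.0.2.20  es-central-3.sophos.com
"""

def parse_hosts(text):
    """Return {hostname: [ip, ...]} from hosts-file text, in file order."""
    table = {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()   # drop comments, split on whitespace
        if len(fields) < 2:
            continue
        try:
            ip = str(ipaddress.ip_address(fields[0]))
        except ValueError:
            continue                             # malformed address: skip the line
        for name in fields[1:]:                  # one line may carry several aliases
            table.setdefault(name.lower().rstrip("."), []).append(ip)
    return table

def audit(text, required=UPDATE_HOSTS, resolve=None):
    """Report missing pins, the addresses the firewall must allow, and stale pins.

    resolve (hypothetical callback): hostname -> set of currently valid IPs.
    Assumption: the first hosts entry for a name is the effective one.
    """
    table = parse_hosts(text)
    missing = [h for h in required if h not in table]
    firewall_ips = sorted({table[h][0] for h in required if h in table})
    stale = []
    if resolve is not None:
        stale = [h for h in required
                 if h in table and table[h][0] not in resolve(h)]
    return {"missing": missing, "firewall_ips": firewall_ips, "stale": stale}

if __name__ == "__main__":
    print(audit(SAMPLE_HOSTS))
```

For a live comparison, run it from a machine that can resolve Internet names and pass `resolve=lambda h: set(socket.gethostbyname_ex(h)[2])`.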