Sophos Update Manager - WebCID based on Apache HTTPD instead of IIS?

I think the title pretty much says it all... Is it possible to set up a WebCID using Apache on Linux rather than IIS (and therefore Windows)?

If it *is* possible, is there any support/documentation on the process?

Thanks

  • Thanks for the input. After a few hours, I've got it running. Here are some steps if you want to do it with Apache.

    1. Read the official manual to understand the updates: https://community.sophos.com/kb/en-us/38238
    2. Synchronise the folder from the Sophos server where "CIDs" and "Warehouse" are visible (default: "C:\ProgramData\Sophos\Update Manager\Update Manager\").
      You can do it with WinSCP. Install WinSCP on the Sophos server and create a script. The following script needs to be changed with your settings.
      Save the script and create a Windows task on the Sophos server. I've scheduled the task for every 15 minutes. The Sophos server gets updates every 10 minutes, but I don't want to upload so often.
    3. We use the Apache server of our hosting provider. It works perfectly. On the Apache server I needed to add the MIME type "application/sophos-x" for every file extension (for example: bdl) manually. See https://community.sophos.com/kb/en-us/61560 for the full file extension list.
    4. In the Sophos Enterprise Console: open the updating rule and add the link to the folder where "CIDs" and "Warehouse" are visible (something like: http://<server>/<foldername if needed>).
      Important: HTTPS is NOT supported. In my opinion that's not great, but it works. Details: https://community.sophos.com/products/endpoint-security-control/f/sophos-endpoint-software/172/sophos-endpoint-updates-over-https/296#296

     

    EDIT 10.01.2019: Important. The following WinSCP script is not working perfectly.

    1. Obsolete files are not deleted on the web server. (I guess it is the option "-delete": https://winscp.net/eng/docs/scriptcommand_synchronize)

    2. Log files are growing to 1.3GB within 5 days. (solution: https://winscp.net/eng/docs/commandline#logging)

    3. 84 files are different. Could be a transfer mode issue: https://winscp.net/eng/docs/transfer_mode

    I'm going to analyse and test these issues. Maybe someone else has a finished and functional WinSCP script?

     

    WinSCP-Scriptcode of step 2 (change settings for your needs)

    # 05.01.2019, Michael Nydegger, ft systems gmbh
    # Upload Sophos-Update-Files to hoster for downloading them over the internet.
    # Manual for scheduled file transfers: winscp.net/.../guide_schedule

    # open session
    open ftpes://<username>:<password>@<server>/ -certificate="*****"

    # command: winscp.net/.../scriptcommand_synchronize
    # Sync Folder (mirror = newer and older files)
    synchronize remote -mirror "C:\ProgramData\Sophos\Update Manager\Update Manager"

    exit

    # Execute the script using a command like:
    # "C:\Program Files (x86)\WinSCP\WinSCP.exe" /log="C:\<path>\WinSCP.log" /ini=nul /script="C:\<path>\sophos-update.txt"

     

    We monitor new file extensions on the Sophos server in the folder "C:\ProgramData\Sophos\Update Manager\Update Manager\" in case Sophos adds a new file extension. Then we need to add the new extension to the MIME type list of the Apache configuration. I've written a PowerShell script which is checked through our monitoring system.

    I hope this helps others to implement an Apache-based Sophos WebCID.

    Michael
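
The extension check described in the post above, sketched as an added example (not the poster's script and not Sophos code): it lists file extensions under the synchronised folder that no `AddType application/sophos-x` line covers. It assumes the MIME types are set with Apache `AddType` lines; the function names, the sample tree, the `.newext` extension and the exit code are constructed for illustration.

```powershell
# Added example, not the script from the post. Assumes the MIME types are
# configured with Apache "AddType" lines (httpd.conf or .htaccess).
function Get-RegisteredExtension {
    param([string[]]$ConfigLines, [string]$MimeType = 'application/sophos-x')
    foreach ($line in $ConfigLines) {
        $parts = $line.Trim() -split '\s+'
        # Syntax: AddType <media-type> <extension> [<extension> ...]
        # Commented-out lines start with '#', so their first token never matches.
        if ($parts.Count -ge 3 -and $parts[0] -ieq 'AddType' -and $parts[1] -ieq $MimeType) {
            $parts[2..($parts.Count - 1)] | ForEach-Object { $_.TrimStart('.').ToLowerInvariant() }
        }
    }
}

function Get-UnregisteredExtension {
    param([string]$Root, [string[]]$Registered)
    # AddType matches on the extension, so files without one are skipped here.
    Get-ChildItem -LiteralPath $Root -Recurse -File |
        Group-Object { $_.Extension.TrimStart('.').ToLowerInvariant() } |
        Where-Object { $_.Name -and $Registered -notcontains $_.Name } |
        ForEach-Object {
            [pscustomobject]@{ Extension = $_.Name; Files = $_.Count; Example = $_.Group[0].FullName }
        }
}

# Constructed sample data: placeholder files and a one-line config fragment.
$root = Join-Path ([IO.Path]::GetTempPath()) ("webcid-ext-" + [guid]::NewGuid())
foreach ($rel in 'CIDs\sample.bdl', 'Warehouse\sample.newext') {   # .newext is made up
    New-Item -ItemType File -Path (Join-Path $root $rel) -Force | Out-Null
}
$config = @('# constructed fragment', 'AddType application/sophos-x .bdl')

$missing = @(Get-UnregisteredExtension -Root $root -Registered (Get-RegisteredExtension $config))
$missing | Format-Table -AutoSize      # one row per extension without a MIME mapping
Remove-Item -LiteralPath $root -Recurse -Force
if ($missing.Count -gt 0) { exit 2 }   # assumed convention: non-zero exit raises an alert
```

In production, `$root` would be the Update Manager folder and `$config` the output of `Get-Content` on a copy of the Apache configuration.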

  • Hello Michael,

    great!

    Two comments:

    >HTTPS is NOT supported
    it's not really a big problem (the mechanism used in Central and by SUM in SESC already does it though) since catalogs and hashes are used to assure a CID's integrity

    >synchronise the folder
    if an update is in progress while you copy, the WebCID might be inconsistent, resulting in failed downloads

    Christian

  • Hi Christian

    Thanks for your response.

    >if an update is in progress while you copy the WebCID might be inconsistent resulting in failed downloads

    Good point. I haven't thought about it. How would you solve this issue? I guess the Sophos-Client will just try again, won't it?

    Michael

  • Hello Michael,

    >the Sophos-Client
    the AutoUpdate component, to be exact, will of course continue to regularly check for updates. It will "tolerate" one failed update before presenting the red cross on the taskbar icon. You should perhaps adjust the AutoUpdate interval.

    There's no interface to synchronize the copy. Most of the time there are only a few changes to the CID so it shouldn't be much of a problem most of the time. It's just something you should be aware of.

    Christian
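
A way to measure the differences discussed in this thread (obsolete files left on the web server, files whose content differs, a copy taken while an update was in progress), as an added example that is not from any poster: it hashes two directory trees and classifies every path. It assumes a copy of the mirrored folder is available as a local directory; the function names and the demo files are constructed.

```powershell
# Added example, not from the thread. Needs PowerShell 4.0+ for Get-FileHash.
function Get-TreeManifest {
    param([string]$Root)
    $base = (Resolve-Path -LiteralPath $Root).ProviderPath
    $manifest = @{}
    Get-ChildItem -LiteralPath $base -Recurse -File | ForEach-Object {
        # Key: path relative to the root; value: SHA-256 of the file content
        $rel = $_.FullName.Substring($base.Length).TrimStart('\', '/')
        $manifest[$rel] = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
    }
    $manifest
}

function Compare-Mirror {
    param([hashtable]$Source, [hashtable]$Mirror)
    foreach ($path in $Source.Keys) {
        if (-not $Mirror.ContainsKey($path)) { $state = 'MissingOnMirror' }
        elseif ($Mirror[$path] -ne $Source[$path]) { $state = 'ContentDiffers' }
        else { continue }
        [pscustomobject]@{ State = $state; Path = $path }
    }
    foreach ($path in $Mirror.Keys) {
        if (-not $Source.ContainsKey($path)) {
            [pscustomobject]@{ State = 'ObsoleteOnMirror'; Path = $path }
        }
    }
}

# Constructed demo: placeholder files standing in for the two trees.
$tmp = Join-Path ([IO.Path]::GetTempPath()) ("webcid-cmp-" + [guid]::NewGuid())
$src = Join-Path $tmp 'source'; $dst = Join-Path $tmp 'mirror'
New-Item -ItemType Directory -Path $src, $dst -Force | Out-Null
[IO.File]::WriteAllText((Join-Path $src 'same.dat'), 'unchanged')
[IO.File]::WriteAllText((Join-Path $dst 'same.dat'), 'unchanged')
[IO.File]::WriteAllText((Join-Path $src 'text.dat'), "a`r`nb")   # CRLF on the source
[IO.File]::WriteAllText((Join-Path $dst 'text.dat'), "a`nb")     # LF, as after a text-mode transfer
[IO.File]::WriteAllText((Join-Path $src 'new.dat'), 'not uploaded yet')
[IO.File]::WriteAllText((Join-Path $dst 'old.dat'), 'no longer on the source')

Compare-Mirror (Get-TreeManifest $src) (Get-TreeManifest $dst) |
    Sort-Object State, Path | Format-Table -AutoSize
Remove-Item -LiteralPath $tmp -Recurse -Force
```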