This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Control a standalone non-domain client with domain SEC

I have SEC on my domain with about 40 clients. I have a server in the DMZ that is not part of the domain. I was able to show it to SEC by giving it the IP but I cannot install the client on it? The "Protect" option is grayed out. I want AV on that machine. I tried a bunch of free ones but none will run on "server" OS. Is there any way to push a client to it from my SEC?



This thread was automatically locked due to age.
Parents
  • Hello Sys Admin1,

    at first I thought your query is an oxymoron - Control a standalone [...] client but perhaps it's a pleonasm standalone non-domain. Or perhaps standalone is rightfully there as you want it to update from Sophos?

    If you want the server to be managed (seemingly you do) you need to open the required ports for the Remote Management System (RMS) and also the endpoints must be able to update from somewhere - normally your management server via either UNC or HTTP. The quick startup guide summarizes the necessary steps in chapters 15 and 16. It's not necessary (and it might not be possible) to push a client to it, if you can't browse to the bootstrap/update location (CID) you'd have to create a package. Anyway you have to provide this server access to the update location.

    Christian 

  • Wow, this is certain "learn something new every day" kind of a thing. Pleonasm. Never heard that one before, had to look it up ;-)

    Anyway, it looks as tough controlling the non-domain client on a DMZ is just way too much, including opening common firewall ports, such as 80. You suggested updating from Sophos directly. If this is possible, making the client truly standalone, how to I do it? Do I need to create a package?

  • Hello Sys Admin1,

    the stand-alone package that you can download from Sophos is truly SA. You can only manage it from the local GUI though. Lacking access to a local update location it has to update from Sophos (not the intended but a "tolerated" use). Drawback is you have no control over version changes. Features that require central management (mainly those with Control in their name) are unavailable.
    Creating a stand-alone package with the deployment packager would enable you to use these features (except Web Control) as well by exporting the desired policies.

    Christian

Reply Children
  • The initial step is to run DeploymentPackager.exe. However, such file doesn't exist on my SEC server.

  • Hello Sys Admin1,

    the Deployment Packager is an extra download.

    Christian

  • Got it. However, I reviewed the instructions (sdp_13_ugeng.pdf) but they are very generic and don't say much. All of the fields are empty and I do not know how to fill them. Starting with the Source Folder, I have no idea where Endpoint installation files are located. I tried a few folders in the Sophos folder but none worked. The Update Location for a standalone client is also a mystery. I assume it's a Sophos URL, but the address is not present in the instruction guide. It also asks for Username and Password? The guide also say to "always specify group membership using the -g option" but this will be a standalone client so it will not be part of any groups.

  • Hello Sys Admin1,

    Source Folder - in a SEC Updating Policy the Initial Install Source,  a CID, \\...\SophosUpdate\CIDs\Snnn\SAVSCFXP\
    Update Location - as with SEC policies you can't use Sophos as Primary and you'd have to set something there (best option is some HTTP address with a definitely non-existing hostname like not.here.yourdomain.com/.../) and then check Use a secondary locationa Sophos URL, but the address is not present - never use an explicit URL when referring to Sophos as update location, where it's possible to use it the GUI provides Sophos in a drop-down
    Username and Password? - when updating from Sophos your license credentials

    You're correct regarding the group option

    Christian 

  • Excellent, thank you. The Source Folder path I had was a bit different: C:\ProgramData\Sophos\Update Manager\Update Manager\CIDs\S000\SAVSCFXP

    But I found it based on the "SAVSCFXP" string you gave.