
Upgrade SEC from 5.4.0 to 5.5.0

Hi,

I would like to do a standalone, in-place upgrade of SEC from 5.4.0 to 5.5.0. Reading through the installation and release notes, I came across this KB (https://community.sophos.com/kb/en-us/124873) regarding TLS 1.2.

The article states, 'Windows - All supported versions are compatible'. How do I find out which are the supported versions and if we have any clients running unsupported versions?

Thanks for any help.



  • Hi warnox,

    The below table might help you with the TLS 1.2 supported Windows OS.

    Windows OS Version SSL 2.0 SSL 3.0 TLS 1.0 TLS 1.1 TLS 1.2
    Windows XP & Windows Server 2003 X X
    Windows Vista & Windows Server 2008
    Windows 7 & Windows Server 2008 R2
    Windows 8 & Windows Server 2012
    Windows 8.1 & Windows Server 2012 R2
    Windows 10 & Windows Server 2016

    Hope it helps

    Regards,

    Gowtham Mani
    Community Support Engineer | Sophos Technical Support


  • Thanks, I wasn't sure if it was referring to a Windows version or Sophos client version.

    So basically, if there are 2003/XP machines in the environment we can't upgrade past 5.4.0?

  • Hello warnox,

    according to the unsupported RMS article (note it's from January) all current Windows versions (certainly 10.6.4+ with RMS 4.0.8+) are compatible. XP SP3 have upgraded to 10.7.2.

    Christian

  • Thanks Christian. Maybe I'm missing something but I can't see a mention of 10.6.4+ with RMS 4.0.8+ being compatible with SEC 5.4.1+ in that article?

    I guess the question is, at what Endpoint/RMS version did TLS 1.2 become compulsory, because then I would just need to make sure all the endpoints are at that version or above.

  • Hello warnox,

    sorry for the delayed reply, I've been away.

    I can't see a mention of 10.6.4+ [...] being compatible
    SEC 5.4.1 came out a year ago, at this time All supported [SESC for Windows] versions (you've quoted this in your initial post) definitely included even 10.6.3.

    at what Endpoint/RMS version did TLS 1.2 become compulsory
    compulsory is perhaps not the right word and it's not the RMS version that mandates TLS 1.2 but SEC. The SEC 5.4.1 - Use of ... article has more details. The simple conclusion is though: Any Windows endpoint that is up-to-date is "compatible" with SEC 5.4.1/5.5.0.

    Christian

  • No problem, thanks for your reply.

    Ok, so basically the installer checks if you have any devices using endpoint software which doesn't support TLS 1.2? And fails if this is the case.

  • Hello warnox,

    the installer checks
    yes, the bootstrapper queries the database. With 5.4.1 it and the Server MSI didn't absolutely agree on the check and if you had endpoints with an empty AV version the MSI was started but subsequently failed.

    Christian

  • Thanks, hopefully in 5.5.0 they do agree :)

  • Hi 

    So I’ve been back and forth with Sophos support, and they won’t help me until we upgrade our version of Sophos Enterprise server from 5.2.0 to 5.5.0.

     I ran the 5.5.0 installer on our server, and I hit an issue regarding RMS. 

    You have managed computers running a version of RMS unsupported by Enterprise Console

    Looking on the net, Windows XP and Server 2003 can't run TLS 1.2.

    https://blogs.msdn.microsoft.com/kaushal/2011/10/02/support-for-ssltls-protocols-on-windows/

    I have extended support for XP & Server 2003, I'm worried if I upgrade SEC to 5.5.0, the XP and Server 2003 will stop receiving their updates.

    Has anyone upgraded to 5.5.0 and can confirm the XP and Server 2003 machines can still receive updates?

    Look forward to hearing from you.

    Regards

    Thomas

     

  • Hello Thomas,

    anyone [...] can confirm
    anyone other than yours truly who said so late December 2017? Note that RMS comes with its own libraries, it doesn't rely on OS support.
    In addition, RMS is "only" the management component, it doesn't affect updating. If RMS fails you would, of course, neither get the status of the endpoint nor be able to change its policies but if updating has worked before it would continue to do so.

    Christian

  • Hi Christian,

    I see, thanks for clearing that up. I was worried that the legacy XP & Server 2003 machines would stop communicating when upgrading to 5.5.0, updates & policies.

    Thanks for all your help.

    Regards

    Thomas

  • I managed to update mine from 5.4.0 to 5.5.0 and 2003 machines are still reporting in but I didn't get any warnings during pre-checks. Suppose you need to update the RMS component on the affected machines before upgrading SEC.

  • Hello warnox et al.,

    update the RMS component
    just as AutoUpdate and the other (sub-)components you can't selectively update RMS - their version is determined by the Anti-Virus version. In addition as the relevant articles say all "current" Windows versions already fulfilled the requirement when SEC 5.4.1 was released.

    Christian

  • Our 2003 servers are running 10.7.6 so I guess the latest Anti-Virus version still supports this legacy OS.

    "all "current" Windows versions already fulfilled", is a bit confusing as 2003 isn't a current (or supported) version of Windows.

  • Hello warnox,

    version of Windows
    my bad, should have said "current" Sophos Anti-Virus for Windows versions. And supported can have three meanings: Relating to support of the SAV version by Sophos, relating to support of the platform by SAV/Sophos, and relating to support of the platform/Windows version by Microsoft.
    As already mentioned there's also a lot of confusion regarding RMS and its protocol support vs. Windows and supported SSL/TLS versions.

    Christian

  • Hi Christian,

    I tried to proceed with the install, but it won't let me get past this point.

    What version of Sophos Anti Virus contains the old version of RMS?

  • Hello Thomas,

    if it's due to an old version of SAV then these should be only Mac OS X or Linux endpoints that also are out-of-date.
    More likely you have endpoints that show an empty SAV version.

    Christian

  • I found out that it was three Mac OS X machines in the console that were preventing the installer from continuing.

    Thanks for your help Christian.