
Q: Two Mgmt Consoles - Newly inherited!

Hi, I have inherited a setup which looks like this.

1. 200-user site, with around 5 small site-to-site VPN tunnels; adding a further 50 users
2. 100-user site, with further site-to-site VPNs; adding a further 75 users

Around 500 endpoints in total, including servers and laptops (all Windows).

However, at each of the two locations there is a management console running, and each 'manages' its own endpoints plus its own nearest sites over VPN... clients are pushed from each management point and update from the same, etc.

There is no overall view of the estate, and it all seems a bit confusing.

Completely new to Sophos and still getting used to it, so I really wanted to ask if anyone had any pointers on the best route to having a single management point managing all clients (with maybe two update points?), and what the best steps would be. Not sure if I still need more than one local update point; the sites have reasonable links, so probably not.

Is it a case of just re-pushing to all clients from the console we want to keep, so it effectively takes over? Clients also look to have been added manually rather than from AD... lots of stale objects.

Again, any pointers or good docs to read would be really appreciated, as unfortunately the previous IT team who configured it are no longer here and there is very little documentation. Previously I have used McAfee / ePO.

Thanks


  • Hello JonPinball,

    If it's possible to apply Protect Computers to the "other" endpoints from the server you want to keep, this will consolidate your endpoints. How to redirect Windows endpoints to a new management server describes an alternative method.

    Whether you want one or more UNC update locations depends on the available bandwidth, security (e.g. whether SMB/NetBIOS is acceptable over the site links), and the reliability and availability of the connections.

    lots of stale objects

    You can synchronize with AD; it has some advantages but some drawbacks as well, and it would still require some manual housekeeping. But I'd recommend that you first make yourself familiar with the product, its features (and limitations), and the current installation before considering AD sync.

    Apart from the manuals on the Sophos site, there's the knowledgebase and this forum. As you're new to Sophos it's probably not that easy to use search effectively, so feel free to post your further questions here.

    Christian

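    The "manual housekeeping" before an AD sync usually starts with finding out which computer accounts in the directory are dead. The script below is an added example (it is not from this thread or from Sophos) that inventories enabled computer accounts whose lastLogonTimestamp and machine-password age are both older than a cut-off, and writes them to a CSV for review. It assumes the ActiveDirectory PowerShell module (RSAT) is installed, that the account running it can read the domain, and that 90 days is a sensible threshold for this estate; the CSV path and the optional search base are likewise placeholders.

```powershell
# Added example: inventory stale computer accounts in AD before enabling Sophos AD sync.
# Assumes the ActiveDirectory module (RSAT) and a domain-joined account with read access.
# The 90-day threshold, report path and search base are assumptions; adjust to the estate.
param(
    [int]$StaleDays = 90,
    [string]$SearchBase,                      # e.g. "OU=Workstations,DC=example,DC=local"
    [string]$ReportPath = ".\stale-computers.csv"
)

Import-Module ActiveDirectory

if (-not $SearchBase) { $SearchBase = (Get-ADDomain).DistinguishedName }

# lastLogonTimestamp is replicated (unlike lastLogon) but is only refreshed when it is
# more than ~14 days old, so read the result as "not seen for at least N days".
$cutoff = (Get-Date).AddDays(-$StaleDays)

$computers = Get-ADComputer -Filter 'Enabled -eq $true' -SearchBase $SearchBase `
    -Properties lastLogonTimestamp, OperatingSystem, pwdLastSet, whenCreated

$report = foreach ($c in $computers) {
    $lastLogon = if ($c.lastLogonTimestamp) { [DateTime]::FromFileTime($c.lastLogonTimestamp) } else { $null }
    $pwdSet    = if ($c.pwdLastSet)         { [DateTime]::FromFileTime($c.pwdLastSet) }         else { $null }

    # Machine passwords rotate every 30 days by default, so an account that has neither
    # logged on nor rotated its password since the cut-off is almost certainly a dead object.
    # Freshly created accounts that have not logged on yet are excluded via whenCreated.
    $isStale = ($null -eq $lastLogon -or $lastLogon -lt $cutoff) -and
               ($null -eq $pwdSet    -or $pwdSet    -lt $cutoff) -and
               ($c.whenCreated -lt $cutoff)

    [pscustomobject]@{
        Name              = $c.Name
        DistinguishedName = $c.DistinguishedName
        OperatingSystem   = $c.OperatingSystem
        LastLogon         = $lastLogon
        PwdLastSet        = $pwdSet
        Stale             = $isStale
    }
}

$stale = @($report | Where-Object Stale)
$stale | Sort-Object LastLogon | Export-Csv -Path $ReportPath -NoTypeInformation
"{0} of {1} enabled computer accounts not seen since {2:yyyy-MM-dd}" -f $stale.Count, @($report).Count, $cutoff

# Review the CSV first. To disable (not delete) the stale accounts after review:
#   Import-Csv $ReportPath | ForEach-Object { Disable-ADAccount -Identity $_.DistinguishedName -WhatIf }
# Remove -WhatIf only once the list has been checked against the console and known offline machines.
```

    Disabling rather than deleting keeps the SID and the option to re-enable a machine that turns out to be a rarely-connected laptop; deletion can follow after a further quarantine period.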
  • Thanks for the reply. I am spending the day tomorrow going through the setup, so thanks for the advice/links. What confuses me at the moment is update points. Clients have 2 at the moment: one local management server and, I presume, a fallback to Sophos FTP. However, if we migrate all endpoints to one server, how do I tell the endpoints previously on the second server (at the remote site) that they still need to update from their local box? Does it work it out on ping, or is it simply a case of creating additional packages to send to those clients (so management is one point, but updates are another)? Sorry for the long explanation...
  • Hello JonPinball,

    fallback to sophos FTP

    The address is likely just Sophos, though the protocol is not FTP but HTTP, and furthermore it's a nifty mechanism which does more than just download some files.

    how do I tell the end points [...] they need to still update from their local box

    Endpoints are organized in groups; all the groups except the special (topmost) Unassigned have policies assigned, one of them being the Updating policy, which defines a (required) Primary location (UNC or HTTP), an optional Secondary (UNC, HTTP or the special Sophos address) and an Initial Install Source.

    [excursus] creating additional packages to send - while you can create packages for deployment, Protect computers from the console works differently [/excursus]

    The Initial Install Source (which is only needed for deployment from the console) defaults to the Primary location; you can optionally specify a different valid UNC path, and you have to specify one if the Primary location is HTTP.

    Thus: AutoUpdate is installed from the applicable UNC location in the policy; it is configured to update (i.e. perform the rest of the installation) from the Primary, and after RMS has connected to the server the complete policy is sent to the endpoint. In other words, the policy applied to the group the endpoint belongs to tells the endpoint where it should update from.

    Of course, if you want them to update "locally" at the remote site, you must first install an additional SUM there. I don't want to add to your confusion, but you should also look into Enterprise Console: configuring message relay computers (and if you intend to use one, please see Configure message relay in ver 5.2.2).

    Christian
