Deploying SVE agent after redeploy of security VM with secured public share

Hi Cory IT 

Could you please confirm few things here: 

How are you trying to deploy the agents? In case you are trying to re-deploy the agents via remote tools, then please check "Deploy software via remote deployment tools" in the article. Also, I would request you to PM me the case number you have registered with Support so that I can take a look. 

Hi Cory IT 

To add to the above query, installing the Guest Agent regularly via group policy is not part of the intended design. Once the guest agent is installed once it should update itself. You can take a copy of the guest agent and put it at the location with a non-password protected share. Install once using Group Policy from there and then let the GVMs update by themselves from that point onwards. 

Hi Shweta,

Historically, we simply have a GPO that ran a startup script, running the installer directly from the public share of the SVM.

We want to continue in this fashion as it has been working without issue, but as the public share is now password protected, it does not work.

Support have advised me that it is best practice to install directly from the public share, as the installer gets updated with the SVM, which makes perfect sense and is what I want to do.

It looks like now though, if this is what we want to do and via GPO, we have to have a far more involved script that uses mapped drives to work around the credential issue.

What we want to do, is tell the GPO to simply run the following script:

\\FLX-CL-FS01\System\Installation Packages\Sophos\SVE-Guest-Installer.exe SVMIPAddress=10.0.0.30 /install /passive

Why has the new version of the SVM deployment tool, secured the public share with a password? Surely that means it is no longer "public"?

Many thanks.

James

Hi Shweta,

Historically, we simply have a GPO that ran a startup script, running the installer directly from the public share of the SVM.

We want to continue in this fashion as it has been working without issue, but as the public share is now password protected, it does not work.

Support have advised me that it is best practice to install directly from the public share, as the installer gets updated with the SVM, which makes perfect sense and is what I want to do.

It looks like now though, if this is what we want to do and via GPO, we have to have a far more involved script that uses mapped drives to work around the credential issue.

What we want to do, is tell the GPO to simply run the following script:

\\FLX-CL-FS01\System\Installation Packages\Sophos\SVE-Guest-Installer.exe SVMIPAddress=10.0.0.30 /install /passive

Why has the new version of the SVM deployment tool, secured the public share with a password? Surely that means it is no longer "public"?

Many thanks.

James

Hi Cory IT 

I have checked this with our team here and it seems that the public share does not require a password - only the logs share. This article lists out the supported deployment methods. Let us know if you have any further concerns

Hi Shweta,

That used to be the case yes, but in the latest deployment tool, you are prompted to enter a password for the public share during deployment.

When I then try to access the public share via its UNC path, I am prompted for those credentials "sophospublic" and the password entered during deployment.

Unless I enter that password, I cannot access the share.

I would not expect the public share to require a password, as that's surely the whole point of it being public?
It has broken our existing working deployment method.

Many thanks

James

Hi Cory IT 

In that scenario, I would request you to open a support case as it might require further investigation. Please PM me the case details once done. 

Hi Shweta,

I did already (will PM the case no. to you), but the suggestions on how to work around this are mixed and don't really make sense to me.

Thanks.
James

Hi Cory IT 

Thank you for providing the case number, I have reached out to the concerned team and they will be following up with you in this case. Please DM me if you face any challenges. 

We have just gone against the support recommendation of running the install direct from the SVM share, and have instead just copied the installer off to another unrpotected share and will run via our existing script from there.

Thanks

James

Hi Cory IT 

Glad to know that the issue has been resolved for you and thank you for updating this thread with the steps you have performed. 

Hi James,

We've updated our KB here; https://community.sophos.com/kb/en-us/125589 to specifically note:

'We would recommend that you copy the Guest VM Agent installer to a share available to all Guest VMs prior to creating your startup scripts.'

Regards,

Stephen