This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Deploying SVE agent after redeploy of security VM with secured public share

Hi,

Due to a really annoying limitation of the security VM, where I couldn't change a basic network settings without redeploying the VM (and therefore all of our previously deployed guest VM agents), I have had to deploy a new security VM using the latest deployment tool.

After completing deployment, I find the new VM has a password on the public share, which has broken our existing agent deployment method, of a startup script.

Can someone tell me how we are now supposed to deploy the agent, as group policy does not account for providing credentials for a share, when running a program from a share.

Support aren't really providing much in the way of answers, leaving our environment completely unprotected.

Thanks.

James

This thread was automatically locked due to age.

Parents

0 Shweta over 4 years ago

Hi Cory IT

Could you please confirm few things here:

How are you trying to deploy the agents? In case you are trying to re-deploy the agents via remote tools, then please check "Deploy software via remote deployment tools" in the article. Also, I would request you to PM me the case number you have registered with Support so that I can take a look.

Shweta

Community Support Engineer | Sophos Technical Support
Are you a Sophos Partner? | Product Documentation | @SophosSupport | Sign up for SMS Alerts
If a post solves your question use the 'Verify Answer' link.

The New Home of Sophos Support Videos! - Visit Sophos Techvids
Cancel
Vote Up 0 Vote Down

Cancel
0 Shweta over 4 years ago in reply to Shweta

Hi Cory IT

To add to the above query, installing the Guest Agent regularly via group policy is not part of the intended design. Once the guest agent is installed once it should update itself. You can take a copy of the guest agent and put it at the location with a non-password protected share. Install once using Group Policy from there and then let the GVMs update by themselves from that point onwards.

Shweta

Community Support Engineer | Sophos Technical Support
Are you a Sophos Partner? | Product Documentation | @SophosSupport | Sign up for SMS Alerts
If a post solves your question use the 'Verify Answer' link.

The New Home of Sophos Support Videos! - Visit Sophos Techvids
Cancel
Vote Up 0 Vote Down

Cancel
0 Cory IT over 4 years ago in reply to Shweta

Hi Shweta,

Historically, we simply have a GPO that ran a startup script, running the installer directly from the public share of the SVM.

We want to continue in this fashion as it has been working without issue, but as the public share is now password protected, it does not work.

Support have advised me that it is best practice to install directly from the public share, as the installer gets updated with the SVM, which makes perfect sense and is what I want to do.

It looks like now though, if this is what we want to do and via GPO, we have to have a far more involved script that uses mapped drives to work around the credential issue.

What we want to do, is tell the GPO to simply run the following script:

\\FLX-CL-FS01\System\Installation Packages\Sophos\SVE-Guest-Installer.exe SVMIPAddress=10.0.0.30 /install /passive

Why has the new version of the SVM deployment tool, secured the public share with a password? Surely that means it is no longer "public"?

Many thanks.

James
Cancel
Vote Up 0 Vote Down

Cancel
0 Shweta over 4 years ago in reply to Cory IT

Hi Cory IT

I have checked this with our team here and it seems that the public share does not require a password - only the logs share. This article lists out the supported deployment methods. Let us know if you have any further concerns

Shweta

Community Support Engineer | Sophos Technical Support
Are you a Sophos Partner? | Product Documentation | @SophosSupport | Sign up for SMS Alerts
If a post solves your question use the 'Verify Answer' link.

The New Home of Sophos Support Videos! - Visit Sophos Techvids
Cancel
Vote Up 0 Vote Down

Cancel
0 Cory IT over 4 years ago in reply to Shweta

Hi Shweta,

That used to be the case yes, but in the latest deployment tool, you are prompted to enter a password for the public share during deployment.

When I then try to access the public share via its UNC path, I am prompted for those credentials "sophospublic" and the password entered during deployment.

Unless I enter that password, I cannot access the share.

I would not expect the public share to require a password, as that's surely the whole point of it being public?
It has broken our existing working deployment method.

Many thanks

James
Cancel
Vote Up 0 Vote Down

Cancel
0 Shweta over 4 years ago in reply to Cory IT

Hi Cory IT

In that scenario, I would request you to open a support case as it might require further investigation. Please PM me the case details once done.

Shweta

Community Support Engineer | Sophos Technical Support
Are you a Sophos Partner? | Product Documentation | @SophosSupport | Sign up for SMS Alerts
If a post solves your question use the 'Verify Answer' link.

The New Home of Sophos Support Videos! - Visit Sophos Techvids
Cancel
Vote Up 0 Vote Down

Cancel

Reply

0 Shweta over 4 years ago in reply to Cory IT

Hi Cory IT

In that scenario, I would request you to open a support case as it might require further investigation. Please PM me the case details once done.

Shweta

Community Support Engineer | Sophos Technical Support
Are you a Sophos Partner? | Product Documentation | @SophosSupport | Sign up for SMS Alerts
If a post solves your question use the 'Verify Answer' link.

The New Home of Sophos Support Videos! - Visit Sophos Techvids
Cancel
Vote Up 0 Vote Down

Cancel

Children

0 Cory IT over 4 years ago in reply to Shweta

Hi Shweta,

I did already (will PM the case no. to you), but the suggestions on how to work around this are mixed and don't really make sense to me.

Thanks.
James
Cancel
Vote Up 0 Vote Down

Cancel
0 Shweta over 4 years ago in reply to Cory IT

Hi Cory IT

Thank you for providing the case number, I have reached out to the concerned team and they will be following up with you in this case. Please DM me if you face any challenges.

Shweta

Community Support Engineer | Sophos Technical Support
Are you a Sophos Partner? | Product Documentation | @SophosSupport | Sign up for SMS Alerts
If a post solves your question use the 'Verify Answer' link.

The New Home of Sophos Support Videos! - Visit Sophos Techvids
Cancel
Vote Up 0 Vote Down

Cancel
+1 Cory IT over 4 years ago in reply to Shweta

We have just gone against the support recommendation of running the install direct from the SVM share, and have instead just copied the installer off to another unrpotected share and will run via our existing script from there.

Thanks

James
Cancel
Vote Up 0 Vote Down

Cancel
0 Shweta over 4 years ago in reply to Cory IT

Hi Cory IT

Glad to know that the issue has been resolved for you and thank you for updating this thread with the steps you have performed.

Shweta

Community Support Engineer | Sophos Technical Support
Are you a Sophos Partner? | Product Documentation | @SophosSupport | Sign up for SMS Alerts
If a post solves your question use the 'Verify Answer' link.

The New Home of Sophos Support Videos! - Visit Sophos Techvids
Cancel
Vote Up 0 Vote Down

Cancel
+1 StephenMcKay over 4 years ago in reply to Cory IT

Hi James,

We've updated our KB here; https://community.sophos.com/kb/en-us/125589 to specifically note:

'We would recommend that you copy the Guest VM Agent installer to a share available to all Guest VMs prior to creating your startup scripts.'

Regards,

Stephen
Cancel
Vote Up 0 Vote Down

Cancel