cannot deploy SVM to ESXi 6.7

thank you very much

Hi Maytee Meng 

I discussed this with our product specialist team and as StephenMcKay has mentioned, Installations of Sophos for virtual environments are not supported with Message relay.

So, now the customer has to open a connection to Central from the host he is trying to install Security VM. Unfortunately, it is the only option.

If they want to open the connection for a specific host, they need to disable DRS for it as if DRS is enabled Security VM could move to a different host in future and will not be able to communicate with Sophos cloud for the updates.

Hi Maytee,

The SVM does not support Message Relay and so the device will need to be able to communicate directly with the MCS server at 

Would you please confirm whether you have update cache also installed on the message relay server?

MT: Yes

Please provide the command you are using to install security VM on the ESXi host

MT: I using GUI that running from windows 10 client

I'd suspect installation of security VM may not work if you are installing it on ESXi server as update cache installation only supports below operating systems only:

• Windows 7 and later
• Windows 2008 and later
• Linux distributions supported by Sophos Anti-Virus for Linux
• Mac version 9.7.4 and later

I'll also confirm whether it is supported or not once you confirm the OS and above questions.

MT: ESXi host isn't in the supported list. is this the reason?

p.s. I'm waiting customer feedback about the firewall block some connection from ESXi host to the central or not.

Hi Maytee Meng 

Would you please confirm whether you have update cache also installed on the message relay server? Please provide the command you are using to install security VM on the ESXi host as it is trying to connect to Sophos central server(cloud.url = "mcs-cloudstation-us-east-2.prod.hydra.sophos.com/.../ep") as per the above logs.

I'd suspect installation of security VM may not work if you are installing it on ESXi server as update cache installation only supports below operating systems only:

• Windows 7 and later
• Windows 2008 and later
• Linux distributions supported by Sophos Anti-Virus for Linux
• Mac version 9.7.4 and later

I'll also confirm whether it is supported or not once you confirm the OS and above questions.

Hi Maytee Meng 

Sophos Central managed installations do not need these certificates since Sophos Central generates it for its managed endpoints. You can follow the article provided by Jasmin on this post. Using the message relay should not be an issue. However, you can take a look into this article just to confirm the setup and configuration.

customer environment is using sophos central with message relays server. 

all the endpoint will connect the central through MessageRelay. is this the reason? 

due to my implementation is on central. do i have to try this KB127562 ? 

Hi Maytee Meng 

Your SVM configuration is getting failed and because of that SVM installation is giving you the error.

As SVM setup has been downloaded from the Sophos Central, SVM is trying to fetch the TLS certificate from the Sophos Central but it is not able to contact Sophos Central itself and because of that MCS communication is also not happening as mentioned in the Syslog.

I'd suggest you to analyze how many firewalls are in place between this host and internet and on those firewalls, please allow the domains and ports mentioned in this article as any of the domain is getting blocked while the communication process.

Even after that if it failing, please follow the article provided by Shweta above.

Hi Maytee Meng 

Thank you for the logs. Please check this article and see if it helps. Meanwhile, I will be checking this with my team if there are other steps that we can perform.