Is CryptoGuard in Central Server Protection Advanced working on a terminal server or a Citrix server?
We are currently completing the testing of RDS/XenApp for CryptoGuard on Central Windows Servers; we hope to have documented this official support for our CQ2 release.
If you are using Citrix, I would be interested to know which elements you are using (XenApp, XenDesktop) and which versions.
In reply to StephenMcKay:
So am I right in thinking that although CryptoGuard is already available in the latest release of Server Protection Advanced, it's not currently certified as ready for use if the server is an RDS server, but fine otherwise? I've just installed Protection Advanced on an RDS server in my test environment and enabled CryptoGuard in the policy assuming it would then work as expected, protecting ransomware activity from any user on the RDS server?
Also, could you confirm that the CryptoGuard feature built in to Server Protection includes the rollback of encrypted files?
In reply to Matthew Harris:
Correct, we don't support RDS/XenApp environments currently because we haven't done the testing to confirm the functionality. The setup you have in your test environment should work as expected but we can't confirm that the functionality (alerts, events etc) will work as it does outside of RDS environments.
I can confirm that the CryptoGuard feature built into Central Server Protection includes the rollback of encrypted files.
We have a small opp with the following question around RDS.
Thanks for that… so if I’m understanding that correctly, in reality all we need is the “Central Server Advanced” license to cover ransomware protection? (which is what I was hoping for originally… result!)
Which means the 9 user licenses are superfluous? Since I’m not really concerned with massive protection on the desktops, there’s nothing stored on them apart from remote app icons.
What about any licensing points for needing the full Intercept X functionality in RDS?
Hi Matthew, (sorry for the delay, I have been away).
Our EULA refers to the following: "'User' means an employee, consultant or other individual who benefits from the Product licensed to Licensee."
Therefore, any users accessing the server, and benefitting from its protection, will need a license. In your example you would need 1 server advanced license and 9 end user licenses.
I hope this helps.
Thanks for clarifying. Can I ask a few follow up questions?
Which license(s) would be required for each end user? I'm not entirely sure as Server Protection Advanced contains components that are included in both Endpoint Protection Advanced and Intercept X (in the case of CryptoGuard). Would the end users require one or both of these?
Say for example if we'd purchased Server Protection Advanced and installed on an RDS server, but chose not to enable CryptoGuard on that server. Would we then need to purchase Intercept X for each workstation to be compliant because the server product on the server they are accessing includes the CryptoGuard functionality?
From what you mentioned, it sounds as though from a licensing point of view, licenses are "per person" rather than "per device" - have I got that right? The Sophos Cloud portal seems to work on the principle of assigning them to devices. Normally it's not too much of an issue if there is one person per device, but it does make me wonder how we should handle the situation if the two numbers are different (say in the case of shared computers).
Presumably these licenses for endpoints would need to be purchased, even if they're not actually installed on the endpoints so you're covered from a licensing point of view when accessing the server?
What's the best place to grab a copy of the most up to date EULA for each of the products?
Apologies for lots of questions - thanks again for your help!
In reply to Dan Briley:
I'll do this in reverse order; https://www.sophos.com/legal.aspx is where you can find the EULA and Licensing Guidelines. I will be reviewing both of these before we launch official support so there might be a few minor updates to what you see today.
If the users are using Endpoint protection on their devices, then we don't double count and you would purchase the license suitable for the protection they need on their device. In the situation in which the users won't be running Sophos on their endpoints, then we will use any available end user license.
Thanks for that. Can I just check to ensure I'm understanding correctly? If RDS is the only requirement, it doesn't matter which endpoint licenses you purchase, as long as you have one for each user? Your users would still be covered by all the Server Protection Advanced features while logged in to RDS, including CryptoGuard, even if you've only purchased Endpoint Standard for each user? You could, for example:
Purchase and install 1 x Server Protection Advanced for each RDS server
Purchase (but don't install on the endpoints) 1 x Endpoint Protection Standard for each user of that RDS platform
...and that would ensure they are protected, including for ransomware, within their RDS session? They wouldn't need to also purchase Intercept X for each end user, even though that's the only equivalent endpoint product that includes the CryptoGuard feature? I just want to double check I've got that right as the customer is specifically asking what licenses he needs to ensure his RDS users are protected within their session, and CryptoGuard is a key requirement.
This is all assuming CryptoGuard has been QA'd on RDS before they go ahead obviously.
[EDIT] I should have mentioned - in the back of my mind I have Microsoft Office licensing and how that works with regards to terminal services. MS require you to license each device that accesses the terminal services environment with a copy of Office that is the exact same edition as that which runs on the terminal server. You couldn't, for example, license the endpoints with Office Standard and install Office Pro Plus on the server as that would mean the users would have access to additional functionality for which they are not licensed. My worry would be that the same issue would apply with Sophos - to cover the feature set of Server Protection Advanced would require features that are spread across Endpoint and Intercept X (in the case of CryptoGuard).[/EDIT]
As you highlight with the Microsoft example, we are looking to achieve parity between the Endpoint and Server licenses. Therefore, if you are running Central Server Advanced on the RDS server, the users would require Central Endpoint Advanced licenses. The exception is CryptoGuard: as this is included in the Server Advanced license, you would get this benefit with Endpoint Advanced; you are not required to purchase Intercept X.
Many thanks for your questions and feedback on this.
Thanks again for taking the time to reply - that clears everything up nicely. Sorry to have fired so many questions at you!
Is it possible to buy Central Server Advanced and use only the CryptoGuard feature on an RDS server (Citrix ......) to prevent ransomware?
My customer uses another antivirus product on the RDS server and we need only the CryptoGuard feature.
I think we have to license Intercept X then for all users connected to the RDS server.
In reply to GerdNesch:
At this time, CryptoGuard is part of the Sophos Server protection agent; we are looking at plans to offer an Intercept X for Servers that would allow you to run alongside traditional AV. Until then, you would need to replace the existing anti virus product on the server.
Thanks for your fast answer!!
If I replace the existing AV with Sophos Server Protection then I have to license also Sophos Endpoint Protection for the RDS server users?
And it is not possible to license only Intercept X for these users?
You are correct, and I should have made that clear in my response. The users connecting to the RDS server would also need a licence; again, this would be a Central Endpoint license, not Intercept X.
Thanks, now it is clear!
Is there a timeline for Intercept X for servers?