Sophos Endpoint Security and Control
on-premise installation best practice guide
Endpoint Security and Control 10
Enterprise Console 5
Document date: May 2014
Contents
1 About this guide
2 What software is installed as part of Endpoint Security and Control?
3 What features require planning?
4 General installation planning considerations
5 Main installation scenarios
6 Additional configurations
7 Technical support
8 Legal notices
1 About this guide
This guide is for you if you are a network administrator who will be installing Enterprise Console
and Endpoint Security and Control on your company network. The guide is designed to answer
your preliminary questions and suggest the ways that Endpoint Security and Control can be best
adapted for your network. It begins with a few general questions to set the context and then
describes more specific network scenarios.
For more detailed advice on installing and configuring Enterprise Console and Endpoint Security
and Control, see Best Practices for Endpoint Security and Control.
2 What software is installed as part of Endpoint Security and Control?
The Endpoint Security and Control on-premise option includes the following software:
■ Management console: Enterprise Console.
■ Anti-virus and other software on your endpoint computers: Endpoint Security and Control
(Sophos Anti-Virus, Client Firewall, software to handle updates and messaging, etc.).
■ Management database that stores information about the configuration of your endpoint
computers.
■ Management server (and management service) that handle communications between the
console, the database, and the endpoint computers.
3 What features require planning?
3.1 Installation locations and methods
The location of the management database, management server and management consoles can be
customized to suit your needs. For instance you could install:
■ All components on the same server – this is referred to as a "standard" or "default" installation
throughout our documentation.
■ Each component on a separate server.
■ Only the databases on a separate server, possibly on a dedicated SQL cluster.
■ Enterprise Console on your local computer and the other components on a separate server.
■ The whole product on VMWare to be managed from within a virtual machine.
■ All components on a server in a server room and you use Remote Desktop sessions to use
Enterprise Console from your local computer.
We don’t describe each of these installation configurations in this document, but we do explain
generally how to install the management software and the software on your endpoint computers
in each of the network configuration scenarios that follow.
3.2 Other features
Some features in the management console require a little advance planning as well. The considerations
that go into each are described in this document for each network configuration scenario:
■ Update Manager. This component creates a structure for updating the anti-virus (and other)
software on your endpoint computers. It will automatically create a central location for your
network to update from, but you can choose to create more update locations as you see fit.
Update locations can either be set up as a UNC path or a web folder.
■ Role-Based Administration. This is an optional feature that allows you to subdivide the
management of your network so that other users can monitor the network's health and perform
actions.
4 General installation planning considerations
In general, if you consider the following items before you read this document, you’ll get the most
out of this guide:
1. Think about the numbers. The number of end users you have will determine how many
sub-estates and update locations you should set up.
2. Think about your network configuration. Your network configuration will determine how you
should install the software on your client computers, how you will distribute updates, and how
many sub-estates you should set up.
3. Think about who will manage your network. The number of IT staff who will monitor and
respond to malware alerts and firewall events will determine the number of sub-estates you
should set up.
4. Think about how you would like to deploy updates. There are countless ways of doing this.
Think about whether you would want everyone on the network downloading from one shared
folder, or whether you want every department to have their own update location with a failover
location as well.
The rest of this document describes various deployment scenarios (like WANs, remote users, or
networks with no servers) that we have anticipated.
5 Main installation scenarios
5.1 Single-site network
5.1.1 Installation
Management software
Install Enterprise Console on one server (to be used to manage the network) or install the
database(s) on a separate server if you have a large network. For more information on installing
the Enterprise Console database on a SQL cluster, please see Installing Enterprise Console databases
in a clustered SQL Server environment.
If you use Active Directory, use it to import containers (OUs) first. Then, once you’ve adjusted
your groups and created the subgroups that you need, synchronize with Active Directory to import
the computers.
If your network has more than 10,000 computers (4,000 if you use Windows Server 2008), you
should set up at least one message relay to reduce the load of communications to and from the
management server. See Enterprise Console: configuring message relay computers for more
information.
Client software
You have many options for deploying Endpoint Security and Control to your client computers:
■ Deploy directly from Enterprise Console, as described in the Sophos Enterprise Console quick
startup guide (for smaller networks) or the Sophos Enterprise Console advanced startup guide (for
larger networks). The guides are available from
http://www.sophos.com/en-us/support/documentation/enterprise-console.aspx
■ Use SMS/SCCM (Microsoft recommends that you use SCCM to distribute software when you
have 250 or more client computers in your network). For detailed instructions, see Using SCCM
2007 (SMS) to deploy Endpoint Security and Control (Sophos Anti-Virus).
■ Create a script to invoke special features when running the installation with setup.exe. You
can then use a Group Policy Object to deploy the script and installation file.
5.1.2 Role-based administration
Consider whether you would like to use sub-estates to divide up the day-to-day management of
your network. Consider who will have what roles and install Enterprise Console on their computers
when you are ready.
We recommend that you have at least one sub-estate at each of your locations, with more than
one IT person assigned to each one. That way, they can manage two networks when one person
is off sick or on vacation.
5.1.3 Updating structure
There are many considerations that go into planning an update structure. When planning,
remember that the update manager pushes the files to each share in turn, so the number of shares
should be tailored to fit your network bandwidth. Also remember that you shouldn’t put a share
on a computer that may go into standby or otherwise be unavailable for long periods of time.
How big is your network?
On a network with fewer than 1,000 computers, you can install a single update manager and create
one or more update locations for your client computers to download updates from.
On a network of 1,000 or more computers, you’ll want to design your update structure to take
advantage of the best network architecture and the most effective servers. If you use a UNC path
for your update location, it should be used by a maximum of 1,000 computers, unless it is on a
dedicated file server. If you set up a web location for updating, it can handle somewhere between
5,000 and 10,000 computers updating from it.
You could also set up additional update managers to spread the load. They could either update
from the primary update manager or directly from Sophos. This kind of scenario could also be
used for designing failovers. For detailed instructions about installing an additional update manager,
see section 7 of the Sophos Enterprise Console advanced startup guide (available from
http://www.sophos.com/en-us/support/documentation/enterprise-console.aspx).
As a general rule, you should install an additional update manager for each 25,000 client computers
on your network.
What computers are on your network?
Your update shares can publish software for all the different supported operating systems.
Consider whether you may want more than one update location for a specific operating system.
For example, you might want half your Windows 2000+ operating systems to use one update
location and the other half to use another, and use a separate server for Mac OS X, Linux, and
UNIX updates.
You can also download software for NetWare and set up a share on any server for these computers
to update from. This is described in an appendix to the Sophos Enterprise Console advanced startup
guide.
Do you have roaming or remote users connecting to your network?
We’ve tried to illustrate the most common "additional network configuration" scenarios in the
rest of this document. Refer to the type of installation that applies to your situation to learn how
to install Endpoint Security and Control on the client computers and how to structure your
updating structure to support them.
5.2 WAN
Note: The following sections apply to both single-domain and multiple-domain (or workgroup)
networks.
Choose the scenario that best applies to your situation:
■ Scenario 1: Sites are managed independently.
In this scenario, there is an administrator at each site who will administer their own site
independently.
■ Scenario 2: Sites are primarily centrally managed.
■ There is admin or helpdesk staff who will administer groups across the two domains/sites,
or
■ There is one administrator who will administer both domains/sites from site A.
5.2.1 Scenario 1: Sites are managed independently
There is an administrator at each site who will administer their own site independently
5.2.1.1 Installation
Install Enterprise Console at each site and use Active Directory to synchronize with the local
domain only.
5.2.1.2 Role-based administration
If there is only one person responsible for checking the network at each site, set up the other site
administrator with the right to monitor alerts and events to ensure that there is coverage to deal
with malware outbreaks and other security events in the event that the local admin is not present.
If there are several people at each site who can check the network, set them up with roles and
sub-estates as required.
5.2.1.3 Updating structure
If you wish, you could configure the update manager on site B to download its updates from site
A, but you could also have it download its updates directly from Sophos.
Read the advice for the "standard" scenario described above to see what other issues you should
consider before installing Endpoint Security and Control at each site.
5.2.2 Scenario 2: Sites are primarily centrally managed
There is admin or helpdesk staff who will administer groups across the two
domains/sites
OR
There is one administrator who will administer both domains/sites from site A
5.2.2.1 Installation
Install Enterprise Console at site A and use RDP or TS to manage the computers at site B. If you
have staff at site B who should be allowed to perform certain tasks, install Enterprise Console only
at site B.
If the sites are on different domains, remember that once you install Enterprise Console, you will
need to set it up for multiple domains. For more information, see Protecting computers in a multiple
domain environment.
Ensure that your web filtering equipment allows the following ports for Sophos communications:
Network: allow ports 137-139 and 445
Weblink: allow port 80
5.2.2.2 Role-based administration
This depends on how the IT department is structured. If all the IT staff is on one site, you’d
probably want to break down the network into sub-estates based on location. If there is IT staff
at each site, you could divide each site into sub-estates as well. It’s up to you.
5.2.2.3 Updating structure
Wherever possible, we recommend that you install an additional update manager in a remote
location. There are a few reasons, but most important is the amount of bandwidth needed to
update the shared folders on site B and the danger that the shares would be incomplete if the link
went down.
Your updating structure would depend on whether or not there is a server or other suitable
Windows computer on site B which could be used to distribute updates.
Note: Suitable computers are those running Windows 2003/Vista/Windows 7/2008/SBS 2011.
For system requirements for Enterprise Console and its components, go to
http://www.sophos.com/en-us/support/knowledgebase/118635.aspx
■ If there is a server or other suitable Windows computer on site B which could be used to
distribute updates
Install an Update Manager at site B to update the local computers. This update manager could
either download its updates from site A or directly from Sophos.
If you have a firewall between your sites, you’ll have to update via HTTP. Set up a web folder
at site A so that the site B computers can get their updates.
■ If there is no server or suitable Windows computer on site B
Use the update manager at site A to create a share for site B. This shared folder could be located
at site A, or at site B if bandwidth is a concern. If the link would be too slow to download
updates from site A once an hour, consider creating a web folder for the site B computers to
update from.
No matter what you choose as the primary source for updates, ensure that the secondary
updating source in the updating policy for Site B computers points to Sophos in case the link
between the two sites goes down or the web location is unavailable.
5.3 No server
5.3.1 Installation
If you have a small network with no server (ten or fewer computers), you can still download and
use Enterprise Console to manage your network as long as you have a computer that satisfies
system requirements for Enterprise Console.
Follow the advice for the "Single-site network" scenario, described above.
Alternatively, if all of your computers are connected to the Internet, you could install the standalone
version of Endpoint Security and Control on those computers and they would all update directly
from Sophos.
5.3.2 Role-based administration
If you install Enterprise Console on one of your computers, you could set up another user to
monitor your network when you are away from the office.
5.3.3 Updating
If you install Enterprise Console on one of your computers, use the update manager to set up an
updating system with a single share.
If you install the standalone version of Endpoint Security and Control on all of your computers,
they will update directly from Sophos.
5.4 No suitable Windows computer
If you don’t have a Windows Server, or a suitable Windows computer that satisfies system
requirements for Enterprise Console, you will have to download Sophos Anti-Virus for your
non-Windows computers and they will update separately.
5.4.1 Installation
Download and install:
■ Sophos Anti-Virus for Mac OS X
■ Sophos Anti-Virus for Linux
■ Sophos Anti-Virus for UNIX
Documentation for Sophos Anti-Virus for all supported platforms is available at
http://www.sophos.com/en-us/support/documentation.aspx.
5.4.2 Role-based administration
Does not apply as Enterprise Console can only be run on a Windows server or suitable workstation.
5.4.3 Updating
Sophos Anti-Virus for Linux can be updated by one computer and the cache folder can be shared
with the other Linux computers in your network.
5.5 No Enterprise Console
Please note that this scenario is not supported. You should make every effort to use Enterprise
Console or other security management product from the range of Sophos products, for example,
Sophos Unified Threat Management (UTM). If you have a small network and no dedicated
server, you could also use Sophos Cloud.
5.5.1 Installation
Download the standalone installer and install Endpoint Security and Control on each computer
individually. Each computer would then update directly from Sophos.
5.5.2 Role-based administration
Not applicable, as these computers are not managed and Enterprise Console is not being used.
5.5.3 Updating
The computers would update directly from Sophos.
6 Additional configurations
6.1 Roaming users connecting via VPN
6.1.1 Installation
Follow the advice for the "standard" scenario for recommendations for installing Enterprise Console
on the management server.
For your roaming users, because the computers will connect to the network via VPN, you should
deploy Endpoint Security and Control software to these computers from Enterprise Console.
When they next connect, they will download and install the security software.
6.1.2 Role-based administration
Supporting roaming users is an additional security concern. To make monitoring and
administration easier, you might want to set up one sub-estate for roaming users so that one
person could closely monitor their security status.
6.1.3 Updating
Ensure that the updating policies for roaming computers have Sophos set up as a secondary source
for updates, in case the user can't connect to your network while they're away from the office.
Alternatively, you may also consider creating a web location for them to update from, so that they
can update their security software even if they can't connect to your network.
6.2 Air gapped network
6.2.1 Installation
Follow the advice for the "standard" scenario for recommendations for installing Enterprise Console
on the management server on the outside network.
For your air-gapped network, you have two options:
■ Install Enterprise Console and an update manager and deploy to the client computers from
the management server in the air-gapped network.
■ Install Endpoint Security and Control on each of the computers individually and have them
update from a shared folder copied from the outside network. You won't be able to manage
the computers on the air-gapped network, nor would you be able to take advantage of all the
features of Endpoint Security and Control, because Application Control, Device Control and
Data Control are all configured using Enterprise Console.
6.2.2 Role-based administration
You will have separate installations of Enterprise Console on the two networks, so you won't be
able to monitor both networks from one Enterprise Console. You could break your air-gapped
network into sub-estates, if it's big enough. As with any network, you'd probably want to define
at least one extra role to monitor the network when the administrator is busy.
6.2.3 Updating
When you configure the update manager in the air-gapped network, ensure that it uses a folder
on the management server, or a removable device that you manually update with data from the
outside network as its update source.
For detailed instructions on setting up an air gapped network, please see Installing and configuring
an air gap with Sophos Update Manager.
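An integrity check for the manual transfer step described above, as an added example that is not part of the Sophos guide or product: build a SHA-256 manifest of the update folder on the outside network, record the manifest's digest separately from the removable device, and compare the copy on the air-gapped side before the update manager uses it. The function names, folder layout and file names are hypothetical and constructed for illustration.

```python
"""Manifest check for a manually transferred update folder (added example)."""
import hashlib
import json
import shutil
import tempfile
from pathlib import Path


def _sha256(path, chunk=1 << 20):
    """Hash a file in chunks so large update packages are not read at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root):
    """Return {relative_posix_path: sha256} for every regular file under root."""
    root = Path(root)
    manifest = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and not p.is_symlink():
            manifest[p.relative_to(root).as_posix()] = _sha256(p)
    return manifest


def manifest_digest(manifest):
    """Digest of the manifest itself; record it separately from the device."""
    canonical = json.dumps(manifest, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


def verify_copy(root, manifest, expected_digest=None):
    """Compare the folder at root with the manifest built on the outside network.

    Raises ValueError if the manifest does not match the separately recorded
    digest. Returns the missing, unexpected and modified relative paths.
    """
    if expected_digest is not None and manifest_digest(manifest) != expected_digest:
        raise ValueError("manifest does not match the digest recorded outside")
    actual = build_manifest(root)
    return {
        "missing": sorted(set(manifest) - set(actual)),
        "unexpected": sorted(set(actual) - set(manifest)),
        "modified": sorted(
            k for k in manifest.keys() & actual.keys() if manifest[k] != actual[k]
        ),
    }


def is_clean(report):
    """True only when nothing is missing, unexpected or modified."""
    return not any(report.values())


if __name__ == "__main__":
    # Constructed sample data: these are not real Sophos file names.
    with tempfile.TemporaryDirectory() as tmp:
        outside = Path(tmp) / "outside_share"
        (outside / "catalog").mkdir(parents=True)
        (outside / "pkg").mkdir()
        (outside / "catalog" / "index.dat").write_bytes(b"index v1")
        (outside / "pkg" / "engine.bin").write_bytes(b"\x00\x01engine")

        manifest = build_manifest(outside)
        digest = manifest_digest(manifest)

        # Simulate the removable device arriving with a truncated file.
        inside = Path(tmp) / "airgap_share"
        shutil.copytree(outside, inside)
        (inside / "pkg" / "engine.bin").write_bytes(b"\x00\x01eng")

        report = verify_copy(inside, manifest, digest)
        print(json.dumps(report, indent=2))
        print("safe to publish:", is_clean(report))
```

Keep the manifest file outside the folder being hashed, otherwise it is reported as an unexpected file on the receiving side.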
6.3 Remote workers, no VPN access
6.3.1 Installation
There are two options for protecting off-site computers without VPN connection:
■ You could download the standalone installer and install Endpoint Security and Control on
each computer individually. The users would then update directly from Sophos.
■ You could create a self-extracting .exe file for your users to install the software themselves.
These users would update from a web location that you configure and update.
6.3.2 Role-based administration
Not applicable, as these computers are not managed.
6.3.3 Updating
Either the computers would update directly from Sophos or they would update from a web location
that you configure.
6.4 Home users (extended license)
6.4.1 Installation
The only supported installation for home users is a self-extracting .exe file that you build for them.
We do not permit home users to update from the Sophos databanks directly. You will have to
create a web folder where your home users can download their updates from.
6.4.2 Role-based administration
Does not apply.
6.4.3 Updating
Create a web folder that will copy the updates from your update manager and allow you to distribute
them to your employees' personal computers at home.
Please see our Best Practice article about setting up home users for more information.
7 Technical support
You can find technical support for Sophos products in any of these ways:
■ Visit the SophosTalk community at community.sophos.com/ and search for other users who are
experiencing the same problem.
■ Visit the Sophos support knowledgebase at www.sophos.com/en-us/support.aspx.
■ Download the product documentation at www.sophos.com/en-us/support/documentation/.
■ Send an email to support@sophos.com, including your Sophos software version number(s),
operating system(s) and patch level(s), and the text of any error messages.
8 Legal notices
Copyright © 2009–2014 Sophos Limited. All rights reserved. No part of this publication may be
reproduced, stored in a retrieval system, or transmitted, in any form or by any means, electronic,
mechanical, photocopying, recording or otherwise unless you are either a valid licensee where the
documentation can be reproduced in accordance with the license terms or you otherwise have
the prior permission in writing of the copyright owner.
Sophos, Sophos Anti-Virus and SafeGuard are registered trademarks of Sophos Limited, Sophos
Group and Utimaco Safeware AG, as applicable. All other product and company names mentioned
are trademarks or registered trademarks of their respective owners.

cynapspro endpoint data protection - installation guide
 
IBM Notes in the Cloud
IBM Notes in the CloudIBM Notes in the Cloud
IBM Notes in the Cloud
 
Devstack lab guide
Devstack lab guideDevstack lab guide
Devstack lab guide
 

Último

The State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxThe State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxLoriGlavin3
 
From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .Alan Dix
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsPixlogix Infotech
 
Testing tools and AI - ideas what to try with some tool examples
Testing tools and AI - ideas what to try with some tool examplesTesting tools and AI - ideas what to try with some tool examples
Testing tools and AI - ideas what to try with some tool examplesKari Kakkonen
 
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxDigital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxLoriGlavin3
 
A Framework for Development in the AI Age
A Framework for Development in the AI AgeA Framework for Development in the AI Age
A Framework for Development in the AI AgeCprime
 
Scale your database traffic with Read & Write split using MySQL Router
Scale your database traffic with Read & Write split using MySQL RouterScale your database traffic with Read & Write split using MySQL Router
Scale your database traffic with Read & Write split using MySQL RouterMydbops
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024Lonnie McRorey
 
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...Alkin Tezuysal
 
What is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdfWhat is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdfMounikaPolabathina
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxLoriGlavin3
 
Connecting the Dots for Information Discovery.pdf
Connecting the Dots for Information Discovery.pdfConnecting the Dots for Information Discovery.pdf
Connecting the Dots for Information Discovery.pdfNeo4j
 
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxThe Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxLoriGlavin3
 
Enhancing User Experience - Exploring the Latest Features of Tallyman Axis Lo...
Enhancing User Experience - Exploring the Latest Features of Tallyman Axis Lo...Enhancing User Experience - Exploring the Latest Features of Tallyman Axis Lo...
Enhancing User Experience - Exploring the Latest Features of Tallyman Axis Lo...Scott Andery
 
Assure Ecommerce and Retail Operations Uptime with ThousandEyes
Assure Ecommerce and Retail Operations Uptime with ThousandEyesAssure Ecommerce and Retail Operations Uptime with ThousandEyes
Assure Ecommerce and Retail Operations Uptime with ThousandEyesThousandEyes
 
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxThe Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxLoriGlavin3
 
Rise of the Machines: Known As Drones...
Rise of the Machines: Known As Drones...Rise of the Machines: Known As Drones...
Rise of the Machines: Known As Drones...Rick Flair
 
Moving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfMoving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfLoriGlavin3
 
Long journey of Ruby standard library at RubyConf AU 2024
Long journey of Ruby standard library at RubyConf AU 2024Long journey of Ruby standard library at RubyConf AU 2024
Long journey of Ruby standard library at RubyConf AU 2024Hiroshi SHIBATA
 
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyesHow to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyesThousandEyes
 

Último (20)

The State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxThe State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptx
 
From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and Cons
 
Testing tools and AI - ideas what to try with some tool examples
Testing tools and AI - ideas what to try with some tool examplesTesting tools and AI - ideas what to try with some tool examples
Testing tools and AI - ideas what to try with some tool examples
 
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxDigital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
 
A Framework for Development in the AI Age
A Framework for Development in the AI AgeA Framework for Development in the AI Age
A Framework for Development in the AI Age
 
Scale your database traffic with Read & Write split using MySQL Router
Scale your database traffic with Read & Write split using MySQL RouterScale your database traffic with Read & Write split using MySQL Router
Scale your database traffic with Read & Write split using MySQL Router
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024
 
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
 
What is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdfWhat is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdf
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
 
Connecting the Dots for Information Discovery.pdf
Connecting the Dots for Information Discovery.pdfConnecting the Dots for Information Discovery.pdf
Connecting the Dots for Information Discovery.pdf
 
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxThe Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
 
Enhancing User Experience - Exploring the Latest Features of Tallyman Axis Lo...
Enhancing User Experience - Exploring the Latest Features of Tallyman Axis Lo...Enhancing User Experience - Exploring the Latest Features of Tallyman Axis Lo...
Enhancing User Experience - Exploring the Latest Features of Tallyman Axis Lo...
 
Assure Ecommerce and Retail Operations Uptime with ThousandEyes
Assure Ecommerce and Retail Operations Uptime with ThousandEyesAssure Ecommerce and Retail Operations Uptime with ThousandEyes
Assure Ecommerce and Retail Operations Uptime with ThousandEyes
 
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxThe Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
 
Rise of the Machines: Known As Drones...
Rise of the Machines: Known As Drones...Rise of the Machines: Known As Drones...
Rise of the Machines: Known As Drones...
 
Moving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfMoving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdf
 
Long journey of Ruby standard library at RubyConf AU 2024
Long journey of Ruby standard library at RubyConf AU 2024Long journey of Ruby standard library at RubyConf AU 2024
Long journey of Ruby standard library at RubyConf AU 2024
 
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyesHow to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
 

Manual Sophos

2 What software is installed as part of Endpoint Security and Control?

The Endpoint Security and Control on-premise option includes the following software:

■ Management console: Enterprise Console.
■ Anti-virus and other software on your endpoint computers: Endpoint Security and Control (Sophos Anti-Virus, Client Firewall, software to handle updates and messaging, etc.).
■ Management database that stores information about the configuration of your endpoint computers.
■ Management server (and management service) that handle communications between the console, the database, and the endpoint computers.
3 What features require planning?

3.1 Installation locations and methods

The location of the management database, management server and management consoles can be customized to suit your needs. For instance you could install:

■ All components on the same server – this is referred to as a "standard" or "default" installation throughout our documentation.
■ Each component on a separate server.
■ Only the databases on a separate server, possibly on a dedicated SQL cluster.
■ Enterprise Console on your local computer and the other components on a separate server.
■ The whole product on VMware to be managed from within a virtual machine.
■ All components on a server in a server room and you use Remote Desktop sessions to use Enterprise Console from your local computer.

We don’t describe each of these installation configurations in this document, but we do explain generally how to install the management software and the software on your endpoint computers in each of the network configuration scenarios that follow.

3.2 Other features

Some features in the management console require a little foreplanning as well. The considerations that go into each are described in this document for each network configuration scenario:

■ Update Manager. This component creates a structure for updating the anti-virus (and other) software on your endpoint computers. It will automatically create a central location for your network to update from, but you can choose to create more update locations as you see fit. Update locations can either be set up as a UNC path or a web folder.
■ Role-Based Administration. This is an optional feature that allows you to subdivide the management of your network so that other users can monitor the network's health and perform actions.
4 General installation planning considerations

In general, if you consider the following items before you read this document, you’ll get the most out of this guide:

1. Think about the numbers. The number of end users you have will determine how many sub-estates and update locations you should set up.
2. Think about your network configuration. Your network configuration will determine how you should install the software on your client computers, how you will distribute updates, and how many sub-estates you should set up.
3. Think about who will manage your network. The number of IT staff who will monitor and respond to malware alerts and firewall events will determine the number of sub-estates you should set up.
4. Think about how you would like to deploy updates. There are countless ways of doing this. Think about whether you would want everyone on the network downloading from one shared folder, or whether you want every department to have their own update location with a failover location as well.

The rest of this document describes various deployment scenarios (like WANs, remote users, or networks with no servers) that we have anticipated.
5 Main installation scenarios

5.1 Single-site network

5.1.1 Installation

Management software

Install Enterprise Console on one server (to be used to manage the network) or install the database(s) on a separate server if you have a large network. For more information on installing the Enterprise Console database on a SQL cluster, please see Installing Enterprise Console databases in a clustered SQL Server environment.

If you use Active Directory, use it to import containers (OUs) first. Then, once you’ve adjusted your groups and created the subgroups that you need, synchronize with Active Directory to import the computers.

If your network has more than 10,000 computers (4,000 if you use Windows Server 2008), you should set up at least one message relay to reduce the load of communications to and from the management server. See Enterprise Console: configuring message relay computers for more information.

Client software

You have many options for deploying Endpoint Security and Control to your client computers:

■ Deploy directly from Enterprise Console, as described in the Sophos Enterprise Console quick startup guide (for smaller networks) or the Sophos Enterprise Console advanced startup guide (for larger networks). The guides are available from http://www.sophos.com/en-us/support/documentation/enterprise-console.aspx
■ Use SMS/SCCM (Microsoft recommends that you use SCCM to distribute software when you have 250 or more client computers in your network). For detailed instructions, see Using SCCM 2007 (SMS) to deploy Endpoint Security and Control (Sophos Anti-Virus).
■ Create a script to invoke special features when running the installation with setup.exe. You can then use a Group Policy Object to deploy the script and installation file.
5.1.2 Role-based administration

Consider whether you would like to use sub-estates to divide up the day-to-day management of your network. Consider who will have what roles and install Enterprise Console on their computers when you are ready.

We recommend that you have at least one sub-estate at each of your locations, with more than one IT person assigned to each one. That way, they can manage two networks when one person is off sick or on vacation.

5.1.3 Updating structure

There are many considerations that go into planning an update structure. When planning, remember that the update manager pushes the files to each share in turn, so the number of shares should be tailored to fit your network bandwidth. Also remember that you shouldn’t put a share on a computer that may go into standby or otherwise be unavailable for long periods of time.

How big is your network?

On a network with fewer than 1,000 computers, you can install a single update manager and create one or more update locations for your client computers to download updates from.

On a network of 1,000 or more computers, you’ll want to design your update structure to take advantage of the best network architecture and the most effective servers.

If you use a UNC path for your update location, it should be used by a maximum of 1,000 computers, unless it is on a dedicated file server. If you set up a web location for updating, it can handle somewhere between 5,000 and 10,000 computers updating from it.

You could also set up additional update managers to spread the load. They could either update from the primary update manager or directly from Sophos. This kind of scenario could also be used for designing failovers. For detailed instructions about installing an additional update manager, see section 7 of the Sophos Enterprise Console advanced startup guide (available from http://www.sophos.com/en-us/support/documentation/enterprise-console.aspx).

As a general rule, you should install an additional update manager for each 25,000 client computers on your network.

What computers are on your network?

Your update shares can publish software for all the different supported operating systems. Consider whether you may want more than one update location for a specific operating system. For example, you might want half your Windows 2000+ operating systems to use one update location and the other half to use another, and use a separate server for Mac OS X, Linux, and UNIX updates.

You can also download software for NetWare and set up a share on any server for these computers to update from. This is described in an appendix to the Sophos Enterprise Console advanced startup guide.
Do you have roaming or remote users connecting to your network?

We’ve tried to illustrate the most common "additional network configuration" scenarios in the rest of this document. Refer to the type of installation that applies to your situation to learn how to install Endpoint Security and Control on the client computers and how to structure your updating structure to support them.
5.2 WAN

Note: The following sections apply to both single-domain and multiple-domain (or workgroup) networks.

Choose the scenario that best applies to your situation:

■ Scenario 1: Sites are managed independently. In this scenario, there is an administrator at each site who will administer their own site independently.
■ Scenario 2: Sites are primarily centrally managed.
  ■ There is admin or helpdesk staff who will administer groups across the two domains/sites, or
  ■ There is one administrator who will administer both domains/sites from site A.

5.2.1 Scenario 1: Sites are managed independently

There is an administrator at each site who will administer their own site independently.

5.2.1.1 Installation

Install Enterprise Console at each site and use Active Directory to synchronize with the local domain only.

5.2.1.2 Role-based administration

If there is only one person responsible for checking the network at each site, set up the other site administrator with the right to monitor alerts and events to ensure that there is coverage to deal with malware outbreaks and other security events in the event that the local admin is not present.

If there are several people at each site who can check the network, set them up with roles and sub-estates as required.

5.2.1.3 Updating structure

If you wish, you could configure the update manager on site B to download its updates from site A, but you could also have it download its updates directly from Sophos.

Read the advice for the "standard" scenario described above to see what other issues you should consider before installing Endpoint Security and Control at each site.
5.2.2 Scenario 2: Sites are primarily centrally managed

There is admin or helpdesk staff who will administer groups across the two domains/sites
OR
There is one administrator who will administer both domains/sites from site A

5.2.2.1 Installation

Install Enterprise Console at site A and use RDP or TS to manage the computers at site B. If you have staff at site B who should be allowed to perform certain tasks, install Enterprise Console only at site B.

If the sites are on different domains, remember that once you install Enterprise Console, you will need to set it up for multiple domains. For more information, see Protecting computers in a multiple domain environment.

Ensure that your web filtering equipment allows the following ports for Sophos communications:

Network: allow ports 137-139 and 445
Weblink: allow port 80

5.2.2.2 Role-based administration

This depends on how the IT department is structured. If all the IT staff is on one site, you’d probably want to break down the network into sub-estates based on location. If there is IT staff at each site, you could divide each site into sub-estates as well. It’s up to you.

5.2.2.3 Updating structure

Wherever possible, we recommend that you install an additional update manager in a remote location. There are a few reasons, but most important is the amount of bandwidth needed to update the shared folders on site B and the danger that the shares would be incomplete if the link went down.

Your updating structure would depend on whether or not there is a server or other suitable Windows computer on site B which could be used to distribute updates.

Note: Suitable computers are those running Windows 2003/Vista/Windows 7/2008/SBS 2011. For system requirements for Enterprise Console and its components, go to http://www.sophos.com/en-us/support/knowledgebase/118635.aspx

■ If there is a server or other suitable Windows computer on site B which could be used to distribute updates

Install an Update Manager at site B to update the local computers. This update manager could either download its updates from site A or directly from Sophos.

If you have a firewall between your sites, you’ll have to update via HTTP. Set up a web folder at site A so that the site B computers can get their updates.
■ If there is no server or suitable Windows computer on site B

Use the update manager at site A to create a share for site B. This shared folder could be located at site A, or at site B if bandwidth is a concern.

If the link would be too slow to download updates from site A once an hour, consider creating a web folder for the site B computers to update from.

No matter what you choose as the primary source for updates, ensure that the secondary updating source in the updating policy for Site B computers points to Sophos in case the link between the two sites goes down or the web location is unavailable.
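The sizing rules in sections 5.1.1 and 5.1.3 and the site B decisions in section 5.2.2.3 can be worked through for a whole estate at once. The following is an added planning sketch, not Sophos code: `Site`, `plan_site` and `plan_estate` are hypothetical names, the sample estate is constructed, and using the lower bound of the guide's 5,000 to 10,000 range for web locations is an assumption.

```python
"""Added planning aid (not Sophos code): applies the guide's sizing rules."""
from dataclasses import dataclass
from math import ceil
from pprint import pprint

# Thresholds quoted from sections 5.1.1 and 5.1.3 of the guide.
UNC_MAX_CLIENTS = 1_000         # per UNC update location (not on a dedicated file server)
WEB_MIN_CAPACITY = 5_000        # guide says 5,000-10,000; lower bound used (assumption)
CLIENTS_PER_EXTRA_UM = 25_000   # one additional update manager per 25,000 clients
RELAY_THRESHOLD = 10_000        # message relay needed above this many computers
RELAY_THRESHOLD_WS2008 = 4_000  # lower threshold when using Windows Server 2008


@dataclass
class Site:
    """Hypothetical inventory record for one location."""
    name: str
    clients: int
    primary: bool = False                # "site A": hosts Enterprise Console
    suitable_windows_host: bool = True   # can host an update manager (5.2.2.3)
    firewall_to_primary: bool = False    # firewall between this site and site A
    dedicated_file_server: bool = False  # lifts the 1,000-client UNC limit


def plan_site(site: Site) -> dict:
    """Return update-structure recommendations for one site."""
    local_um = site.primary or site.suitable_windows_host
    plan = {
        "site": site.name,
        "update_manager": "local" if local_um else "shares created by site A",
        # The guide states no limit for a dedicated file server, so one share is assumed.
        "unc_shares": 1 if site.dedicated_file_server
        else max(1, ceil(site.clients / UNC_MAX_CLIENTS)),
        # Alternative to UNC shares: web locations sized at the conservative bound.
        "web_locations": max(1, ceil(site.clients / WEB_MIN_CAPACITY)),
        "secondary_source": None,
    }
    if site.primary:
        plan["source"] = "Sophos"
    elif local_um:
        # A firewall between the sites forces updating over HTTP (web folder at site A).
        plan["source"] = ("site A web folder (HTTP) or Sophos"
                          if site.firewall_to_primary else "site A or Sophos")
    else:
        # No suitable host: site A publishes the share, Sophos is the fallback.
        plan["source"] = "site A"
        plan["secondary_source"] = "Sophos"
    return plan


def plan_estate(sites, server_is_ws2008: bool = False) -> dict:
    """Apply the estate-wide rules, then plan each site."""
    total = sum(s.clients for s in sites)
    threshold = RELAY_THRESHOLD_WS2008 if server_is_ws2008 else RELAY_THRESHOLD
    return {
        "total_clients": total,
        "message_relay_needed": total > threshold,
        "additional_update_managers": total // CLIENTS_PER_EXTRA_UM,
        "sites": [plan_site(s) for s in sites],
    }


if __name__ == "__main__":
    # Constructed sample estate, for illustration only.
    estate = [
        Site("HQ", 12_000, primary=True),
        Site("Branch", 800, firewall_to_primary=True),
        Site("Kiosk", 40, suitable_windows_host=False),
    ]
    pprint(plan_estate(estate))
```

The share counts are upper bounds on load per location only; the guide also notes that the update manager pushes to each share in turn, so the final number still has to fit the available bandwidth.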
5.3 No server

5.3.1 Installation

If you have a small network with no server (ten or fewer computers), you can still download and use Enterprise Console to manage your network as long as you have a computer that satisfies system requirements for Enterprise Console. Follow the advice for the "Single-site network" scenario, described above.

Alternatively, if all of your computers are connected to the Internet, you could install the standalone version of Endpoint Security and Control on those computers and they would all update directly from Sophos.

5.3.2 Role-based administration

If you install Enterprise Console on one of your computers, you could set up another user to monitor your network when you are away from the office.

5.3.3 Updating

If you install Enterprise Console on one of your computers, use the update manager to set up an updating system with a single share.

If you install the standalone version of Endpoint Security and Control on all of your computers, they will update directly from Sophos.
5.4 No suitable Windows computer

If you don’t have a Windows Server, or a suitable Windows computer that satisfies system requirements for Enterprise Console, you will have to download Sophos Anti-Virus for your non-Windows computers and they will update separately.

5.4.1 Installation

Download and install:

■ Sophos Anti-Virus for Mac OS X
■ Sophos Anti-Virus for Linux
■ Sophos Anti-Virus for UNIX

Documentation for Sophos Anti-Virus for all supported platforms is available at http://www.sophos.com/en-us/support/documentation.aspx.

5.4.2 Role-based administration

Does not apply as Enterprise Console can only be run on a Windows server or suitable workstation.

5.4.3 Updating

Sophos Anti-Virus for Linux can be updated by one computer and the cache folder can be shared with the other Linux computers in your network.
5.5 No Enterprise Console

Please note that this scenario is not supported. You should make every effort to use Enterprise Console or other security management product from the range of Sophos products, for example, Sophos Unified Threat Management (UTM). If you have a small network and no dedicated server, you could also use Sophos Cloud.

5.5.1 Installation

Download the standalone installer and install Endpoint Security and Control on each computer individually. Each computer would then update directly from Sophos.

5.5.2 Role-based administration

Not applicable, as these computers are not managed and Enterprise Console is not being used.

5.5.3 Updating

The computers would update directly from Sophos.
6 Additional configurations

6.1 Roaming users connecting via VPN

6.1.1 Installation

Follow the advice for the "standard" scenario for recommendations for installing Enterprise Console on the management server.

For your roaming users, because the computers will connect to the network via VPN, you should deploy Endpoint Security and Control software to these computers from Enterprise Console. When they next connect, they will download and install the security software.

6.1.2 Role-based administration

Supporting roaming users is an additional security concern. To make monitoring and administration easier, you might want to set up one sub-estate for roaming users so that one person could closely monitor their security status.

6.1.3 Updating

Ensure that the updating policies for roaming computers have Sophos set up as a secondary source for updates, in case the user can't connect to your network while they're away from the office.

Alternatively, you may also consider creating a web location for them to update from, so that they can update their security software even if they can't connect to your network.
6.2 Air gapped network

6.2.1 Installation

Follow the advice for the "standard" scenario for recommendations for installing Enterprise Console on the management server on the outside network.

For your air-gapped network, you have two options:

■ Install Enterprise Console and an update manager and deploy to the client computers from the management server in the air-gapped network.
■ Install Endpoint Security and Control on each of the computers individually and have them update from a shared folder copied from the outside network. You won't be able to manage the computers on the air-gapped network, nor would you be able to take advantage of all the features of Endpoint Security and Control, because Application Control, Device Control and Data Control are all configured using Enterprise Console.

6.2.2 Role-based administration

You will have separate installations of Enterprise Console on the two networks, so you won't be able to monitor both networks from one Enterprise Console.

You could break your air-gapped network into sub-estates, if it's big enough. As with any network, you'd probably want to define at least one extra role to monitor the network when the administrator is busy.

6.2.3 Updating

When you configure the update manager in the air-gapped network, ensure that it uses a folder on the management server, or a removable device that you manually update with data from the outside network as its update source.

For detailed instructions on setting up an air gapped network, please see Installing and configuring an air gap with Sophos Update Manager.
  • 18. 6.3 Remote workers, no VPN access
    6.3.1 Installation
    There are two options for protecting off-site computers without VPN connection:
    ■ You could download the standalone installer and install Endpoint Security and Control on each computer individually. The users would then update directly from Sophos.
    ■ You could create a self-extracting .exe file for your users to install the software themselves. These users would update from a web location that you configure and update.
    6.3.2 Role-based administration
    Not applicable, as these computers are not managed.
    6.3.3 Updating
    Either the computers would update directly from Sophos or they would update from a web location that you configure.
  • 19. 6.4 Home users (extended license)
    6.4.1 Installation
    The only supported installation for home users is a self-extracting .exe file that you build for them. We do not permit home users to update from the Sophos databanks directly. You will have to create a web folder where your home users can download their updates from.
    6.4.2 Role-based administration
    Does not apply.
    6.4.3 Updating
    Create a web folder that will copy the updates from your update manager and allow you to distribute them to your employees' personal computers at home.
    Please see our Best Practice article about setting up home users for more information.
  • 20. 7 Technical support
    You can find technical support for Sophos products in any of these ways:
    ■ Visit the SophosTalk community at community.sophos.com/ and search for other users who are experiencing the same problem.
    ■ Visit the Sophos support knowledgebase at www.sophos.com/en-us/support.aspx.
    ■ Download the product documentation at www.sophos.com/en-us/support/documentation/.
    ■ Send an email to support@sophos.com, including your Sophos software version number(s), operating system(s) and patch level(s), and the text of any error messages.
  • 21. 8 Legal notices
    Copyright © 2009–2014 Sophos Limited. All rights reserved. No part of this publication may be reproduced, stored in a retrieval system, or transmitted, in any form or by any means, electronic, mechanical, photocopying, recording or otherwise unless you are either a valid licensee where the documentation can be reproduced in accordance with the license terms or you otherwise have the prior permission in writing of the copyright owner.
    Sophos, Sophos Anti-Virus and SafeGuard are registered trademarks of Sophos Limited, Sophos Group and Utimaco Safeware AG, as applicable. All other product and company names mentioned are trademarks or registered trademarks of their respective owners.
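Section 6.2.3 has you carry update data into the air-gapped network by hand on a folder or removable device. The following is an added example, not part of the Sophos guide or any Sophos tool, of checking that the copied folder matches what left the outside network; the file names and folder layout are constructed samples, not the real update share layout.

```python
import hashlib
import os
import tempfile

def build_manifest(root):
    """Map each file path (relative to root, '/'-separated) to its SHA-256."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            digest = hashlib.sha256()
            with open(full, "rb") as fh:
                for chunk in iter(lambda: fh.read(1 << 20), b""):
                    digest.update(chunk)
            manifest[rel] = digest.hexdigest()
    return manifest

def verify_copy(root, manifest):
    """Compare a transferred folder with the manifest built on the outside network."""
    actual = build_manifest(root)
    return {
        "missing": sorted(set(manifest) - set(actual)),
        "unexpected": sorted(set(actual) - set(manifest)),
        "modified": sorted(p for p in manifest.keys() & actual.keys()
                           if manifest[p] != actual[p]),
    }

def demo():
    """Constructed sample: an 'outside' share and a damaged copy of it."""
    files = {"catalogue/index.dat": b"constructed-index",
             "pkg/data.bin": b"constructed-data",
             "pkg/setup.cfg": b"constructed-config"}
    with tempfile.TemporaryDirectory() as outside, \
         tempfile.TemporaryDirectory() as inside:
        for rel, data in files.items():
            for base in (outside, inside):
                path = os.path.join(base, *rel.split("/"))
                os.makedirs(os.path.dirname(path), exist_ok=True)
                with open(path, "wb") as fh:
                    fh.write(data)
        manifest = build_manifest(outside)
        # Simulate a bad transfer: one file altered, one lost, one extra added.
        with open(os.path.join(inside, "pkg", "data.bin"), "wb") as fh:
            fh.write(b"altered-in-transit")
        os.remove(os.path.join(inside, "pkg", "setup.cfg"))
        with open(os.path.join(inside, "extra.exe"), "wb") as fh:
            fh.write(b"not in manifest")
        return verify_copy(outside, manifest), verify_copy(inside, manifest)

if __name__ == "__main__":
    clean, damaged = demo()
    print("outside share:   ", clean)
    print("transferred copy:", damaged)
```

A manifest that travels on the same device as the data only detects accidental damage; to detect deliberate changes, bring the manifest (or its own hash) across by a separate path and point the update manager at the folder only when all three lists are empty.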