Solved

Sophos EndPoint Deployment in Enterprise Environment

Posted on 2014-08-18
Last Modified: 2016-02-25
Hi,
We are planning to roll out Sophos Endpoint to servers. We have 15 servers at the DR site and around 100 virtual/physical servers onsite. On site, the servers are located in three buildings. Just wondering in which order I should roll out Sophos Endpoint to the servers.
It's similar with computers as well; there are around 2000 computers/laptops which are due to be rolled out......
Need to develop a rollout plan for computers and servers....
Any help/suggestions will be greatly appreciated.
Question by:Leo
14 Comments
 
LVL 65

Expert Comment

by:btan
ID: 40271491
This can be a good start for deployment practices, and I do recommend having a pool of test environments to try it out; DR should be readily available, with the upgrade there first and then the main site. Application testing is best to pass UAT before transitioning to the main site for installation... the key is for the site server to be identified to handle the push down, as well as the "clients" to be managed by the site server identified...

http://www.sophos.com/en-us/medialibrary/PDFs/documentation/sesc_10_ibpgeng.pdf?la=en

The location of the management database, management server and management consoles can be customized to suit your needs. For instance you could install:
■ All components on the same server – this is referred to as a "standard" or "default" installation throughout our documentation.
■ Each component on a separate server.
■ Only the databases on a separate server, possibly on a dedicated SQL cluster.
■ Enterprise Console on your local computer and the other components on a separate server.
■ The whole product on VMWare to be managed from within a virtual machine.
■ All components on a server in a server room and you use Remote Desktop sessions to use Enterprise Console from your local computer.

The considerations that go into each are described in this document for each network configuration scenario:
■ Update Manager. This component creates a structure for updating the anti-virus (and other) software on your endpoint computers. It will automatically create a central location for your network to update from, but you can choose to create more update locations as you see fit. Update locations can either be set up as a UNC path or a web folder.

For VM, you want to check out
http://www.sophos.com/en-us/support/knowledgebase/110507.aspx

Always ensure a backup and rollback plan is readily available and tested prior to the actual production rollout; hence the staging testing is critical too.
0
 
LVL 8

Author Comment

by:Leo
ID: 40271505
Apologies, to clarify more: we already have Sophos Enterprise Console; we have to roll out Endpoint to servers/computers.
Enterprise Console is already installed; it's stable and working in the production environment.
0
 
LVL 65

Expert Comment

by:btan
ID: 40272422
Maybe you can check out:

How to install Endpoint Security and Control manually on networked computers
http://www.sophos.com/en-us/support/knowledgebase/12386.aspx

Where computers are not always on the network, e.g., laptops that are sometimes used away from the office, you can configure them to update from an alternative source when they are away.  The alternative source can be an updates folder on a website maintained by your company, or it can be a Sophos website.  You will either need to create a new updating policy or edit an existing one and enter the alternate update source in the secondary server tab.

Overall guidance from Sophos below and maybe best to leverage any of the existing software distribution you have in place for consistency
http://www.sophos.com/en-us/support/knowledgebase/114191.aspx

Sophos endpoint deployment guide
http://downloads.sophos.com/tools/on-line/deployment_guide/en-us/index.html

Deploying Endpoint Security and Control through Active Directory group policy
http://www.sophos.com/en-us/support/knowledgebase/13090.aspx

Sophos installations on either physical or virtual systems.
http://www.sophos.com/en-us/support/knowledgebase/12570.aspx

Using SCCM 2007 (SMS) to deploy Endpoint Security and Control (Sophos Anti-Virus)
http://www.sophos.com/en-us/support/knowledgebase/12457.aspx
0
 
LVL 65

Expert Comment

by:btan
ID: 40272436
Best Practice guide: designing sub-estates and role-based administration.
http://www.sophos.com/en-us/support/knowledgebase/63172.aspx

Sub-estates are logical subdivisions of your network. Most often, they are the same as your distinct sites, such as a branch office in another city or a manufacturing site in another country. But sometimes you need to set up sub-estates because you have more than 25,000 endpoints that will be managed by Enterprise Console. In this case, you may choose to create one sub-estate for your sales and marketing endpoints, another for your production endpoints and yet another for all of the other departments in your organization. In educational establishments, you may have one sub-estate for the endpoints in the humanities and another for the endpoints in the sciences and all other faculties.

Role-based administration refers to the logical subdivision of responsibilities in each of the sub-estates. For instance, from our previous example, there may be one IT manager in the school of arts and humanities, but three other IT staff of various rank who have different responsibilities over the endpoints computers in that same school. Some of those people may work on a helpdesk within computer labs to help students with immediate problems on computers. These staff may not be responsible for planning security policies. The role that you choose for each individual will reflect these differences in responsibility.

other considerations

Best Practices for Endpoint Security and Control
http://www.sophos.com/en-us/support/knowledgebase/63556.aspx

Best practice: designing groups in Enterprise Console
http://www.sophos.com/en-us/support/knowledgebase/63155.aspx
0
 
LVL 8

Author Comment

by:Leo
ID: 40284910
Thanks for that. I am trying to create Sophos Endpoint for home users who are using Mac as their operating system, by following this article...
http://www.sophos.com/en-us/support/knowledgebase/119744.aspx 
I can't seem to run this command under Windows OS: "CreateUpdatePreconfig".
It gives an error when I run this command “./CreateUpdatePreconfig”: 'CreateUpdatePreconfig' is not recognized as an internal or external command,operable program or batch file.
Do these instructions need to be run on a Mac computer?
0
 
LVL 65

Expert Comment

by:btan
ID: 40285915
That is to be run on a Mac (not Windows), as you can see in the command:
sudo ./CreateUpdatePreconfig -PrimaryServerType 0 -PrimaryServerUserName MyUserName -PrimaryServerPassword MyPassword

Wondering if this can help to manually create an installer package:
http://www.sophos.com/en-us/support/knowledgebase/67504.aspx
0
 
LVL 8

Author Comment

by:Leo
ID: 40308455
I have drafted a report. Would it be possible for me to send it to you by email, so you can review it and let me know if it requires any further considerations?
0
 
LVL 8

Author Comment

by:Leo
ID: 40308465
I have attached the project scope; kindly review it and let me know what you think.
Thanks.
Scope-of-brief.docx
0
 
LVL 65

Expert Comment

by:btan
ID: 40308489
I will not drill into the steps, as I strongly suggest you get Sophos support to advise and stand by, since it is officially available for your organisation. This should be covered within your contractual rights for user acceptance or even the future maintenance and renewal roadmap, so do maximise on this. If not available, engage the Sophos account contact for your org to plan this ... for interim support and long term ...

Seems alright, but I do suggest you target the servers first, then the workstations, and also the application testing, especially those in house, in the UAT. As for the upgrade steps, ideally the remote users or secondary server will be first to run, since it is a small pool, before going big bang on the rest. Likewise for internal: as mentioned, test and state a window of monitoring (server, application, workstation by dept if viable).
0
 
LVL 32

Expert Comment

by:aleghart
ID: 40308584
I didn't see in the scope a call for a relay server or servers, and any public-facing server for updates outside the LAN.  Are you planning on running the DR site as just another group of endpoints over WAN, or treating as a separate sub-estate?  Your node count is not that high.

You also don't mention update server(s) or if you will point to Sophos's web server.
0
 
LVL 65

Accepted Solution

by:
btan earned 2000 total points
ID: 40309052
another ...

Where computers are not always on the network, e.g., laptops that are sometimes used away from the office, you can configure them to update from an alternative source when they are away. The alternative source can be an updates folder on a website maintained by your side.

For successful endpoint deployment and installation, some Sophos guidance for reference:
http://downloads.sophos.com/tools/on-line/deployment_guide/en-us/index.html
1. Check the version of Sophos console you have - Confirm your console version
2. Determine if you have a domain or workgroup network type - Understanding network types
3. If step two showed you have a domain: determine your domain functional level. Otherwise skip to step four - Confirm your domain functional level
4. Prepare your workstation computers to allow remote installation of Sophos endpoint software - Preparing computers for deployment
5. Prepare your workstation computers so they can report back to the management server - Allowing computers to report
6. Populate the console with a list of endpoint computers connected to your network - Discovering endpoint computers
7. Deploy security software to your endpoint computers from the console - Installing endpoint software
8. Troubleshoot any issues that occur with either installation or ability to report to the console. Otherwise skip to step nine - Troubleshooting installation errors
9. Return settings enabled for deployment to default. Note: Any settings changed to allow endpoints to report to the management server must not be changed. - Post deployment recommendations

Also, you may want to consider using SCCM 2007 (SMS) to deploy Endpoint Security and Control (Sophos Anti-Virus) if there is already an existing structure for distributing s/w consistently.
http://www.sophos.com/en-us/support/knowledgebase/12457.aspx
0
 
LVL 8

Author Comment

by:Leo
ID: 40313609
We are due to roll out Sophos on 1000+ computers. Some of the computers already have the newer version. What we are trying to achieve is to select a group of computers and roll out on them first, but we need to know what version of Sophos is running on those computers, so I think the best approach would be to run a script on those computers remotely and find out which version of the particular software they are running?
In step one it says to check the version of Sophos Endpoint.
0
 
LVL 32

Expert Comment

by:aleghart
ID: 40313641
You see the engine version and definitions date from the console.  Did you run discovery on the network(s) yet?  You should be able to see managed and unmanaged machines, sort the master list, or manually create groups.
0
 
LVL 65

Expert Comment

by:btan
ID: 40313677
Good to discover assets as well, as they may not necessarily always be there, e.g. off site, switched off, faulty, etc... You can check this PDF for gradual upgrade per se, as a reference:

http://www.sophos.com/en-us/medialibrary/PDFs/documentation/sesc_103_ugeng.pdf
0
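
Added example, not part of any post in this thread: one way to run the remote version check proposed in comment 40313609 against a pilot group, alongside the console view mentioned in the reply to it. It assumes PowerShell 3.0 or later with remoting (WinRM) enabled on the targets and that the products register an uninstall entry whose DisplayName starts with "Sophos"; the computer names and the output file name are constructed.

```powershell
# Inventory installed Sophos components on a pilot group over PowerShell remoting.
# Assumptions: WinRM is enabled on targets; the DisplayName filter 'Sophos*' is a guess
# at how the products register; computer names below are constructed placeholders.
param(
    [string[]]$ComputerName = @('PILOT-PC01', 'PILOT-PC02', 'PILOT-SRV01'),
    [string]$NameFilter     = 'Sophos*',
    [string]$OutCsv         = '.\sophos-versions.csv'
)

$query = {
    param($filter)
    # Check both the native and the 32-bit (WOW6432Node) uninstall keys.
    $keys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
            'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like $filter } |
        Select-Object DisplayName, DisplayVersion
}

# Query all targets in parallel; unreachable hosts are collected in $failed
# instead of stopping the run (laptops may be off site or switched off).
$icm = @{
    ComputerName  = $ComputerName
    ScriptBlock   = $query
    ArgumentList  = $NameFilter
    ErrorAction   = 'SilentlyContinue'
    ErrorVariable = 'failed'
}
$found = @(Invoke-Command @icm)

# One row per installed component, plus a row for hosts with nothing found or no answer.
$report = foreach ($c in $ComputerName) {
    $hits = @($found | Where-Object { $_.PSComputerName -eq $c })
    if ($hits) {
        foreach ($h in $hits) {
            [pscustomobject]@{ Computer = $c; Product = $h.DisplayName; Version = $h.DisplayVersion; Status = 'Installed' }
        }
    } elseif ($failed.TargetObject -contains $c) {
        [pscustomobject]@{ Computer = $c; Product = ''; Version = ''; Status = 'Unreachable' }
    } else {
        [pscustomobject]@{ Computer = $c; Product = ''; Version = ''; Status = 'NotInstalled' }
    }
}

$report | Sort-Object Status, Computer | Export-Csv -Path $OutCsv -NoTypeInformation
$report | Group-Object Status | Select-Object Name, Count
```

Hosts reported as Unreachable need a retry or a console check before they are assigned to a rollout group, since an empty result there says nothing about what is installed.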

Question has a verified solution.