Sophos EndPoint Deployment in Enterprise Environment

We are planning to roll out Sophos Endpoint to servers. We have 15 servers at the DR site and around 100 virtual/physical servers onsite. On site, the servers are located in three buildings. Just wondering in which order I should roll out Sophos Endpoint to the servers.
It's similar with computers as well: there are around 2000 computers/laptops which are due to be rolled out.
We need to develop a rollout plan for computers and servers.
Any help/suggestions will be greatly appreciated.
btan (Exec Consultant) commented:
This can be a good start for the deployment practices, and I do recommend having a pool of test environments to try it out, and the DR site should be readily available with the upgrade first, then the main site. Application testing is best to pass the UAT before transiting to the main site for installation... the key is the site server to be identified to handle the push down as well as the "client" to be managed by the site server identified...

The location of the management database, management server and management consoles can be customized to suit your needs. For instance you could install:
■ All components on the same server – this is referred to as a "standard" or "default" installation throughout our documentation.
■ Each component on a separate server.
■ Only the databases on a separate server, possibly on a dedicated SQL cluster.
■ Enterprise Console on your local computer and the other components on a separate server.
■ The whole product on VMWare to be managed from within a virtual machine.
■ All components on a server in a server room and you use Remote Desktop sessions to use Enterprise Console from your local computer.

The considerations that go into each are described in this document for each network configuration scenario:
■ Update Manager. This component creates a structure for updating the anti-virus (and other) software on your endpoint computers. It will automatically create a central location for your network to update from, but you can choose to create more update locations as you see fit. Update locations can either be set up as a UNC path or a web folder.

For VM, you want to check out

Always ensure a backup and rollback plan is readily available and tested prior to the actual production rollout, hence the staging testing is critical too.
Leo (Author) commented:
Apologies, to clarify more: we already have Sophos Enterprise Console, and we have to roll out Endpoint to servers/computers.
Enterprise Console is already installed; it's stable and working in the production environment.
btan (Exec Consultant) commented:
maybe can check out

How to install Endpoint Security and Control manually on networked computers

Where computers are not always on the network, e.g., laptops that are sometimes used away from the office, you can configure them to update from an alternative source when they are away.  The alternative source can be an updates folder on a website maintained by your company, or it can be a Sophos website.  You will either need to create a new updating policy or edit an existing one and enter the alternate update source in the secondary server tab.

Overall guidance from Sophos below and maybe best to leverage any of the existing software distribution you have in place for consistency

Sophos endpoint deployment guide

Deploying Endpoint Security and Control through Active Directory group policy

Sophos installations on either physical or virtual systems.
Using SCCM 2007 (SMS) to deploy Endpoint Security and Control (Sophos Anti-Virus)
btan (Exec Consultant) commented:
Best Practice guide: designing sub-estates and role-based administration.

Sub-estates are logical subdivisions of your network. Most often, they are the same as your distinct sites, such as a branch office in another city or a manufacturing site in another country. But sometimes you need to set up sub-estates because you have more than 25,000 endpoints that will be managed by Enterprise Console. In this case, you may choose to create one sub-estate for your sales and marketing endpoints, another for your production endpoints and yet another for all of the other departments in your organization. In educational establishments, you may have one sub-estate for the endpoints in the humanities and another for the endpoints in the sciences and all other faculties.

Role-based administration refers to the logical subdivision of responsibilities in each of the sub-estates. For instance, from our previous example, there may be one IT manager in the school of arts and humanities, but three other IT staff of various rank who have different responsibilities over the endpoint computers in that same school. Some of those people may work on a helpdesk within computer labs to help students with immediate problems on computers. These staff may not be responsible for planning security policies. The role that you choose for each individual will reflect these differences in responsibility.

other considerations

Best Practices for Endpoint Security and Control

Best practice: designing groups in Enterprise Console
Leo (Author) commented:
Thanks for that. I am trying to create Sophos Endpoint for home users who are using Mac as their operating system, by following this article...
I can't seem to run this command under Windows OS: "CreateUpdatePreconfig".
It gives an error when I run this command "./CreateUpdatePreconfig": 'CreateUpdatePreconfig' is not recognized as an internal or external command,operable program or batch file.
Do these instructions need to be run on a Mac computer?
btan (Exec Consultant) commented:
that is to run in Mac (not Windows) as you can see in the command
sudo ./CreateUpdatePreconfig -PrimaryServerType 0 -PrimaryServerUserName MyUserName -PrimaryServerPassword MyPassword

Wondering if this can help to manually create an installer package
Leo (Author) commented:
I have drafted a report. Would it be possible for me to send it to you through email, so you can review it and let me know if it requires any further considerations?
Leo (Author) commented:
I have attached the project scope. Kindly review it and let me know what you think.
btan (Exec Consultant) commented:
I will not drill into the steps as I strongly suggest you get the Sophos support to advise and stand by, since it is officially available for your organisation. This should be covered within your contractual rights for user acceptance or even future maintenance and renewal roadmap, so do maximise on this. If not available, engage the Sophos account contact for your org to plan forth this ... for interim support and long term ...

Seems alright, but I do suggest you target the server first, then the workstation, and also the application testing, especially those in house, in the UAT. As for the upgrade steps, ideally the remote user or secondary server will be first to run since it is a small pool, before going big bang on the rest. Likewise for internal, as mentioned, test and state a window of monitoring (server, application, workstation by dept if viable).
I didn't see in the scope a call for a relay server or servers, and any public-facing server for updates outside the LAN.  Are you planning on running the DR site as just another group of endpoints over WAN, or treating as a separate sub-estate?  Your node count is not that high.

You also don't mention update server(s) or if you will point to Sophos's web server.
btan (Exec Consultant) commented:
another ...

Where computers are not always on the network, e.g., laptops that are sometimes used away from the office, you can configure them to update from an alternative source when they are away. The alternative source can be an updates folder on a website maintained by your side.

For successful endpoint deployment and installation, some Sophos guidance for reference:
1. Check the version of Sophos console you have - Confirm your console version
2. Determine if you have a domain or workgroup network type - Understanding network types
3. If step two showed you have a domain: determine your domain functional level. Otherwise skip to step four - Confirm your domain functional level
4. Prepare your workstation computers to allow remote installation of Sophos endpoint software - Preparing computers for deployment
5. Prepare your workstation computers so they can report back to the management server - Allowing computers to report
6. Populate the console with a list of endpoint computers connected to your network - Discovering endpoint computers
7. Deploy security software to your endpoint computers from the console - Installing endpoint software
8. Troubleshoot any issues that occur with either installation or ability to report to the console. Otherwise skip to step nine - Troubleshooting installation errors
9. Return settings enabled for deployment to default. Note: Any settings changed to allow endpoints to report to the management server must not be changed. - Post deployment recommendations

Also may want to consider using SCCM 2007 (SMS) to deploy Endpoint Security and Control (Sophos Anti-Virus) if there is already an existing structure for distributing s/w consistently.

Leo (Author) commented:
We are due to roll out Sophos on 1000+ computers. Some of the computers already have the newer version. What we are trying to achieve is to select a group of computers and roll out on them first, but we need to know what version of Sophos is running on those computers, so I think the best approach would be to run a script on those computers remotely and find out which version of the particular software they are running?
In step one it says to check the version of Sophos Endpoint.
You see the engine version and definitions date from the console.  Did you run discovery on the network(s) yet?  You should be able to see managed and unmanaged machines, sort the master list, or manually create groups.
btan (Exec Consultant) commented:
Good to discover assets as well, as they may not necessarily always be there, e.g. off site, switched off, faulty. Can check this pdf for gradual upgrade per se as ref.