Leo

asked on

Sophos EndPoint Deployment in Enterprise Environment

Hi,
We are planning to roll out Sophos Endpoint to servers. We have 15 servers at the DR site and around 100 virtual/physical servers onsite. On site the servers are located in three buildings. Just wondering in which order I should roll out Sophos Endpoint to the servers.
It's similar with computers as well; there are around 2000 computers/laptops which are due to be rolled out.
We need to develop a rollout plan for computers and servers.
Any help/suggestions will be greatly appreciated.

btan

This can be a good start for the deployment practices, and I do recommend having a pool of test environments to try out, and DR should be readily available with the upgrade first, then the main site. Application testing is best to pass the UAT before transiting to the main site for installation... the key is the site server to be identified to handle the push down as well as the "client" to be managed by the site server identified...

http://www.sophos.com/en-us/medialibrary/PDFs/documentation/sesc_10_ibpgeng.pdf?la=en

The location of the management database, management server and management consoles can be customized to suit your needs. For instance you could install:
■ All components on the same server – this is referred to as a "standard" or "default" installation throughout our documentation.
■ Each component on a separate server.
■ Only the databases on a separate server, possibly on a dedicated SQL cluster.
■ Enterprise Console on your local computer and the other components on a separate server.
■ The whole product on VMWare to be managed from within a virtual machine.
■ All components on a server in a server room and you use Remote Desktop sessions to use Enterprise Console from your local computer.

The considerations that go into each are described in this document for each network configuration scenario:
■ Update Manager. This component creates a structure for updating the anti-virus (and other) software on your endpoint computers. It will automatically create a central location for your network to update from, but you can choose to create more update locations as you see fit. Update locations can either be set up as a UNC path or a web folder.

For VM, you want to check out
http://www.sophos.com/en-us/support/knowledgebase/110507.aspx

Always ensure a backup and rollback plan is readily available and tested prior to the actual production rollout; hence the staging testing is critical too.

Leo

ASKER

Apologies, to clarify more: we already have Sophos Enterprise Console, and we have to roll out Endpoint to servers/computers.
Enterprise Console is already installed; it's stable and working in the production environment.

Maybe you can check out:

How to install Endpoint Security and Control manually on networked computers
http://www.sophos.com/en-us/support/knowledgebase/12386.aspx

Where computers are not always on the network, e.g., laptops that are sometimes used away from the office, you can configure them to update from an alternative source when they are away.  The alternative source can be an updates folder on a website maintained by your company, or it can be a Sophos website.  You will either need to create a new updating policy or edit an existing one and enter the alternate update source in the secondary server tab.

Overall guidance from Sophos is below, and it may be best to leverage any of the existing software distribution you have in place for consistency:
http://www.sophos.com/en-us/support/knowledgebase/114191.aspx

Sophos endpoint deployment guide
http://downloads.sophos.com/tools/on-line/deployment_guide/en-us/index.html

Deploying Endpoint Security and Control through Active Directory group policy
http://www.sophos.com/en-us/support/knowledgebase/13090.aspx

Sophos installations on either physical or virtual systems.
http://www.sophos.com/en-us/support/knowledgebase/12570.aspx

Using SCCM 2007 (SMS) to deploy Endpoint Security and Control (Sophos Anti-Virus)
http://www.sophos.com/en-us/support/knowledgebase/12457.aspx

Best Practice guide: designing sub-estates and role-based administration.
http://www.sophos.com/en-us/support/knowledgebase/63172.aspx

Sub-estates are logical subdivisions of your network. Most often, they are the same as your distinct sites, such as a branch office in another city or a manufacturing site in another country. But sometimes you need to set up sub-estates because you have more than 25,000 endpoints that will be managed by Enterprise Console. In this case, you may choose to create one sub-estate for your sales and marketing endpoints, another for your production endpoints and yet another for all of the other departments in your organization. In educational establishments, you may have one sub-estate for the endpoints in the humanities and another for the endpoints in the sciences and all other faculties.

Role-based administration refers to the logical subdivision of responsibilities in each of the sub-estates. For instance, from our previous example, there may be one IT manager in the school of arts and humanities, but three other IT staff of various rank who have different responsibilities over the endpoints computers in that same school. Some of those people may work on a helpdesk within computer labs to help students with immediate problems on computers. These staff may not be responsible for planning security policies. The role that you choose for each individual will reflect these differences in responsibility.

Other considerations:

Best Practices for Endpoint Security and Control
http://www.sophos.com/en-us/support/knowledgebase/63556.aspx

Best practice: designing groups in Enterprise Console
http://www.sophos.com/en-us/support/knowledgebase/63155.aspx

Leo

ASKER

Thanks for that. I am trying to create Sophos Endpoint for home users who are using Mac as their operating system, by following this article:
http://www.sophos.com/en-us/support/knowledgebase/119744.aspx
I can't seem to run this command under Windows OS: "CreateUpdatePreconfig".
It gives an error when I run this command “./CreateUpdatePreconfig”: 'CreateUpdatePreconfig' is not recognized as an internal or external command,operable program or batch file.
Do these instructions need to be run on a Mac computer?

That is to be run on a Mac (not Windows), as you can see in the command:
sudo ./CreateUpdatePreconfig -PrimaryServerType 0 -PrimaryServerUserName MyUserName -PrimaryServerPassword MyPassword

Wondering if this can help to manually create an installer package:
http://www.sophos.com/en-us/support/knowledgebase/67504.aspx

Leo

ASKER

I have drafted a report. Would it be possible for me to send it to you through email, so you can review it and let me know if it requires any further considerations?

Leo

ASKER

I have attached the project scope; kindly review it and let me know what you think.
Thanks.
Scope-of-brief.docx

I will not drill into the steps as I strongly suggest you get Sophos support to advise and stand by, since it is officially available for your organisation. This should be covered within your contractual rights for user acceptance or even future maintenance and renewal roadmap, so do maximise on this. If not available, engage the Sophos account contact for your org to plan forth this ... for interim support and long term ...

Seems alright, but I do suggest you target the servers first, then the workstations, and also the application testing, especially those in house, in the UAT. As for the upgrade steps, ideally the remote user or secondary server will be first to run since it is a small pool, before going big bang on the rest. Likewise for internal, as mentioned, test and state a window of monitoring (server, application, workstation by dept if viable).

I didn't see in the scope a call for a relay server or servers, and any public-facing server for updates outside the LAN. Are you planning on running the DR site as just another group of endpoints over WAN, or treating it as a separate sub-estate? Your node count is not that high.

You also don't mention update server(s) or if you will point to Sophos's web server.

ASKER CERTIFIED SOLUTION
btan

Leo

ASKER

We are due to roll out Sophos on 1000+ computers. Some of the computers already have the newer version. What we are trying to achieve is to select a group of computers and roll out on them first, but we need to know what version of Sophos is running on those computers, so I think the best approach would be to run a script on those computers remotely and find out which version of the particular software they are running?
In step one it says to check the version of Sophos Endpoint.

You see the engine version and definitions date from the console. Did you run discovery on the network(s) yet? You should be able to see managed and unmanaged machines, sort the master list, or manually create groups.

Good to discover assets as well, as they may not necessarily always be there, e.g. off site, switched off, faulty, etc. You can check this PDF for gradual upgrade per se as a reference:

http://www.sophos.com/en-us/medialibrary/PDFs/documentation/sesc_103_ugeng.pdf
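
The remote version check Leo asks about above, as an added example that is not part of the original thread or of Sophos's own tooling: it reads the standard Windows uninstall registry keys over PowerShell remoting and records unreachable machines (off site, switched off, faulty) instead of silently dropping them. It assumes WinRM is enabled on the targets; `pilot-group.txt` and `sophos-versions.csv` are hypothetical file names.

```powershell
# Added example: inventory installed Sophos components on a pilot group
# before a phased rollout. Assumes PowerShell remoting (WinRM) is enabled.
# pilot-group.txt is a hypothetical file with one computer name per line.
$computers = Get-Content -Path '.\pilot-group.txt' |
    ForEach-Object { $_.Trim() } | Where-Object { $_ }

# Runs on each target: list Sophos entries from the standard Windows
# uninstall keys (64-bit and 32-bit registry views).
$query = {
    $keys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
            'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like 'Sophos*' } |
        Select-Object DisplayName, DisplayVersion
}

$results = foreach ($name in $computers) {
    try {
        $found = @(Invoke-Command -ComputerName $name -ScriptBlock $query -ErrorAction Stop)
        if ($found.Count -eq 0) {
            # Reachable, but nothing installed: a candidate for a fresh install.
            [pscustomobject]@{ Computer = $name; Status = 'NoSophosFound'; Product = $null; Version = $null }
        }
        foreach ($item in $found) {
            [pscustomobject]@{ Computer = $name; Status = 'OK'; Product = $item.DisplayName; Version = $item.DisplayVersion }
        }
    }
    catch {
        # Offline or remoting blocked: keep the machine in the report for follow-up.
        [pscustomobject]@{ Computer = $name; Status = 'Unreachable'; Product = $null; Version = $null }
    }
}

# Full detail to CSV for the rollout plan, plus a per-version summary on screen.
$results | Sort-Object Status, Version, Computer |
    Export-Csv -Path '.\sophos-versions.csv' -NoTypeInformation
$results | Group-Object Status, Version | Select-Object Count, Name
```

Machines reported as `Unreachable` should be re-checked before they are assigned to a rollout wave, since they may be running any version or none.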