First published: 07th January 2010
Sophos Enterprise Console enables you to install and manage Sophos' security software on your computers. It includes four components:
- Management console: Enables you to protect and manage computers.
- Management server: Handles updating and communications.
- Database: Stores data about computers on the network.
- Update manager: Downloads Sophos software and updates from Sophos automatically to a central location.
Sophos Enterprise Console can enable you to remotely install and manage anti-virus and other security software on computers running Windows, Linux, Unix and Mac OS X. However, Sophos Enterprise Console itself is only supported on Windows servers. What can you do if you want the ease of central management of your security software, but you do not have Windows servers?
This note discusses the successful installation of Sophos Enterprise Console 4 on a small network including Windows 2000 Workstations and Debian Linux servers in a Samba 3 domain. This environment is not supported by Sophos, and the information here has not been checked or approved by Sophos.
Installation
The supported environment for Enterprise Console includes Windows Server 2008, Windows Server 2003 and R2, Windows 2000 Server SP4+, VMWare ESX 3.0/3.5, VMWare Workstation 5.0 and VMWare Server 1.0. But what if your environment does not include any Windows servers? Fortunately, the practical difference between Windows 2000 Server and Windows 2000 Workstation is very small. Installation can be performed as described in the Sophos documentation, with one important exception: section 5.2 of the "Sophos Endpoint Security and Control 9 advanced startup guide" says,
"If the server is in a domain, log on as a domain administrator.
If the server is in a workgroup, log on as a local administrator."
When Enterprise Console is installed on a Windows 2000 workstation in a Samba 3 domain, logging on as a domain administrator lets the installation proceed normally, but, after the required reboot, starting the Enterprise Console results in a dialog box:
When the dialog box is acknowledged, the application closes. There is no way to successfully start the Enterprise Console.
To avoid this problem, log on to the Windows 2000 Workstation using the local administrator account. The reason for this anomaly is unclear. It may be related to the difference between Windows 2000 Workstation and Server, to the difference between a Samba domain and a Windows domain, or even to whether the target machine is a Domain Controller or not.
Managing Users, Roles and Sub-Estates
Another oddity is how the Enterprise Console refers to users in managing Roles and Sub-Estates - essentially user access control for the Console's functions. Windows users can be assigned Roles and Sub-Estates by clicking "Tools", "Manage Roles and Sub-Estates" in the Console. The dialog does not show the domain or workgroup of the users or groups:
When a role is edited, the users and groups are still shown without the domain or workgroup:
However, clicking the Add button displays the "Select Users or Groups" dialog, where the domain can be selected, and is displayed:
Planning Update Distribution
If you have installed the Enterprise Console on a workstation, then it may not be on all the time. This will restrict the distribution of updates at two stages:
- Download of the updates from Sophos to the SophosUpdate share on the Enterprise Console machine
- Download of the updates from the SophosUpdate share on the Enterprise Console machine to your Sophos-protected computers
The first restriction is unavoidable: the download is performed by a Windows application, so a Windows machine must be on to do it. However, if the machine is in use each day, the share will be updated regularly.
The second restriction could be more serious. If the Enterprise Console machine and a protected machine are seldom on at the same time, then the protection might be updated rarely, or not at all. Fortunately, there is a solution - configure another share stored on a machine that is on 24x7, for example, on a Samba server. To achieve this, two things must be configured in the Enterprise Console:
Configure the Update Manager to update the share
- Click View, Update Managers
- Right-click on the computer running the Enterprise Console, select View/Edit Configuration
- Click on the Distribution tab
- Make sure that the subscription that you want to use is selected in the list at the top of the tab, click Add
- In the Browse For Folder dialog box, browse to one of the shares. Click OK.
- Select the share in the Available list and click the > button to move it to the Update to list.
- To enter a description for the share, or credentials to write to it, select the share and click Configure. In the Share Manager dialog box, enter the description and credentials.
See the "Sophos Endpoint Security and Control 9 advanced startup guide", section 5.10.2 for further details.
Configure the Updating Policy for the target computers
- Click View, Endpoints, the Policies pane will be at the bottom left-hand side of the window
- Expand the Updating policy tree, right-click on the relevant policy and click View/Edit Policy
- Enter the details of your update shares in the Primary Server and Secondary Server tabs. For example, you could set the Primary Server to the Samba share, and the Secondary Server to the one on the Enterprise Console machine, depending on your network's requirements.
See the "Sophos Endpoint Security and Control 9 advanced startup guide", section 9.2 for further details.
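The always-on Samba share described above becomes the place every protected computer fetches its security software from, so write access to it should be limited to the one account the Update Manager uses. The following smb.conf fragment is an added example, not part of the original note or the Sophos documentation; the share name, path and the account names `sophos-writer` and `sophos-reader` are assumptions.

```ini
; Constructed example for a Samba 3 server. The share name, path and both
; account names are assumptions, not values from the Sophos documentation.

; Weak form (left commented out): any user, including guests, could
; replace the files that endpoints download and install.
; [SophosUpdate]
;     path = /srv/samba/sophosupdate
;     guest ok = yes
;     read only = no

; Least-privilege form: one writer, one reader, nobody else.
[SophosUpdate]
    comment = Sophos update distribution share
    path = /srv/samba/sophosupdate
    browseable = no
    guest ok = no
; Only these two accounts may connect to the share at all.
    valid users = sophos-writer, sophos-reader
; The share is read-only by default ...
    read only = yes
; ... except for the account entered in the Share Manager dialog
; (Update Manager, Distribution tab, Configure).
    write list = sophos-writer
; New files and directories stay readable by the reader account but are
; never group- or world-writable on the underlying filesystem.
    create mask = 0644
    directory mask = 0755
```

The directory at `path` must be owned by the writer account on the Linux side, and the reader account is the one entered for the Primary Server in the Updating policy. Running `testparm` after editing confirms that the share definition parses.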