Sophos Enterprise Console on a Workstation

First published: 07th January 2010

Sophos Enterprise Console enables you to install and manage Sophos' security software on your computers. It includes four components:

Sophos Enterprise Console can enable you to remotely install and manage anti-virus and other security software on computers running Windows, Linux, Unix and Mac OS X. However, Sophos Enterprise Console itself is only supported on Windows servers. What can you do if you want the ease of central management of your security software, but you do not have Windows servers?

This note discusses the successful installation of Sophos Enterprise Console 4 on a small network including Windows 2000 Workstations and Debian Linux servers in a Samba 3 domain. This environment is not supported by Sophos, and the information here has not been checked or approved by Sophos.

Installation

The supported environment for Enterprise Console includes Windows Server 2008, Windows Server 2003 and R2, Windows 2000 Server SP4+, VMware ESX 3.0/3.5, VMware Workstation 5.0 and VMware Server 1.0. But what if your environment does not include any Windows servers? Fortunately, the practical difference between Windows 2000 Server and Windows 2000 Workstation is very small. Installation can be performed as described in the Sophos documentation, with one important exception. Section 5.2 of the "Sophos Endpoint Security and Control 9 advanced startup guide" says:

"If the server is in a domain, log on as a domain administrator.
If the server is in a workgroup, log on as a local administrator."

In a Samba 3 domain, if you log on as a domain administrator to install Enterprise Console on a Windows 2000 workstation, the installation proceeds normally. After the required reboot, however, starting the Enterprise Console results in a dialog box:

Cannot open Sophos Enterprise Console. The user YUIKEE\root is not assigned to any sub-estates. You must be a member of at least one sub-estate to run the console.

When the dialog box is acknowledged, the application closes. There is no way to successfully start the Enterprise Console.

To avoid this problem, log on to the Windows 2000 Workstation using the local administrator account. The reason for this anomaly is unclear. It may be related to the difference between Windows 2000 Workstation and Server, to the difference between a Samba domain and a Windows domain, or even to whether the target machine is a Domain Controller or not.

Managing Users, Roles and Sub-Estates

Another oddity is how the Enterprise Console refers to users in managing Roles and Sub-Estates - essentially user access control for the Console's functions. Windows users can be assigned Roles and Sub-Estates by clicking "Tools", "Manage Roles and Sub-Estates" in the Console. The dialog does not show the domain or workgroup of the users or groups:

Fig. 2: Manage Roles and Sub-Estates dialog, note the users and groups are listed without the domain or workgroup name.

When a role is edited, the users and groups are still shown without the domain or workgroup:

Fig. 3: Edit role dialog, still no domain or workgroup shown for users and groups.

However, clicking the Add button displays the "Select Users or Groups" dialog, where the domain can be selected, and is displayed:

Fig. 4: Select Users or Groups dialog - the domain can be selected, and is displayed for the added users and groups.

Planning Update Distribution

If you have installed the Enterprise Console on a workstation, then it may not be on all the time. This will restrict the distribution of updates at two stages:

The first restriction is unavoidable: the download is performed by a Windows application, so a Windows machine must be on to do it. However, if the machine is in use each day, the share will be updated regularly.

The second restriction could be more serious. If the Enterprise Console machine and a protected machine are seldom on at the same time, then the protection might be updated rarely, or not at all. Fortunately, there is a solution - configure another share stored on a machine that is on 24x7, for example, on a Samba server. To achieve this, two things must be configured in the Enterprise Console:


Gallery

Fig. 1: Error if installed by the wrong user

More Information