Embed Size (px)
DESCRIPTION
sophos
Citation preview
Sophos Endpoint Securityand Control 9.7upgrade guide
April 2011Document date:
Contents
1 About this guide........................................................................................................................................3
2 What are the steps in upgrading?.............................................................................................................4
3 Check existing policies..............................................................................................................................5
4 Upgrade endpoint computers..................................................................................................................6
5 Upgrade the Compliance Dissolvable Agent.........................................................................................11
6 Migrate to Sophos Update Manager......................................................................................................12
7 Technical support....................................................................................................................................27
8 Legal notices............................................................................................................................................28
2
1 About this guide
This guide tells you how to upgrade the software that is used to protect your endpoint computers.
Before you start
This guide assumes that you have already upgraded the Sophos management tools (SophosEnterprise Console 4.7 and optionally NAC Manager 3.7).
If you haven't upgraded the Sophos management tools yet, go to the Upgrade Center athttp://www.sophos.com/support/upgrades/ and follow the instructions there.
Other Sophos documentation
Sophos documentation is published at http://www.sophos.com/support/docs/.
3
upgrade guide
2 What are the steps in upgrading?
Upgrading the software that is used to protect your endpoint computers involves the followingsteps.
Check existing policies
You may want to check that your existing policies have been preserved by the upgrade toEnterprise Console 4.7.
Upgrade endpoint computers
There are two ways that you can upgrade the Sophos security software on your endpoint computers:
■ If you want to begin using the latest versions of the security software immediately, you canupgrade your endpoint computers in one step.
See Upgrade endpoint computers immediately (page 6).
■ If you want to try out the latest versions of the security software before upgrading all computers,you can upgrade your endpoint computers gradually.
See Subscribe to the new endpoint software (page 7) and the other topics in the Upgrade endpointcomputers gradually section.
Upgrade Sophos Compliance Dissolvable Agent (optional)
If you use NAC Manager, you may want to upgrade the Sophos Compliance Dissolvable Agenton the NAC Manager server.
Migrate to Sophos Update Manager (optional)
If you are still using EM Library, all of your EM Library settings and updating policies will remainunchanged after you upgrade to Enterprise Console 4.7.
You may, however, want to migrate from EM Library to Sophos Update Manager, which supportsmore versions of the endpoint software.
4
Sophos Endpoint Security and Control 9.7
3 Check existing policies
3.1 Check policy settings
Note: If you use role-based administration, you must have the Computer search, protection andgroups right to perform these tasks. For more information, see "About roles and sub-estates" inthe section "Managing roles and sub-estates" in the Sophos Enterprise Console Help.
To check that your policy settings have been preserved after upgrading Enterprise Console:
1. Start Enterprise Console.
2. In the Policies pane, double-click a policy type (for example, Anti-virus and HIPS).
3. Double-click the policy you want to check.
4. In the dialog box that is displayed, review the policy settings.
3.2 Check policies applied to computer groups
Note: If you use role-based administration, you must have the Computer search, protection andgroups right to perform these tasks. For more information, see "About roles and sub-estates" inthe section "Managing roles and sub-estates" in the Sophos Enterprise Console Help.
To check that your groups have the correct policies applied to them after upgradingEnterprise Console:
1. Start Enterprise Console.
2. In the Groups pane, right-click a group, and then click View/Edit Group Policy Details.
3. In the Group Details dialog box, verify that the group is assigned the right policies. If not, fora policy type, select a different policy from the drop-down list.
5
upgrade guide
4 Upgrade endpoint computers
4.1 About upgrading endpoint computers
To upgrade your Windows endpoint computers and make full use of the new features, you mustchange the version of the software that the computers are kept up to date with to Sophos EndpointSecurity and Control 9.7.
The latest endpoint software for operating systems other than Windows remains unchanged atthe time of this release.
The information in this section covers the following upgrade scenarios:
■ Upgrade Sophos Endpoint Security and Control 9.0 or 9.5 to version 9.7
■ Upgrade Sophos Anti-Virus 7 and Sophos Client Firewall 1.5 to Sophos Endpoint Security andControl 9.7
The procedures described here upgrade all of the security software components, including theCompliance Agent for NAC (if you use NAC Manager).
4.2 Upgrade endpoint computers immediately
To upgrade your endpoint computers immediately, you change your existing software subscriptionsto download the new version of the endpoint security software.
To change your existing software subscriptions:
1. In Enterprise Console, on the View menu, click Update Managers.
2. In the Software Subscriptions pane, double-click the subscription you want to change.
The Software Subscription dialog box appears.
3. Next to Windows 2000 and later, click in the Version field, and then click again.
4. In the list of available versions, select 9.7 Recommended.
The next time Enterprise Console downloads updates, it will download the new version of theendpoint software. Your Windows computers will then upgrade themselves to version 9.7automatically.
You do not need to perform any other configuration steps:
■ The update manager is already configured to maintain the subscription and distribute thesoftware into update shares on the network.
■ You already have updating policies that refer to that subscription and are applied to endpointcomputers.
6
Sophos Endpoint Security and Control 9.7
Notes
■ During the Sophos Client Firewall installation, there will be a temporary disconnection ofnetwork adapters. The interruption may cause the disconnection of networked applications,such as Remote Desktop.
■ When computers upgrade to Sophos Endpoint Security and Control 9.7, the computer detailsin Enterprise Console may show "Differs from policy" in the Policy Compliance column. Tocorrect this, right-click the computers, click Comply with, and then click the relevant policyor policies.
4.3 Upgrade endpoint computers gradually
4.3.1 Subscribe to the new endpoint software
Creating new software subscriptions
If you want to test the new software on a small group of computers before releasing it to thenetwork, you can create a new subscription.
After you have created a new subscription, you will need to perform the following steps:
■ Configure the update manager to maintain the subscription: that is, download the softwarefrom Sophos and put it in network shares from which endpoint computers will update.
■ Create new updating policies that will refer to the new subscription and point to the updateshares set up for it in the update manager.
■ Upgrade endpoint computers by applying the new updating policies to them.
Important: Do not upgrade to Sophos Endpoint Security and Control 9.7 on any Windows 2000computers running SP3 or earlier. The minimum requirement for the software is Windows 2000with SP4.
Continue using your existing versions
If you are subscribed to a fixed version of Sophos Endpoint Security and Control and ComplianceAgent for NAC and want to continue using that version, you can do so. When Sophos stopssupporting that version, your computers will be upgraded automatically, provided that you leaveselected the check box Automatically upgrade fixed version software when it is no longersupported by Sophos in the Software Subscription dialog box.
If you want to evaluate new versions of the software before placing them on your main network,you may want to consider using fixed versions of the software on the main network while evaluatingthe new versions. Fixed versions are updated with new threat detection data, but not with thelatest software version each month.
If you want to continue using your existing versions of Sophos endpoint security software youcan do so. However, you will eventually be automatically upgraded to version 9.7. You will bewarned about this well in advance.
7
upgrade guide
4.3.2 Create a new software subscription
To create a new software subscription:
1. In Enterprise Console, on the View menu, click Update Managers.
2. In the Software Subscriptions pane, click the Add button at the top of the pane to create anew subscription.
The Software Subscription dialog box appears.
Alternatively, if you want to create a copy of an existing subscription, select the subscription,right-click and click Duplicate Subscription. Type a new name for the subscription and thendouble-click it to open the Software Subscription dialog box.
3. In the Software Subscription dialog box, edit the name of the subscription, if you wish.
4. Click in the Version field next to Windows 2000 and later and then click again.
A drop-down list of available versions appears.
5. Select the type of update you want to download for version 9.7 of Sophos Endpoint Securityand Control.
Normally, you subscribe to the “Recommended” versions to ensure that your software is keptup to date automatically. To learn what other types of update are available, see Appendix: Whattypes of update are available? (page 25).
Important: If you select a fixed version, for example, 9.7.1, Sophos recommends that you leavethe Automatically upgrade fixed version software when it is no longer supported by Sophoscheck box selected. Running unsupported software leaves you unprotected against new securitythreats.
After you have created a new software subscription, configure the update manager to maintain itas described in Add a subscription in the update manager (page 8).
You can also set up subscription email alerts. For more information about subscription emailalerts, see the topic “Set up subscription alerts” in the “Setting up alerts and messages” section ofthe Sophos Enterprise Console Help.
4.3.3 Add a subscription in the update manager
If you created a new subscription for the new software version, configure the update manager tomaintain this subscription.
1. In the Update managers view, select the update manager, right-click and click View/EditConfiguration.
2. In the Configure update manager dialog box, on the Subscriptions tab, select the softwaresubscription in the list of available subscriptions.
To view the details of the subscription, for example, what software is included in thesubscription, click View details.
8
Sophos Endpoint Security and Control 9.7
3. To move the selected subscription to the “Subscribed to” list, click the > button.
By default, the software is downloaded to the share \\<ComputerName>\SophosUpdate, whereComputerName is the name of the computer where the update manager is installed. You canspecify additional shares as described in Specify where the software is placed (page 20).
If you want to download the new version immediately, select the update manager, right-click andclick Update Now.
4.3.4 Configure your updating policies
If you created a new software subscription and configured the update manager to maintain thissubscription, configure updating policies to update the computers with the software specified inthe subscription.
You can choose either of the following options.
■ Change your existing updating policies to refer to the new subscription
For information on how to do this, see the section “Select a subscription” in the SophosEnterprise Console Help.
If you choose this option, your endpoint computers will be upgraded to the new version nexttime they check for updates.
■ Create new updating policies
For information on how to do this, see Create new updating policies (page 21).
If you choose this option, you will then need to apply the new policies to endpoint computersto upgrade them and keep up to date with the new version.
4.3.5 Apply a new updating policy to a group of Windows computers
Important: Do not upgrade Sophos endpoint security software to Sophos Endpoint Security andControl 9.7 on Windows 2000 computers running SP3 or earlier. The minimum requirement forthe software is Windows 2000 with SP4.
To apply a new updating policy to a group of computers:
1. In the Policies pane, highlight the updating policy.
2. Click the policy and drag it onto the group to which you want to apply the policy. Whenprompted, confirm that you want to continue.
Alternatively, you can right-click a group and select View group policy details. You can thenselect policies for that group from drop-down menus.
During the next update, computers will be upgraded to the new version of the security software,Sophos Endpoint Security and Control 9.7.
9
upgrade guide
Notes
■ During the Sophos Client Firewall installation, there will be a temporary disconnection ofnetwork adapters. The interruption may cause the disconnection of networked applications,such as Remote Desktop.
■ When computers upgrade to Sophos Endpoint Security and Control 9.7, the computer detailsin Enterprise Console may show "Differs from policy" in the Policy Compliance column. Tocorrect this, right-click the computers, click Comply with, and then click the relevant policyor policies.
10
Sophos Endpoint Security and Control 9.7
5 Upgrade the Compliance Dissolvable Agent
If you use NAC Manager, you can upgrade the Sophos Compliance Dissolvable Agent from version3.5 to version 3.7.
To upgrade the Compliance Dissolvable Agent:
1. Go to http://www.sophos.com/support/updates/.
2. Type your MySophos username and password.
3. Download the Sophos NAC Compliance Dissolvable Agent version 3.7 installer.
4. Start the Sophos NAC Compliance Dissolvable Agent version 3.7 installer.
5. A wizard guides you through installation. Accept the default options, except as shown below.
6. On the Sophos Server page, type the IP address or DNS name of the server on which youinstalled NAC Manager.
■ If Sophos NAC was installed on more than one server, the server address is the IP addressor DNS name of the NAC Manager Server and not the NAC Database Server.
■ If you change the NAC Manager server address later, you must reinstall ComplianceDissolvable Agent on the web server and specify the new address during the installation.
7. If you are using HTTPS with NAC, select the Secure Sophos Server (use HTTPS) check box.
The web certificate IP address or DNS name must be the same as the NAC Manager server.
11
upgrade guide
6 Migrate to Sophos Update Manager
6.1 Do I need to migrate to Update Manager manually?
Your main EM Library is the update library that downloads security software and updates directlyfrom Sophos.
Choose the statement below that applies to you.
My main EM Library and Enterprise Console are both installed on the same computer.
If you successfully ran the Migrate to Sophos Update Manager wizard as part of your upgrade toEnterprise Console 4.7, you do not need to migrate to Sophos Update Manager manually.
■ Update Manager is installed automatically on the same computer as the Enterprise Consolemanagement server.
■ Update Manager is configured to use a set of updating policies and shares that mirror yourexisting EM Library updating settings.
■ The Migrate to Sophos Update Manager wizard applies the new updating policies to yourendpoint computers so that they can begin updating from the new shares managed by UpdateManager.
If the migration did not succeed, or you did not use the migration wizard, you need to performthe steps described in Migrate settings to Update Manager manually (page 17).
My main EM Library and Enterprise Console are installed on different computers.
After upgrading the Enterprise Console management server, you canceled the Download SecuritySoftware wizard.
You now need to migrate your main EM Library to Update Manager as described in What are thekey steps in migration? (page 12).
6.2 What are the key steps in migration?
The following key steps describe the migration process for an installation where theEnterprise Console management server and main EM Library are installed on different computers.
This section assumes that you have previously canceled the Download Security Software Wizard,and the update manager that is always installed on the same computer as Enterprise Console isnot configured.
Any updating policies that existed before the upgrade have become legacy policies and are nowgrouped in the Policies pane under Legacy Updating. EM Library is running as before the upgrade,and endpoint computers use legacy updating policies and continue to update fromEM Library-maintained central installation directories (CIDs).
12
Sophos Endpoint Security and Control 9.7
Note: NetWare computers are an exception. These automatically switch to updating from CIDsgenerated by Sophos Update Manager.
Important: If you have computers running Sophos Anti-Virus for UNIX/Linux version 4.x(unmanaged), you will need to manually configure them to use the new update locations. Fordetails, see Sophos support knowledgebase article 64214(http://www.sophos.com/support/knowledgebase/article/64214.html).
Computers running Sophos Anti-Virus for UNIX/Linux version 7.x will automatically detect anduse the new update locations.
To migrate to Sophos Update Manager, you carry out these key steps:
■ Check EM Library settings, to avoid migration errors.
■ On the computer where the main EM Library is installed, install Sophos Update Manager.
■ On the computer where Enterprise Console is installed, view the remote update manager'smigration report to see whether the update manager has been configured successfully.
■ If the update manager has not been fully configured, configure the update manager and createnew updating policies.
■ Configure the update manager installed on the same computer as Enterprise Console to updatefrom the remote update manager that replaces EM Library and updates from Sophos.
■ If you use any additional libraries, view the Updating Hierarchy report to see which otherlibraries need migrating.
■ Migrate any additional managed libraries on the network.
■ If you had custom files in any of the CIDs, add them to the new update locations.
■ Test the new update shares and updating policies.
■ Apply new updating policies to computer groups.
■ Uninstall EM Library once it is no longer required for endpoint updating.
After you perform these steps, you will have migrated to use the update manager. However, theupdate manager will be using the “old” updating settings from EM Library and your endpointcomputers will still be using the “old” security software. To make full use of the newEnterprise Console features, you will need to upgrade your endpoint computers as described inAbout upgrading endpoint computers (page 6).
The following flowchart shows the process of migrating remote EM Library to Sophos UpdateManager.
13
upgrade guide
14
Sophos Endpoint Security and Control 9.7
6.3 Check EM Library settings
Before you migrate from EM Library to Update Manager, check that EM Library is not using anypackages that are no longer maintained on its parent. This is to ensure that no migration errorsoccur when the migration wizard cannot find a non-existent package.
To check that EM Library is not using packages that are no longer maintained on its parent:
1. In Enterprise Console, click the Libraries icon on the toolbar.
The Sophos EM Library window is displayed. The Configuration view is open by default.
2. Look in the “Notifications” pane (lower-right corner).
If EM Library is using a package that is no longer maintained on the parent, you will see thefollowing warning:
Warning: You have a package in use that is no longer maintainedon the parent. Click "Select packages" and subscribe to anotherpackage.
3. If you have a package that is no longer maintained, subscribe to another package that containsa more up-to-date version of the software or unsubscribe from the package if you no longeruse it.
For information about upgrading, see the knowledgebase article “How to upgrade to the newEndpoint Security and Control products”(http://www.sophos.com/support/knowledgebase/article/14844.html).
6.4 Install Update Manager
If you have EM Library and Enterprise Console management server installed on different computers,you need to install Sophos Update Manager on the computer where EM Library is installed.
All servers where Update Manager is installed must have hostnames which are unique within yournetwork of computers protected by Sophos Endpoint Security and Control.
Note: The Enterprise Console installer always installs Sophos Update Manager on the computerwhere the Enterprise Console management server is installed. It also places the Sophos UpdateManager installer in the SUMInstallSet share on that computer.
You can use Windows Remote Desktop to install Sophos Update Manager.
To install Sophos Update Manager manually:
1. If the computer where EM Library is installed is protected by Sophos Anti-Virus managedfrom Enterprise Console, uninstall Sophos Remote Management System. In Control Panel,open Add or Remove Programs, locate Sophos Remote Management System from the list,and click Change/Remove or Remove. Follow the instructions for uninstalling the component.
15
upgrade guide
2. Locate the Sophos Update Manager installer. In Enterprise Console, on the View menu, clickSophos Update Manager Installer Location.
In the Sophos Update Manager Installer Location dialog box, note the location of the installer.
3. Go to the computer where EM Library is installed and run the installer.
Alternatively, use Windows Remote Desktop to install Sophos Update Manager on the computer.
4. Follow the instructions in the Sophos Update Manager InstallShield Wizard.
5. On the Sophos Update Manager Account page, select an account that endpoint computerswill use to access the default update share created by the update manager. (The default updateshare is \\<ComputerName>\SophosUpdate, where ComputerName is the name of thecomputer where the update manager is installed.) This account must have read rights to theshare and does not need to have administrative rights.
You can select the default user, select an existing user, or create a new user.
By default, the installer will create the SophosUpdateMgr account with read rights to thedefault update share and no interactive logon rights.
6. On the Sophos Update Manager Account Details page, depending on the option you selectedon the previous page, enter a password for the default user, details for the new user, or selectan existing account.
The password for the account must comply with your password policy.
7. On the Ready to Install the Program page, click Install.
8. When installation is complete, click Finish.
The computer where you installed Sophos Update Manager should appear in Enterprise Console,Update managers view. (On the View menu, click Update Managers.)
Note: It may take a few minutes before the new update manager appears in Enterprise Console.
If your updating settings could be successfully migrated from EM Library to Sophos UpdateManager, the update manager will be configured on the basis of those settings. To see if themigration process was successful, view the update manager’s migration report.
6.5 View the update manager’s migration report
Go to the computer where Enterprise Console is installed. In Enterprise Console, make sure youare in the Update managers view. If you are in the Endpoints view, on the View menu, clickUpdate Managers.
Note: It may take a few minutes before the new update manager appears in Enterprise Console.
Open the update manager’s migration report and check whether the update manager has beenconfigured successfully on the basis of EM Library settings.
16
Sophos Endpoint Security and Control 9.7
To view the update manager's migration report:
1. Select the computer with the update manager whose migration report you want to view,right-click and then click View Migration Report.
2. In the update manager’s Migration Report check that:
■ The updating sources that the update manager uses are correct.
If this is the master update manager that downloads updates from Sophos, its primaryupdate source must be Sophos. For instructions on selecting an update source, see Selectan update source for the update manager (page 19).
■ The updating schedule was successfully migrated from EM Library. (If not, a default updatingschedule would have been applied.)
■ The endpoint update locations were migrated successfully.
■ The updating policies were successfully migrated from legacy updating policies.
Note: If you used a non-default initial install source in a legacy updating policy, this settingwould not have been migrated, and the new updating policy would have been set to use thedefault (primary server address). This is because EM Library and Sophos Update Manageruse different update directory structures and a non-default initial install source in the legacyupdating policy cannot be matched to a new update directory.
Depending on whether the updating settings have been migrated successfully or not:
■ If your updating settings have been successfully migrated from EM Library, the update manageris configured on the basis of those settings. New updating policies, corresponding to the legacyones, are created, but endpoint computers are not using them yet. Continue the migration asdescribed in the next section.
■ If some of the updating settings could not be migrated, see Migrate settings to Update Managermanually (page 17).
6.6 Migrate settings to Update Manager manually
Sometimes, it may not be possible to migrate the EM Library settings to Sophos Update Manager.For example, EM Library may be using custom packages that cannot be migrated or EM Librarymay be updating from a location that is not a valid update source for an update manager.
If some or all of the EM Library updating settings could not be migrated, you will need to carryout some or all of the following steps:
■ Configure subscriptions (see Subscribe to Sophos software and updates (page 18)).
■ Configure the update manager to use the subscriptions to download and distribute the softwareacross the network (see Configure the update manager (page 19)).
■ Create new updating policies (see Create new updating policies (page 21)).
17
upgrade guide
6.6.1 Subscribe to Sophos software and updates
Subscriptions allow you to define what software should be downloaded from Sophos.
In a subscription, you can specify one software version for each supported platform. If you wantto download several different software versions for the same platform, you will need to createseveral subscriptions.
Important: If you want to download Sophos Anti-Virus for NetWare, please read Sophos supportknowledgebase article 59192 (http://www.sophos.com/support/knowledgebase/article/59192.html).
To subscribe to Sophos security software and updates:
1. In the Update managers view, in the Software Subscriptions pane, double-click the subscriptionyou want to change (for example, “Recommended”), or click the Add button at the top of thepane to create a new subscription.
2. In the Software Subscription dialog box, edit the name of the subscription, if you wish.
3. Next to the platform for which you want to download software, click in the Version field, andthen click again.
A drop-down list of available versions appears.
4. Select the type of update and software version you want to download (for example,“Recommended:7” for Windows 2000 or later).
Normally, you subscribe to the “Recommended” versions to ensure that your software is keptup to date automatically. To learn what other types of update are available, see Appendix: Whattypes of update are available? (page 25).
Important: If you select a fixed version, for example, 7.6.5, Sophos recommends that you leaveselected the check box Automatically upgrade fixed version software when it is no longersupported by Sophos. Running unsupported software leaves you unprotected against newsecurity threats.
5. Repeat steps 3 and 4 for each platform for which you want to download software.
After you have subscribed to the security software, you need to configure the update manager tomaintain those subscriptions and distribute the software over the network.
You can also set up subscription email alerts. For more information about subscription emailalerts, see the topic “Set up subscription alerts” in the “Setting up alerts and messages” section ofthe Sophos Enterprise Console Help.
18
Sophos Endpoint Security and Control 9.7
6.6.2 Configure the update manager
To configure the update manager:
1. In the Update managers view, select the update manager you want to configure. Right-clickand click View/Edit Configuration.
The Configure update manager dialog box appears.
2. Edit the configuration as described in the following topics.
6.6.2.1 Select an update source for the update manager
You need to select a source from which the update manager will download security software andupdates for distribution across the network.
You can select several sources. If you do this, the first source in the list of the update sources youselected is the primary source. Additional sources in the list are optional alternate locations thatthe update manager uses if it cannot collect an update from the primary source.
The update manager at the top of the updating hierarchy, which downloads software from Sophos,must have “Sophos” as its primary source.
To select an update source:
1. In the Configure update manager dialog box, on the Sources tab, click Add.
2. In the Source details dialog box, in the Address field, enter the address of the update source.The address can be a UNC or HTTP path.
If you want to download software and updates directly from Sophos, select Sophos.
3. If necessary, in the Username and Password fields, enter the username and password for theaccount that will be used to access the update source.
■ If the update source is Sophos, enter the download credentials supplied by Sophos.■ If the update source is the default update share created by an update manager located higher
in the updating hierarchy, the Username and Password fields will be pre-populated.
The default update share is a UNC share \\<ComputerName>\SophosUpdate, whereComputerName is the name of the computer where the update manager is installed.
■ If the update source is a non-default update share on your network, enter credentials forthe account that has read rights to the share. If the Username needs to be qualified toindicate the domain, use the form domain\username.
4. If you access the update source via a proxy server, select Use a proxy server to connect. Thenenter the proxy server Address and Port number. Enter a Username and Password that giveaccess to the proxy server. If the username needs to be qualified to indicate the domain, usethe form domain\username. Click OK.
The new source appears in the list in the Configure update manager dialog box.
19
upgrade guide
If you are configuring an additional update manager and you have already installed an updatemanager on a different computer, the share where that update manager downloads software andupdates will appear on the list of addresses. You can select it as a source for the update manageryou are configuring. Then you can move the address that you want to be the primary one to thetop of the list, using the Move up and Move down buttons to the right of the list.
6.6.2.2 Select which software to download
You need to select the subscriptions that the update manager will be using to download anddistribute the software across the network.
To select a subscription or subscriptions:
1. In the Configure update manager dialog box, on the Subscriptions tab, select a subscriptionin the list of available subscriptions.
To view the details of the subscription, for example, what software is included in thesubscription, click View details.
2. To move the selected subscription to the “Subscribed to” list, click the > button.
To move all subscriptions to the “Subscribed to” list, click the >> button.
6.6.2.3 Specify where the software is placed
After you have selected which software to download, you can specify where it should be placedon the network. By default, the software is placed in a UNC share\\<ComputerName>\SophosUpdate, where ComputerName is the name of the computer wherethe update manager is installed.
You can distribute downloaded software to additional shares on your network. To do this, addan existing network share to the list of available shares and then move it to the list of update sharesas described below.
To specify where the software is placed:
1. In the Configure update manager dialog box, on the Distribution tab, select a softwaresubscription from the list.
2. Select a share from the “Available” shares list and move it to the “Update to” list by clickingthe > button.
The default share \\<ComputerName>\SophosUpdate is always present in the “Update to”list. You cannot remove this share from the list.
The “Available” shares list includes all the shares that Enterprise Console knows about andthat are not already being used by another update manager.
You can add an existing share to or remove a share from the “Available” shares list, using theAdd or Remove button.
3. If you want to enter a description for a share or credentials needed to write to the share, selectthe share and click Configure.
20
Sophos Endpoint Security and Control 9.7
4. In the Share manager dialog box, enter the description and credentials.
The software that you have selected is downloaded to the shares that you have specified duringthe next scheduled update.
If you want to edit the default update schedule, see Edit an update schedule (page 21).
If you want to download the software immediately, select the update manager, right-click andclick Update Now.
6.6.2.4 Edit an update schedule
By default, an update manager will check for threat detection data updates every 10 minutes. Youcan change this update interval. The minimum is 5 minutes. The maximum is 1440 minutes (24hours). Sophos recommends an update interval of 10 minutes for threat detection data, so thatyou receive protection from new threats promptly after the detection data is published by Sophos.
By default, an update manager will check for software updates every 60 minutes. You can changethis update interval. The minimum is 10 minutes. The maximum is 1440 minutes (24 hours).
For software updates, you can either specify an update interval that is used every hour of everyday, or you can create more sophisticated schedules, in which each day can be specifiedindependently and each day can be divided into periods with different update intervals.
Note: You can create a different schedule for each day of the week. Only a single schedule can beassociated with a day of the week.
If you want to change the default schedule:
■ In the Configure update manager dialog box, on the Schedule tab, enter new update intervalsor create a more sophisticated schedule, or different schedules for different days of the week.
You can also change the default settings for the update manager log and self-updating, if you wish.You do this by editing the settings on the Logging and Advanced tabs, respectively.
6.6.3 Create new updating policies
If some or all of the new updating policies that correspond to the legacy updating policies couldnot be created during the migration to Sophos Update Manager, create them manually.
To create a new updating policy:
1. In the Endpoints view, Policies pane, right-click Updating and select Create policy.
A “New Policy” is added to the list, with its name highlighted.
2. Type a new name for the policy.
3. Double-click the new policy. In the Updating policy dialog box, click the Subscription taband select the subscription for the software you want to keep up to date.
21
upgrade guide
4. On the Primary server tab, in the Address field, accept the default or specify a different share(UNC path or web address) from which endpoint computers will usually download updates.
By default, computers update from a UNC share \\<ComputerName>\SophosUpdate, whereComputerName is the name of the computer where the update manager is installed.
Important: If you choose to use an HTTP location (for example, a web update share) or ashare that is not maintained by a managed update manager, Enterprise Console will not beable to check that the software specified in the subscription policy is available at that address.You must manually ensure that the share contains the software that is specified in thesubscription policy. Otherwise, computers will not be updated.
5. If you have Macs that you want to manage from Enterprise Console and you specified a UNCpath in the Address field, under Mac OS-specific options, select a protocol that Macs will useto access the update share.
6. If necessary, in the Username field, enter the username for the account that will be used toaccess the server, and then enter and confirm the password. This account should have readrights to the share you entered in the address field above.
Note: If the username needs to be qualified to indicate the domain, use the formdomain\username.
7. If you access the update source via a proxy server, click Proxy details. In the Proxy detailsdialog box, select Access the server via a proxy. Then enter the proxy server Address and Portnumber. Enter a Username and Password that give access to the proxy server. If the usernameneeds to be qualified to indicate the domain, use the form domain\username.
You can now apply this policy to a group or groups of computers to keep them up to date withyour chosen security software.
You can also limit the bandwidth used, set up an alternative source for updates, or change thedefault schedule, logging, and initial install source details, if you wish. For more information aboutconfiguring updating policies, see the section “Configuring the updating policy” in the SophosEnterprise Console Help.
Continue the migration as described in Configure the update manager on the Enterprise Consolecomputer (page 22).
6.7 Configure the update manager on the Enterprise Console computer
Enterprise Console cannot protect the network fully until the update manager installed on thesame computer as the Enterprise Console management server is configured with an update source.This will enable Enterprise Console to receive necessary updates (for example, information aboutthe versions of security software that endpoint computers should be running, new and updatedContent Control Lists for data control, or the list of new controlled devices and applications).
22
Sophos Endpoint Security and Control 9.7
To configure the update manager:
1. In the Update managers view, select the computer where Enterprise Console is installed.Right-click and click View/Edit Configuration.
2. In the Configure update manager dialog box, on the Sources tab, click Add.
3. In the Source Details dialog box, click the drop-down arrow in the Address field and selectthe default update share created by the update manager that updates from Sophos.
Alternatively, type in the address or click Browse to browse to the share.
The default update share is a UNC share \\<ComputerName>\SophosUpdate, whereComputerName is the name of the computer where the update manager that updates fromSophos is installed.
4. Enter the username, password, and proxy settings, as appropriate.
This will enable the update manager to download updates for Enterprise Console.
If you want to configure the update manager on the Enterprise Console computer to distributeendpoint software updates across the network, configure the software subscription, distribution,and schedule settings similarly to how you configured such settings for the update manager thatupdates from Sophos.
If you wish, you can change the default settings for the update manager log and self-updating.You do this on the Logging and Advanced tabs, respectively.
6.8 Migrate additional managed libraries
If you have any additional libraries that you manage from Enterprise Console, migrate theirupdating settings to Sophos Update Manager.
You can use the Updating Hierarchy report to view a list of update managers and libraries onyour network, update shares that they maintain, and the number of computers that update fromthese shares. To view the report, on theTools menu, click Manage Reports. In the Report Managerdialog box, select Updating hierarchy and click Run.
To migrate the updating settings from an additional library, you carry out these key steps:
■ Install Sophos Update Manager on the EM Library computer (see Install Update Manager (page15)).
■ On the computer where Enterprise Console is installed, view the new update manager'smigration report to see whether the update manager has been configured successfully (see Viewthe update manager’s migration report (page 16)).
■ If the update manager has not been fully configured, configure the update manager and createnew updating policies (see Migrate settings to Update Manager manually (page 17)).
23
upgrade guide
6.9 Test the new update share or shares
You may want to check that the new update share or shares are correct and are being updated,especially if you use an HTTP location (for example, a web update share) or a share that is notmaintained by a managed update manager.
To test an update share, migrate one endpoint computer or a small group of test computers toupdate from a new update manager-maintained share by applying an updating policy pointingto that share.
1. In the Endpoints view, Groups pane, select the test group, right-click and click View/EditGroup Policy Details.
2. In the Group Details dialog box, select the updating policy that points to the share you wantto test and click OK.
The test computers will check for updates during the next scheduled update.
3. Wait until the computers have checked for updates. Then, on the Status tab, look in the Upto date column, or go to the Update details tab.
■ If you see “Yes” in the Up to date column, the computers have updated successfully fromthe new update share.
■ If you see a clock icon, the computer is out of date. The text indicates how long the computerhas been out of date. For information about updating such out-of-date computers, see thesection “Updating computers” in the Sophos Enterprise Console Help.
6.10 Apply the new updating policies to the computers
To apply a new updating policy to a group of computers:
1. In the Endpoints view, Groups pane, select the group, right-click and click View Group PolicyDetails.
2. In the Group Details dialog box, clear the Legacy updating check box.
If you want to apply to the group an updating policy whose name differs from the legacyupdating policy name that the group was using previously, select an updating policy from thedrop-down list.
Once all endpoint computers have been migrated to use new updating policies maintained by theupdate manager, uninstall EM Library.
Note: Running both EM Library and Sophos Update Manager will increase network traffic.
You can now use the update manager to upgrade the software running on your endpoint computerswhen you are ready (see About upgrading endpoint computers (page 6)).
24
Sophos Endpoint Security and Control 9.7
6.11 Appendix: What types of update are available?
There are several versions of the software associated with each major version of a solution (forexample, Sophos Endpoint Security and Control 9) and platform (for example, Windows 2000or later).You can choose which software version to download from Sophos for further deploymentto endpoint computers by selecting an update type in the subscription.You can select among threelabeled versions and three fixed versions of the software.
Labeled versions
There are three labeled versions:
DescriptionLabel
The version that we considers to be the most appropriate for those who want themost up-to-date version of the product. We normally recommend that the latestversion of the endpoint software is deployed to endpoints as soon as it is released.
Recommended
The previously-recommended version.Previous
The oldest version that Sophos is still supporting with updates.Oldest
Note: We may add new labels over time.
The Download Security Software Wizard sets up a subscription that specifies the recommendedversions of any selected software.
When subscribed to a labeled version, the actual version(s) downloaded will usually change eachmonth.
Fixed versions
Fixed versions are updated with new threat detection data, but not with the latest software versioneach month.
If you want to evaluate new versions of the software before placing them on your main network,you may want to consider using fixed versions of the software on the main network while evaluatingthe new versions.
Usually, there are three fixed versions for each operating system, representing the previous threemonthly releases. An example of a fixed version is Sophos Endpoint Security and Control forWindows 2000 and later, version 9.4.3.
Fixed versions are downloaded for as long as they are available from Sophos. If a fixed version isdue to retire, you will see an alert in the Update managers view next to any update managers thatare subscribed to that version. If email alerting is active, the administrator will also receive anemail alert.
25
upgrade guide
By default, when a subscribed fixed version is retired, Enterprise Console will redefine thesubscription to use the oldest fixed version that is still available.
Note: You can change this behavior in the subscription by clearing the check box Automaticallyupgrade fixed version software when it is no longer supported by Sophos. Be aware, however,that running unsupported software will leave you unprotected against new security threats.Therefore, we recommend that you upgrade any unsupported versions as soon as possible.
26
Sophos Endpoint Security and Control 9.7
7 Technical support
You can find technical support for Sophos products in any of these ways:
■ Visit the SophosTalk community at http://community.sophos.com/ and search for other userswho are experiencing the same problem.
■ Visit the Sophos support knowledgebase at http://www.sophos.com/support/.
■ Download the product documentation at http://www.sophos.com/support/docs/.
■ Send an email to [email protected], including your Sophos software version number(s),operating system(s) and patch level(s), and the text of any error messages.
27
upgrade guide
8 Legal notices
Copyright © 2011 Sophos Limited. All rights reserved. No part of this publication may bereproduced, stored in a retrieval system, or transmitted, in any form or by any means, electronic,mechanical, photocopying, recording or otherwise unless you are either a valid licensee where thedocumentation can be reproduced in accordance with the licence terms or you otherwise havethe prior permission in writing of the copyright owner.
Sophos and Sophos Anti-Virus are registered trademarks of Sophos Limited. All other productand company names mentioned are trademarks or registered trademarks of their respective owners.
Common Public License
The Sophos software that is referenced in this document includes or may include some softwareprograms that are licensed (or sublicensed) to the user under the Common Public License (CPL),which, among other rights, permits the user to have access to the source code. The CPL requiresfor any software licensed under the terms of the CPL, which is distributed in object code form,that the source code for such software also be made available to the users of the object code form.For any such software covered under the CPL, the source code is available via mail order bysubmitting a request to Sophos; via email to [email protected] or via the web athttp://www.sophos.com/support/queries/enterprise.html. A copy of the license agreement for anysuch included software can be found at http://opensource.org/licenses/cpl1.0.php
ConvertUTF
Copyright 2001–2004 Unicode, Inc.
This source code is provided as is by Unicode, Inc. No claims are made as to fitness for anyparticular purpose. No warranties of any kind are expressed or implied. The recipient agrees todetermine applicability of information provided. If this file has been purchased on magnetic oroptical media from Unicode, Inc., the sole remedy for any claim will be exchange of defectivemedia within 90 days of receipt.
Unicode, Inc. hereby grants the right to freely use the information supplied in this file in thecreation of products supporting the Unicode Standard, and to make copies of this file in any formfor internal or external distribution as long as this notice remains attached.
28
Sophos Endpoint Security and Control 9.7
