1 About this guide........................................................................................................................................4
2 Plan installation........................................................................................................................................5
3 System requirements.................................................................................................................................9
4 Create the EM Library user account on the NetWare server................................................................10
5 Install the management tools.................................................................................................................12
6 Download software and set up updating...............................................................................................13
7 Create groups for your computers.........................................................................................................20
8 Set up policies..........................................................................................................................................21
9 Search for computers and add them to groups.....................................................................................24
10 Protect computers using Enterprise Console......................................................................................25
11 Protect computers with a script...........................................................................................................29
13 Check computers are protected............................................................................................................33
14 Set up a firewall policy..........................................................................................................................34
Sophos Endpoint Security and Control network startup guide: NetWare edition
1About this guide
This guide is for customers who
■
Want to install Sophos software for the first time or reinstall it.
■
Have a NetWare-based network (that is, one that uses NDS networking).
■
Have Windows, Mac, Linux, NetWare or UNIX computers on that network.
If this does not describe you, you need a different guide, as shown below.
If you have a Windows-based network (that is, workgroups or domains), or you use Active
Directory, see the Sophos Endpoint Security and Control network startup guide.
You can find Sophos documentation on the Sophos website (www.sophos.com/support/docs/)
or on the User documentation page of the Sophos Network Install CD.
4
Sophos Endpoint Security and Control network startup guide: NetWare edition
2Plan installation
You protect your computers with the following key steps:
Install the Sophos management tools.
■
Set up automatic downloading of Sophos software and updates.
■
Create groups for computers.
■
Set up security policies for those groups.
■
Search for computers on the network and put them into groups.
■
Protect computers.
■
This section helps you think about the choices you will make at each step.
Sophos Enterprise Console includes four components:
Management console Enables you to protect and manage computers.
Management server Handles updating and communications.
Database Stores data about computers on the network.
EM Library Downloads updates from Sophos automatically.
This guide assumes that you:
Place all the components on one computer.
■
Install another copy of the management console on a workstation, so that you can manage
■
networked computers conveniently.
Note: You can install some components separately, for example, you may want to install the
database on a server with plenty of space. In that case, see Sophos Endpoint Security and Control
large networks configuration guide .
5
Sophos Endpoint Security and Control network startup guide: NetWare edition
2.1.2Sophos NAC server
If you want to use Sophos network access control, you need to install the Sophos NAC server and
Enterprise Console.
You can install the Sophos NAC server and Enterprise Console on the same computer or on
separate computers. If you have more than 1000 computers, you should do the latter.
The order in which you install the management tools depends on the type of database you want
to use.
■
If you want to use an MSDE database for both tools, you must install Enterprise Console first.
■
If you want to use SQL server, you can install Sophos NAC first.
Sophos NAC is optional. If you want to install it, see Sophos NAC for Endpoint Security and Controlinstallation guide.
2.1.3Sophos role-based administration tools
Role-based administration allows you to specify which computers a user can access and which
tasks they can carry out, depending on their role in your organization.
Sophos provides two role-based administration tools:
Sophos Helpdesk Console
This console enables a user, such as an IT help desk administrator, to monitor selected parts of
your network and to carry out remedial actions.
Sophos Enterprise Read-only Console
This console enables a user to monitor your network and generate reports, but not to carry out
any remedial actions.
These consoles are optional. If you want to install and run them, see Sophos Endpoint Security and
Control role-based administration guide.
2.2Plan how to set up automatic downloading and updating
Enterprise Console downloads the latest software to a “software library” and places it in central
installation directories. This makes it available to networked computers.
This guide describes how to set up a single software library and a default set of central installation
directories. If you have a large network, you may want to make updating more efficient by creating:
Multiple central installation directories.
■
Additional software libraries.
■
6
Sophos Endpoint Security and Control network startup guide: NetWare edition
See theSophos Endpoint Security and Control large networks configuration guide, available from the
Sophos website or from the Sophos Network Install CD.
2.3Plan the computer groups
Think about whether you group computers according to location, operating system, or other
criteria. For example, you could put Exchange servers in a group of their own, as you do not want
to run on-access scanning on them. See support knowledgebase article 12421
(http://www.sophos.com/support/knowledgebase/article/12421.html.
You should normally have no more than 1000 computers in a group.
2.4Plan the security policies
A policy is a collection of settings that can be applied to the computers in a group or groups.
When you create groups, default policies are applied to them. You can edit these policies or create
new ones. The policies are as follows:
Updating policy
If you have more than one group with the same policy (or just the default policy), you should
normally have no more than 1000 computers altogether updating from the same location. The
optimum number updating from the same location is 600-700.
Note: The number of computers that can update from the same directory depends on the server
holding that directory and on the network connectivity.
Anti-virus and HIPS policy
Note: Host Intrusion Prevention System (HIPS) is a security technology that protects computers
from suspicious files, unidentified viruses, and suspicious behavior.
By default, all files likely to contain viruses/spyware are scanned on access. But you might also
want to:
Turn off on-access scanning on Exchange servers or other servers where performance might
■
be affected. See Sophos support knowledgebase article 12421
(http://www.sophos.com/support/knowledgebase/article/12421.html).
Scan for adware/PUAs. See Scan for adware and potentially unwanted applications (PUAs) (page
■
38).
Application control policy
By default, all applications are allowed to run. However, you can configure Sophos Anti-Virus to
detect and block “controlled applications”, that is, legitimate applications that are not a security
threat, but that you decide are unsuitable for use in your office environment. See Scan for controlled
applications (page 40).
7
Sophos Endpoint Security and Control network startup guide: NetWare edition
Firewall policy
By default, the firewall blocks all non-essential connections. Therefore, you must create your own
firewall policy. We recommend that you install the firewall on a few sample computers, customize
it and use these settings as your policy. See Set up a firewall policy (page 34).
NAC policy
By default, computers are allowed to access the network (unless you have modified the default
policy or changed the “policy mode” in the NAC server). If you want to set conditions that
computers must comply with before they can access the network, you configure and apply one of
the NAC policies. See Set up network access control (page 42).
2.5Plan the search for networked computers
Before you can install security software on networked computers, they must be added to the
computer list in Enterprise Console. You can do this by using one of the following:
■
Microsoft network browsing.
■
IP range.
Searching for computers can take some time so you may want to search in stages.
2.6Plan how to protect computers
You can install security software on Windows NT, Windows 2000 or later automatically from the
console.
Note: You cannot install Sophos Client Firewall or Sophos NAC (the agent component) on
computers running server operating systems.
If you have other operating systems on your network, you must install the software manually or
by using scripts, or by another method. This guide gives details of manual installation for Windows,
Mac OS X, Linux, UNIX and NetWare, as well as scripted installation.
8
Sophos Endpoint Security and Control network startup guide: NetWare edition
3System requirements
For system requirements, see the system requirements page of the Sophos website
(http://www.sophos.com/products/all-sysreqs.html).
3.1Requirements for the NetWare server
You need a NetWare server with:
■
A version of NetWare that is supported by Novell, up to version 6.5 inclusive.
■
Up to 300 MB disk space for the central installation directories where updates are made available
for networked computers.
9
Sophos Endpoint Security and Control network startup guide: NetWare edition
4Create the EM Library user account on the NetWare
server
Important: You must create a directory on the NetWare server to which EM Library can download
updates. This should be \\<NetWare server>\SYS\SWEEP (where <NetWare server> is the name
of the NetWare server).
1.
At the Windows computer on which you want to installEM Library, run Nwadmn2.exe.
2.
In the NetWare Administrator window, on the Object menu, clickCreate.
3.
In the New Object dialog box, select User and click OK.
4.
In the Create User dialog box, in the Login name text box, type EMLibUser1. In the Lastname text box, type EM Library User Account. Click Create.
5.
In the NetWare Administrator window, your tree name is shown at the bottom of the window,
on the left. Make a note of it. Right-clickEMLibUser1 to display a menu. Select Details.
10
6.
In the Identification page of the User : EMLibUser1 dialog box, your login name is shown.
This is the full contextual user account name. Make a note of it. Click Password Restrictions.
7.
In the Password Restrictions page of the User : EMLibUser1 dialog box, deselect Allow userto change password. ClickChange Password.
8.
In the Change Password dialog box, type and confirm a password. The password is
case-sensitive. Make a note of the password. ClickOK.
Sophos Endpoint Security and Control network startup guide: NetWare edition
9.
In the User : EMLibUser1 dialog box, click Rights to Files and Directories. Click Add. Browse
to the<NetWare server>_SYS.<Organization> volume (where<NetWare server> is the name
of the NetWare server and<Organization> is the name of the Organization), and theSWEEP
directory. Click OK. Ensure that Read, Write, Create, File Scan,Modify, and Erase are selected.
Click OK.
10.
In the NetWare Administrator window, find the NetWare server. Right-click it to display a
menu. Select Details.
11. At the top of the Identification page of the dialog box, the full contextual server name is shown.
Make a note of it.
You have created the EM Library user account on the NetWare server.
Now install the management tools (see next section).
11
Sophos Endpoint Security and Control network startup guide: NetWare edition
5Install the management tools
This section describes installation of Sophos Enterprise Console. For information about installing
the Sophos NAC server, see Sophos NAC for Endpoint Security and Control installation guide.
Go to a server that meets the system requirements. Ensure that you are connected to the internet.
If the server is running Windows Server 2008, do the following before you start:
Install SQL Server 2005 or SQL Server 2005 Express (if it isn't already installed) and create a
■
'SOPHOS' instance.
Turn off User Account Control (UAC) and restart the server. You can turn UAC on again after
■
you have installed Enterprise Console and subscribed to Sophos updates.
If the server is running Windows 2000, be prepared to restart it after installation.
1. Log on as a local administrator.
2.
Go to the Sophos website, download the Sophos Endpoint Security and Control NetworkInstaller and run it.
Alternatively, insert the Sophos Network Install CD . The CD should auto-run. When the
home page is displayed, click Install .
3.
An installation wizard is launched. In the welcome dialog box, click Next.
4.
In the License Agreement dialog box, accept the terms of the license agreement if you want to
continue. Click Next.
5.
In the Destination folder dialog box, accept the default and click Next.
6.
In the Setup type dialog box, Complete is selected by default. Click Next.
7.
In the Feedback to Sophos dialog box, you specify whether you are willing for Enterprise
Console to send details of the number and type of managed computers to Sophos each week.
■
If you are willing, selectI agree and clickNext.
■
If you are not, leave this option unselected and go to step 9.
8. If you agreed to send feedback to Sophos, you are prompted to enter the username printed on
your license schedule and an email contact address. Both are optional. Click Next.
9.
In theReady to install dialog box, clickInstall.
10.
When installation is complete, you are prompted to log off or restart. Click Yes or Finish to
continue with the setup.
The management tools have been installed.
Note: If ever you replace the server, ensure the replacement has the same name and IP address,
so that Enterprise Console can continue to manage computers.
Next you download the software you need and set up automatic updating (see next section).
12
Sophos Endpoint Security and Control network startup guide: NetWare edition
6Download software and set up updating
When you log on for the first time after installing the management tools, you are prompted to set
up downloads and updating.
In the Welcome to Sophos Endpoint Security and Control dialog box, selectAdvanced setup.
❖
Note: If you installed Sophos Enterprise Console by using Remote Desktop, you are not
prompted to continue the setup. You should select Start|Programs|Sophos|EM Library.
EM Library is displayed. The Welcome to EM Library view is open.
Follow the instructions in the following sections.
6.1Create a software library
1.
In the Welcome to EM Library view, click Create library.
2.
In the Setup - EM Library (Welcome) dialog box, Local Installation is selected by default.
Click Next.
If you want to install a library on a remote Windows computer, select Remote Installation
and follow the instructions.
3.
In the Location dialog box, you can specify the folder where the library is installed and the
share name used for that folder. Click Next.
4.
In the Central Installation dialog box, you specify the location of the shared folder where EM
Library will place downloaded Sophos software, ready for distribution to networked computers.
Accept the defaults for now: a later section explains how to change the location to the share
that you created on the NetWare server. Click Next.
5.
In the Install Files dialog box, click Install to begin installing the library. A progress bar is
displayed. When the process is complete, click Finish.
When installation is complete, a SETUP message box is displayed. Click OK. This starts a wizard
that guides you through setting up an account that EM Library can use (see next section).
6.2Select a user account
To select the account that EM Library uses to place software in central locations on your network:
1.
In the Welcome to the Network Account Configuration Wizard dialog box, click Next.
2.
In the Select network account type dialog box, click Create a new local account.EM Library
will create an account called EMLibUser1. This is a member of “Administrators”. Click Next.
3.
In the Enter account password dialog box, enter and confirm the password. It must be the
same as that which you set when you created the account on the NetWare server (see Create
the EM Library user account on the NetWare server (page 10)). Click Next.
13
Sophos Endpoint Security and Control network startup guide: NetWare edition
4.
In the Completing the Network Account Configuration Wizard dialog box, click Finish.
Now you set up automatic downloading of software (see next section).
6.3Set the library to download updates automatically
Now you configure the library to download and update software automatically.
6.3.1Select where you will download updates from
1.
In the console, in the details pane, the Configuration view is displayed. Click Select Parent.
The parent is the location from which you download software.
14
2.
In the Primary parenttabbed page, select Website. Click the drop-down arrow and selecthttp://es-latest-3.sophos.com/update/. Click Set access.
Sophos Endpoint Security and Control network startup guide: NetWare edition
3.
In the Web server access settings dialog box, do as follows:
a)
Select Use an account to access the server.
b)
In the User nameand Password fields, enter the username and password that are printed
on your license schedule.
c)
If you access the internet through a proxy server, select Use a proxy server and enter the
server’s address and port number. If you need to enter credentials to use the proxy, click
Advanced and enter the proxy username and password.
If you access the internet via a dial-up connection, make sure you have changed your internet
connection settings as described in EM Library supplement for companies with a dial-upconnection to the internet.
EM Library attempts to validate your account details. If it cannot (for example, because the details
are incorrect, or because no network connection has been made), it prompts you to make changes
and try again.
When the account details are validated, the primary parent is displayed in the Configuration view.
Next you schedule downloads (see next section).
15
Sophos Endpoint Security and Control network startup guide: NetWare edition
6.3.2Schedule the downloads
To schedule downloads:
1.
In the Configuration view, click Schedule Downloads.
2.
In the Update schedules tabbed page, click New schedule. A wizard guides you through the
steps for creating a schedule.
In the Schedule type dialog box, Sophos recommends that you select Frequent updates, as
this ensures that you have the most up-to-date protection possible.
3.
When the schedule has been set up, it is displayed in the list on the Update schedules tabbed
page. Ensure that the check box beside it is selected and click OK.
Note: You can activate only one schedule (by selecting its check box) at a time.
Next select the software you want EM Library to download and update (see next section).
6.3.3Select the software you want to download
1.
In the Configuration view, click Select Packages.
Packages are the files needed to install and update Sophos Anti-Virus and Sophos Client Firewall.
There is a package for each operating system.
2.
In the Packages dialog box, the default packages for Windows and Mac are shown. Do as
follows:
a)
If you need to see other packages, for example for NetWare, clear the Show default packagesonly check box.
b)
Select the check box(es) beside the packages you want. Click OK.
For Sophos Anti-Virus for UNIX, version 7, select the relevant package that says
(Manageable).
16
The Sophos Endpoint Security and Control package includes Sophos Anti-Virus, Sophos Client
Firewall, and Sophos Network Access Control.
Sophos Endpoint Security and Control network startup guide: NetWare edition
Next select where EM Library places downloads (see next section).
6.3.4Select where you will place downloads
When EM Library downloads software, it places it in central installation directories (CIDs), from
which it can be distributed across your network. By default, EM Library creates these CIDs on the
same computer as the library.
However, Sophos recommends that you change the default directories to subdirectories of the
directory that you created on the NetWare server (see Create the EM Library user account on the
NetWare server (page 10) ), as follows.
1. In the console tree, click Central Installations.
The default CIDs created by EM Library are displayed.
2. Right-click the CID that you want to change and select Properties.
17
Sophos Endpoint Security and Control network startup guide: NetWare edition
3.
In the Properties dialog box, click the Location tab. Click Custom CID location. Replace the
InterChk share with the path of the directory on the NetWare server.
For example, the default location of the CID for the Sophos Anti-Virus for NetWare package
is
\\<Windows server>\InterChk\NLMINST
which should be changed to
\\<NetWare server>\SYS\SWEEP\NLMINST
where <Windows server> and <NetWare server> are the names of the Windows and NetWare
servers, respectively.
4.
Click the Credentials tab. Click NDS details. In the NDS Information dialog box, enter the
details of the EM Library user account.
You must enter:
■
The fully distinguished User name as noted in step 5 of Create the EM Library user account
on the NetWare server (page 10). For example:
cn=<user>.o=<Organization>
■
The Tree name.
■
The fully distinguished Server name as noted in step 10 of Create the EM Library user account
on the NetWare server (page 10). For example:
cn=<NetWare server>.o=<Organization>
Click OK.
18
Sophos Endpoint Security and Control network startup guide: NetWare edition
5.
In the Properties dialog box, click Test to check that the account can access the CID. ClickOK to close the Properties dialog box.
6. In the details pane, check that the new CID location is displayed.
Repeat steps 1 to 6 for all the packages that you are downloading. You must download one of the
packages for Windows 2000 or later to be able to protect the computer that is running EM Library.
Next download the software for the first time (see next section).
6.4Download software
Now download Sophos software and place it in central installation directories, as follows:
1.
In the Configuration view, click Download Packages.
2.
In the EM Library message box, click Yes.
The Updating packages from the parent progress bar is displayed.
When downloading is complete, the Updating your central installations progress bar is displayed.
You are ready to pre-configure your anti-virus software and install it on your networked computers.
Note: If you turned off User Account Control before installation, you can now turn it on again.
Note: Even if you do not want to manage your anti-virus software from a central console, you
should set up the updating and anti-virus policies for Windows computers as explained in Create
groups for your computers (page 20) and Set up policies (page 21). You should then protect a few
Windows computers that are typical of those on your network (Protect computers with a script
(page 29)), then set up policies for suspicious behavior (Detect suspicious behavior (page 35)),
suspicious files (Scan for suspicious files (page 37)), adware/PUAs (Scan for adware and potentially
unwanted applications (PUAs) (page 38)), and controlled applications (Scan for controlled
applications (page 40)). Then protect the rest of your Windows computers (Protect Windows
computers without using Enterprise Console (page 46)) and protect your NetWare servers (Protect
NetWare servers (page 31)).
Click the Start Enterprise Console button in the Configuration view and go to the next section.
19
Sophos Endpoint Security and Control network startup guide: NetWare edition
7Create groups for your computers
You can protect computers only if they are in groups, with policies applied to them.A group holds
a number of computers (which do not all have to run the same operating system). The computers
in the group use the same policies and update from the same location.
You can use groups to put together computers that need a special configuration. For example,
you could have a group for Exchange servers on which you do not want to run on-access scanning.
Note: The computers on which you want to install Sophos Anti-Virus for Mac OS X, version 4.9
must be in a different group from those computers on which you want to install Sophos Anti-Virus
for Mac OS X, version 7.
1.
To create your first group, click the Create group icon.
2.
A New Group is added in the left-hand pane, with its name highlighted. Type in the name you
want to use for the group.
3. To create further groups, go to the left-hand pane. Select the server shown at the top if you
want another top-level group. Select a group if you want a sub-group within it. Then repeat
step 1.
Each new top-level group has a set of default policies applied to it. A new sub-group initially uses
the same settings as the group it is within.
Now you can create policies.
20
Sophos Endpoint Security and Control network startup guide: NetWare edition
8Set up policies
Note: A policy is a collection of settings that can be applied to the computers in a group or groups.
When groups are created, default policies are applied.You can edit these policies or create new
policies. This section describes:
■
How to create or edit a policy.
■
How to apply a policy to your computer groups.
■
What the default policies are and whether you need to change them.
8.1Create or edit a policy
Note: You cannot create NAC policies. You can only edit them.
To create or edit a policy:
1.
In the Policies pane (bottom, left-hand side of the window), do one of the following:
■
To create a new policy, right-click the type of policy you want, for example, Updating Policy,
and select Create policy.
■
To edit a default policy, double-click the type of policy you want to edit. Then highlight
Default.
If you created a policy, aNew Policy is added to the list, with its name highlighted. Type a name.
2. Double-click the policy. Enter the settings you want.
Now you need to apply your policy to a computer group (see next section).
8.2Apply policies to groups
1.
In the Policies pane, highlight the policy.
2. Click the policy and drag it onto the group to which you want to apply the policy.
8.3Default policies
This section tells you about the default policies and about any changes you should make.
21
Loading...
+ 47 hidden pages
You need points to download manuals.
1 point = 1 manual.
You can buy points or you can get point for every manual you upload.