Sophos Endpoint Security upgrade guide

Download

Sophos Endpoint Security and Control 9

advanced upgrade guide

Describes upgrading to:

Sophos Enterprise Console version 4.0

Sophos NAC version 3.3

Sophos Endpoint Security and Control version 9.0

Document date: September 2009

1 About this guide........................................................................................................................................3

2 What's new?...............................................................................................................................................4

3 System requirements.................................................................................................................................5

4 Upgrade overview.....................................................................................................................................6

5 Prepare for upgrade..................................................................................................................................8

6 Upgrade NAC Manager and Enterprise Console..................................................................................11

7 Do I need to migrate to Sophos Update Manager manually?...............................................................20

8 Migrate to Sophos Update Manager......................................................................................................21

9 Upgrade the security software on endpoint computers........................................................................29

10 Check existing policies..........................................................................................................................34

11 Transfer device control settings to the new policy..............................................................................35

12 Configure new features.........................................................................................................................36

13 Troubleshooting....................................................................................................................................37

14 Appendix: What types of update are available?...................................................................................44

15 Technical support..................................................................................................................................46

16 Copyright..............................................................................................................................................47

Sophos Endpoint Security and Control 9 advanced upgrade guide

1 About this guide

This guide tells you how to upgrade:

■

Sophos NAC Manager from version 3.1 to version 3.3.

■

Sophos Enterprise Console from version 3.x to version 4.0.

■

Sophos Anti-Virus and Sophos Client Firewall to Sophos Endpoint Security and Control 9.0.

This guide is for you if some or all of the following statements apply:

■

You have Enterprise Console and NAC Manager components installed on different servers.

■

You have Enterprise Console and EM Library installed on different servers.

■

You use a non-default SQL Server instance for Sophos database.

■

You use a non-default EM Library configuration.

■

An error occurred during the upgrade and you need to configure the software manually.

If you have all Enterprise Console and NAC Manager components installed on a single server, or on two servers where one is dedicated to Enterprise Console and the other is dedicated to NAC, see the Sophos Endpoint Security and Control quick upgrade guide.

Endpoint Security and Control documents are available from

http://www.sophos.com/support/docs/Endpoint_Security_Control-all.html.

Sophos Endpoint Security and Control 9 advanced upgrade guide

2 What's new?

This section describes the key new features in the Sophos security software. For a full list and more detailed description of new features, see the Release Notes.

Enterprise Console 4.0

Enterprise Console has these key new features:

An integrated tool for downloading updates (Sophos Update Manager).

■

Role-based administration, which enables you to specify how other users can use the console.

■

Data control, which enables you to reduce accidental data loss from workstations.

■

Device control, which enables you to prevent users from using unauthorized external storage

■

devices and wireless connection technologies.

NAC Manager 3.3

NAC Manager has these key new features:

New Dissolvable Agent that does not require guest users to be logged on to their computers

■

with administrator privileges to access the network.

Simplified DHCP (Dynamic Host Configuration Protocol) enforcement to ensure that

■

computers comply with health standards before they can access the network.

Enhanced assessment of whether computers are protected by Sophos Anti-Virus and Sophos

■

Client Firewall.

Assessment of whether computers are protected by encryption.

■

Sophos Endpoint Security and Control 9.0

This replaces Sophos Anti-Virus and Sophos Client Firewall. It also provides the data control and device control functions that you manage from Enterprise Console.

Sophos Endpoint Security and Control 9 advanced upgrade guide

3 System requirements

For a full list of system requirements, see the system requirements page of the Sophos website (http://www.sophos.com/products/all-sysreqs.html).

Note: Sophos Enterprise Console 4.0 installation requires the following:

■

Microsoft®Windows® Installer (MSI) version 3.1

■

Microsoft .NET Framework version 2.0 SP1 (2.1.21022)

■

SQL Server 2005 Express Edition

If you do not have these (or later) versions of the software, the Enterprise Console installer will install them for you. You may need to restart your computer after that.

Sophos Endpoint Security and Control 9 advanced upgrade guide

4 Upgrade overview

This guide describes upgrading of a distributed installation of Enterprise Console and NAC Manager. The following example shows a distributed installation where:

■

Enterprise Console Management Server and NAC Application Server are installed on different computers.

■

Enterprise Console and NAC databases are on a dedicated database server and attached to the same, default MSDE instance SOPHOS.

■

EM Library and Enterprise Console are installed on different computers.

Figure 1: Example of a distributed installation of Enterprise Console and NAC Manager

Sophos Endpoint Security and Control 9 advanced upgrade guide

What are the key steps?

Upgrading of such installation involves the following steps:

Prepare for upgrade (check EM Library settings to avoid migration errors, back up the

■

databases).

Upgrade NAC Manager and Enterprise Console.

■

Important: It is important that you upgrade NAC Manager before upgrading Enterprise Console. Otherwise, NAC Manager will be put into an unsupported state.

Migrate to Sophos Update Manager.

■

Upgrade endpoint software.

■

Check existing policies.

■

If you use device control, transfer device control settings from the Application control policy

■

to the new Device control policy.

Set up new policies and features (for example, data control or role-based administration).

■

For a detailed description of each step, see the following sections.

Sophos Endpoint Security and Control 9 advanced upgrade guide

5 Prepare for upgrade

Before you upgrade your Sophos Endpoint Security and Control management software and migrate to the new Sophos updating technology, Sophos Update Manager, do the following:

■

Check that your existing updating component, EM Library, is not using any packages that are no longer maintained on its parent.

This is to ensure that no migration errors occur when the migration wizard cannot find a non-existent package.

■

Back up your Enterprise Console and NAC databases.

If for some reason the upgrade is unsuccessful, you will need to recover your system to its previous state from your backup.

5.1 Check EM Library settings

To check that EM Library is not using packages that are no longer maintained on its parent:

1. In Enterprise Console, click the Libraries icon on the toolbar.

The Sophos EM Library window is displayed. The Configuration view is open by default.

2. Look in the “Notifications” pane (lower-right corner).

If EM Library is using a package that is no longer maintained on the parent, you will see the following warning:

Warning: You have a package in use that is no longer maintained on the parent. Click "Select packages" and subscribe to another package.

3. If you have a package that is no longer maintained, subscribe to another package that contains a more up-to-date version of the software or unsubscribe from the package if you no longer use it.

For information about upgrading, see the knowledgebase article “How to upgrade to the new Endpoint Security and Control products” (http://www.sophos.com/support/knowledgebase/article/14844.html).

5.2 Back up the NAC databases

Using your SQL Server Management Console, back up the ReportStore and PolicyStore

■

databases.

If the NAC Manager databases are not upgraded successfully, you will need these backups to restore NAC reporting and policy information.

Sophos Endpoint Security and Control 9 advanced upgrade guide

5.3 Back up the Enterprise Console database

Before you start upgrading, make sure you have a valid, complete backup of your Sophos Enterprise Console installation. Make sure you can recover the system from the backup. If for some reason the upgrade fails, you will need to recover your Sophos Enterprise Console system to its previous state from your backup.

Note: The default installation folder for the database is C:\Program files\Microsoft SQL Server\MSSQL$SOPHOS.

To back up Enterprise Console database:

1. On the computer where the Enterprise Console database is installed, create a folder where you want to place the database backup, for example, C:\SECBackups.

2. Open command prompt and browse to the Sophos installation directory, usually C:\Program Files\Sophos\Enterprise Console\DB.

3. Type the command in the format:

BackupDB C:\SECBackups\SOPHOS3.bak

If the SQL Server instance is anything other than SOPHOS, run the batch file with the name of the SQL Server instance, for example:

BackupDB C:\SECBackups\SOPHOS3.bak MySQLServerInstance

4. Export the following registry key:

HKLM\SOFTWARE\Sophos\Certification Manager

You are ready to upgrade Sophos Enterprise Console.

5.3.1 Restore the Enterprise Console database

If you need to restore the installation to its previous state, follow these steps:

1. Restore the database to the instance you use.

The default SQL Server instance is SOPHOS.

a) On the computer where the Enterprise Console database is installed, open command prompt

and navigate to the Sophos installation directory, usually C:\Program Files\Sophos\Enterprise Console\DB.

b) Type the command in the format:

RestoreDB C:\SECBackups\SOPHOS3.bak

If the SQL Server instance is anything other than SOPHOS, run the batch file with the name of the SQL Server instance, for example:

RestoreDB C:\SECBackups\SOPHOS3.bak MySQLServerInstance

Sophos Endpoint Security and Control 9 advanced upgrade guide

2. Import the following registry key:

HKLM\SOFTWARE\Sophos\Certification Manager

Sophos Endpoint Security and Control 9 advanced upgrade guide

6 Upgrade NAC Manager and Enterprise Console

Important: It is important that you upgrade Sophos NAC Manager before upgrading Sophos Enterprise Console. Otherwise, NAC Manager will be put into an unsupported state.

What are the key steps?

Upgrading NAC Manager and Enterprise Console on different computers involves the following key steps:

Download the installers from Sophos.

■

Put NAC Manager 3.1 in maintenance mode.

■

Upgrade NAC databases from version 3.1 to version 3.3.

■

Install SQL Server 2005 Express Edition on the database server, if you need to. For more

■

information, see Do I need to install SQL Server 2005 Express Edition manually? (page 14).

Upgrade Enterprise Console database from version 3.1 or 3.1.1 to version 4.0.

■

You can choose to populate the database manually, if you wish.

Upgrade NAC Application Server from version 3.1 to version 3.3.

■

If you use Sophos Web Agent, upgrade it to the new Compliance Dissolvable Agent.

■

Take NAC Manager out of maintenance mode.

■

Upgrade Enterprise Console management server from version 3.1 or 3.1.1 to version 4.0.

■

If you have an Enterprise Console remote console, upgrade it.

■

The following diagram shows the upgrade process.

Sophos Endpoint Security and Control 9 advanced upgrade guide

Figure 2: Upgrading Sophos Enterprise Console (SEC), version 3.x to version 4, and Sophos NAC, version 3.1 to version 3.3

Sophos Endpoint Security and Control 9 advanced upgrade guide

6.1 Download the installers

1. Go to http://www.sophos.com/support/updates/.

2. Type your MySophos username and password.

3. On the web page for Endpoint Security and Control downloads, download the Enterprise Console installer.

4. Download the NAC Manager installer.

5. Download the Sophos Compliance Dissolvable Agent installer.

6. Ensure that the installers are in a location that can be accessed from the servers on which you want to install the software.

Alternatively, copy them to a CD or DVD.

6.2 Put NAC in maintenance mode

To put NAC in maintenance mode, use the Maintenance Mode tool.

From the command prompt on the NAC Application Server, go to the Program

■

Files\Sophos\NAC\Support Tools directory, and then type:

MaintMode.exe /start

You do not need to put NAC databases in maintenance mode. However, you have to ensure that the upgrade is not taking place at the same time as database purging, which is set to occur every morning at 2:30 A.M. (system time).

6.3 Upgrade the NAC databases

To upgrade the NAC databases:

1. Log on as an administrator or domain administrator, as appropriate, at the computer where the databases are installed.

2. Locate the NAC Manager installer that you downloaded earlier and double-click it.

An installation wizard starts.

3. Click Install.

4. On the Welcome page of the wizard, click Next.

5. On the Select Features page, select the Advanced option.

6. Clear all check boxes, and then select the Sophos NAC Databases check box. Click Next.

If you want to change the directory where the scripts that create the NAC databases are installed, click Browse. If you want to change the SQL Server instance that NAC will use, click Select. The Select button only appears when the NAC installer detects more than one SQL Server instance.

Sophos Endpoint Security and Control 9 advanced upgrade guide

7. Type the Service Account Information in the appropriate fields. Click Next.

You created this service account on the domain controller as part of the initial Sophos NAC installation.

8. Type your Sophos download account details in the appropriate fields. Click Next.

The username and password entered during the NAC installation must match those provided to you by Sophos. If you entered them incorrectly during the NAC installation, you can correct them on the NAC Manager Download Account Details page.

9. On the Ready to Install dialog box, click Install to begin the installation.

The NAC databases are configured, and the installation progress displays. A portion of the installation takes several minutes, during which time the progress indicator may not move. Do not cancel the installation, and it will progress.

10. Click Finish.

Important: If an installation error occurs or the upgrade of the NAC databases fails, see

Troubleshooting (page 37).

6.4 Do I need to install SQL Server 2005 Express Edition manually?

Your SQL Server will be upgraded automatically if:

■

You use SQL Server 2000 Desktop Engine (MSDE), and

■

The default SQL Server instance is SOPHOS.

In this case MSDE will be replaced with SQL Server 2005 Express Edition automatically during the upgrade of the Enterprise Console database.

Your existing SQL Server version will not change if:

■

You use SQL Server 2005 or later.

SQL Server 2005 or later satisfies the Sophos Enterprise Console 4 database requirements.Your existing SQL Server version will continue to be used after the upgrade.

You need to install SQL Server 2005 Express Edition manually if:

■

You use SQL Server 2000 (not MSDE) or earlier, and/or

■

The Enterprise Console database is attached to a non-default SQL Server instance (not SOPHOS).

If this is the case, install SQL Server 2005 Express Edition on the computer where the Enterprise Console database is installed. You can download SQL Server 2005 Express Edition from the Microsoft website.

If you do not want to upgrade SQL Server now, you can use the Enterprise Console 4 database with your current version of SQL Server. However, SQL Server 2005 Express Edition provides

Sophos Endpoint Security and Control 9 advanced upgrade guide

better scalability and a larger maximum database size (4 GB as compared to 2 GB for MSDE) and therefore Sophos recommends upgrading to it.

6.5 Upgrade the Enterprise Console database

To upgrade the Enterprise Console database:

1. Log on as an administrator or domain administrator, as appropriate, at the computer where the database is installed.

2. Close any open Sophos applications.

3. Locate the Enterprise Console installer that you downloaded earlier and double-click it.

4. Follow the instructions in the Sophos Enterprise Console InstallShield Wizard.

5. When asked, select whether you want to populate the database now or later (for example, if you want to preview the scripts before running them on your database).

■

Populate database now - leave this option selected if you want the installer to create tables and stored procedures in the database.

■

Populate database later - select this option to create scripts you will use to populate the database later. Script files will be created in your installation directory, usually C:\Program Files\Sophos\Enterprise Console\DB.

6. On the Ready to Install page of the wizard, click Install.

A new database SOPHOS4 is installed alongside the old database. There is no data in the new database yet. The management server is still using the old database.

If you selected Populate database later on the Database Population page, upgrade the database manually as described in Populate the Enterprise Console database manually (page 15).

If you accepted the default, Populate database now, go to Upgrade the NAC Application Server (page 16).

Note: If the database contains a significant number of alerts, it may take some time for the console to display information about managed computers when you start the console for the first time after the upgrade.

6.5.1 Populate the Enterprise Console database manually

If you chose to preview the database scripts before running them on your database and populate the database later, the script files were created in your installation directory, usually C:\Program Files\Sophos\Enterprise Console\DB. After you have reviewed the scripts, populate the database and move the data from the old database to the new database.

Sophos Endpoint Security and Control 9 advanced upgrade guide

To populate the database, use the batch file InstallDB.bat. It calls the .sql scripts which create tables and stored procedures in the database.

1. Go to the computer where the Enterprise Console management server is installed. Go to Control Panel, Administrative tools, Services and stop the Sophos Management Service process.

2. At the computer where you installed the database, open Command Prompt and browse to the directory <Installation Drive>:\Program Files\Sophos\Enterprise Console\DB.

Locate the batch file InstallDB.bat and run it.

If the SQL Server instance is called SOPHOS, you do not need to specify any parameters.

■

If the SQL Server instance is anything other than SOPHOS, run the batch file with the name of the SQL Server instance, for example:

InstallDB.bat MyServer\MySQLInstance

■

If installing on a default, unnamed instance of SQL Server, enter

InstallDB.bat (local)

■

If the computer is a domain controller, you will also need to specify the name of the domain that it controls. For example:

InstallDB.bat MyServer\MySQLInstance domainname

This will create all the tables and stored procedures in the new database SOPHOS4.

6.6 Upgrade the NAC Application Server

To upgrade the NAC Application Server:

1. On the computer where you want to install the NAC Application Server, run the NAC Manager installer.

An installation wizard starts.

2. Click Install.

3. On the Welcome page, click Next.

4. Do one of the following:

■

If you see the following message, click OK.

Only the Sophos NAC Application Server can be installed. To install the Sophos NAC Application Server, click OK.

Then, on the Select Features page, click Next.

■

If the Select Features page appears, select the Advanced option button. Clear all check boxes, and then select the Sophos NAC Application Server check box. Click Next.

If you want to change the directory where the NAC Manager files are installed, click Browse.

Sophos Endpoint Security and Control 9 advanced upgrade guide

5. Type the Service Account Information in the appropriate fields. Click Next.

This is the standard domain account required by the NAC databases and the NAC Manager. This service account information must match the service account information you entered when you upgraded the NAC databases.

6. Type the NAC Database server name.

If necessary, specify the SQL Server instance name (for example, SOPHOS). Otherwise, the installer assumes that the SQL Server instance is local.

Click Next.

7. As appropriate, specify this server's internet proxy settings by selecting an option.

■

If the NAC Application Server and Enterprise Console Management Server are installed on different computers, select the Use Proxy option. The proxy can be the same or different proxy than the one specified in Enterprise Console.

■

If the NAC Application Server and Enterprise Console Management Server are installed on the same computer, and you are using a proxy that is not specified in Enterprise Console, select the Use Proxy option.

■

If the NAC Application Server and Enterprise Console Management Server are installed on the same computer, and you are using a proxy that is specified in Enterprise Console, select the Use SEC Proxy Settings option.

The username, password, and confirm password fields are required only when the NAC Manager is using an authenticated proxy.

Click Next.

8. Click Install to begin the installation.

The NAC Manager is configured, and the installation progress displays. A portion of the installation takes several minutes, during which time the progress indicator may not move. Do not cancel the installation, and it will progress.

9. Click Finish.

If an installation error occurs, use the Event Log to view additional information.

6.7 Upgrade the Web Agent

If you use the Web Agent, it is no longer supported and will not work with Sophos Endpoint Security and Control version 9. The Web Agent 3.1 or 3.1.2 can be upgraded to the new Compliance Dissolvable Agent.

The Dissolvable Agent is designed for users who do not or cannot have a Compliance Agent installed on their endpoint, such as contractors or guests. Once upgraded, users download the Dissolvable Agent using a browser. For more information on the Dissolvable Agent, see the Sophos Compliance Agent version 3.3 configuration guide.

1. Locate the Sophos Compliance Dissolvable Agent installer that you downloaded earlier and double-click it.

Sophos Endpoint Security and Control 9 advanced upgrade guide

2. On the Welcome page of the installation wizard, click Next.

3. Keep the default C:\Program Files\Sophos\Sophos Dissolvable Agent directory or click Change to select the appropriate installation directory. Click Next.

4. Type the Sophos NAC Server IP address or DNS name.

Note: If Sophos NAC was installed on more than one server, the server address is the IP address or DNS name of the NAC Manager Server and not the NAC Database Server. If you change the server address after you install the Dissolvable Agent, you must reinstall the Dissolvable Agent on the web server and specify the new server address during the installation.

5. Select the Secure Sophos Server (use HTTPS) check box if you are using HTTPS with NAC.

6. Click Install to begin the installation.

7. Click Finish to complete the installation.

Note:

■

If installation errors occur, use the Event Log on the web server to view additional information.

■

If you install the Dissolvable Agent in the default directory, endpoints can access it using the following URL: http(s)://<ip address/DNS name>/dissolvableagent. The IP address or DNS name is the web server where you installed the Dissolvable Agent.

6.8 Take NAC out of maintenance mode

Return NAC to production mode using the Maintenance Mode tool.

From the command prompt on the NAC Application Server, go to the Program

■

Files\Sophos\NAC\Support Tools directory, and then type:

MaintMode.exe /stop

6.9 Upgrade the Enterprise Console management server

Note: Sophos Enterprise Console 4.0 requires Microsoft .NET Framework version 2.0 SP1 (2.1.21022) or later. If you do not have it installed, the Enterprise Console installer will install it for you. You may need to restart your computer after that.

To upgrade the Enterprise Console management server:

1. Log on as an administrator or domain administrator, as appropriate, at the computer where the management server is installed.

2. Close any open Sophos applications.

3. Run the Enterprise Console installer.

4. Follow the instructions in the Sophos Enterprise Console InstallShield Wizard.

Sophos Endpoint Security and Control 9 advanced upgrade guide

5. On the Remote database page, you are asked to make sure you have upgraded your old database. If you have upgraded the database, click Next. If not, see Upgrade the Enterprise Console database (page 15).

After the database has been upgraded, a new database SOPHOS4 appears in the installation directory on the computer where the database is installed, usually C:\Program Files\Microsoft SQL Server\MSSQL$SOPHOS\Data\Sophos4.mdf.

Important: If you don't upgrade the database first, no data will be lost. However, you will not be able to manage Sophos Endpoint Security and Control from the management console. Once the database is upgraded, start the Sophos Management Service process to complete the upgrade. Then you will be able to manage Sophos Endpoint Security and Control from the console.

6. On the Ready to Install page, click Install.

7. When upgrade is complete, you are prompted to log off or restart. Click Yes or Finish.

You have now upgraded the Enterprise Console management server.

When you log back on, if EM Library is installed on a different computer, the Download Security Software Wizard is displayed. Cancel the wizard and migrate the remote EM Library to Sophos Update Manager as described in Migrate to Sophos Update Manager (page 21).

6.10 Upgrade an Enterprise Console remote console

If you have a remote management console, upgrade it as described below.

1. Log on as an administrator at the computer where the remote management console is installed.

2. Run the Enterprise Console installer.

3. Follow the instructions in the Sophos Enterprise Console InstallShield Wizard.

4. On the Remote database page, you are asked to make sure you have upgraded your old database. If you have upgraded the database, click Next. If not, see Upgrade the Enterprise Console database (page 15).

5. On the Ready to Install page, click Install.

6. When upgrade is complete, you are prompted to log off or restart. Click Yes or Finish.

The installer has now upgraded the remote management console, retaining your settings.

Sophos Endpoint Security and Control 9 advanced upgrade guide

7 Do I need to migrate to Sophos Update Manager

manually?

■

If you have Enterprise Console management server and EM Library installed on the same computer, you do not need to install Sophos Update Manager manually. It has already been installed along with Enterprise Console and configured on the basis of your previous updating settings (from EM Library).

If you completed the migration wizard and chose to migrate computer groups, you do not

■

need to migrate manually (that is, apply new updating policies to computers). Your computers are already using new updating policies supported by the update manager.

■

If you have EM Library that updates from Sophos and Enterprise Console installed on different computers, you will need to install Sophos Update Manager on the remote EM Library computer and migrate your updating settings (see next section).

Sophos Endpoint Security and Control 9 advanced upgrade guide

8 Migrate to Sophos Update Manager

8.1 What are the key steps in migration?

The following key steps describe the migration process for the installation where Enterprise Console management server and EM Library that updates from Sophos are installed on different computers.

This section assumes that you have previously canceled the Download Security Software Wizard, and the update manager that is always installed on the same computer as Enterprise Console is not configured.

Any updating policies that existed before the upgrade have become legacy policies and are now grouped in the Policies pane under Legacy Updating. EM Library is running as before the upgrade, and endpoint computers use legacy updating policies and continue to update from EM Library-maintained central installation directories (CIDs).

Note: NetWare computers are an exception. These automatically switch to updating from CIDs generated by Sophos Update Manager.

To migrate to Sophos Update Manager, you carry out these key steps:

■

On the computer where the EM Library connected to Sophos is installed, install Sophos Update Manager.

■

On the computer where Enterprise Console is installed, view the remote update manager's migration report to see whether the update manager has been configured successfully.

If the update manager has not been fully configured, configure the update manager and

■

create new updating policies.

■

Configure the update manager installed on the same computer as Enterprise Console to update from the remote update manager that replaces EM Library and updates from Sophos.

■

If you use any additional libraries, view the Updating Hierarchy report to see which other libraries need migrating.

■

Migrate any additional managed libraries on the network.

■

If you had custom files in any of the CIDs, add them to the new update locations.

■

Test the new update shares and updating policies.

■

Apply new updating policies to computer groups.

■

Uninstall EM Library once it is no longer required for endpoint updating.

After you perform these steps, you will have migrated to use the update manager. However, the update manager will be using the “old” updating settings from EM Library and your endpoint computers will still be using the “old” security software. To make full use of the new Enterprise Console features, you will need to upgrade your endpoint computers as described in Upgrade the

security software on endpoint computers (page 29).

Sophos Endpoint Security and Control 9 advanced upgrade guide

The following diagram shows the migration process.

Sophos Endpoint Security and Control 9 advanced upgrade guide

Figure 3: Migrating remote EM Library to Sophos Update Manager

Sophos Endpoint Security and Control 9 advanced upgrade guide

8.2 Install Sophos Update Manager

If you have EM Library and Enterprise Console management server installed on different computers, you need to install Sophos Update Manager on the computer where EM Library is installed.

Note: The Enterprise Console installer always installs Sophos Update Manager on the computer where the Enterprise Console management server is installed. It also places the Sophos Update Manager installer in the SUMInstallSet share on that computer.

You can use Windows Remote Desktop to install Sophos Update Manager.

To install Sophos Update Manager manually:

1. If the computer where EM Library is installed is protected by Sophos Anti-Virus managed from Enterprise Console, uninstall Sophos Remote Management System. In Control Panel, open Add or Remove Programs, locate Sophos Remote Management System from the list, and click Change/Remove or Remove. Follow the instructions for uninstalling the component.

2. Locate the Sophos Update Manager installer. In Enterprise Console, on the View menu, click Update Manager Installer Location.

In the Update Manager Installer Location dialog box, note the location of the installer.

3. Go to the computer where EM Library is installed and run the installer.

Alternatively, use Windows Remote Desktop to install Sophos Update Manager on the computer.

4. Follow the instructions in the Sophos Update Manager InstallShield Wizard.

5. On the Sophos Update Manager Account page, select an account that endpoint computers will use to access the default update share created by the update manager. (The default update share is \\<ComputerName>\SophosUpdate, where ComputerName is the name of the computer where the update manager is installed.) This account must have read rights to the share and does not need to have administrative rights.

You can select the default user, select an existing user, or create a new user.

By default, the installer will create the SophosUpdateMgr account with read rights to the default update share and no interactive logon rights.

6. On the Sophos Update Manager Account Details page, depending on the option you selected on the previous page, enter a password for the default user, details for the new user, or select an existing account.

The password for the account must comply with your password policy.

7. On the Ready to Install the Program page, click Install.

8. When installation is complete, click Finish.

9. In Enterprise Console, in the Endpoints view, select the computer where you installed Sophos Update Manager, right-click and click Protect Computers. Follow the instructions in the Protect computers wizard to reprotect the computer.

Sophos Endpoint Security and Control 9 advanced upgrade guide

The computer where you installed Sophos Update Manager should appear in Enterprise Console,

Update managers view. (On the View menu, click Update Managers.)

Note: It may take a few minutes before the new update manager appears in Enterprise Console.

If your updating settings could be successfully migrated from EM Library to Sophos Update Manager, the update manager will be configured on the basis of those settings. To see if the migration process was successful, view the update manager’s migration report.

8.3 View the update manager's migration report

Go to the computer where Enterprise Console is installed. In Enterprise Console, make sure you are in the Update managers view. If you are in the Endpoints view, on the View menu, click

Update Managers.

Note: It may take a few minutes before the new update manager appears in Enterprise Console.

Open the update manager's migration report and check whether the update manager has been configured successfully on the basis of EM Library settings.

To view the update manager's migration report:

1. Select the computer with the update manager whose migration report you want to view, right-click and then click View Migration Report.

2. In the update manager's Migration Report check that:

■

The updating sources that the update manager uses are correct.

If this is the master update manager that downloads updates from Sophos, its primary update source must be Sophos. For instructions on selecting an update source, see Select

an update source for the update manager (page 39).

■

The updating schedule was successfully migrated from EM Library. (If not, a default updating schedule would have been applied.)

■

The endpoint update locations were migrated successfully.

■

The updating policies were successfully migrated from legacy updating policies.

Depending on whether the updating settings have been migrated successfully or not:

If your updating settings have been successfully migrated from EM Library, the update manager

■

is configured on the basis of those settings. New updating policies, corresponding to the legacy ones, are created, but endpoint computers are not using them yet. Continue the migration as described in the next section.

If some of the updating settings could not be migrated, see Update settings could not be migrated

■

to Sophos Update Manager (page 37).

Sophos Endpoint Security and Control 9 advanced upgrade guide

8.4 Configure the update manager on the Enterprise Console computer

Enterprise Console cannot protect the network fully until the update manager installed on the same computer as the Enterprise Console management server is configured with an update source. This will enable Enterprise Console to receive necessary updates (for example, information about the versions of security software that endpoint computers should be running, new and updated Content Control Lists for data control, or the list of new controlled devices and applications).

To configure the update manager:

1. In the Update managers view, select the computer where Enterprise Console is installed. Right-click and click View/Edit Configuration.

2. In the Configure update manager dialog box, on the Sources tab, click Add.

3. In the Source Details dialog box, click the drop-down arrow in the Address field and select the default update share created by the update manager that updates from Sophos.

Alternatively, type in the address or click Browse to browse to the share.

The default update share is a UNC share \\<ComputerName>\SophosUpdate, where ComputerName is the name of the computer where the update manager that updates from Sophos is installed.

4. Enter the username, password, and proxy settings, as appropriate.

This will enable the update manager to download updates for Enterprise Console.

If you want to configure the update manager on the Enterprise Console computer to distribute endpoint software updates across the network, configure the software subscription, distribution, and schedule settings similarly to how you configured such settings for the update manager that updates from Sophos.

If you wish, you can change the default settings for the update manager log and self-updating. You do this on the Logging and Advanced tabs, respectively.

8.5 Migrate additional managed libraries

If you have any additional libraries that you manage from Enterprise Console, migrate their updating settings to Sophos Update Manager.

You can use the Updating Hierarchy report to view a list of update managers and libraries on your network, update shares that they maintain, and the number of computers that update from these shares. To view the report, on the Tools menu, click Manage Reports. In the Report Manager dialog box, select Updating hierarchy and click Run.

To migrate the updating settings from an additional library, you carry out these key steps:

Install Sophos Update Manager on the EM Library computer (see Install Sophos Update Manager

■

(page 24)).

Sophos Endpoint Security and Control 9 advanced upgrade guide

On the computer where Enterprise Console is installed, view the new update manager's

■

migration report to see whether the update manager has been configured successfully (see View

the update manager's migration report (page 25)).

If the update manager has not been fully configured, configure the update manager and create

■

new updating policies (see Update settings could not be migrated to Sophos Update Manager (page 37)).

8.6 Test the new update share or shares

You may want to check that the new update share or shares are correct and are being updated, especially if you use an HTTP location (for example, a web update share) or a share that is not maintained by a managed update manager.

To test an update share, migrate one endpoint computer or a small group of test computers to update from a new update manager-maintained share by applying an updating policy pointing to that share.

1. In the Endpoints view, Groups pane, select the test group, right-click and click View/Edit Group Policy Details.

2. In the Group Details dialog box, select the updating policy that points to the share you want to test and click OK.

The test computers will check for updates during the next scheduled update.

3. Wait until the computers have checked for updates. Then, on the Status tab, look in the Up to date column, or go to the Update details tab.

■

If you see “Yes” in the Up to date column, the computers have updated successfully from the new update share.

■

If you see a clock icon, the computer is out of date. The text indicates how long the computer has been out of date. For information about updating such out-of-date computers, see the section “Updating computers” in the Sophos Enterprise Console Help.

8.7 Apply the new updating policies to the computers

To apply a new updating policy to a group of computers:

1. In the Endpoints view, Groups pane, select the group, right-click and click View Group Policy Details.

2. In the Group Details dialog box, clear the Legacy updating check box.

If you want to apply to the group an updating policy whose name differs from the legacy updating policy name that the group was using previously, select an updating policy from the drop-down list.

Sophos Endpoint Security and Control 9 advanced upgrade guide

Once all endpoint computers have been migrated to use new updating policies maintained by the update manager, uninstall EM Library.

Note: Running both EM Library and Sophos Update Manager will increase network traffic.

You can now use the update manager to upgrade the software running on your endpoint computers when you are ready (see next section).

Sophos Endpoint Security and Control 9 advanced upgrade guide

9 Upgrade the security software on endpoint computers

This section describes how to plan and carry out an upgrade of the security software on your endpoint computers.

The procedures described here upgrade all the endpoint security software components - Sophos Anti-Virus, Sophos Client Firewall, and Sophos NAC Agent (if you already use Sophos Client Firewall and Sophos NAC).

9.1 About upgrading endpoint computers

After your endpoint computers have been migrated to be updated by the update manager, they are still using the same version of the endpoint software that they were using before the migration.

■

If you want to continue using your existing versions of Sophos Anti-Virus, Sophos Client Firewall, and Sophos NAC Agent, you can do so.When Sophos stops supporting these versions, your computers will be upgraded automatically, provided that you leave selected the check box Automatically upgrade fixed version software when it is no longer supported by Sophos in the Software Subscription dialog box.

■

If you want to make full use of the new Enterprise Console features, you can upgrade the endpoint software on your Windows 2000 or later computers to the new version of Sophos security software, Sophos Endpoint Security and Control 9 (see next section).

9.2 Subscribe to new endpoint software

To subscribe to the new software, you can do either of the following:

■

Change your existing software subscriptions to download the new software.

■

Create new software subscriptions.

Changing existing software subscriptions

If you change an existing subscription to download a different software version, you do not need to perform any other configuration steps. The update manager is already configured to maintain the subscription and distribute the software into update shares on the network. You already have updating policies that refer to that subscription and are applied to endpoint computers. Your endpoint computers will be automatically upgraded to the new version.

Important: Do not upgrade to Sophos Endpoint Security and Control 9 any Windows 2000 computers running SP3 or earlier. The minimum requirement for the software is Windows 2000 with SP4.

Sophos Endpoint Security and Control 9 advanced upgrade guide

Creating new software subscriptions

If you want to test the new software on a small group of computers before releasing it to the network, you may want to create a new subscription. Then you will need to perform the following steps in addition to creating a new subscription:

Configure the update manager to maintain the subscription, that is, download the software

■

from Sophos and put it in network shares from which endpoint computers will update.

Create new updating policies that will refer to the new subscription and point to the update

■

shares set up for it in the update manager.

Upgrade endpoint computers by applying the new updating policies to them.

■

9.2.1 Change an existing software subscription

To change an existing software subscription to download a new software version:

1. On the View menu, click Update Managers.

2. In the Software Subscriptions pane, double-click the subscription you want to change.

The Software Subscription dialog box appears.

3. Click in the Version field next to Windows 2000 and later and then click again.

A drop-down list of available versions appears.

4. Select the type of update you want to download for version 9 of Sophos Endpoint Security and Control.

Normally you subscribe to “Recommended” to ensure that your software is kept up to date automatically. To learn what other types of update are available, see Appendix: What types of

update are available? (page 44).

Important: If you select a fixed version, for example, 9.1.2, Sophos recommends that you leave the Automatically upgrade fixed version software when it is no longer supported by Sophos check box selected. Running unsupported software leaves you unprotected against new security threats.

The new version will be downloaded according to the update manager’ s schedule and your endpoint computers will be upgraded next time they check for updates.

If you want to download the new version immediately, in the Update managers view, select the update manager that maintains the subscription you have changed, right-click and click Update Now.

If you want to upgrade computers immediately, wait until the update manager finishes downloading the software. (In the Update managers view, look in the Download status column next to the update manager.) In the Endpoints view, select the computers in the computer list or a group of computers in the Groups pane, right-click and click Update Computers Now.

Sophos Endpoint Security and Control 9 advanced upgrade guide

9.2.2 Create a new software subscription

To create a new software subscription:

1. On the View menu, click Update Managers.

2. In the Software Subscriptions pane, click the Add button at the top of the pane to create a new subscription.

The Software Subscription dialog box appears.

Alternatively, if you want to create a copy of an existing subscription, select the subscription, right-click and click Duplicate Subscription. Type a new name for the subscription and then double-click it to open the Software Subscription dialog box.

3. In the Software Subscription dialog box, edit the name of the subscription, if you wish.

4. Click in the Version field next to Windows 2000 and later and then click again.

A drop-down list of available versions appears.

5. Select the type of update you want to download for version 9 of Sophos Endpoint Security and Control.

Normally, you subscribe to the “Recommended” versions to ensure that your software is kept up to date automatically. To learn what other types of update are available, see Appendix: What

types of update are available? (page 44).

After you have created a new software subscription, configure the update manager to maintain it as described in the following sections.

Then you can set up subscription email alerts, if you wish. For more information about subscription email alerts, see the topic “Set up subscription alerts” in the “Setting up alerts” section of the Sophos Enterprise Console Help.

9.3 Add a subscription in the update manager

If you created a new subscription for the new software version, configure the update manager to maintain this subscription.

1. In the Update managers view, select the update manager, right-click and click View/Edit Configuration.

Sophos Endpoint Security and Control 9 advanced upgrade guide

2. In the Configure update manager dialog box, on the Subscriptions tab, select the software subscription in the list of available subscriptions.

To view the details of the subscription, for example, what software is included in the subscription, click View details.

3. To move the selected subscription to the “Subscribed to” list, click the “Add” button.

By default, the software is downloaded to the share \\<ComputerName>\SophosUpdate, where ComputerName is the name of the computer where the update manager is installed. You can specify additional shares as described in Specify where the software is placed (page 40).

If you want to download the new version immediately, select the update manager, right-click and click Update Now.

9.4 Configure updating policies

If you created a new software subscription and configured the update manager to maintain this subscription, configure updating policies to update the computers with the software specified in the subscription.

You can do either of the following:

Change your existing updating policy or policies to refer to the new subscription.

■

If you do this, your endpoint computers will be upgraded to the new version next time they check for updates.

Create new updating policies.

■

You will then need to apply the new policies to endpoint computers to upgrade them and keep up to date with the new version.

1. If you want to create a new updating policy, in the Endpoints view, Policies pane, right-click Updating and select Create policy.

A “New Policy” is added to the list, with its name highlighted.

2. Type a new name for the policy.

3. Double-click the policy to edit it.

4. In the Updating policy dialog box, click the Subscriptions tab and select the subscription for the software you want to keep up to date.

5. Edit other settings, as appropriate. For more information, see Create new updating policies (page 42).

If you created a new updating policy, apply it to a group or groups of endpoint computers to upgrade them, as described in the following section.

Sophos Endpoint Security and Control 9 advanced upgrade guide

9.5 Upgrade security software on Windows computers

Important: Do not upgrade to Sophos Endpoint Security and Control 9 any Windows 2000 computers running SP3 or earlier. The minimum requirement for the software is Windows 2000 with SP4.

Note: Computers that have been upgraded to Endpoint Security and Control 9 take their device control settings from the new Device control policy. Any device control settings you have set up previously in the Application control policy will only be enforced on computers still running Sophos Anti-Virus 7. To make the upgraded computers use the “old” device control settings, transfer the settings from the Application control policy to the Device control policy as described in Transfer device control settings to the new policy (page 35).

To apply a new updating policy to a group of computers:

1. In the Policies pane, highlight the updating policy.

2. Click the policy and drag it onto the group to which you want to apply the policy. When prompted, confirm that you want to continue.

Alternatively, you can right-click a group and select View group policy details. You can then select policies for that group from drop-down menus.

During the next update, computers will be upgraded to the new version of the security software, Sophos Endpoint Security and Control 9.

Note: When computers upgrade to Sophos Endpoint Security and Control 9, the computer details in the computer list in Enterprise Console may show “Differs from policy” in the Policy Compliance column. To correct this, right-click the computers and select Comply with and then the relevant policy or policies.

Sophos Endpoint Security and Control 9 advanced upgrade guide

10 Check existing policies

After the upgrade, your policy settings should be preserved. You may want to verify that this has happened. To do this, you should:

Check that the settings in the policies are correct.

■

Check that the groups have the correct policies applied to them.

■

1. To check policy settings, in the Policies pane, double-click a policy type, for example, Anti-virus and HIPS. Then double-click the policy you want to view.

2. In the dialog box that is displayed, review the settings.

For more information about policy settings, see the Sophos Enterprise Console Help.

3. To check that the each group has the correct policies applied to it, in the Groups pane, right-click a group to display a menu. Select View group policy details.

4. In the Group details dialog box, verify that the group is assigned the right policies. If not, for a policy type, select a different policy from the drop-down list and confirm your selection.

To configure new policy settings (for example, data control or role-based administration) for Windows 2000/XP/2003/Vista computers, see Configure new features (page 36).

Sophos Endpoint Security and Control 9 advanced upgrade guide

11 Transfer device control settings to the new policy

If you used device control with Enterprise Console 3.1 and Sophos Anti-Virus 7, your device control settings are in the Application control policy. To transfer them to the new Device control policy, which is used by computers upgraded to Endpoint Security and Control 9, use the DeviceControlMigration tool.

The DeviceControlMigration tool will create new device control policies corresponding to your application control policies that specify blocked devices, and apply them to computer groups accordingly. Your existing application control policies will remain unchanged.

To transfer device control settings from application control policies to device control policies:

1. On the computer where the Enterprise Console management server is installed, in your installation directory (usually C:\Program Files), browse to the folder Sophos\Enterprise Console.

Locate the tool DeviceControlMigration.exe and run it.

You do not need to specify any parameters to run the migration tool.

The following extra options are available:

-h

-noconfirm

-v

DescriptionOption

Displays command-line help.

Runs the tool without asking for confirmation from the user.

Displays verbose output.

Sophos Endpoint Security and Control 9 advanced upgrade guide

12 Configure new features

Role-based administration

For information about role-based administration and creating roles and sub-estates, see the section “Managing roles and sub-estates” in the Sophos Enterprise Console Help.

Data control

For information about setting up data control, see the section “ Configuring the data control policy” in the Sophos Enterprise Console Help.

Important: For data control to work after the upgrade, the endpoint computers need to be restarted after the installation of Sophos Endpoint Security and Control 9.

Set up alerting

After you have subscribed to the security software, you can set up subscription email alerts.

After you have configured new features in Enterprise Console, you can set up alerting for those features.

For more information about setting up alerts, see the section “Setting up alerts” in the Sophos Enterprise Console Help.

Sophos Endpoint Security and Control 9 advanced upgrade guide

13 Troubleshooting

13.1 NAC Manager upgrade causes errors

Use the Event Log to view additional information.

13.2 Upgrade of the NAC databases fails

If for some reason the upgrade of the NAC databases fails:

1. Delete the following NAC databases if they have been created:

■

AlertStore

■

AuditStore

■

GeneralStore

■

PolicyStore

■

ReportStore

■

SecurityStore

2. Re-attach the ReportStore and PolicyStore databases from the backup.

3. Attempt a reinstallation.

You can use the Event Log on the database server to view additional information.

13.3 Update settings could not be migrated to Sophos Update Manager

Sometimes it may not be possible to migrate the EM Library settings to Sophos Update Manager for a number of reasons, for example, because EM Library is using custom packages that cannot be migrated or EM Library is updating from a location that is not a valid update source for an update manager.

If some or all of the updating settings could not be migrated, you will need to carry out some or all of the following steps:

■

Configure subscriptions (see Subscribe to Sophos software and updates (page 38)).

■

Configure the update manager to use the subscriptions to download and distribute the software across the network (see Configure the update manager (page 39)).

■

Create new updating policies (see Create new updating policies (page 42)).

Sophos Endpoint Security and Control 9 advanced upgrade guide

13.3.1 Subscribe to Sophos software and updates

Subscriptions allow you to define what software should be downloaded from Sophos.

In a subscription, you can specify one software version for each supported platform. If you want to download several different software versions for the same platform, you will need to create several subscriptions.

Important: If you want to download Sophos Anti-Virus for NetWare, please read Sophos support knowledgebase article 59192 (http://www.sophos.com/support/knowledgebase/article/59192.html).

To subscribe to Sophos security software and updates:

1. In the Update managers view, in the Software Subscriptions pane, double-click the subscription you want to change (for example,“Recommended”), or click the Add button at the top of the pane to create a new subscription.

2. In the Software Subscription dialog box, edit the name of the subscription, if you wish.

3. Next to the platform for which you want to download software, click in the Version field, and then click again.

A drop-down list of available versions appears.

4. Select the type of update and software version you want to download (for example, “Recommended:7” for Windows 2000 or later).

Normally, you subscribe to the “Recommended” versions to ensure that your software is kept up to date automatically. To learn what other types of update are available, see Appendix: What

types of update are available? (page 44).

Important: If you select a fixed version, for example, 7.6.5, Sophos recommends that you leave selected the check box Automatically upgrade fixed version software when it is no longer supported by Sophos. Running unsupported software leaves you unprotected against new security threats.

5. Repeat steps 3 and 4 for each platform for which you want to download software.

After you have subscribed to the security software, you need to configure the update manager to maintain those subscriptions and distribute the software over the network.

You can also set up subscription email alerts. For more information about subscription email alerts, see the topic “Set up subscription alerts” in the “Setting up alerts” section of the Sophos Enterprise Console Help.

Sophos Endpoint Security and Control 9 advanced upgrade guide

13.3.2 Configure the update manager

To configure the update manager:

1. In the Update managers view, select the update manager you want to configure. Right-click and click View/Edit Configuration.

The Configure update manager dialog box appears.

2. Edit the configuration as described in the following topics.

13.3.2.1 Select an update source for the update manager

You need to select a source from which the update manager will download security software and updates for distribution across the network.

You can select several sources. If you do this, the first source in the list of the update sources you selected is the primary source. Additional sources in the list are optional alternate locations that the update manager uses if it cannot collect an update from the primary source.

The update manager at the top of the updating hierarchy, which downloads software from Sophos, must have “Sophos” as its primary source.

To select an update source:

1. In the Configure update manager dialog box, on the Sources tab, click Add.

2. In the Source details dialog box, in the Address field, enter the address of the update source. The address can be a UNC or HTTP path.

If you want to download software and updates directly from Sophos, select Sophos.

3. If necessary, in the Username and Password fields, enter the username and password for the account that will be used to access the update source.

■

If the update source is Sophos, enter the download credentials supplied by Sophos.

■

If the update source is the default update share created by an update manager located higher in the updating hierarchy, the Username and Password fields will be pre-populated.

The default update share is a UNC share \\<ComputerName>\SophosUpdate, where ComputerName is the name of the computer where the update manager is installed.

■

If the update source is a non-default update share on your network, enter credentials for the account that has read rights to the share. If the Username needs to be qualified to indicate the domain, use the form domain\username.

4. If you access the update source via a proxy server, select Use a proxy server to connect. Then enter the proxy server Address and Port number. Enter a Username and Password that give access to the proxy server. If the username needs to be qualified to indicate the domain, use the form domain\username. Click OK.

The new source appears in the list in the Configure update manager dialog box.

Sophos Endpoint Security and Control 9 advanced upgrade guide

If you are configuring an additional update manager and you have already installed an update manager on a different computer, the share where that update manager downloads software and updates will appear on the list of addresses. You can select it as a source for the update manager you are configuring. Then you can move the address that you want to be the primary one to the top of the list, using the Move up and Move down buttons to the right of the list.

13.3.2.2 Select which software to download

You need to select the subscriptions that the update manager will be using to download and distribute the software across the network.

To select a subscription or subscriptions:

1. In the Configure update manager dialog box, on the Subscriptions tab, select a subscription in the list of available subscriptions.

To view the details of the subscription, for example, what software is included in the subscription, click View details.

2. To move the selected subscription to the “Subscribed to” list, click the > button.

To move all subscriptions to the “Subscribed to” list, click the >> button.

13.3.2.3 Specify where the software is placed

After you have selected which software to download, you can specify where it should be placed on the network. By default, the software is placed in a UNC share \\<ComputerName>\SophosUpdate, where ComputerName is the name of the computer where the update manager is installed.

You can distribute downloaded software to additional shares on your network. To do this, add an existing network share to the list of available shares and then move it to the list of update shares as described below.

To specify where the software is placed:

1. In the Configure update manager dialog box, on the Distribution tab, select a software subscription from the list.

2. Select a share from the “Available” shares list and move it to the “Update to” list by clicking the > button.

The default share \\<ComputerName>\SophosUpdate is always present in the “Update to” list. You cannot remove this share from the list.

The “Available” shares list includes all the shares that Enterprise Console knows about and that are not already being used by another update manager.

You can add an existing share to or remove a share from the “Available” shares list, using the Add or Remove button.

3. If you want to enter a description for a share or credentials needed to write to the share, select the share and click Configure.

4. In the Share manager dialog box, enter the description and credentials.

The software that you have selected is downloaded to the shares that you have specified during the next scheduled update.

If you want to edit the default update schedule, see Edit an update schedule (page 41).

If you want to download the software immediately, select the update manager, right-click and click Update Now.

13.3.2.4 Edit an update schedule

By default, an update manager will check for threat detection data updates every 10 minutes. You can change this update interval. The minimum is 5 minutes. The maximum is 1440 minutes (24 hours). Sophos recommends an update interval of 10 minutes for threat detection data, so that you receive protection from new threats promptly after the detection data is published by Sophos.

By default, an update manager will check for software updates every 60 minutes. You can change this update interval. The minimum is 10 minutes. The maximum is 1440 minutes (24 hours).

For software updates, you can either specify an update interval that is used every hour of every day, or you can create more sophisticated schedules, in which each day can be specified independently and each day can be divided into periods with different update intervals.

Sophos Endpoint Security and Control 9 advanced upgrade guide

Note: You can create a different schedule for each day of the week. Only a single schedule can be associated with a day of the week.

If you want to change the default schedule:

In the Configure update manager dialog box, on the Schedule tab, enter new update intervals

■

or create a more sophisticated schedule, or different schedules for different days of the week.

You can also change the default settings for the update manager log and self-updating, if you wish. You do this by editing the settings on the Logging and Advanced tabs, respectively.

13.3.3 Publish security software on a web server

You might want to publish Sophos security software on a web server for computers to access via HTTP. If you want to install Sophos Anti-Virus for UNIX, version 4, you must do this, although you can leave this until you have downloaded Sophos Anti-Virus for UNIX, version 4 if you want to.

To publish security software on a web server:

1. To find out the path of the shared folder to which the security software has been downloaded, known as the bootstrap location:

a) In Enterprise Console, on the View menu, click Bootstrap Locations.

Sophos Endpoint Security and Control 9 advanced upgrade guide

In the Bootstrap Locations dialog box, the Location column displays the bootstrap location for each platform.

b) Make a note of the path up to but not including the CIDs folder. For example:

\\server name\SophosUpdate

2. Make the bootstrap location, including subfolders, available on the web server.

3. Specify usernames and passwords to prevent unauthorized access to this folder on the web server.

Note: The documentation for your web server should describe how to share a folder over the web and how to set up usernames and passwords for it. For more information about how to do this, contact your web server vendor.

13.3.4 Create new updating policies

If some or all of the new updating policies that correspond to the legacy updating policies could not be created during the migration to Sophos Update Manager, create them manually.

To create a new updating policy:

1. In the Endpoints view, Policies pane, right-click Updating and select Create policy.

A “New Policy” is added to the list, with its name highlighted.

2. Type a new name for the policy.

3. Double-click the new policy. In the Updating policy dialog box, click the Subscription tab and select the subscription for the software you want to keep up to date.

4. On the Primary server tab, in the Address field, accept the default or specify a different share (UNC path or web address) from which endpoint computers will usually download updates.

By default, computers update from a UNC share \\<ComputerName>\SophosUpdate, where ComputerName is the name of the computer where the update manager is installed.

Important: If you choose to use an HTTP location (for example, a web update share) or a share that is not maintained by a managed update manager, Enterprise Console will not be able to check that the software specified in the subscription policy is available at that address. You must manually ensure that the share contains the software that is specified in the subscription policy. Otherwise, computers will not be updated.

5. If you have Macs that you want to manage from Enterprise Console and you specified a UNC path in the Address field, under Mac OS-specific options, select a protocol that Macs will use to access the update share.

Sophos Endpoint Security and Control 9 advanced upgrade guide

6. If necessary, in the Username field, enter the username for the account that will be used to access the server, and then enter and confirm the password. This account should have read rights to the share you entered in the address field above.

Note: If the username needs to be qualified to indicate the domain, use the form domain\username.

7. If you access the update source via a proxy server, click Proxy details. In the Proxy details dialog box, select Access the server via a proxy. Then enter the proxy server Address and Port number. Enter a Username and Password that give access to the proxy server. If the username needs to be qualified to indicate the domain, use the form domain\username.

You can now apply this policy to a group or groups of computers to keep them up to date with your chosen security software.

You can also limit the bandwidth used, set up an alternative source for updates, or change the default schedule, logging, and initial install source details, if you wish. For more information about configuring updating policies, see the section “Configuring the updating policy” in the Sophos Enterprise Console Help.

Continue the migration as described in Configure the update manager on the Enterprise Console

computer (page 26).

Sophos Endpoint Security and Control 9 advanced upgrade guide

14 Appendix: What types of update are available?

There are several versions of the software associated with each major version of a solution (for example, Sophos Endpoint Security and Control 9) and platform (for example, Windows 2000 or later).You can choose which software version to download from Sophos for further deployment to endpoint computers by selecting an update type in the subscription.You can select among three labeled versions and three fixed versions of the software.

Labeled versions

There are three labeled versions:

DescriptionLabel

Recommended

Oldest

The version that Sophos considers to be the most appropriate for those who want the most up-to-date version of the product. Sophos normally recommends that the latest version of the endpoint software is deployed to endpoints as soon as it is released.

The version that was recommended prior to the one that currently is.

The oldest version that Sophos is still supporting with updates.

Note: Sophos may add new labels over time.

The Download Security Software Wizard sets up a subscription that specifies the recommended versions of any selected software.

When subscribed to a labeled version, for example,“recommended” or “previous”, Enterprise Console will always download the version that is labeled as such at Sophos. The actual versions downloaded will usually change each month.

Fixed versions

Fixed versions are updated with new threat detection data, but not with the latest software version each month.

If you want to evaluate new versions of the software before placing them on your main network, you may want to consider using fixed versions of the software on the main network while evaluating the new versions.

Usually, there are three fixed versions for each operating system, representing the previous three monthly releases. An example of a fixed version is Sophos Endpoint Security and Control for Windows 2000 and later, version 9.4.3.

Fixed versions are downloaded for as long as they are available from Sophos. If a fixed version is due to retire, you will see an alert in the Update managers view next to any update managers that

Sophos Endpoint Security and Control 9 advanced upgrade guide

download that version. If you configured email alerting, the administrator will also receive an email alert.

By default, when a fixed version that is being used in a subscription is retired, Enterprise Console will redefine the subscription to use the oldest fixed version that is still available.

Note: You can change that in the subscription by clearing the check box Automatically upgrade fixed version software when it is no longer supported by Sophos. Be aware, however, that running

unsupported software will leave you unprotected against new security threats. Therefore, Sophos recommends that you upgrade an unsupported version as soon as possible.

Sophos Endpoint Security and Control 9 advanced upgrade guide

15 Technical support

For technical support, visit http://www.sophos.com/support.

If you contact technical support, provide as much information as possible, including the following:

■

Sophos software version number(s)

■

Operating system(s) and patch level(s)

■

The exact text of any error messages

16 Copyright

Copyright © 2009 Sophos Group.All rights reserved. No part of this publication may be reproduced, stored in a retrieval system, or transmitted, in any form or by any means, electronic, mechanical, photocopying, recording or otherwise unless you are either a valid licensee where the documentation can be reproduced in accordance with the licence terms or you otherwise have the prior permission in writing of the copyright owner.

Sophos and Sophos Anti-Virus are registered trademarks of Sophos Plc and Sophos Group. All other product and company names mentioned are trademarks or registered trademarks of their respective owners.

The Sophos software that is described in this document includes or may include some software programs that are licensed (or sublicensed) to the user under the Common Public License (CPL), which, among other rights, permits the user to have access to the source code. The CPL requires for any software licensed under the terms of the CPL, which is distributed in object code form, that the source code for such software also be made available to the users of the object code form. For any such software covered under the CPL, the source code is available via mail order by submitting a request to Sophos; via email to support@sophos.com or via the web at

http://www.sophos.com/support/queries/enterprise.html. A copy of the license agreement for any

such included software can be found at http://opensource.org/licenses/cpl1.0.php

Sophos Endpoint Security and Control 9 advanced upgrade guide

ACE™, TAO™, CIAO™, and CoSMIC

ACE1, TAO2, CIAO3, and CoSMIC4 (henceforth referred to as “DOC software”) are copyrighted by Douglas C. Schmidt5 and his research group6 at Washington University7, University of California8, Irvine, and Vanderbilt University9, Copyright © 1993–2005, all rights reserved.

Since DOC software is open-source10, free software, you are free to use, modify, copy, and distribute–perpetually and irrevocably–the DOC software source code and object code produced from the source, as well as copy and distribute modified versions of this software. You must, however, include this copyright statement along with code built using DOC software.

You can use DOC software in commercial and/or binary software releases and are under no obligation to redistribute any of your source code that is built using DOC software. Note, however, that you may not do anything to the DOC software code, such as copyrighting it yourself or claiming authorship of the DOC software code, that will prevent DOC software from being distributed freely using an open-source development model.You needn’t inform anyone that you’re using DOC software in your software, though we encourage you to let us11 know so we can promote your project in the DOC software success stories12.

DOC software is provided as is with no warranties of any kind, including the warranties of design, merchantability, and fitness for a particular purpose, noninfringement, or arising from a course of dealing, usage or trade practice. Moreover, DOC software is provided with no support and without any obligation on the part of Washington University, UC Irvine, Vanderbilt University, their employees, or students to assist in its use, correction, modification, or enhancement. A number of companies13 around the world provide commercial support for DOC software, however. DOC software is Y2K-compliant, as long as the underlying OS platform is Y2K-compliant.

™

Sophos Endpoint Security and Control 9 advanced upgrade guide

Washington University, UC Irvine, Vanderbilt University, their employees, and students shall have no liability with respect to the infringement of copyrights, trade secrets or any patents by DOC software or any part thereof. Moreover, in no event will Washington University, UC Irvine, or Vanderbilt University, their employees, or students be liable for any lost revenue or profits or other special, indirect and consequential damages.

The ACE14, TAO15, CIAO16, and CoSMIC17 web sites are maintained by the DOC Group18 at the Institute for Software Integrated Systems (ISIS)19 and the Center for Distributed Object Computing of Washington University, St. Louis20 for the development of open-source software as part of the open-source software community21. By submitting comments, suggestions, code, code snippets, techniques (including that of usage), and algorithms, submitters acknowledge that they have the right to do so, that any such submissions are given freely and unreservedly, and that they waive any claims to copyright or ownership. In addition, submitters acknowledgethat any such submission might become part of the copyright maintained on the overall body of code, which comprises the DOC software. By making a submission, submitter agree to these terms. Furthermore, submitters acknowledge that the incorporation or modification of such submissions is entirely at the discretion of the moderators of the open-source DOC software projects or their designees.

The names ACE, TAO, CIAO, CoSMIC, WashingtonUniversity, UC Irvine, and Vanderbilt University, may not be used to endorse or promote products or services derived from this source without express written permission from Washington University, UC Irvine, or Vanderbilt University. Further, products or services derived from this source may not be called ACE, TAO, CIAO, or CoSMIC nor may the name Washington University, UC Irvine, or Vanderbilt University appear in their names, without express written permission from Washington University, UC Irvine, and Vanderbilt University.

If you have any suggestions, additions, comments, or questions, please let me22 know.

Douglas C. Schmidt

The ACE home page is http://www.cs.wustl.edu/ACE.html

References

1. http://www.cs.wustl.edu/~schmidt/ACE.html

2. http://www.cs.wustl.edu/~schmidt/TAO.html

3. http://www.dre.vanderbilt.edu/CIAO/

4. http://www.dre.vanderbilt.edu/cosmic/

5. http://www.dre.vanderbilt.edu/~schmidt/

6. http://www.cs.wustl.edu/~schmidt/ACE-members.html

7. http://www.wustl.edu/

8. http://www.uci.edu/

9. http://www.vanderbilt.edu/

10. http://www.the-it-resource.com/Open-Source/Licenses.html

11. mailto:doc_group@cs.wustl.edu

12. http://www.cs.wustl.edu/~schmidt/ACE-users.html

13. http://www.cs.wustl.edu/~schmidt/commercial-support.html

Sophos Endpoint Security and Control 9 advanced upgrade guide

14. http://www.cs.wustl.edu/~schmidt/ACE.html

15. http://www.cs.wustl.edu/~schmidt/TAO.html

16. http://www.dre.vanderbilt.edu/CIAO/

17. http://www.dre.vanderbilt.edu/cosmic/

18. http://www.dre.vanderbilt.edu/

19. http://www.isis.vanderbilt.edu/

20. http://www.cs.wustl.edu/~schmidt/doc-center.html

21. http://www.opensource.org/

22. mailto:d.schmidt@vanderbilt.edu

23. http://www.dre.vanderbilt.edu/~schmidt/

OpenSSL cryptographic toolkit

The OpenSSL toolkit stays under a dual license, i.e. both the conditions of the OpenSSL License and the original SSLeay license apply to the toolkit. See below for the actual license texts.Actually both licenses are BSD-style Open Source licenses. In case of any license issues related to OpenSSL please contact openssl-core@openssl.org.

OpenSSL license

Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:

1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.

2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.

3. All advertising materials mentioning features or use of this software must display the following acknowledgment:

“This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit. (http://www.openssl.org/)”

4. The names “ OpenSSL Toolkit” and “OpenSSL Project” must not be used to endorse or promote products derived from this software without prior written permission. For written permission, please contact openssl-core@openssl.org.

5. Products derived from this software may not be called “OpenSSL” nor may “OpenSSL” appear in their names without prior written permission of the OpenSSL Project.

6. Redistributions of any form whatsoever must retain the following acknowledgment:

“This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit (http://www.openssl.org/)”

THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT “AS IS” AND ANY EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE

Sophos Endpoint Security and Control 9 advanced upgrade guide

DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

This product includes cryptographic software written by Eric Young (eay@cryptsoft.com). This product includes software written by Tim Hudson (tjh@cryptsoft.com).

Original SSLeay license

This package is an SSL implementation written by Eric Young (eay@cryptsoft.com). The implementation was written so as to conform with Netscape’s SSL.

This library is free for commercial and non-commercial use as long as the following conditions are adhered to. The following conditions apply to all code found in this distribution, be it the RC4, RSA, lhash, DES, etc., code; not just the SSL code. The SSL documentation included with this distribution is covered by the same copyright terms except that the holder is Tim Hudson (tjh@cryptsoft.com).

Copyright remains Eric Young’s, and as such any Copyright notices in the code are not to be removed. If this package is used in a product, Eric Young should be given attribution as the author of the parts of the library used. This can be in the form of a textual message at program startup or in documentation (online or textual) provided with the package.

Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:

1. Redistributions of source code must retain the copyright notice, this list of conditions and the following disclaimer.

3. All advertising materials mentioning features or use of this software must display the following acknowledgement:

“This product includes cryptographic software written by Eric Young (eay@cryptsoft.com)”

The word “cryptographic” can be left out if the routines from the library being used are not cryptographic related :-).

4. If you include any Windows specific code (or a derivative thereof) from the apps directory (application code) you must include an acknowledgement:

“This product includes software written by Tim Hudson (tjh@cryptsoft.com)”

Sophos Endpoint Security and Control 9 advanced upgrade guide

THIS SOFTWARE IS PROVIDED BY ERIC YOUNG “AS IS” AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

The licence and distribution terms for any publically available version or derivative of this code cannot be changed. i.e. this code cannot simply be copied and put under another distribution licence [including the GNU Public Licence.]

Sophos Endpoint Security and Control 9 advanced upgrade guide

Index

applying updating policies 27

backing up Enterprise Console database 9 backing up NAC databases 8

checking EM Library settings 8 checking policies 34 Compliance Dissolvable Agent

upgrading 17 configuring new features 36 creating updating policies 42

data control 36 device control

transferring settings 35

endpoint software

upgrading 29 Enterprise Console

upgrading 11

upgrading database 15

upgrading management server 18

upgrading remote console 19 Enterprise Console database

backing up 9

populating 15

restoring 9

upgrading 15

installers

downloading 13

installing SQL Server 2005 Express Edition

do I have to? 14 reasons for 14

labeled software versions 44

maintenance mode 13, 18 migrating to Sophos Update Manager 20, 21

additional libraries 26 key steps 21 troubleshooting problems with 37

NAC Application Server

upgrading 16

NAC databases

backing up 8 upgrade failure 37

NAC Manager

upgrade errors 37 upgrading 11 upgrading NAC Application Server 16 upgrading NAC databases 13

NAC Manager maintenance mode

putting in 13 taking out of 18

new features 4

configuring 36 data control 36 role-based administration 36

fixed software versions 44

populating Enterprise Console database 15 preparing for upgrade 8

backing up Enterprise Console database 9 backing up NAC databases 8

Sophos Endpoint Security and Control 9 advanced upgrade guide

preparing for upgrade (continued)

checking EM Library settings 8 publishing software on a web server 41

restoring Enterprise Console database 9 role-based administration 36

selecting software 40 software

selecting 40 software distribution 40 Sophos Update Manager

installing 24

migrating to 21

migration report 25 subscribing to new software 29 subscribing to software 31 subscribing to software and updates 38 subscriptions

adding in update manager 31

changing 30

copying 31

creating 31

duplicating 31

editing 30 system requirements 5

testing update shares 27 testing updating policies 27 transferring device control settings 35 troubleshooting

NAC databases upgrade failure 37

troubleshooting (continued)

NAC Manager upgrade errors 37

types of update 44

update manager

adding subscriptions 31 configuring 39 installing 24 migrating to 21 migration report 25 on the Enterprise Console computer 26 scheduling 41 selecting update source 39

software distribution 40 update schedule 41 update shares

testing 27 update source 39

web server 41 updating

fixed software versions 44

labeled software versions 44

publishing software on a web server 41

types 44 updating policies

applying 27

configuring 32

creating 42

testing 27 upgrade overview 6 upgrading endpoint computers

overview 29 upgrading endpoint software 29, 33 upgrading Enterprise Console 11 upgrading NAC Manager 11

Sophos Endpoint Security upgrade guide

Specifications and Main Features

Frequently Asked Questions

User Manual

Contents

1 About this guide

2 What's new?

3 System requirements

4 Upgrade overview

5 Prepare for upgrade

5.1 Check EM Library settings

5.2 Back up the NAC databases

5.3 Back up the Enterprise Console database

5.3.1 Restore the Enterprise Console database

6 Upgrade NAC Manager and Enterprise Console

6.1 Download the installers

6.2 Put NAC in maintenance mode

6.3 Upgrade the NAC databases

6.4 Do I need to install SQL Server 2005 Express Edition manually?

6.5 Upgrade the Enterprise Console database

6.5.1 Populate the Enterprise Console database manually

6.6 Upgrade the NAC Application Server

6.7 Upgrade the Web Agent

6.8 Take NAC out of maintenance mode

6.9 Upgrade the Enterprise Console management server

6.10 Upgrade an Enterprise Console remote console

8 Migrate to Sophos Update Manager

8.1 What are the key steps in migration?

8.2 Install Sophos Update Manager

8.3 View the update manager's migration report

8.4 Configure the update manager on the Enterprise Console computer

8.5 Migrate additional managed libraries

8.6 Test the new update share or shares

8.7 Apply the new updating policies to the computers

9 Upgrade the security software on endpoint computers

9.1 About upgrading endpoint computers

9.2 Subscribe to new endpoint software

9.2.1 Change an existing software subscription

9.2.2 Create a new software subscription

9.3 Add a subscription in the update manager

9.4 Configure updating policies

9.5 Upgrade security software on Windows computers

10 Check existing policies

11 Transfer device control settings to the new policy

12 Configure new features

13 Troubleshooting

13.1 NAC Manager upgrade causes errors

13.2 Upgrade of the NAC databases fails

13.3 Update settings could not be migrated to Sophos Update Manager

13.3.1 Subscribe to Sophos software and updates

13.3.2 Configure the update manager

13.3.2.1 Select an update source for the update manager

13.3.2.2 Select which software to download

13.3.2.3 Specify where the software is placed

13.3.2.4 Edit an update schedule

13.3.3 Publish security software on a web server

13.3.4 Create new updating policies

14 Appendix: What types of update are available?

15 Technical support

16 Copyright

Index