How it Works
Sophos
Loading...
ENDPOINT SECURITY
network startup guide
68 pgs1.38 Mb0
Quick start guide
9 pgs571.5 Kb0
quick upgrade guide
9 pgs388.17 Kb0
upgrade guide
53 pgs1.48 Mb0
User Manual
54 pgs1.29 Mb0
user manual
51 pgs1.72 Mb0
user manual
9 pgs572.96 Kb0
Table of contents
Loading...

Sophos Endpoint Security upgrade guide

Sophos Endpoint Security and Control 9
advanced upgrade guide
Describes upgrading to:
Sophos Enterprise Console version 4.0
Sophos NAC version 3.3
Sophos Endpoint Security and Control version 9.0
Document date: September 2009

Contents

4 Upgrade overview.....................................................................................................................................6
5 Prepare for upgrade..................................................................................................................................8
6 Upgrade NAC Manager and Enterprise Console..................................................................................11
7 Do I need to migrate to Sophos Update Manager manually?...............................................................20
9 Upgrade the security software on endpoint computers........................................................................29
10 Check existing policies..........................................................................................................................34
11 Transfer device control settings to the new policy..............................................................................35
14 Appendix: What types of update are available?...................................................................................44
2
Sophos Endpoint Security and Control 9 advanced upgrade guide

1 About this guide

This guide tells you how to upgrade:
Sophos NAC Manager from version 3.1 to version 3.3.
Sophos Enterprise Console from version 3.x to version 4.0.
Sophos Anti-Virus and Sophos Client Firewall to Sophos Endpoint Security and Control 9.0.
This guide is for you if some or all of the following statements apply:
You have Enterprise Console and NAC Manager components installed on different servers.
You have Enterprise Console and EM Library installed on different servers.
You use a non-default SQL Server instance for Sophos database.
You use a non-default EM Library configuration.
An error occurred during the upgrade and you need to configure the software manually.
If you have all Enterprise Console and NAC Manager components installed on a single server, or on two servers where one is dedicated to Enterprise Console and the other is dedicated to NAC, see the Sophos Endpoint Security and Control quick upgrade guide.
Endpoint Security and Control documents are available from
http://www.sophos.com/support/docs/Endpoint_Security_Control-all.html.
3
Sophos Endpoint Security and Control 9 advanced upgrade guide

2 What's new?

This section describes the key new features in the Sophos security software. For a full list and more detailed description of new features, see the Release Notes.
Enterprise Console 4.0
Enterprise Console has these key new features:
An integrated tool for downloading updates (Sophos Update Manager).
Role-based administration, which enables you to specify how other users can use the console.
Data control, which enables you to reduce accidental data loss from workstations.
Device control, which enables you to prevent users from using unauthorized external storage
devices and wireless connection technologies.
NAC Manager 3.3
NAC Manager has these key new features:
New Dissolvable Agent that does not require guest users to be logged on to their computers
with administrator privileges to access the network.
Simplified DHCP (Dynamic Host Configuration Protocol) enforcement to ensure that
computers comply with health standards before they can access the network.
Enhanced assessment of whether computers are protected by Sophos Anti-Virus and Sophos
Client Firewall.
Assessment of whether computers are protected by encryption.
Sophos Endpoint Security and Control 9.0
This replaces Sophos Anti-Virus and Sophos Client Firewall. It also provides the data control and device control functions that you manage from Enterprise Console.
4
Sophos Endpoint Security and Control 9 advanced upgrade guide

3 System requirements

For a full list of system requirements, see the system requirements page of the Sophos website (http://www.sophos.com/products/all-sysreqs.html).
Note: Sophos Enterprise Console 4.0 installation requires the following:
Microsoft®Windows® Installer (MSI) version 3.1
Microsoft .NET Framework version 2.0 SP1 (2.1.21022)
SQL Server 2005 Express Edition
If you do not have these (or later) versions of the software, the Enterprise Console installer will install them for you. You may need to restart your computer after that.
5
Sophos Endpoint Security and Control 9 advanced upgrade guide

4 Upgrade overview

This guide describes upgrading of a distributed installation of Enterprise Console and NAC Manager. The following example shows a distributed installation where:
Enterprise Console Management Server and NAC Application Server are installed on different computers.
Enterprise Console and NAC databases are on a dedicated database server and attached to the same, default MSDE instance SOPHOS.
EM Library and Enterprise Console are installed on different computers.
Figure 1: Example of a distributed installation of Enterprise Console and NAC Manager
6
Sophos Endpoint Security and Control 9 advanced upgrade guide
What are the key steps?
Upgrading of such installation involves the following steps:
Prepare for upgrade (check EM Library settings to avoid migration errors, back up the
databases).
Upgrade NAC Manager and Enterprise Console.
Important: It is important that you upgrade NAC Manager before upgrading Enterprise Console. Otherwise, NAC Manager will be put into an unsupported state.
Migrate to Sophos Update Manager.
Upgrade endpoint software.
Check existing policies.
If you use device control, transfer device control settings from the Application control policy
to the new Device control policy.
Set up new policies and features (for example, data control or role-based administration).
For a detailed description of each step, see the following sections.
7
Sophos Endpoint Security and Control 9 advanced upgrade guide

5 Prepare for upgrade

Before you upgrade your Sophos Endpoint Security and Control management software and migrate to the new Sophos updating technology, Sophos Update Manager, do the following:
Check that your existing updating component, EM Library, is not using any packages that are no longer maintained on its parent.
This is to ensure that no migration errors occur when the migration wizard cannot find a non-existent package.
Back up your Enterprise Console and NAC databases.
If for some reason the upgrade is unsuccessful, you will need to recover your system to its previous state from your backup.

5.1 Check EM Library settings

To check that EM Library is not using packages that are no longer maintained on its parent:
1. In Enterprise Console, click the Libraries icon on the toolbar.
The Sophos EM Library window is displayed. The Configuration view is open by default.
2. Look in the “Notifications” pane (lower-right corner).
If EM Library is using a package that is no longer maintained on the parent, you will see the following warning:
Warning: You have a package in use that is no longer maintained on the parent. Click "Select packages" and subscribe to another package.
3. If you have a package that is no longer maintained, subscribe to another package that contains a more up-to-date version of the software or unsubscribe from the package if you no longer use it.
For information about upgrading, see the knowledgebase article “How to upgrade to the new Endpoint Security and Control products (http://www.sophos.com/support/knowledgebase/article/14844.html).

5.2 Back up the NAC databases

Using your SQL Server Management Console, back up the ReportStore and PolicyStore
databases.
If the NAC Manager databases are not upgraded successfully, you will need these backups to restore NAC reporting and policy information.
8
Sophos Endpoint Security and Control 9 advanced upgrade guide

5.3 Back up the Enterprise Console database

Before you start upgrading, make sure you have a valid, complete backup of your Sophos Enterprise Console installation. Make sure you can recover the system from the backup. If for some reason the upgrade fails, you will need to recover your Sophos Enterprise Console system to its previous state from your backup.
Note: The default installation folder for the database is C:\Program files\Microsoft SQL Server\MSSQL$SOPHOS.
To back up Enterprise Console database:
1. On the computer where the Enterprise Console database is installed, create a folder where you want to place the database backup, for example, C:\SECBackups.
2. Open command prompt and browse to the Sophos installation directory, usually C:\Program Files\Sophos\Enterprise Console\DB.
3. Type the command in the format:
BackupDB C:\SECBackups\SOPHOS3.bak
If the SQL Server instance is anything other than SOPHOS, run the batch file with the name of the SQL Server instance, for example:
BackupDB C:\SECBackups\SOPHOS3.bak MySQLServerInstance
4. Export the following registry key:
HKLM\SOFTWARE\Sophos\Certification Manager
You are ready to upgrade Sophos Enterprise Console.

5.3.1 Restore the Enterprise Console database

If you need to restore the installation to its previous state, follow these steps:
1. Restore the database to the instance you use.
The default SQL Server instance is SOPHOS.
a) On the computer where the Enterprise Console database is installed, open command prompt
and navigate to the Sophos installation directory, usually C:\Program Files\Sophos\Enterprise Console\DB.
b) Type the command in the format:
RestoreDB C:\SECBackups\SOPHOS3.bak
If the SQL Server instance is anything other than SOPHOS, run the batch file with the name of the SQL Server instance, for example:
RestoreDB C:\SECBackups\SOPHOS3.bak MySQLServerInstance
9
Sophos Endpoint Security and Control 9 advanced upgrade guide
2. Import the following registry key:
HKLM\SOFTWARE\Sophos\Certification Manager
10
Sophos Endpoint Security and Control 9 advanced upgrade guide

6 Upgrade NAC Manager and Enterprise Console

Important: It is important that you upgrade Sophos NAC Manager before upgrading Sophos Enterprise Console. Otherwise, NAC Manager will be put into an unsupported state.
What are the key steps?
Upgrading NAC Manager and Enterprise Console on different computers involves the following key steps:
Download the installers from Sophos.
Put NAC Manager 3.1 in maintenance mode.
Upgrade NAC databases from version 3.1 to version 3.3.
Install SQL Server 2005 Express Edition on the database server, if you need to. For more
information, see Do I need to install SQL Server 2005 Express Edition manually? (page 14).
Upgrade Enterprise Console database from version 3.1 or 3.1.1 to version 4.0.
You can choose to populate the database manually, if you wish.
Upgrade NAC Application Server from version 3.1 to version 3.3.
If you use Sophos Web Agent, upgrade it to the new Compliance Dissolvable Agent.
Take NAC Manager out of maintenance mode.
Upgrade Enterprise Console management server from version 3.1 or 3.1.1 to version 4.0.
If you have an Enterprise Console remote console, upgrade it.
The following diagram shows the upgrade process.
11
Sophos Endpoint Security and Control 9 advanced upgrade guide
12
Figure 2: Upgrading Sophos Enterprise Console (SEC), version 3.x to version 4, and Sophos NAC, version 3.1 to version 3.3
Sophos Endpoint Security and Control 9 advanced upgrade guide

6.1 Download the installers

1. Go to http://www.sophos.com/support/updates/.
2. Type your MySophos username and password.
3. On the web page for Endpoint Security and Control downloads, download the Enterprise Console installer.
4. Download the NAC Manager installer.
5. Download the Sophos Compliance Dissolvable Agent installer.
6. Ensure that the installers are in a location that can be accessed from the servers on which you want to install the software.
Alternatively, copy them to a CD or DVD.

6.2 Put NAC in maintenance mode

To put NAC in maintenance mode, use the Maintenance Mode tool.
From the command prompt on the NAC Application Server, go to the Program
Files\Sophos\NAC\Support Tools directory, and then type:
MaintMode.exe /start
You do not need to put NAC databases in maintenance mode. However, you have to ensure that the upgrade is not taking place at the same time as database purging, which is set to occur every morning at 2:30 A.M. (system time).

6.3 Upgrade the NAC databases

To upgrade the NAC databases:
1. Log on as an administrator or domain administrator, as appropriate, at the computer where the databases are installed.
2. Locate the NAC Manager installer that you downloaded earlier and double-click it.
An installation wizard starts.
3. Click Install.
4. On the Welcome page of the wizard, click Next.
5. On the Select Features page, select the Advanced option.
6. Clear all check boxes, and then select the Sophos NAC Databases check box. Click Next.
If you want to change the directory where the scripts that create the NAC databases are installed, click Browse. If you want to change the SQL Server instance that NAC will use, click Select. The Select button only appears when the NAC installer detects more than one SQL Server instance.
13
Sophos Endpoint Security and Control 9 advanced upgrade guide
7. Type the Service Account Information in the appropriate fields. Click Next.
You created this service account on the domain controller as part of the initial Sophos NAC installation.
8. Type your Sophos download account details in the appropriate fields. Click Next.
The username and password entered during the NAC installation must match those provided to you by Sophos. If you entered them incorrectly during the NAC installation, you can correct them on the NAC Manager Download Account Details page.
9. On the Ready to Install dialog box, click Install to begin the installation.
The NAC databases are configured, and the installation progress displays. A portion of the installation takes several minutes, during which time the progress indicator may not move. Do not cancel the installation, and it will progress.
10. Click Finish.
Important: If an installation error occurs or the upgrade of the NAC databases fails, see
Troubleshooting (page 37).

6.4 Do I need to install SQL Server 2005 Express Edition manually?

Your SQL Server will be upgraded automatically if:
You use SQL Server 2000 Desktop Engine (MSDE), and
The default SQL Server instance is SOPHOS.
In this case MSDE will be replaced with SQL Server 2005 Express Edition automatically during the upgrade of the Enterprise Console database.
Your existing SQL Server version will not change if:
You use SQL Server 2005 or later.
SQL Server 2005 or later satisfies the Sophos Enterprise Console 4 database requirements.Your existing SQL Server version will continue to be used after the upgrade.
You need to install SQL Server 2005 Express Edition manually if:
You use SQL Server 2000 (not MSDE) or earlier, and/or
The Enterprise Console database is attached to a non-default SQL Server instance (not SOPHOS).
If this is the case, install SQL Server 2005 Express Edition on the computer where the Enterprise Console database is installed. You can download SQL Server 2005 Express Edition from the Microsoft website.
14
If you do not want to upgrade SQL Server now, you can use the Enterprise Console 4 database with your current version of SQL Server. However, SQL Server 2005 Express Edition provides
Sophos Endpoint Security and Control 9 advanced upgrade guide
better scalability and a larger maximum database size (4 GB as compared to 2 GB for MSDE) and therefore Sophos recommends upgrading to it.

6.5 Upgrade the Enterprise Console database

To upgrade the Enterprise Console database:
1. Log on as an administrator or domain administrator, as appropriate, at the computer where the database is installed.
2. Close any open Sophos applications.
3. Locate the Enterprise Console installer that you downloaded earlier and double-click it.
4. Follow the instructions in the Sophos Enterprise Console InstallShield Wizard.
5. When asked, select whether you want to populate the database now or later (for example, if you want to preview the scripts before running them on your database).
Populate database now - leave this option selected if you want the installer to create tables and stored procedures in the database.
Populate database later - select this option to create scripts you will use to populate the database later. Script files will be created in your installation directory, usually C:\Program Files\Sophos\Enterprise Console\DB.
6. On the Ready to Install page of the wizard, click Install.
A new database SOPHOS4 is installed alongside the old database. There is no data in the new database yet. The management server is still using the old database.
If you selected Populate database later on the Database Population page, upgrade the database manually as described in Populate the Enterprise Console database manually (page 15).
If you accepted the default, Populate database now, go to Upgrade the NAC Application Server (page 16).
Note: If the database contains a significant number of alerts, it may take some time for the console to display information about managed computers when you start the console for the first time after the upgrade.

6.5.1 Populate the Enterprise Console database manually

If you chose to preview the database scripts before running them on your database and populate the database later, the script files were created in your installation directory, usually C:\Program Files\Sophos\Enterprise Console\DB. After you have reviewed the scripts, populate the database and move the data from the old database to the new database.
15
Sophos Endpoint Security and Control 9 advanced upgrade guide
To populate the database, use the batch file InstallDB.bat. It calls the .sql scripts which create tables and stored procedures in the database.
1. Go to the computer where the Enterprise Console management server is installed. Go to Control Panel, Administrative tools, Services and stop the Sophos Management Service process.
2. At the computer where you installed the database, open Command Prompt and browse to the directory <Installation Drive>:\Program Files\Sophos\Enterprise Console\DB.
3.
Locate the batch file InstallDB.bat and run it.
If the SQL Server instance is called SOPHOS, you do not need to specify any parameters.
If the SQL Server instance is anything other than SOPHOS, run the batch file with the name of the SQL Server instance, for example:
InstallDB.bat MyServer\MySQLInstance
If installing on a default, unnamed instance of SQL Server, enter
InstallDB.bat (local)
If the computer is a domain controller, you will also need to specify the name of the domain that it controls. For example:
InstallDB.bat MyServer\MySQLInstance domainname
This will create all the tables and stored procedures in the new database SOPHOS4.

6.6 Upgrade the NAC Application Server

To upgrade the NAC Application Server:
1. On the computer where you want to install the NAC Application Server, run the NAC Manager installer.
An installation wizard starts.
2. Click Install.
3. On the Welcome page, click Next.
4. Do one of the following:
If you see the following message, click OK.
Only the Sophos NAC Application Server can be installed. To install the Sophos NAC Application Server, click OK.
Then, on the Select Features page, click Next.
If the Select Features page appears, select the Advanced option button. Clear all check boxes, and then select the Sophos NAC Application Server check box. Click Next.
16
If you want to change the directory where the NAC Manager files are installed, click Browse.
Loading...
+ 37 hidden pages
Buy Points How it Works FAQ Contact Us Questions and Suggestions Privacy Policy Cookie Policy Terms of Use