
Agent Deployment Guide
Copyright © 2010 Sophos Limited. All rights reserved. No part of this publication may be reproduced, stored in
retrieval system, or transmitted, in any form or by any means electronic, mechanical, photocopying, recording or
otherwise unless you are either a valid licensee where the documentation can be reproduced in accordance with the
licence terms or you otherwise have the prior permission in writing of the copyright owner.
Sophos and Sophos Anti-Virus are registered trademarks of Sophos Limited. All other product and company names
are trademarks or registered trademarks of their respective owners.
Document version 3.2
Published December 2010
Table of Contents
Agent Deployment Methods
  Agent Install Parameters
  Group Policy Logon Script
  PsExec
  Troubleshooting
Agent Deployment Methods
This document provides information on how to deploy the Sophos Compliance Agent using either Group Policy
Logon scripts or the Microsoft Sysinternals PsExec tool (http://technet.microsoft.com/en-us/sysinternals/bb897553.aspx).
If the installation is meant to be silent, then all parameters must be passed to the installer as additions to the
MSI installation command. If these parameters are not set properly, then the Agent will prompt the user for any
information that was not set properly.
This document also provides information on how to use PsExec to push and install the Agent from the Compliance
Application Server. With this method, you will need a list of IP addresses that you want to install to, as well as an
Administrator’s account that has full access on each of the computers. Using PsExec, the MSIExec attributes will
be pushed to each computer in order to complete the installation process.
It is important to note that it is also possible to install the Agent using other tools such as SMS, CA Unicenter, and
many more. However, this guide is meant to show how to install the Agent using two free, commonly-used tools.
Important: We recommend that only knowledgeable GPO users use this guide since doing something wrong can
have undesired and potentially disastrous results.
Agent Install Parameters
Agent parameters must be passed with the installation command to force the Agent to remain silent to the end user
and install successfully. The Agent installation parameters are described in further detail in the NAC
Advanced Installation Guide, located at:
http://www.sophos.com/sophos/docs/eng/instguid/nacadv_32_seng.pdf
Here is the list of possible parameters and the expected criteria for each:
AGENT_SERVER – This parameter specifies the IP or DNS Name of the server.
AGENT_INSTALLTYPE – Specifies the “Continuous” or “Quarantine” Agent, with “Quarantine” as the default.
AGENT_SERVERMODE – Can be set to “HTTP” or “HTTPS”, with “HTTPS” as the default.
AGENT_SETTINGS – This parameter should be used when utilizing the single sign-on feature, with the value
“Register=usecomputerlogon”.
AGENT_DHCPCLASS – Used to specify the User Class on the machine. This setting is usually used when the
DHCP server doesn’t support the DHCP Enforcer.
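One way to assemble and validate the silent install command from the parameters listed above, as an added example that is not Sophos code and not part of the original guide. The function name, the MSI path (a placeholder) and the character restrictions on the server name and DHCP class are assumptions; the property names, allowed values and defaults are the ones this guide lists.

```powershell
# Added example (not Sophos code). Property names, allowed values and defaults
# are the ones listed in this guide; everything else is an assumption.
function New-AgentInstallArguments {
    param(
        [Parameter(Mandatory = $true)][string]$MsiPath,   # placeholder path to the Agent MSI
        [Parameter(Mandatory = $true)][string]$Server,    # AGENT_SERVER: IP or DNS name
        [ValidateSet('Continuous', 'Quarantine')]
        [string]$InstallType = 'Quarantine',              # default per this guide
        [ValidateSet('HTTP', 'HTTPS')]
        [string]$ServerMode = 'HTTPS',                    # default per this guide
        [switch]$UseComputerLogon,                        # single sign-on
        [string]$DhcpClass                                # optional DHCP User Class
    )

    # Assumed conservative character sets: values end up on a command line, so
    # refuse anything that could close a quote or smuggle in another switch.
    if ($MsiPath -match '"') { throw 'MsiPath must not contain a double quote.' }
    if ($Server -notmatch '^[A-Za-z0-9.-]+$') {
        throw "AGENT_SERVER is not an IP address or DNS name: '$Server'"
    }
    if ($DhcpClass -and $DhcpClass -notmatch '^[A-Za-z0-9_.-]+$') {
        throw "AGENT_DHCPCLASS contains unexpected characters: '$DhcpClass'"
    }
    if ($ServerMode -eq 'HTTP') {
        Write-Warning 'AGENT_SERVERMODE=HTTP sends Agent traffic unencrypted; HTTPS is the default.'
    }

    # /i = install, /qn = no user interface. Server, install type and mode are
    # always written out, even when they equal the defaults.
    $msiArgs = @(
        '/i', ('"{0}"' -f $MsiPath), '/qn',
        "AGENT_SERVER=$Server",
        "AGENT_INSTALLTYPE=$InstallType",
        "AGENT_SERVERMODE=$ServerMode"
    )
    if ($UseComputerLogon) { $msiArgs += 'AGENT_SETTINGS="Register=usecomputerlogon"' }
    if ($DhcpClass)        { $msiArgs += "AGENT_DHCPCLASS=$DhcpClass" }
    return ($msiArgs -join ' ')
}

# Constructed sample values; the share and file name are placeholders.
$line = New-AgentInstallArguments -MsiPath '\\fileserver.example\deploy\AGENT_INSTALLER_PLACEHOLDER.msi' `
    -Server 'nac.example.com' -UseComputerLogon
"msiexec.exe $line"
```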
Group Policy Logon Script
To install the Agent on each of the machines using Group Policy Object (GPO), you will need to create a script to
set the command line parameters for the installer. Additionally, you must include logic to determine if the Agent is
already installed. If you do not include the logic to determine installed status, the script will try to install the Agent
each time the user logs in.
In this example, we are creating a VBScript that can run when the user logs in. The script will check for the
existence of the Agent, and if the Agent is not present, it will run the installation. The GPO logon script should be
located on the Domain Controller in a location (the shared SysVol location) that all of the client computers can
reach. If a computer cannot reach the script’s location, then the script will not run and the Agent will not be
installed on that computer.