Sophos Endpoint Security

and Control
on-premise installation
best practice guide
Endpoint Security and Control 10
Enterprise Console 5

Document date: May 2014

Contents

1 About this guide........................................................................................................................................3

2 What software is installed as part of Endpoint Security and Control?..................................................4

3 What features require planning?..............................................................................................................5

4 General installation planning considerations..........................................................................................6

5 Main installation scenarios.......................................................................................................................7

6 Additional configurations.......................................................................................................................16

7 Technical support....................................................................................................................................20

8 Legal notices............................................................................................................................................21

2
 on-premise installation best practice guide

1 About this guide

This guide is for you if you are a network administrator who will be installing Enterprise Console
and Endpoint Security and Control on your company network. The guide is designed to answer
your preliminary questions and suggest the ways that Endpoint Security and Control can be best
adapted for your network. It begins with a few general questions to set the context and then
describes more specific network scenarios.
For more detailed advice on installing and configuring Enterprise Console and Endpoint Security
and Control, see Best Practices for Endpoint Security and Control.

3
Sophos Endpoint Security and Control

2 What software is installed as part of Endpoint Security

and Control?
The Endpoint Security and Control on-premise option includes the following software:
■ Management console: Enterprise Console.
■ Anti-virus and other software on your endpoint computers: Endpoint Security and Control
(Sophos Anti-Virus, Client Firewall, software to handle updates and messaging, etc.).
■ Management database that stores information about the configuration of your endpoint
computers.
■ Management server (and management service) that handle communications between the
console, the database, and the endpoint computers.

4
 on-premise installation best practice guide

3 What features require planning?

3.1 Installation locations and methods

The location of the management database, management server and management consoles can be
customized to suit your needs. For instance you could install:
■ All components on the same server – this is referred to as a "standard" or "default" installation
throughout our documentation.
■ Each component on a separate server.
■ Only the databases on a separate server, possibly on a dedicated SQL cluster.
■ Enterprise Console on your local computer and the other components on a separate server.
■ The whole product on VMWare to be managed from within a virtual machine.
■ All components on a server in a server room and you use Remote Desktop sessions to use
Enterprise Console from your local computer.
We don’t describe each of these installation configurations in this document, but we do explain
generally how to install the management software and the software on your endpoint computers
in each of the network configuration scenarios that follow.

3.2 Other features

Some features in the management console require a little foreplanning as well. The considerations
that go into each are described in this document for each network configuration scenario:
■ Update Manager. This component creates a structure for updating the anti-virus (and other)
software on your endpoint computers. It will automatically create a central location for your
network to update from, but you can choose to create more update locations as you see fit.
Update locations can either be set up as a UNC path or a web folder.
■ Role-Based Administration. This is an optional feature that allows you to subdivide the
management of your network so that other users can monitor the network's health and perform
actions.

5
Sophos Endpoint Security and Control

4 General installation planning considerations

In general, if you consider the following items before you read this document, you’ll get the most
out of this guide:
1. Think about the numbers. The number of end users you have will determine how many
sub-estates and update locations you should set up.
2. Think about your network configuration. Your network configuration will determine how you
should install the software on your client computers, how you will distribute updates, and how
many sub-estates you should set up.
3. Think about who will manage your network. The number of IT staff who will monitor and
respond to malware alerts and firewall events will determine the number of sub-estates you
should set up.
4. Think about how you would like to deploy updates. There are countless ways of doing this.
Think about whether you would want everyone on the network downloading from one shared
folder, or whether you want every department to have their own update location with a failover
location as well.
The rest of this document describes various deployment scenarios (like WANs, remote users, or
networks with no servers) that we have anticipated.

6
 on-premise installation best practice guide

5 Main installation scenarios

5.1 Single-site network

5.1.1 Installation

Management software
Install Enterprise Console on one server (to be used to manage the network) or install the
database(s) on a separate server if you have a large network. For more information on installing
the Enterprise Console database on a SQL cluster, please see Installing Enterprise Console databases
in a clustered SQL Server environment.
If you use Active Directory, use it to import containers (OUs) first. Then, once you’ve adjusted
your groups and created the subgroups that you need, synchronize with Active Directory to import
the computers.
If your network has more than 10,000 computers (4,000 if you use Windows Server 2008), you
should set up at least one message relay to reduce the load of communications to and from the
management server. See Enterprise Console: configuring message relay computers for more
information.

Client software
You have many options for deploying Endpoint Security and Control to your client computers:
■ Deploy directly from Enterprise Console, as described in the Sophos Enterprise Console quick
startup guide (for smaller networks) or the Sophos Enterprise Console advanced startup guide(for
larger networks). The guides are available from
http://www.sophos.com/en-us/support/documentation/enterprise-console.aspx
■ Use SMS/SCCM (Microsoft recommends that you use SCCM to distribute software when you
have 250 or more client computers in your network). For detailed instructions, see Using SCCM
2007 (SMS) to deploy Endpoint Security and Control (Sophos Anti-Virus).
■ Create a script to invoke special features when running the installation with setup.exe. You
can then use a Group Policy Object to deploy the script and installation file.

7
Sophos Endpoint Security and Control

5.1.2 Role-based administration

Consider whether you would like to use sub-estates to divide up the day-to-day management of
your network. Consider who will have what roles and install Enterprise Console on their computers
when you are ready.
We recommend that you have at least one sub-estate at each of your locations, with more than
one IT person assigned to each one. That way, they can manage two networks when one person
is off sick or on vacation.

5.1.3 Updating structure

There are many considerations that go into planning an update structure. When planning,
remember that the update manager pushes the files to each share in turn, so the number of shares
should be tailored to fit your network bandwidth. Also remember that you shouldn’t put a share
on a computer that may go into standby or otherwise be unavailable for long periods of time.

How big is your network?

On a network with fewer than 1,000 computers, you can install a single update manager and create
one or more update locations for your client computers to download updates from.
On a network of 1,000 or more computers, you’ll want to design your update structure to take
advantage of the best network architecture and the most effective servers. If you use a UNC path
for your update location, it should be used by a maximum of 1,000 computers, unless it is on a
dedicated file server. If you set up a web location for updating, it can handle somewhere between
5,000 and 10,000 computers updating from it.
You could also set up additional update managers to spread the load. They could either update
from the primary update manager or directly from Sophos. This kind of scenario could also be
used for designing failovers. For detailed instructions about installing an additional update manager,
see section 7 of the Sophos Enterprise Console advanced startup guide (available from
http://www.sophos.com/en-us/support/documentation/enterprise-console.aspx).
As a general rule, you should install an additional update manager for each 25,000 client computers
on your network.

What computers are on your network?

Your update shares can publish software for all the different supported operating systems.
Consider whether you may want more than one update location for a specific operating system.
For example, you might want half your Windows 2000+ operating systems to use one update
location and the other half to use another, and use a separate server for Mac OS X, Linux, and
UNIX updates.
You can also download software for NetWare and set up a share on any server for these computers
to update from. This is described in an appendix to the Sophos Enterprise Console advanced startup
guide.

8
 on-premise installation best practice guide

Do you have roaming or remote users connecting to your network?

We’ve tried to illustrate the most common "additional network configuration" scenarios in the
rest of this document. Refer to the type of installation that applies to your situation to learn how
to install Endpoint Security and Control on the client computers and how to structure your
updating structure to support them.

9
Sophos Endpoint Security and Control

5.2 WAN

Note: The following sections apply to both single-domain and multiple-domain (or workgroup)
networks.
Choose the scenario that best applies to your situation:
■ Scenario 1: Sites are managed independently.
In this scenario, there is an administrator at each site who will administer their own site
independently.

■ Scenario 2: Sites are primarily centrally managed.

■ There is admin or helpdesk staff who will administer groups across the two domains/sites,
or
■ There is one administrator who will administer both domains/sites from site A.

5.2.1 Scenario 1: Sites are managed independently

There is an administrator at each site who will administer their own site independently
5.2.1.1 Installation
Install Enterprise Console at each site and use Active Directory to synchronize with the local
domain only.

5.2.1.2 Role-based administration

If there is only one person responsible for checking the network at each site, set up the other site
administrator with the right to monitor alerts and events to ensure that there is coverage to deal
with malware outbreaks and other security events in the event that the local admin is not present.
If there are several people at each site who can check the network, set them up with roles and
sub-estates as required.

5.2.1.3 Updating structure

If you wish, you could configure the update manager on site B to download its updates from site
A, but you could also have it download its updates directly from Sophos.
Read the advice for the "standard" scenario described above to see what other issues you should
consider before installing Endpoint Security and Control at each site.

10
 on-premise installation best practice guide

5.2.2 Scenario 2: Sites are primarily centrally managed

There is admin or helpdesk staff who will administer groups across the two
domains/sites
OR
There is one administrator who will administer both domains/sites from site A
5.2.2.1 Installation
Install Enterprise Console at site A and use RDP or TS to manage the computers at site B. If you
have staff at site B who should be allowed to perform certain tasks, install Enterprise Console only
at site B.
If the sites are on different domains, remember that once you install Enterprise Console, you will
need to set it up for multiple domains. For more information, see Protecting computers in a multiple
domain environment.
Ensure that your web filtering equipment allows the following ports for Sophos communications:
Network: allow ports 137-139 and 445
Weblink: allow port 80

5.2.2.2 Role-based administration

This depends on how the IT department is structured. If all the IT staff is on one site, you’d
probably want to break down the network into sub-estates based on location. If there is IT staff
at each site, you could divide each site into sub-estates as well. It’s up to you.

5.2.2.3 Updating structure

Wherever possible, we recommend that you install an additional update manager in a remote
location. There are a few reasons, but most important is the amount of bandwidth needed to
update the shared folders on site B and the danger that the shares would be incomplete if the link
went down.
Your updating structure would depend on whether or not there is a server or other suitable
Windows computer on site B which could be used to distribute updates.
Note: Suitable computers are those running Windows 2003/Vista/Windows 7/2008/SBS 2011.
For system requirements for Enterprise Console and its components, go to
http://www.sophos.com/en-us/support/knowledgebase/118635.aspx
■ If there is a server or other suitable Windows computer on site B which could be used to
distribute updates
Install an Update Manager at site B to update the local computers. This update manager could
either download its updates from site A or directly from Sophos.
If you have a firewall between your sites, you’ll have to update via HTTP. Set up a web folder
at site A so that the site B computers can get their updates.

11
Sophos Endpoint Security and Control

■ If there is no server or suitable Windows computer on site B

Use the update manager at site A to create a share for site B. This shared folder could be located
at site A, or at site B if bandwidth is a concern. If the link would be too slow to download
updates from site A once an hour, consider creating a web folder for the site B computers to
update from.
No matter what you choose as the primary source for updates, ensure that the secondary
updating source in the updating policy for Site B computers point to Sophos in case the link
between the two sites goes down or the web location is unavailable.

12
 on-premise installation best practice guide

5.3 No server

5.3.1 Installation
If you have a small network with no server (ten or fewer computers), you can still download and
use Enterprise Console to manage your network as long as you have a computer that satisfies
system requirements for Enterprise Console.
Follow the advice for the "Single-site network" scenario, described above.
Alternatively, if all of your computers are connected to the Internet, you could install the standalone
version of Endpoint Security and Control on those computers and they would all update directly
from Sophos.

5.3.2 Role-based administration

If you install Enterprise Console on one of your computers, you could set up another user to
monitor your network when you are away from the office.

5.3.3 Updating
If you install Enterprise Console on one of your computers, use the update manager to set up an
updating system with a single share.
If you install the standalone version of Endpoint Security and Control on all of your computers,
they will update directly from Sophos.

13
Sophos Endpoint Security and Control

5.4 No suitable Windows computer

If you don’t have a Windows Server, or a suitable Windows computer that satisfies system
requirements for Enterprise Console, you will have to download Sophos Anti-Virus for your
non-Windows computers and they will update separately.

5.4.1 Installation
Download and install:
■ Sophos Anti-Virus for Mac OS X
■ Sophos Anti-Virus for Linux
■ Sophos Anti-Virus for UNIX
Documentation for Sophos Anti-Virus for all supported platforms is available at
http://www.sophos.com/en-us/support/documentation.aspx.

5.4.2 Role-based administration

Does not apply as Enterprise Console can only be run on a Windows server or suitable workstation.

5.4.3 Updating
Sophos Anti-Virus for Linux can be updated by one computer and the cache folder can be shared
with the other Linux computers in your network.

14
 on-premise installation best practice guide

5.5 No Enterprise Console

Please note that this scenario is not supported. You should make every effort to use Enterprise
Console or other security management product from the range of Sophos products, for example,
Sophos Unified Threat Management (UTM). If you have a small network and no dedicated
server, you could also use Sophos Cloud.

5.5.1 Installation
Download the standalone installer and install Endpoint Security and Control on each computer
individually. Each computer would then update directly from Sophos.

5.5.2 Role-based administration

Not applicable, as these computers are not managed and Enterprise Console is not being used.

5.5.3 Updating
The computers would update directly from Sophos.

15
Sophos Endpoint Security and Control

6 Additional configurations

6.1 Roaming users connecting via VPN

6.1.1 Installation
Follow the advice for the "standard" scenario for recommendations for installing Enterprise Console
on the management server.
For your roaming users, because the computers will connect to the network via VPN, you should
deploy Endpoint Security and Control software to these computers from Enterprise Console.
When they next connect, they will download and install the security software.

6.1.2 Role-based administration

Supporting roaming users is an additional security concern. To make monitoring and
administration easier, you might want to set up one sub-estate for roaming users so that one
person could closely monitor their security status.

6.1.3 Updating
Ensure that the updating policies for roaming computers have Sophos set up as a secondary source
for updates, in case the user can't connect to your network while they're away from the office.
Alternatively, you may also consider creating a web location for them to update from, so that they
can update their security software even if they can't connect to your network.

16
 on-premise installation best practice guide

6.2 Air gapped network

6.2.1 Installation
Follow the advice for the "standard" scenario for recommendations for installing Enterprise Console
on the management server on the outside network.
For your air-gapped network, you have two options:
■ Install Enterprise Console and an update manager and deploy to the client computers from
the management server in the air-gapped network.
■ Install Endpoint Security and Control on each of the computers individually and have them
update from a shared folder copied from the outside network. You won't be able to manage
the computers on the air-gapped network, nor would you be able to take advantage of all the
features of Endpoint Security and Control, because Application Control, Device Control and
Data Control are all configured using Enterprise Console.

6.2.2 Role-based administration

You will have separate installations of Enterprise Console on the two networks, so you won't be
able to monitor both networks from one Enterprise Console. You could break your air-gapped
network into sub-estates, if it's big enough. As with any network, you'd probably want to define
at least one extra role to monitor the network when the administrator is busy.

6.2.3 Updating
When you configure the update manager in the air-gapped network, ensure that it uses a folder
on the management server, or a removable device that you manually update with data from the
outside network as its update source.
For detailed instructions on setting up an air gapped network, please see Installing and configuring
an air gap with Sophos Update Manager.

17
Sophos Endpoint Security and Control

6.3 Remote workers, no VPN access

6.3.1 Installation
There are two options for protecting off-site computers without VPN connection:
■ You could download the standalone installer and install Endpoint Security and Control on
each computer individually. The users would then update directly from Sophos.
■ You could create a self-extracting .exe file for your users to install the software themselves.
These users would update from a web location that you configure and update.

6.3.2 Role-based administration

Not applicable, as these computers are not managed.

6.3.3 Updating
Either the computers would update directly from Sophos or they would update from a web location
that you configure.

18
 on-premise installation best practice guide

6.4 Home users (extended license)

6.4.1 Installation
The only supported installation for home users is a self-extracting .exe file that you build for them.
We do not permit home users to update from the Sophos databanks directly. You will have to
create a web folder where your home users can download their updates from.

6.4.2 Role-based administration

Does not apply.

6.4.3 Updating
Create a web folder that will copy the updates from your update manager and allow you to distribute
them to your employees' personal computers at home.
Please see our Best Practice article about setting up home users for more information.

19
Sophos Endpoint Security and Control

7 Technical support
You can find technical support for Sophos products in any of these ways:
■ Visit the SophosTalk community at community.sophos.com/ and search for other users who are
experiencing the same problem.
■ Visit the Sophos support knowledgebase at www.sophos.com/en-us/support.aspx.
■ Download the product documentation at www.sophos.com/en-us/support/documentation/.
■ Send an email to [email protected], including your Sophos software version number(s),
operating system(s) and patch level(s), and the text of any error messages.

20
 on-premise installation best practice guide

8 Legal notices
Copyright © 2009–2014 Sophos Limited. All rights reserved. No part of this publication may be
reproduced, stored in a retrieval system, or transmitted, in any form or by any means, electronic,
mechanical, photocopying, recording or otherwise unless you are either a valid licensee where the
documentation can be reproduced in accordance with the license terms or you otherwise have
the prior permission in writing of the copyright owner.
Sophos, Sophos Anti-Virus and SafeGuard are registered trademarks of Sophos Limited, Sophos
Group and Utimaco Safeware AG, as applicable. All other product and company names mentioned
are trademarks or registered trademarks of their respective owners.

21