This article answers some of the frequently asked questions regarding location roaming.
Known to apply to the following Sophos product(s) and version(s):
- Sophos Endpoint Security and Control 9.7
- Sophos Endpoint Security and Control 10.0
- Sophos Endpoint Security 9.7
Frequently asked questions
- What is location roaming?
Location roaming is a system that allows roaming laptops to determine the most appropriate location from which to update. A full description can be found in the product Help pdf and the online Help.
- Which endpoints can use location roaming?
This functionality applies only to endpoints managed by the same Console and updating from locations within the same subscription policy. An updating policy can use location roaming only if a primary update location is specified in the Console. This avoids a group of endpoints having location roaming switched on with no update location to reply with.
- Will a fixed endpoint respond with its primary, secondary, or last successful location? What if the primary location was not available at the time of the last check?
The fixed endpoint always replies with its primary policy update location.
- Will endpoints be deployed from the Console (or third-party tools) with port 51235 listening?
Yes, port 51235 is the default, and will be in listening mode.
- Can you change the port used by location roaming?
Yes. The port used for the broadcast can be changed if you need to define it because of a clash or because of your company's security restrictions. The port can be changed locally in the registry, locally in iupd.cfg, or more centrally in sauconf.xml. The default port is 51235. Full details of how to change it are given in the knowledge base article How to configure the Location Roaming port in Sophos AutoUpdate.
- How do you enable/disable location roaming?
In the Console, the group policy configuration window gives you the option to enable or disable location roaming. Note that endpoints are always listening to broadcast messages even when location roaming is disabled.
- Can location roaming be turned on/off from the endpoint client (i.e. overriding the Console policy)?
Yes, the broadcasting can be switched off on the endpoint by opening the SAU configuration file iupd.cfg and setting the flag 'Enabled' under [global.IntelligentUpdating] to 0. Note that this applies only to the endpoint asking; replying endpoints always reply, even if their own IU configuration is switched off.
- What happens if a Sophos endpoint computer from network 'A' is added to a different network, e.g. network 'B'?
If a user wants to enable roaming for an endpoint, it must be protected by the Console that manages the endpoints/location where the local CID is. For example, a visitor who plugs their computer into another network will NOT pick up updates, because their computer is configured to be managed from a different Enterprise Console.
- How does location roaming operate on a wireless network?
The nature of the location detection (comparison of gateway MAC addresses) means that on a wireless network, fluctuating connection availability can make the endpoint believe it has moved location, causing repeated local broadcasts. If this proves to be a problem, it can be controlled indirectly by reducing the updating frequency, since a check is only made when the endpoint updates.
- What additional security measures are applied when location roaming is used?
Sophos has incorporated additional security measures to hide sensitive information:
- Passwords are obscured using Enterprise Console obfuscation.
- The data contains a hash to verify its integrity: all the fields are concatenated and hashed using SHA1 with the Subscription ID, which is stored in the updating policy.
- The policy is delivered to the endpoints via RMS, which is PKI-secured with keys and certificates created and managed by SEC. Once on the endpoint the policy is saved in the RMS Adapter storage, which is then obscured (not encrypted).
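As an added illustration of the integrity hash described in the second bullet (example code, not Sophos AutoUpdate code), the following Python appends a SHA1 digest over the concatenated reply fields plus the Subscription ID and shows that a receiver holding the same Subscription ID rejects a reply whose fields were changed or that was hashed under a different subscription. The field order, the `|` separator and all sample values are assumptions for illustration; the article does not document the real layout.

```python
import hashlib
import hmac

# ASSUMPTIONS for illustration only: the article does not document the real
# field order or separator AutoUpdate uses, so both are chosen here.
FIELDS = ("primary_location", "username", "obscured_password")
SEPARATOR = "|"

def integrity_hash(reply: dict, subscription_id: str) -> str:
    """SHA1 over the concatenated reply fields followed by the Subscription ID.
    The ID itself is never sent; both sides hold it in their updating policy."""
    material = SEPARATOR.join(reply[name] for name in FIELDS)
    material += SEPARATOR + subscription_id
    return hashlib.sha1(material.encode("utf-8")).hexdigest()

def build_reply(reply: dict, subscription_id: str) -> dict:
    """Return a copy of the reply carrying its integrity hash."""
    signed = dict(reply)
    signed["hash"] = integrity_hash(reply, subscription_id)
    return signed

def verify_reply(signed: dict, subscription_id: str) -> bool:
    """Recompute the hash with the local Subscription ID and compare in
    constant time; a reply missing a required field is rejected."""
    try:
        expected = integrity_hash(signed, subscription_id)
    except KeyError:
        return False
    return hmac.compare_digest(expected, str(signed.get("hash", "")))

# Constructed sample values (not real policy data).
SUBSCRIPTION_ID = "constructed-subscription-id-0001"
SAMPLE_REPLY = {
    "primary_location": r"\\update-server-a\SophosUpdate\CIDs\S000\EXAMPLE",
    "username": "constructed-update-user",
    "obscured_password": "constructed-obscured-value",
}

if __name__ == "__main__":
    good = build_reply(SAMPLE_REPLY, SUBSCRIPTION_ID)
    altered = dict(good, primary_location=r"\\other-host\share")
    print(verify_reply(good, SUBSCRIPTION_ID))     # True: fields and ID match
    print(verify_reply(altered, SUBSCRIPTION_ID))  # False: a field was changed
```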
- What if an endpoint connects to an update location that contains a customized sauconf.xml file and this causes the endpoint to stop updating correctly?
As explained above, the endpoint will continue communicating with the Console; therefore, if you right-click the affected computer and select 'Comply with Policy', it will go back to its original settings.