Installing and configuring an air gap with Sophos Update Manager

  • N.º del artículo: 64899
  • Actualizado: 30 dic 2013

This article describes how to set up and maintain an air gapped network.  You will need to follow the instructions in this article if your Sophos Update Manager (SUM) is installed on a network which is not connected to the internet.

Important: The version of Enterprise Console should be the same on either side of the air-gap. If it is not this can lead to errors such as that described in article: 117736.

Known to apply to the following Sophos product(s)

Enterprise Console

Installation

Installing on the non-air-gapped network

Follow the instructions in the Quick Startup Guide for installing Enterprise Console on your non-air-gapped network. Ensure that you subscribe to the software packages that you require on both the air-gapped and non-air-gapped networks.

Installing on the air-gapped network

To install Endpoint Security and Control on your air-gapped network, you have two options:

1. Install Enterprise Console on one of the servers in the air gap to centrally manage and update the endpoint computers in the air gap.

  1. Follow the instructions in the Quick Startup Guide to install the management software and cancel the installer when it reaches the Download Security Software wizard.
  2. Create a new directory in the location of your choice to be used as your update source. Call this folder Update Source and share the folder as SophosUpdateManager.
  3. Ensure that the update manager is not currently an performing an update, otherwise the files copied in the step below will be incomplete and you will have a folder that appears corrupt to the air-gapped update manager.  You can view update activity with the Logviewer.exe program.
    Note: If an update is in progress when copying the files you will see the error could not create catalogue sdds.local when configuring the air-gapped update manager.
  4. Copy the Warehouse directory from the non-air-gapped network onto a removable storage device or CD and submit this medium to your required verification:-
    On the non-air-gapped network, the Warehouse directory containing the packages is as follows.
    • Windows Server 2000/2003: C:\Documents and Settings\All Users\Application Data\Sophos\Update Manager\Update Manager\Warehouse
    • Windows Server 2008: C:\Program Data\Sophos\Update Manager\Update Manager\Warehouse
  5. Paste the Warehouse directory into the folder Update Source (i.e., the one you created in step 2 above), in the air-gapped network.
  6. On the air-gapped Update Manager, on the 'Sources' tab, set the primary source to be the UNC path to the 'SophosUpdateManager' share, e.g.,  \\servername\SophosUpdateManager
  7. Configure your software subscriptions to use the appropriate packages.
  8. Once your update manager has downloaded the packages, deploy them to the air-gapped network.

2. Install the standalone version of Endpoint Security and Control on each of the computers in the air gap.

Note: If you choose this option, you will not be able to ensure compliance with policies on the endpoint computers in the air gap, nor will you be able to take advantage of all the features of Endpoint Security and Control, because Application Control, Device Control and Data Control policies are all configured using Enterprise Console.

Installing Endpoint Security and Control is described in the Endpoint Security and Control standalone startup guide.

Once you have followed this guide and the standalone version is installed on each of the computers in the air gap, you will have to configure them to update from a shared folder in the air gap, as follows:

  1. Create a new folder on the desktop of one of the air-gapped endpoints to be used as your update source.
  2. Copy the appropriate packages from the non-air-gapped network onto a removable storage device or CD.  We recommend you perform a complete scan of the media being used to copy the files (CD-R, CD-RW, USB pen drive, etc.) with an up to date version of Sophos Anti-Virus before using it on your air-gapped network.

    For example, the default location of the Endpoint Security and Control package is:
    • Windows Server 2000/2003: C:\Documents and Settings\All Users\Application Data\Sophos\Update Manager\Update Manager\CIDs\S000\SAVSCFXP
    • Windows Server 2008: C:\Program Data\Sophos\Update Manager\Update Manager\CIDs\S000\SAVSCFXP
  3. Paste the copied files to the folder on the desktop in the air-gapped network.
  4. Share this folder to the network.
  5. Set each of the endpoint computers to update from this shared location.

Updating

To update the air-gapped network, you will have to manually copy the update files from the non-air-gapped network using a removable device or CD. After you have subjected this medium to your necessary checks, copy the contents to the shared folder on the air-gapped network. We recommend that you update your air-gapped network once a day.

 
Si necesita más ayuda, póngase en contacto con soporte técnico.

Valore el artículo

Muy malo Excelente

Comentarios