Sophos NAC
--------------------------------------------------

Sophos NAC                    : 3.1
Endpoint Security and Control : 8

www.sophos.com

Contents
--------

1 About Sophos NAC
2 New in this version
3 Known problems
4 Additional information
5 System requirements

1 About Sophos NAC
------------------

Sophos NAC provides easy-to-deploy network access control (NAC). It
allows administrators to centrally define and manage security policies
to identify and isolate non-compliant, compromised, or misconfigured
computers accessing the corporate network. It seamlessly integrates
with existing network infrastructures and security applications for a
wide range of vendors.

For information on installing Sophos NAC for the first time, see the
"Sophos Quick Start guide". This guide is available from the Sophos
website or from the Sophos Endpoint Security and Control CD.

2 New in this version
---------------------

* Simplified NAC installation and configuration

  The NAC installation and configuration has been simplified for
  Sophos Endpoint Security and Control so that minimal configuration
  is required.

* Deploy and Update NAC Agent from Enterprise Console

  From Sophos Enterprise Console, you can deploy and update the NAC
  Agent on endpoints.

* Pre-defined policies that work out-of-the-box

  Sophos NAC provides pre-defined policies that contain profiles for
  Sophos applications with messaging and remediation actions, making
  policy setup and maintenance simple and efficient.

* Access NAC Manager from Enterprise Console

* Complete group assignment for NAC within Enterprise Console

* Extended support for Sophos Anti-Virus

  Sophos NAC offers extended application capabilities for Sophos
  Anti-Virus that enable administrators to set NAC policy based on
  detection of unwanted components on an endpoint and identify how
  Sophos Anti-Virus is managed.
  Endpoints can be evaluated to determine if viruses, spyware, adware,
  potentially unwanted applications (PUA), suspicious behavior, or
  suspicious files have been detected by Sophos Anti-Virus.
  Administrators can also define capabilities that determine if the
  Sophos Anti-Virus application is managed by Sophos Enterprise
  Console, if the application conforms to Sophos Enterprise Console
  policy, and if controlled applications, as defined in Sophos
  Enterprise Console policy, are detected.

3 Known problems
----------------

Some descriptions include the relevant identifier in brackets. You can
use this if you need to contact Sophos technical support.

3.1 Sophos NAC

* If you are using a proxy server for Internet access, you must run
  the NAC Proxy Setup tool after you install NAC. This tool configures
  Sophos NAC to use a proxy server for retrieving the latest dates for
  the current signature for anti-virus and anti-spyware applications.
  The NAC Proxy Setup tool is on the Sophos Endpoint Security and
  Control CD or it can be downloaded from the Sophos website. If you
  are using an authenticated proxy, access the Sophos website and read
  the KB article 36577.

* (DEF13468) The NAC installation progress window displays progress
  very slowly and the time remaining value may not change for a period
  of time.

* (DEF20257) You cannot install Sophos NAC on the same server as
  PureMessage for Exchange or Notes/Domino if PureMessage is installed
  first.

  PureMessage installs SQL Server 2005 Express. Sophos NAC runs on SQL
  Server 2000 MSDE with SP3a or higher. Sophos NAC will begin
  installing on servers with unsupported SQL Server versions. An
  installation error displays after the installation has begun. The
  workaround is to install SQL Server 2000 prior to installing
  PureMessage so PureMessage uses the SQL Server instance that is
  pre-installed.

* (SUG21670) Sophos NAC will not install on the same server as
  Microsoft SharePoint server.

* In the NAC Manager, the Save As New option on the Agent Enforcer
  access template displays an error when a network resource is added.
  (TT 18935 or 19077)

  If you open an Agent Enforcer access template to update, add a
  network resource, and then save it as a new template, an error
  displays. The workaround is to save the template as a new template
  prior to adding network resources, or update the existing template
  and save the changes.

* In the NAC Manager, 0s (zeros) can be typed in the Agent Policy
  Update Threshold field on the Enforcer Settings page. (TT 19069)

  You can type a 0 (zero) in the Agent Policy Update Threshold field
  on the Configure System > Enforcer Settings page, even though the
  valid value should be between 1 and 999.

* On endpoints running the Windows Vista operating system, the NAC Web
  Agent cannot be installed automatically if the NAC Agent was
  previously installed and uninstalled. (TT 19250)

  If the NAC Agent was previously installed and then uninstalled on an
  endpoint running the Windows Vista operating system, and then a Web
  Agent installation is attempted on that same endpoint, the Web Agent
  installation will fail. The issue is in how the Vista operating
  system uses XML DOM, which is included as part of the Web Agent
  installation CAB file. For the installation to work correctly, you
  must first manually install XML DOM, and then attempt to install the
  Web Agent again.

* The NAC Agent uses settings from previous installations. (TT 18506)

  If the Agent was previously installed with a particular setting set,
  and then is uninstalled and reinstalled with another Agent where
  that setting is not set, the setting from the first installation is
  used. The workaround is to specify default values for all settings
  that you have used in previous installations.

* The NAC Web Agent doesn’t run in IE 7 with Protected Mode on.
  (TT 18848)

  The Web Agent will fail when run in IE 7 if the Protected Mode is
  set to On.
  This is the default setting for every zone except the Trusted Sites
  zone. The workaround is to add the Web Agent URL to the Trusted
  Sites zone, which has Protected Mode set to Off by default.

* The Update remediation action for McAfee AntiSpyware 2.0 requires
  user interaction. (TT 18853)

  If the Agent launches an Update remediation action for McAfee
  AntiSpyware 2.0, a dialog box is displayed and the update is not
  started until the user clicks Update.

* The Enabled capability is not detected correctly for Symantec Client
  Security 10.x Firewall. (DEF11485)

  For Symantec Client Security 10.x Firewall, if the Enabled
  capability check is run on the endpoint less than 60 seconds after
  the firewall is enabled, the software returns inconsistent results
  when detecting the Enabled capability. The workaround is to ensure
  that more than 60 seconds have passed after the firewall was enabled
  before attempting to detect the Enabled capability.

* (DEF11506) The NAC Agent and Web Agent do not detect Proventia
  Desktop Firewall 8.x.

* (DEF11438) The Last Scan Grace Period or Last Scan Date capability
  for McAfee Anti-Virus 4.5.1 on Windows XP SP2 always returns a
  non-compliant result.

* (DEF11396) The Last Scan Grace Period or Last Scan Date capability
  for Sophos Anti-Virus 7.x on the French operating system always
  returns a non-compliant result.

3.2 DHCP Enforcement with Sophos NAC

* The NAC Manager DHCP reports return entries outside of the specified
  date/time criteria. (TT 19073)

  In the DHCP Enforcer and DHCP Exemption reports, the results include
  report entries that are outside of the defined date/time range that
  is specified when the report is run.

* In the NAC Manager, an error displays after being prompted for a
  unique name for the DHCP scope exemption. (TT 19300)

  In the Enforce > Exemptions area of the NAC Manager, if you create a
  DHCP scope exemption, assign an existing name to the exemption, and
  then attempt to save the exemption, you are prompted for a unique
  name.
  However, once you type a unique name and attempt to save the
  exemption, an error displays.

For technical support, visit http://www.sophos.com/support.

If you contact technical support, provide as much information as
possible, including the following:

* Sophos software version number(s)
* Operating system(s) and patch level(s)
* The exact text of any error messages

4 Additional information
------------------------

Some descriptions include the relevant identifier in brackets. You can
use this if you need to contact Sophos technical support.

5 System requirements
---------------------

For installations of 1,000 endpoints or fewer, Sophos NAC can be
installed on the same server as Sophos Enterprise Console. For
installations of 1,001 to 25,000 endpoints, the Sophos NAC
application, the Sophos NAC databases, and Sophos Enterprise Console
each require their own server, for a total of three servers.

5.1 NAC Server

* 2 GHz Pentium 4 or equivalent
* 1 GB RAM
* Windows 2003 server base or higher or Windows 2003 R2 base or higher
* Internet Access
* 3 GB of free hard disk space on the C drive
* TCP/IP Protocol
* Ethernet adaptor for a wired broadband connection or 802.11 wireless
  adaptor for wireless broadband connection
* Web Certificate if you are using HTTPS

5.2 NAC Databases

The computer where you place the NAC databases (which may be the same
computer or a different one) also needs:

* Windows Server 2003 base or higher or Windows Server 2003 R2 base or
  higher if installing on the same server. If installing on a
  different server, Windows Server 2000 with SP3 and higher is
  supported.
* SQL Server 2000 - Desktop Engine Edition (MSDE) with SP3a or higher
* If you use MSDE, the maximum size that a database can reach is 2 GB.
  If you use Microsoft SQL Server 2000, there is no limit apart from
  that set by the administrator.