
How to locally configure computers to ensure that you can protect and manage computers with endpoint software centrally

The limitation of a workgroup network or isolated computers rather than a domain is that you cannot centrally control a client computer's system settings.

This article explains how to configure a computer locally to ensure that:

  • Computers can be protected with endpoint software from the console
  • You are able to manage clients from the console
  • Clients can update from the software distribution point

Is this the right article for you?

| Console version | Domain environment | Workgroup environment |
|---|---|---|
| Enterprise Console v5.1 only | See article 116754 | See article 116755 |
| Enterprise Console v5.0 and v4.x; Enterprise Manager v4.7; Control Center v4.x | See article 111180 | See this article. |

Known to apply to the following Sophos product(s) and version(s)
Enterprise Console 4.0.0
Enterprise Console 4.5.0
Enterprise Console 4.7.0
Sophos Enterprise Manager 4.7.0
Sophos Control Center 4.0.1
Sophos Control Center 4.1
Enterprise Console 4.7.1
Enterprise Console 4.5.1
Enterprise Console 5.0.0

What to do

As well as ensuring that computers meet the system requirements, you must perform further steps before you can install software on them automatically.

Assumptions

  • The requirements for deployment mentioned herein have been determined using ‘out of the box’ Windows installations; environment-specific security changes are not covered.
  • The network environment is compatible with either a Windows Workgroup or Windows Domain (SMB equivalent with UNC accessibility).
  • The user performing the deployment has the required Administrator or equivalent level credentials over the endpoint computers.
  • Endpoints are able to resolve the name of the Sophos distribution server either by NetBIOS/WINS or DNS and vice-versa.

Computer Discovery Overview

Discover on the network

This relies on Windows networking to discover computers. The Computer Browser service on the Sophos server must be started. Using credentials during the Protect Computers wizard will reveal more details in the endpoint information; this is not a requirement however.

Discover by IP Range

By default, IP discovery uses ICMP, SNMP and Windows networking to discover PCs on the network. For more information, see Enterprise Console: IP address discovery.

Endpoint Deployment and Communications Requirements

Deployment Requirements Table

| Requirement | 2000/XP/2003 | Vista/2008/7/2008 R2 |
|---|---|---|
| Windows Firewall rules | File and Printer Sharing | Network Discovery (LLMNR-UDP-In); Remote Service Management (NP-In) |
| Windows Firewall ports | TCP 8194 (endpoints); TCP 8192 and TCP 8194 (server) | TCP 8194 (endpoints); TCP 8192 and TCP 8194 (server) |
| Services | Remote Registry (Started); Task Scheduler (Started); Windows Installer (Stopped but not Disabled) | Remote Registry (Started); Task Scheduler (Started); Windows Installer (Stopped but not Disabled) |
| User Account Control | Not applicable | Disabled |

Deployment Preparation - Workgroups and single computers

Preparing Windows 7/2008 R2 computers for deployment and communication

  1. Ensure that the Network Location has not been set to Public within Network and Sharing Center.
    This article explains network location awareness in Vista and above operating systems.
  2. Click Start | Run | Type: services.msc | Press return.
  3. From the list of services that appear, check the properties and ensure that the following services are started and set to the correct start-up type:
    Remote Registry, set to Automatic startup with a status of Started.
    Task Scheduler, set to Automatic startup with a status of Started.
  4. Change ‘User Account Control’ to Never notify. A restart will be required.
  5. Open ‘Advanced settings' in 'Windows Firewall', by navigating through the 'System and Security' group in Control Panel.
    • Change Inbound Rules to enable the following built-in rule(s):
      Network Discovery (LLMNR-UDP-In)
      Remote Service Management (NP-In)
      Note: Ensure you select the profile rule that applies to the endpoint's Network Location. Domain endpoints should select the Domain profile.
    • Use New Rule… to add a Sophos RMS port with the following details:
      Rule Type: Port
      Protocols and Ports: TCP - Specific Ports - 8194
      Action: Allow the connection
      Profile: Domain, Private
      Name: Sophos RMS

Preparing Windows Vista/2008 computers for deployment and communication

  1. Ensure that the Network Location has not been set to Public within Network and Sharing Center.
    This article explains network location awareness in Vista and above operating systems.
  2. Click Start | Run | Type: services.msc | Press return.
  3. From the list of services that appear, check the properties and ensure that the following services are started and set to the correct start-up type:
    Remote Registry, set to Automatic startup with a status of Started.
    Task Scheduler, set to Automatic startup with a status of Started.
  4. Change ‘User Account Control’ to Never notify. A restart will be required.
  5. Click Start | Run | Type: mmc.exe | Press return.
  6. From MMC under File select ‘Add/Remove snap-in’, add ‘Windows Firewall with Advanced security’.
    • Change Inbound Rules to enable the following built-in rule(s):
      Network Discovery (LLMNR-UDP-In)
      Remote Service Management (NP-In)
      Note: Ensure you select the profile rule that applies to the endpoint's Network Location. Domain endpoints should select the Domain profile.
  7. Use New Rule… to add a Sophos RMS port with the following details:
    Rule Type: Port
    Protocols and Ports: TCP - Specific Ports - 8194
    Action: Allow the connection
    Profile: Domain, Private
    Name: Sophos RMS
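The Windows 7/2008 R2 and Windows Vista/2008 procedures above differ only in how the firewall console is opened; the settings themselves are identical. The script below is an added example, not a Sophos tool and not part of the article, and applies steps 1, 3, 4 and 5 of both procedures from an elevated PowerShell prompt. It assumes the built-in English rule and service names, uses WMI and netsh advfirewall so that it runs on the PowerShell 2.0 these systems ship with (the NetSecurity cmdlets only exist on Windows 8/2012 and later), and takes the rule name "Sophos RMS", port 8194 and the Domain/Private profiles from the article. The -SetUacNeverNotify switch is a name chosen for this example; the UAC change is opt-in because it weakens the endpoint, needs a restart, and is meant to be reverted after deployment.

```powershell
param(
    [switch]$SetUacNeverNotify   # step 4; only applied when explicitly requested
)

# WMI is used instead of Set-Service because PowerShell 2.0's Get-Service has no StartType.
function Set-ServiceState {
    param([string]$Name, [ValidateSet('Automatic','Manual')][string]$StartMode, [bool]$Running)
    $svc = Get-WmiObject Win32_Service -Filter "Name='$Name'"
    if (-not $svc) { Write-Warning "Service $Name not found"; return }
    $wmiMode = @{ Automatic = 'Auto'; Manual = 'Manual' }[$StartMode]   # Win32_Service reports 'Auto'
    if ($svc.StartMode -ne $wmiMode) { [void]$svc.ChangeStartMode($StartMode) }
    if ($Running -and $svc.State -ne 'Running')          { [void]$svc.StartService() }
    elseif (-not $Running -and $svc.State -eq 'Running') { [void]$svc.StopService() }
    "{0,-15} startup={1,-9} running={2}" -f $Name, $StartMode, $Running
}

# Step 3: Remote Registry and Task Scheduler (service name 'Schedule') Automatic and Started.
# The requirements table also wants Windows Installer (msiserver) stopped but not disabled.
Set-ServiceState -Name RemoteRegistry -StartMode Automatic -Running $true
Set-ServiceState -Name Schedule       -StartMode Automatic -Running $true
Set-ServiceState -Name msiserver      -StartMode Manual    -Running $false

# Step 1: the active network location must not be Public. netsh prints a line such as
# "Private Profile Settings:" for each active profile.
$profileLines = (netsh advfirewall show currentprofile) -match 'Profile Settings'
if ($profileLines -match 'Public') {
    Write-Warning 'Network Location is Public; change it in Network and Sharing Center before deploying'
}
$fwProfile = if ($profileLines -match 'Domain') { 'domain' } else { 'private' }

# Step 5: enable the two built-in inbound rules only for the profile the endpoint is in
# (the article's note), then add the Sophos RMS port rule once.
foreach ($rule in 'Network Discovery (LLMNR-UDP-In)', 'Remote Service Management (NP-In)') {
    netsh advfirewall firewall set rule "name=$rule" dir=in "profile=$fwProfile" new enable=yes | Out-Null
    "Enabled inbound rule '$rule' for profile $fwProfile"
}
netsh advfirewall firewall show rule name="Sophos RMS" | Out-Null   # exit code 1 when no rule matches
if ($LASTEXITCODE -ne 0) {
    netsh advfirewall firewall add rule name="Sophos RMS" dir=in action=allow `
        protocol=TCP localport=8194 profile=domain,private | Out-Null
    'Added inbound rule Sophos RMS (TCP 8194, Domain and Private profiles)'
}

# Step 4: "Never notify" is ConsentPromptBehaviorAdmin=0 plus PromptOnSecureDesktop=0.
# Reported by default, changed only with -SetUacNeverNotify; restore it once deployment is done.
$uacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$uac = Get-ItemProperty -Path $uacKey
if ($uac.ConsentPromptBehaviorAdmin -eq 0 -and $uac.PromptOnSecureDesktop -eq 0) {
    'UAC: already set to Never notify'
} elseif ($SetUacNeverNotify) {
    Set-ItemProperty -Path $uacKey -Name ConsentPromptBehaviorAdmin -Value 0
    Set-ItemProperty -Path $uacKey -Name PromptOnSecureDesktop     -Value 0
    'UAC: set to Never notify; a restart is required'
} else {
    'UAC: still prompting; rerun with -SetUacNeverNotify or use the Control Panel slider, then restart'
}
```

Run it once without the switch to see what still needs changing, then with -SetUacNeverNotify immediately before the Protect Computers wizard. Because `set rule` matches by name and profile, the two built-in rules stay disabled for the profiles the endpoint is not in, which is the least-exposure reading of the article's note.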

Preparing Windows 2000/XP/2003 computers for deployment and communication

  1. Click Start | Run | Type: services.msc | Press return. From the list of services that appear, check the properties and ensure that the following services are started and set to the correct start-up type:
    • Remote Registry, set to Automatic startup with a status of Started.
    • Task Scheduler, set to Automatic startup with a status of Started.
  2. Workgroups: Ensure Use simple file sharing is disabled. Computers that are a member of a Domain network need not change this option.
  3. Open Windows Firewall, using Control Panel.
    • Under Exceptions, change the Programs and Services rules as follows:
      File and Printer Sharing
    • Use Add Port to add two Sophos ports with the following details:
      Name: Sophos RMS 8194
      Port number: 8194
      Type: TCP
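For the Windows XP/2003 procedure above, the following is an added example (not a Sophos tool and not part of the article) that applies the same steps from a local Administrator PowerShell prompt. It assumes PowerShell 1.0 or 2.0 on XP SP2/2003 SP1 or later, uses the legacy "netsh firewall" context because that is the only one those systems have, and treats "Use simple file sharing" as the ForceGuest value under HKLM\SYSTEM\CurrentControlSet\Control\Lsa (1 = on, 0 = off), which is what that check box sets; the port number and rule name are taken from the article.

```powershell
# Step 1: Remote Registry and Task Scheduler ('Schedule') set to Automatic and started.
# Win32_Service reports 'Auto' for an Automatic start mode.
foreach ($name in 'RemoteRegistry', 'Schedule') {
    $svc = Get-WmiObject Win32_Service -Filter "Name='$name'"
    if ($svc.StartMode -ne 'Auto') { [void]$svc.ChangeStartMode('Automatic') }
    if ($svc.State -ne 'Running')  { [void]$svc.StartService() }
    "$name set to Automatic and started"
}

# Step 2 (workgroup computers only): with simple file sharing on, incoming network logons are
# mapped to Guest, so the administrator credentials from the Protect Computers wizard never
# reach the Task Scheduler. Domain members are left unchanged, as the article says.
if (-not (Get-WmiObject Win32_ComputerSystem).PartOfDomain) {
    Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -Name ForceGuest -Value 0 -Type DWord
    'Simple file sharing disabled (ForceGuest=0)'
} else {
    'Domain member: simple file sharing setting left as-is'
}

# Step 3: File and Printer Sharing exception plus the Sophos RMS port, on every firewall profile.
netsh firewall set service type=fileandprint mode=enable profile=all | Out-Null
netsh firewall add portopening protocol=TCP port=8194 name="Sophos RMS 8194" mode=enable profile=all | Out-Null

# Read back the exceptions so the result can be checked before protecting the computer.
netsh firewall show config
```

The `show config` output should list File and Printer Sharing as enabled and "Sophos RMS 8194" under the open ports; if it does not, the firewall service itself may be stopped or managed by Group Policy, which the script does not override.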

Post Deployment Recommendations

Once deployment is complete it is recommended that the following be returned to their original settings:

  • Vista and above: Under services stop Remote Registry and set to disabled startup.
  • Vista and above: User Account Control should be set to Default.

Advanced Firewall Port Information

| Windows Firewall rule name | Direction | Protocol | Port | Program |
|---|---|---|---|---|
| File and Printer Sharing (XP/2003) | Inbound | TCP | 445 | - |
| Remote Service Management (NP-In) | Inbound | TCP | 445 | - |
| Network Discovery (LLMNR-UDP-In) | Inbound | UDP | 5355 | Svchost.exe |

Deployment Workflow

There are three distinct phases to deployment: install task creation, execution, and then installation.

  1. The Protect Computers wizard will prompt for credentials that are used to authenticate on the remote computer (Administrator or equivalent access). These credentials need to be able to log onto the machine where the Sophos Management Service resides.
  2. The Sophos Management Service (mgntsvc.exe) then connects to the Microsoft Task Scheduler interface on the remote computer.
  3. If the requirements have been met, a task named Sophos_inst will be created with a command line that runs Setup.exe.
    NOTE: The location of the specific Setup.exe run can be located in the "Initial Install Source" tab of the AutoUpdate policy applied to the computer's group that is being protected. This path can also be referenced in Enterprise Console under "View" - "Bootstrap Locations...".
  4. The account specified in the Protect Computers wizard will be used to execute the task immediately.
  5. Sophos AutoUpdate is installed once Setup.exe has started. When that completes, it fetches the additional required packages by connecting to the Updating policy location.
    This will always include Sophos Anti-Virus and Sophos Remote Management.
    Optionally, Sophos Client Firewall, Sophos Compliance Agent or Sophos Patch Agent will be downloaded if selected during the Protect Computers wizard.
  6. Once all packages have been successfully downloaded, they will be installed in the following order:
    1. Sophos Remote Management System
    2. Sophos Anti-Virus
    3. (Optional) Sophos Client Firewall
    4. (Optional) Sophos Compliance Agent
    5. Sophos AutoUpdate
    6. (Optional) Sophos Patch Agent
  7. Should Setup.exe fail to execute successfully, its return code is reported to Enterprise Console as a failure to install.
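The workflow above and the firewall port table depend on name resolution in both directions, on TCP 445 reaching the endpoint (the named-pipe path used for Remote Registry and the Task Scheduler), and on the Sophos_inst task actually running. The script below is an added example, not a Sophos tool and not part of the article, intended to be run on the Enterprise Console server (PowerShell 2.0 or later) against one endpoint before and after protecting it. The endpoint name and the credential are supplied by the caller; the Test-TcpPort helper is written for this example; TCP 8194 is expected to be closed until Sophos Remote Management has been installed.

```powershell
param(
    [Parameter(Mandatory=$true)][string]$Endpoint,
    [System.Management.Automation.PSCredential]$Credential   # the account given to the Protect Computers wizard
)

# Plain TCP connect with a timeout; a refused or filtered port returns $false.
function Test-TcpPort {
    param([string]$Target, [int]$Port, [int]$TimeoutMs = 3000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($Target, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($async)   # throws if the connection was refused
        return $true
    } catch { return $false }
    finally { $client.Close() }
}

# Assumptions section: the server must resolve the endpoint and the reverse lookup must agree.
$addr = [System.Net.Dns]::GetHostAddresses($Endpoint) |
    Where-Object { $_.AddressFamily -eq 'InterNetwork' } | Select-Object -First 1
"Forward:  $Endpoint -> $addr"
$reverse = [System.Net.Dns]::GetHostEntry($addr).HostName
"Reverse:  $addr -> $reverse"
if ($reverse -notlike "$Endpoint*") { Write-Warning 'Reverse lookup does not match the endpoint name' }

# Port table: 445 carries the Remote Registry / Task Scheduler traffic; 8194 is Sophos RMS.
"TCP 445  (SMB/named pipes): " + $(if (Test-TcpPort $Endpoint 445) { 'open' }
    else { 'blocked - check the File and Printer Sharing / Remote Service Management rules' })
"TCP 8194 (Sophos RMS):      " + $(if (Test-TcpPort $Endpoint 8194) { 'open' }
    else { 'closed (expected until Sophos Remote Management is installed)' })

# Workflow step 3: read the Sophos_inst task back from the endpoint's scheduler. "Last Result"
# holds the Setup.exe exit code that the console reports as an installation failure.
$schArgs = @('/query', '/s', $Endpoint, '/tn', 'Sophos_inst', '/v', '/fo', 'LIST')
if ($Credential) {
    $schArgs += @('/u', $Credential.UserName, '/p', $Credential.GetNetworkCredential().Password)
}
& schtasks.exe @schArgs 2>&1 |
    Where-Object { $_ -match 'TaskName|Status|Last Run Time|Last Result|Task To Run|Run As User' }
```

Pass the credential with `-Credential (Get-Credential)` rather than typing it on the command line, because schtasks receives the password as a plain argument and it would otherwise remain in the shell history. A "cannot find the file specified" error from schtasks before deployment simply means the task has not been created yet; after a failed deployment, a non-zero Last Result alongside the Task To Run path points at the Setup.exe location that the AutoUpdate policy's "Initial Install Source" tab names.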

If you need more information or guidance, then please contact technical support.