Endpoint Security and Control Sophos NAC: Administrator roll-out guidelines

Sophos NAC provides easy-to-deploy network access control (NAC). It allows administrators to centrally manage security policies that identify and isolate non-compliant, compromised, or misconfigured computers accessing the corporate network. It integrates with existing network infrastructure and with security applications from a wide range of vendors. These guidelines cover the steps necessary to deploy Sophos NAC as part of Endpoint Security and Control. You are strongly encouraged to follow them. They complement the following documentation and are not a replacement for it.

  • Sophos Endpoint Security and Control startup guide
  • Sophos NAC Installation Guide
  • Sophos NAC Manager Guide
  • Sophos NAC Troubleshooting Guide

Contents

  1. System requirements
  2. Installing Sophos NAC
  3. Accessing the NAC Manager
  4. Pre-defined NAC policies and policy customization
  5. Sophos Enterprise Console configuration
  6. Sophos NAC Agent deployment
  7. Phased deployment of network access control
  8. Troubleshooting

1. System requirements

NAC Server

  • 800 MHz or faster Pentium 4, 1 CPU, for typical installations
  • 2 GHz or faster Xeon, 2 CPUs, for larger installations
  • 2 GB RAM
  • Windows 2003 Server (base or higher) or Windows 2003 R2 Server (base or higher)
  • Internet access (Sophos NAC retrieves the current anti-virus and anti-spyware signature dates online)
  • 3.1 GB of free disk space if .NET 2.0 is already installed, 3.5 GB if the installer must also install .NET 2.0
  • TCP/IP protocol
  • Ethernet adaptor for a wired broadband connection, or 802.11 wireless adaptor for a wireless broadband connection

Databases

The computer where you place the NAC databases (which may be the same computer or a different one) also needs:

  • Windows 2003 Server (base or higher) or Windows 2003 R2 Server (base or higher) if the databases are installed on the same server as the NAC application. If they are installed on a separate server, Windows 2000 Server with SP3 or later is also supported.
  • SQL Server 2000 Desktop Engine (MSDE) with SP3a, or Microsoft SQL Server

If you use MSDE, the maximum size a database can reach is 2 GB. If you use Microsoft SQL Server, there is no limit apart from any set by the administrator.
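A pre-flight check against these requirements, written for this page as an added example (it is not a Sophos tool). The thresholds are the ones listed above; the HostFacts record, the role names, the large_site switch and the FAIL/WARN wording are this example's own, and collecting the facts from a live host is left to the administrator:

```python
"""Pre-flight check of a candidate server against the Sophos NAC requirements.
Added example, not Sophos tooling: thresholds come from the requirements list,
everything else (record layout, role names, wording) is an assumption."""
from dataclasses import dataclass

GB = 1024 ** 3
APP_SERVER_OS = ("Windows Server 2003", "Windows Server 2003 R2")


@dataclass
class HostFacts:
    role: str              # "application", "database", or "both" for a single-server install
    os_name: str           # e.g. "Windows Server 2003 R2" or "Windows 2000 Server"
    service_pack: int      # installed service pack level, 0 if none
    cpu_count: int
    cpu_mhz: int
    ram_bytes: int
    free_disk_bytes: int
    dotnet20_installed: bool
    internet_access: bool
    db_engine: str = ""    # "MSDE" or "SQL Server"; only relevant for database hosts


def check_host(f: HostFacts, large_site: bool = False) -> list:
    """Return findings as 'FAIL: ...' / 'WARN: ...' strings; an empty list is a clean pass.
    large_site selects the 2 x 2 GHz Xeon sizing instead of the single 800 MHz Pentium 4."""
    findings = []
    app_os_ok = f.os_name in APP_SERVER_OS

    if f.role in ("application", "both"):
        if not app_os_ok:
            findings.append(f"FAIL: NAC application needs Windows Server 2003 (base or R2); found {f.os_name}")
        min_cpus, min_mhz = (2, 2000) if large_site else (1, 800)
        if f.cpu_count < min_cpus or f.cpu_mhz < min_mhz:
            findings.append(f"FAIL: need {min_cpus} CPU(s) at {min_mhz} MHz or faster; "
                            f"found {f.cpu_count} at {f.cpu_mhz} MHz")
        if f.ram_bytes < 2 * GB:
            findings.append("FAIL: need 2 GB RAM")
        # The installer adds .NET 2.0 itself when it is missing, which needs another 0.4 GB of disk.
        needed = 3.1 * GB if f.dotnet20_installed else 3.5 * GB
        if f.free_disk_bytes < needed:
            findings.append(f"FAIL: need {needed / GB:.1f} GB free disk"
                            f" (.NET 2.0 {'present' if f.dotnet20_installed else 'absent'})")
        if not f.internet_access:
            findings.append("FAIL: NAC application needs Internet access to fetch current signature dates")

    if f.role == "database":
        # A separate database server may also run Windows 2000 Server with SP3 or later.
        w2k_ok = f.os_name == "Windows 2000 Server" and f.service_pack >= 3
        if not (app_os_ok or w2k_ok):
            findings.append(f"FAIL: database server needs Windows Server 2003 or Windows 2000 Server SP3+; "
                            f"found {f.os_name} SP{f.service_pack}")

    if f.role in ("database", "both") and f.db_engine.upper() == "MSDE":
        findings.append("WARN: MSDE caps each database at 2 GB; use Microsoft SQL Server "
                        "if the NAC databases may grow past that")
    return findings


def passes(findings: list) -> bool:
    """True when no finding is a hard failure (warnings are allowed)."""
    return not any(x.startswith("FAIL:") for x in findings)


def recommended_layout(endpoint_count: int) -> str:
    """Up to 1,000 endpoints NAC may share a server with Enterprise Console; beyond that
    the NAC application, the NAC databases and Enterprise Console each get their own."""
    return "single server" if endpoint_count <= 1000 else "three servers"


if __name__ == "__main__":
    # Constructed sample host: single-server candidate that is short on disk because .NET 2.0 is missing.
    candidate = HostFacts(role="both", os_name="Windows Server 2003", service_pack=2, cpu_count=1,
                          cpu_mhz=2400, ram_bytes=2 * GB, free_disk_bytes=int(3.2 * GB),
                          dotnet20_installed=False, internet_access=True, db_engine="MSDE")
    for line in check_host(candidate):
        print(line)
    print("passes:", passes(check_host(candidate)), "| layout for 800 endpoints:", recommended_layout(800))
```

The sample host illustrates the one non-obvious rule in the list: 3.2 GB free passes when .NET 2.0 is already present and fails when the installer has to add it.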

2. Installing Sophos NAC

You can install Sophos NAC as a single server or multiple server installation.

For installations of 1,000 endpoints or fewer, Sophos NAC can be installed on the same server as Sophos Enterprise Console. This implementation requires one server running Windows 2003 Server. For larger installations, the Sophos NAC application, the Sophos NAC databases, and Sophos Enterprise Console each require their own server, for a total of three servers. The Sophos NAC application requires Windows 2003 Server; the Sophos NAC databases require Windows 2003 Server or Windows 2000 Server with SP3.

1. Run the SophosNACSetup.exe file to install Sophos NAC.

When you install Sophos NAC on a single server, the installer installs the Sophos NAC databases first and the application second. The installation must be run from an account with local administrator privileges.

Important: If your server reaches the Internet through a proxy server, you must run the NAC Proxy Setup tool after you install Sophos NAC. This tool configures Sophos NAC to use the proxy when it retrieves the latest signature dates for the anti-virus and anti-spyware applications it checks.

Note: The Sophos Enterprise Console installation attempts to pre-populate the NAC URL with the correct server address. If successful, the NAC Manager opens when you click the NAC toolbar icon in Sophos Enterprise Console. If not successful, you are prompted to type the correct server address when you click the NAC toolbar icon. The Agent uses the NAC URL to communicate with the NAC server. For more information, see the Sophos Endpoint Security and Control network startup guide.

2. Run the Sophos NAC Web Agent.msi file to install the Web Agent.

For guest and other unmanaged users, you must also install the Web Agent. The Web Agent may be installed on the server where you installed Sophos NAC or on another Web server. The Web Agent uses the Unmanaged policy to enforce compliance and grant guest users appropriate network access. Once the Web Agent is installed, users can reach it at http://<ip address/DNS name>/webagent if you installed the Web Agent to the default directory, where the IP address or DNS name is that of the Web server where you installed the Web Agent.

For more information, see the Sophos NAC Installation Guide.

3. Accessing the NAC Manager

The NAC Manager provides a centralized location for policy definition and endpoint compliance reporting. It installs under the Default Web Site in the following location: <LocalDrive>\Inetpub\wwwroot\SophosNAC, unless you changed the location during installation.

Since you have installed Sophos NAC as part of Sophos Endpoint Security and Control, you can access the NAC Manager from Sophos Enterprise Console. For more information, see the Sophos Endpoint Security and Control network startup guide.

OR

Access the NAC Manager directly using the following steps:

1. Open Internet Explorer.

2. Type the following address: http://<ip address/DNS of the Sophos NAC server>/SophosNAC. The NAC Manager Logon page appears.

3. Type Admin in the Account Name field and a password of your choice in the Password field.

4. Click OK.

Important: For the NAC Manager to display and save information and to display graphics correctly, you must:

  • Add the NAC Manager as a trusted site in Internet Explorer 6.x. This setting is not needed in Internet Explorer 7.x.
  • Turn off the pop-up blocker when you access the NAC Manager.

4. Pre-defined NAC policies and policy customization

Using the NAC Manager, you can update the pre-defined policies, profiles, and access templates as appropriate. Policies control access to enterprise network resources based on profile evaluations on the endpoint. Policies manage the configuration that determines the endpoint compliance state, messages that display, remediation actions that are performed, and enforcement actions that are taken.

Use Pre-defined Policies

Use the pre-defined policies to enforce security compliance for both managed and unmanaged endpoints. The pre-defined policies include Default, Managed, and Unmanaged. During the endpoint compliance assessment, the Agent retrieves the policy associated with the endpoint's group in Sophos Enterprise Console. For more information, see step 5: Sophos Enterprise Console configuration.

  • Default: This policy is assigned if an endpoint has the Agent installed and no other policy has been assigned. By default, the policy mode is set to Report Only. This policy performs remediation actions on the endpoint if the policy mode is set to Remediate or Enforce.
  • Managed: This policy can be used for endpoints that are managed with Sophos Enterprise Console and have an Agent installed. By default, the policy mode is set to Report Only. This policy performs remediation actions on the endpoint if the policy mode is set to Remediate or Enforce.
  • Unmanaged: This policy can be used for endpoints that are not managed with Sophos Enterprise Console and do not have an Agent installed. This policy does not perform remediation actions on the endpoint. The Web Agent uses the Unmanaged policy.

Customize Pre-defined Policies

Ensure that the correct enterprise profiles, messaging, and enforcement are applied to the Managed and Unmanaged policies in the NAC Manager:

1. Verify Agent settings.

2. Ensure that the correct profiles are added to the appropriate policies. You can create production-ready profiles or update the profiles that are pre-defined by the software so they are production-ready.

Note: Production-ready profiles should contain the operating systems and applications, as well as the required messaging and remediation actions.

3. Ensure that the correct access templates are added to the appropriate policies. You can create new production-ready access templates as necessary.

4. Ensure that the policy mode is set to Report Only.

Once you deploy the Agent and start reporting on endpoint compliance, ensure that for each profile, the conditions were evaluated, accurate compliance states were applied, appropriate messaging displayed, and remediation actions were performed. View the Assessment Details page in the NAC Manager reports for compliance assessment details regarding each profile and its capabilities.

Once you start enforcing endpoint compliance, ensure that for each access template, the correct enforcement actions were performed for the access states or exemptions to which they were applied. View the Agent Enforcer report in the NAC Manager to view which access template was applied on the endpoint, the reason the access template was applied, and details about the enforcement action.

For more information on updating pre-defined policies in the NAC Manager, see the Sophos NAC Manager Guide.

5. Sophos Enterprise Console configuration

NAC URL Server Address

Ensure that the NAC URL server address is configured correctly.

Note: The Sophos Enterprise Console installation attempts to pre-populate the NAC URL with the correct server address. If successful, the NAC Manager opens when you click the NAC toolbar icon in Sophos Enterprise Console. If not successful, you are prompted to type the correct server address when you click the NAC toolbar icon. The Agent uses the NAC URL to communicate with the NAC server. For more information, see the Sophos Endpoint Security and Control network startup guide.

Sophos Enterprise Console Group and Policy Assignment

Once you have installed Sophos NAC as part of Sophos Enterprise Console, you must use Sophos Enterprise Console to create or import groups and apply NAC policies to groups. For more information, see the Sophos Endpoint Security and Control network startup guide.

Note: Install Sophos Anti-Virus and Client Firewall prior to enabling enforcement in Sophos NAC. Sophos NAC defaults to Report Only. For more information, see step 7: Phased deployment of network access control.

6. Sophos NAC Agent deployment

Once you have used Sophos Enterprise Console to create or import groups and apply NAC policies to groups, you can deploy Sophos NAC Agents to endpoints using the Protect computers wizard. For more information, see the Sophos Endpoint Security and Control network startup guide.

NAC URL: This URL is the IP address or DNS name of the Sophos NAC server. If Sophos NAC was installed on more than one server, this URL is the IP address or DNS name of the application server and not the database server. Guest and other unmanaged users can access the Web Agent using the following URL: http://<ip address/DNS name>/webagent if you install the Web Agent to the default directory. The IP address or DNS name is the Web server where you installed the Web Agent.

7. Phased deployment of network access control

Use a phased deployment to roll out Sophos NAC. Change the policy mode of your policies from Report Only to Remediate, and only then to Enforce, so that no endpoint is restricted before the policy has been validated against real assessment data.

Report-only policy

Implement report-only policy. Sophos recommends that you do not remediate or enforce policy across your entire network until your policy configuration has been thoroughly checked and tested.

1. Assess enterprise compliance using Report Only policy mode. The Managed policy defaults to Report Only policy mode.

2. Use the reports in the NAC Manager to determine the current enterprise compliance state.

Note: The reports provide a realistic view of how compliant users are with the enterprise security policy.

Remediation policy

Implement remediation policy.

1. Update the Managed policy. Change the policy mode from Report Only to Remediate.

2. Use the reports in the NAC Manager to determine the current enterprise compliance state.

Note: Over time, endpoints that are non-compliant and partially-compliant should remediate to improve the overall compliance state.

Enforcement policy

Implement enforcement policy. Once you enforce policy, all non-compliant endpoints are quarantined, with Internet access only, until they become compliant.

1. Update the Managed policy. Change the policy mode from Remediate to Enforce.

2. Use the reports in the NAC Manager to determine the current enterprise compliance state.

Note: Over time, endpoints that are non-compliant or partially-compliant must remediate or those users are denied access to network resources. Review the NAC Manager reports to determine the current enterprise compliance state.
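The following Python model, added here as an illustration and not Sophos code, ties the policy concepts of step 4 (profiles, compliance states, messaging, remediation actions, access templates, exemptions) to the three policy modes of this step by running one endpoint through Report Only, Remediate and Enforce in turn. The profile conditions, remediation steps, access-template actions, the exemption list and the rule that derives the compliance state (a failed required profile is non-compliant, a failed optional one is partially compliant) are assumptions chosen for the example:

```python
"""Model of how a NAC policy's mode (Report Only, Remediate, Enforce) changes what the
Agent does with one endpoint. Added example, not Sophos code: profile checks, remediation
steps, access-template actions and the compliance-state rule are assumptions."""
from dataclasses import dataclass, field
from enum import Enum
from typing import Callable, Optional


class Mode(Enum):
    REPORT_ONLY = "Report Only"
    REMEDIATE = "Remediate"
    ENFORCE = "Enforce"


class State(Enum):
    COMPLIANT = "compliant"
    PARTIAL = "partially compliant"
    NON_COMPLIANT = "non-compliant"


@dataclass
class Profile:
    name: str
    check: Callable[[dict], bool]                 # condition evaluated against endpoint facts
    remediate: Optional[Callable[[dict], None]]   # None: the Agent can only report the failure
    required: bool = True    # assumption: failed required -> non-compliant, failed optional -> partial
    message: str = ""        # text shown to the user when the profile fails


@dataclass
class Policy:
    name: str
    mode: Mode
    profiles: list
    access_templates: dict         # State -> enforcement action, applied only in Enforce mode
    remediates: bool = True        # the Unmanaged (Web Agent) policy never remediates
    exemptions: set = field(default_factory=set)   # endpoint ids exempt from enforcement


def assess(endpoint: dict, profiles: list):
    """Evaluate every profile; return (compliance state, failed profiles)."""
    failed = [p for p in profiles if not p.check(endpoint)]
    if not failed:
        return State.COMPLIANT, failed
    if any(p.required for p in failed):
        return State.NON_COMPLIANT, failed
    return State.PARTIAL, failed


def apply_policy(policy: Policy, endpoint: dict) -> dict:
    """One compliance assessment; the returned dict holds what the Assessment Details
    and Agent Enforcer reports would show for this endpoint."""
    state, failed = assess(endpoint, policy.profiles)
    report = {"endpoint": endpoint["id"], "policy": policy.name, "mode": policy.mode.value,
              "initial_state": state.value, "messages": [p.message for p in failed], "remediated": []}
    if policy.mode is not Mode.REPORT_ONLY and policy.remediates:
        for p in failed:
            if p.remediate is not None:
                p.remediate(endpoint)
                report["remediated"].append(p.name)
        state, failed = assess(endpoint, policy.profiles)   # re-evaluate after remediation
    report["final_state"] = state.value
    if policy.mode is not Mode.ENFORCE:
        action, reason = "full access", "mode %s does not enforce" % policy.mode.value
    elif endpoint["id"] in policy.exemptions:
        action, reason = "full access", "exemption"
    else:
        action, reason = policy.access_templates[state], state.value
    report.update(enforcement=action, reason=reason)
    return report


# Constructed profiles and access templates for the Managed policy (illustrative values).
def _update_signatures(ep): ep["av_signature_age_days"] = 0
def _enable_firewall(ep): ep["firewall_enabled"] = True

MANAGED_PROFILES = [
    Profile("Sophos Anti-Virus installed", lambda e: e["av_installed"], None,
            message="Sophos Anti-Virus is not installed; contact the help desk."),
    Profile("Anti-virus signatures under 7 days old", lambda e: e["av_signature_age_days"] <= 7,
            _update_signatures, message="Anti-virus signatures are out of date; updating now."),
    Profile("Client Firewall enabled", lambda e: e["firewall_enabled"], _enable_firewall,
            required=False, message="Client Firewall is disabled; enabling it."),
]
ACCESS_TEMPLATES = {   # the guide only states that non-compliant endpoints are quarantined with Internet access
    State.COMPLIANT: "full access",
    State.PARTIAL: "quarantine VLAN, Internet and remediation servers only",
    State.NON_COMPLIANT: "quarantine VLAN, Internet access only",
}


def managed_policy(mode: Mode) -> Policy:
    return Policy("Managed", mode, MANAGED_PROFILES, ACCESS_TEMPLATES, exemptions={"exec-laptop-01"})


def unmanaged_policy() -> Policy:
    # Guests assessed by the Web Agent: only the installed-AV condition, never remediated.
    return Policy("Unmanaged", Mode.ENFORCE, MANAGED_PROFILES[:1], ACCESS_TEMPLATES, remediates=False)


def phased_rollout(endpoint: dict) -> list:
    """Run the same starting endpoint through the three modes in roll-out order; each run
    starts from a copy so remediation in one phase does not leak into the next."""
    return [apply_policy(managed_policy(m), dict(endpoint)) for m in Mode]


if __name__ == "__main__":
    # Constructed endpoint: anti-virus present, signatures 12 days old, firewall off.
    for r in phased_rollout({"id": "ws-017", "av_installed": True, "av_signature_age_days": 12,
                             "firewall_enabled": False}):
        print(r["mode"], "|", r["initial_state"], "->", r["final_state"], "|", r["remediated"], "|", r["enforcement"])
```

Running it shows why the phases are ordered as they are: Report Only and Remediate never restrict access, so a profile that is wrong or a remediation that does not work is visible in the report rows without locking anyone out, whereas in Enforce an endpoint whose failed profile has no remediation (here, anti-virus not installed) goes straight to quarantine unless it is exempt.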

If you need more information or guidance, then please contact technical support.

8. Troubleshooting

For information on troubleshooting issues, see the Sophos NAC Troubleshooting Guide.
