Enterprise Console: how to install a remote Enterprise Console
You would like to install a Remote Enterprise Console in order to manage the network without having to log on to the main server.
Sophos product and version
Enterprise Console 4.5.0
Enterprise Console 4.7.0
What to do
- On the management server (on which you installed the main Enterprise Console), ensure that the account you will use to run the remote console is a member of the following groups:
  - Sophos Console Administrators
  - Distributed COM Users
  - Sophos DB Users (to enable a non-administrator to run reports from the Sophos Console; in a distributed installation, this group will exist on the SQL server)
- At the computer on which you will install the remote console, log off and log back on using the user account that you checked in step 1.
- Download the Enterprise Console installation file.
- Click 'Install' to extract the files.
- On the 'Setup type' installation screen, select 'Custom' install.
- On the next screen, select only 'Management Console'.
- When prompted, enter the name or IP address of your Enterprise Console server.
- Complete the installation.
If the Sophos Management server is running on a Windows 2008 server, or on a server with a firewall blocking inbound connections, you may have to add a firewall rule to allow DCOM communication from the remote console to the management server. Instructions on how to add an inbound DCOM rule to the Windows 2008 firewall are below.
On the Windows 2008 server that you wish to allow DCOM connections to:
- Open the Windows Firewall with Advanced Security application from Administrative Tools
- Select the Inbound Rules node in the tree view, right-click it and select New Rule from the context menu
- When the New Inbound Rule Wizard opens, select the Rule Type page
- Select Custom and click the Next button
- On the Program page, select All Programs and click Customize
- On the resulting Customize Service Settings dialogue, make sure that Apply to all programs and services is selected and click the OK button
- Back on the Program page, click the Next button
- On the Protocol and Ports page, select TCP for the Protocol Type
- Select Dynamic RPC for the Local Port (DCOM uses the Dynamic RPC ports)
- Select All Ports for the Remote Port and click the Next button
- On the Scope page, select Any IP Address for the Local IP Address
- For the Remote IP Address, enter the IP address (recommended if only one machine is going to connect via DCOM) or the subnet or IP address range (recommended if you have a number of machines that will connect via DCOM) of the machine(s) to allow access from, or select Any IP Address (recommended if you don't care which machines connect via DCOM), and click the Next button
- On the Action page, select Allow the connection and click the Next button
- On the Profile page, select only the Domain option and click the Next button
- On the Name page, name your rule and click the Finish button
- If the rule shows as disabled, enable it
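The same inbound rule can be created from an elevated PowerShell prompt with `netsh advfirewall`. This is an added example, not Sophos code: the rule name and the address 192.0.2.25 are assumed placeholder values, and the script deliberately insists on an explicit remote scope rather than Any IP Address.

```powershell
# Added example, not Sophos code. Run elevated on the management server.
param(
    # Constructed sample value: replace with the remote console's address, subnet or range.
    [string[]]$RemoteConsole = @('192.0.2.25'),
    # Hypothetical rule name chosen for this example.
    [string]$RuleName = 'Sophos Remote Console DCOM'
)

# Require an explicit scope so the Dynamic RPC ports are opened only to known console machines.
$scope = @($RemoteConsole | Where-Object { $_ -and $_.Trim() })
if ($scope.Count -eq 0 -or ($scope -contains 'any')) {
    throw 'Give the address, subnet or range of the remote console machine(s); "any" is refused by this example.'
}
$remoteIp = [string]::Join(',', $scope)

# Do not create a duplicate if a rule with this name already exists.
netsh advfirewall firewall show rule "name=$RuleName" | Out-Null
if ($LASTEXITCODE -eq 0) {
    Write-Warning "A rule named '$RuleName' already exists; review it instead of adding another."
} else {
    # Mirrors the wizard: TCP, local port Dynamic RPC, all remote ports,
    # any local address, scoped remote address, Allow, Domain profile only.
    netsh advfirewall firewall add rule "name=$RuleName" dir=in action=allow `
        protocol=TCP localport=RPC remoteport=any localip=any "remoteip=$remoteIp" `
        profile=domain enable=yes
    if ($LASTEXITCODE -ne 0) {
        throw "netsh failed to add the rule (exit code $LASTEXITCODE)."
    }
}

# Print the stored rule so its scope, profile and port type can be checked against the steps above.
netsh advfirewall firewall show rule "name=$RuleName" verbose
```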
If you need more information or guidance, then please contact technical support.
- Article ID: 49028
- Created: 19 Nov 2008
- Last updated: 2 Feb 2012


