On machines with the SafeGuard Device Encryption Client installed and Power-On Authentication (POA) activated, a Wake on LAN (WoL) reboot stops at the POA and does not continue booting into the operating system.
Known to apply to the following Sophos product(s) and version(s)
SafeGuard Management Center / Local Policy Editor
SafeGuard Device Encryption
What to do
The following changes need to be made in the SafeGuard Secure Wake on LAN policy to configure and set up SafeGuard Secure Wake on LAN:
1. SafeGuard Secure Wake on LAN (WOL) policy
The 'Secure Wake On LAN' policy enables the client to prepare for software roll-outs in which the necessary parameters (such as temporary deactivation of POA and a time interval for WOL) can be imported directly into, and analyzed by, the client. The roll-out team can design a scheduling script using the commands provided, to guarantee maximum client protection despite deactivated POA.
Please note: Deactivating the POA, even for a limited number of boot processes, reduces the level of security for your system.
Example: The software roll-out team notifies the SafeGuard Enterprise Security Officer (SO) about a planned roll-out on the 25th September 2010 between 03:00 and 06:00 am. 2 reboots are required.
The local software roll-out agent must be able to log on to Windows.
- The SO creates the following policy and assigns it to the corresponding clients:
  - Number of automatic logons (0 = no WOL): 5
  - Windows logon permitted during WOL: Yes
  - Start of time window for external WOL start: 24th Sept. 2010, 12:00
  - End of time window for external WOL start: 25th Sept. 2010, 06:00
- The SO provides a buffer of 3 for automatic logons.
The security officer sets the start of the time window to 12 o'clock midday on the day before the software roll-out, so that the scheduling script SGMCMDIntn.exe can be started promptly and WoL starts no later than the 25th September at 3:00 am.
- The software roll-out team produces 2 commands for the scheduling script:
  - Starting 24th Sept. 2010, 12:15 am
  - Starting 26th Sept. 2010, 09:00 am
The software roll-out script is dated 25.09.2010, 03:00. WOL can be explicitly deactivated again at the end of the script using
All clients that log in before the 24th of September 2010 and connect to the roll-out servers will receive the new policy and the scheduling commands.
Any client on which the schedule triggers the command SGMCMDIntn -WOLstart between 24th Sept. 2010, 12:00 midday and 25th Sept. 2010, 06:00 am falls within the WOL time interval, and therefore Wake on LAN will be activated.
2. Number of automatic logons (0 = no WOL)
This defines the number of reboots during which Power-on Authentication is switched off for WoL.
This setting temporarily overrides the “Enable Power-on Authentication” setting until the number of automatic logons reaches the preset value. Power-on Authentication is then reactivated. For example:
- The number of automatic logons is set to 2,
- “Enable Power-on Authentication” is switched on.
- The PC boots twice without authentication via POA.
Hint: For Wake On LAN, Sophos always recommends allowing three more reboots than necessary to overcome any unforeseen problems.
3. Windows logon allowed during WoL
This determines whether Windows logon is permitted during a Wake On LAN, e.g. for a software update. This setting is analyzed by the POA.
4. Start of time slot for external WoL start / End of time slot for external WoL start
The date and time for the start and end of the Wake On LAN (WOL) window can either be selected or entered manually.
Date format: MM/DD/YYYY
Time format: HH:MM
The following input combinations are possible:
- Defined start and end of WOL.
- End of WOL is defined, start is open.
- No entries: no time interval has been set for the client.
In the event of a planned software roll-out, the SO should set the time frame for the WOL so that the scheduling script can be started early enough to allow all clients sufficient time for booting.
WOL start: The starting point for the WOL in the scheduling script must be within the time interval set in the policy. If no interval is defined, WOL is not locally activated on the SGN Client.
WOL stop: This command is carried out irrespective of the end of the time window set for the WOL.
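The rules in sections 2 and 4 (automatic-logon counter, the three possible time-window configurations, and the requirement that the script's WOL start fall inside the policy window) are easy to get wrong when planning a roll-out. The following Python model is an added illustration, not SafeGuard code: the real evaluation happens in the SGN client and the POA, and the class and function names (`SecureWolPolicy`, `wol_activated`, `simulate_boots`, `recommended_logons`) are assumptions chosen for this example. It lets an SO sanity-check a planned schedule against a policy before assigning it, using the date/time format the policy editor uses and the values from the roll-out example above.

```python
"""Model of the SafeGuard Secure Wake on LAN policy rules described above.
Added illustration only, not product code; names below are assumptions."""
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional

# Date and time format used by the policy editor, per the page: MM/DD/YYYY HH:MM
POLICY_FORMAT = "%m/%d/%Y %H:%M"


def parse_policy_time(value: Optional[str]) -> Optional[datetime]:
    """Parse a policy date/time field; an empty field means 'open' / 'no entry'."""
    if value is None or not value.strip():
        return None
    return datetime.strptime(value.strip(), POLICY_FORMAT)


@dataclass
class SecureWolPolicy:
    automatic_logons: int               # "Number of automatic logons (0 = no WOL)"
    windows_logon_allowed: bool         # "Windows logon allowed during WoL"
    window_start: Optional[str] = None  # "Start of time slot for external WoL start"
    window_end: Optional[str] = None    # "End of time slot for external WoL start"

    def wol_activated(self, script_start: str) -> bool:
        """Would an SGMCMDIntn -WOLstart issued at script_start activate WOL?
        Rules taken from the page: 0 logons means no WOL; with no interval
        defined WOL is not activated locally; the start may be open but the
        end must be defined; the script's start must lie inside the window.
        Treating the end as inclusive is an assumption of this model."""
        if self.automatic_logons <= 0:
            return False
        end = parse_policy_time(self.window_end)
        if end is None:
            return False  # "No entries": no time interval set for the client
        when = parse_policy_time(script_start)
        if when is None:
            raise ValueError("script start time is required")
        start = parse_policy_time(self.window_start)
        if start is not None and when < start:
            return False
        return when <= end


def recommended_logons(required_reboots: int, buffer: int = 3) -> int:
    """Sophos' hint: allow three more reboots than the roll-out needs."""
    return required_reboots + buffer


def simulate_boots(policy: SecureWolPolicy, script_start: str, boots: int) -> List[str]:
    """Per boot, report whether POA was bypassed ("auto-logon") or enforced ("POA").
    The counter is armed only if WOL was actually activated; once it reaches
    zero, "Enable Power-on Authentication" is back in force."""
    remaining = policy.automatic_logons if policy.wol_activated(script_start) else 0
    outcome = []
    for _ in range(boots):
        if remaining > 0:
            outcome.append("auto-logon")
            remaining -= 1
        else:
            outcome.append("POA")
    return outcome


def example_policy() -> SecureWolPolicy:
    """The policy from the roll-out example on the page (values copied, not invented)."""
    return SecureWolPolicy(
        automatic_logons=recommended_logons(2),  # 2 reboots + buffer of 3 = 5
        windows_logon_allowed=True,
        window_start="09/24/2010 12:00",
        window_end="09/25/2010 06:00",
    )


if __name__ == "__main__":
    policy = example_policy()
    for when in ("09/25/2010 03:00", "09/26/2010 09:00"):
        state = "WOL active" if policy.wol_activated(when) else "stays at POA"
        print(when, "->", state)
    print(simulate_boots(policy, "09/25/2010 03:00", 7))
```

Running the block shows the roll-out start of 25.09.2010 03:00 inside the window and the 26th September start outside it, and a seven-boot sequence in which the first five boots skip the POA and the remaining two are challenged again, which is the behaviour described under "Number of automatic logons".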