Location Roaming is a method of intelligent updating for roaming laptops where updates are performed from a "best" update location and updating does not rely solely on the primary and secondary update locations specified in the laptops' updating policy.
This article answers some of the frequently asked questions regarding location roaming.
First seen in
Sophos Endpoint Security and Control 9.7
What is location roaming?
Some laptop users may roam extensively or internationally within an organization. When location roaming is enabled (on an updating policy for roaming laptops), roaming laptops attempt to locate and update from the nearest update server location by querying other (fixed) endpoints on the local network they are connected to, minimizing update delays and bandwidth costs.
A roaming laptop gets update server locations and credentials by querying fixed computers on the same local network. If multiple locations are returned, the laptop determines which is nearest and uses that. If none work, the laptop uses the primary (then secondary) location(s) defined in its updating policy.
How does location roaming work?
When location roaming is enabled, the following happens:
- When a laptop changes its location, the Sophos AutoUpdate component of Endpoint Security and Control installed on the laptop detects that the MAC address of the default gateway on the connected network has changed since the last update. It then sends a UDP broadcast over the local subnet to neighboring AutoUpdate installations, to port 51235 by default. (The probe is a UDP datagram, not ICMP; ICMP has no port numbers.)
- The neighboring AutoUpdate installations reply with their updating policy, using the same port. Only the primary update location is sent in the response.
All Endpoint Security and Control 9.7 or later installations listen for these broadcasts, whether or not location roaming is enabled in their own updating policy.
Sensitive information in the replies (such as update credentials) is obfuscated, and the fields are hashed so that the receiving laptop can check their integrity; the details are given under the security measures question below.
Replies are sent after a randomized delay to avoid message storms. Because the replies are themselves UDP broadcasts, any other machine that would have answered with the same details also receives them and knows not to respond.
- AutoUpdate chooses the "best" location from the locations received and checks whether the sender is managed by the same Enterprise Console and the subscription ID matches the one used by AutoUpdate on the laptop.
The "best" update location is the one that requires the fewest network hops to reach.
- An update is then attempted and, if successful, the location is cached.
A maximum of four accessible update locations with the same subscription ID and the lowest hop count are stored on the laptop (in the file iustatus.xml in the following location: C:\Program Files\Sophos\AutoUpdate\data\status\iustatus.xml).
These update locations are checked every time AutoUpdate performs an update.
Note: If you need to revert to using the primary and secondary update locations specified in the updating policy (for example, if you wish to roll out customizations from the update location specified in the policy), you will need to disable location roaming.
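As an added illustration (not Sophos code, and not the real wire format, which this page does not publish), the following Python models the exchange described in this section: the gateway MAC change that triggers the probe, the broadcast reply phase with duplicate suppression, the Console and subscription checks, hop-count ranking and the four-entry cache that stands in for iustatus.xml. The reply digest follows the description under the security measures question further down (SHA1 over the concatenated fields plus the subscription ID). The field order, the `|` separator, the hostnames, the MAC addresses and the `<obscured>` placeholder for the obfuscated password are all assumptions made for the example.

```python
"""Model of the location-roaming exchange described above (added illustration,
not Sophos code). The real UDP payload on port 51235, the field order fed to
the SHA1 and the obfuscation scheme are not published here: all are assumed."""
import hashlib
import random
from dataclasses import dataclass

MAX_CACHED_LOCATIONS = 4   # article: at most four locations are cached on the laptop

def integrity_hash(fields, subscription_id):
    """SHA1 over the concatenated fields plus the policy's subscription ID
    (as the article describes); the '|' separator is an assumption."""
    return hashlib.sha1("|".join([*fields, subscription_id]).encode()).hexdigest()

def gateway_changed(last_gateway_mac, current_gateway_mac):
    """AutoUpdate only probes when the default gateway's MAC differs from the
    one seen at the last update (hence re-probing on a flapping Wi-Fi link)."""
    return last_gateway_mac is None or last_gateway_mac.lower() != current_gateway_mac.lower()

@dataclass(frozen=True)
class Reply:
    console_id: str         # Enterprise Console that manages the sender
    primary_location: str   # only the policy's primary location is ever sent
    obscured_password: str  # obfuscated, not encrypted; treated as opaque here
    digest: str

    def verify(self, subscription_id):
        """Recompute with the laptop's own subscription ID; other subscription or tampering fails."""
        fields = (self.console_id, self.primary_location, self.obscured_password)
        return self.digest == integrity_hash(fields, subscription_id)

@dataclass(frozen=True)
class FixedEndpoint:
    console_id: str
    subscription_id: str
    primary_location: str
    obscured_password: str
    roaming_enabled: bool = False   # irrelevant to replying: listeners always answer

    def reply(self):
        fields = (self.console_id, self.primary_location, self.obscured_password)
        return Reply(*fields, integrity_hash(fields, self.subscription_id))

def collect_replies(endpoints, rng):
    """Reply phase on UDP 51235: each endpoint waits a random time and, since replies
    are broadcast too, stays silent if identical details have already gone out."""
    replies, already_sent = [], set()
    for ep in sorted(endpoints, key=lambda _: rng.random()):   # random order = random delay
        details = (ep.console_id, ep.subscription_id, ep.primary_location)
        if details not in already_sent:
            already_sent.add(details)
            replies.append(ep.reply())
    return replies

class RoamingLaptop:
    def __init__(self, console_id, subscription_id, primary, secondary):
        self.console_id, self.subscription_id = console_id, subscription_id
        self.primary, self.secondary = primary, secondary
        self.cached = []    # stand-in for the locations kept in iustatus.xml

    def choose_locations(self, replies, hops_to, reachable):
        """Keep replies from our own Console whose digest verifies under our subscription
        ID, rank by hop count, drop locations whose update attempt fails, cache at most four."""
        candidates = {r.primary_location for r in replies
                      if r.console_id == self.console_id and r.verify(self.subscription_id)}
        ranked = sorted(candidates, key=hops_to)
        self.cached = [loc for loc in ranked if reachable(loc)][:MAX_CACHED_LOCATIONS]
        return self.cached

    def update_order(self):
        """Cached roaming locations first; the policy's primary and secondary remain the fallback."""
        return self.cached + [self.primary, self.secondary]

def demo():
    """Constructed scenario: an HQ-managed laptop appears on a branch office subnet."""
    laptop = RoamingLaptop("SEC-HQ", "SUB-RECOMMENDED",
                           r"\\hq-fs01\SophosUpdate", r"\\hq-fs02\SophosUpdate")
    pw, same = "<obscured>", ("SEC-HQ", "SUB-RECOMMENDED")
    neighbours = [
        FixedEndpoint(*same, r"\\branch-fs01\SophosUpdate", pw),
        FixedEndpoint(*same, r"\\branch-fs01\SophosUpdate", pw),            # duplicate details
        FixedEndpoint(*same, r"\\dc-fs02\SophosUpdate", pw, True),          # own IU flag on: still answers
        FixedEndpoint(*same, r"\\old-fs\SophosUpdate", pw),                 # share is offline
        FixedEndpoint("SEC-HQ", "SUB-PREVIEW", r"\\lab-fs\SophosUpdate", pw),        # other subscription
        FixedEndpoint("SEC-PARTNER", "SUB-RECOMMENDED", r"\\partner-fs\SophosUpdate", pw),  # other Console
    ]
    hops = {r"\\branch-fs01\SophosUpdate": 1, r"\\old-fs\SophosUpdate": 1, r"\\dc-fs02\SophosUpdate": 4,
            r"\\lab-fs\SophosUpdate": 2, r"\\partner-fs\SophosUpdate": 1}
    replies = []
    if gateway_changed("00:11:22:33:44:55", "AA:BB:CC:DD:EE:FF"):   # the laptop has moved
        replies = collect_replies(neighbours, random.Random(7))
        laptop.choose_locations(replies, hops.__getitem__, lambda loc: loc != r"\\old-fs\SophosUpdate")
    return len(replies), laptop.cached, laptop.update_order()

if __name__ == "__main__":
    print(demo())
```

Running `demo()` yields five replies from six neighbours (the two endpoints holding identical details produce a single reply, and the endpoint with its own IU flag switched on still answers), a cache holding the branch and data-centre locations in hop order with the offline share dropped after its failed update attempt, and an update order that falls back to the policy's primary and secondary locations. The lab endpoint's reply fails the digest check because it was built under a different subscription ID, and the partner-managed endpoint is rejected on the Console check; both outcomes follow directly from the checks the article lists.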
Which endpoints can use location roaming?
This functionality applies only to endpoints managed by the same Console and updating from locations within the same subscription policy. An updating policy can be made to use location roaming only if a primary update location is specified in the Console. This avoids a group of endpoints having location roaming switched on while having no update location to reply with.
Will a fixed endpoint respond with its primary, secondary, or last successful location? What if the primary location was not available at the time of the last check?
The fixed endpoint always replies with its primary policy update location.
Will endpoints be deployed from the Console (or third party tools) with port 51235 listening?
Yes. Port 51235 is the default, and AutoUpdate listens on it as soon as it is installed, whichever deployment method was used.
Can you change the port used by location roaming?
Yes. The port used for the broadcast (51235 by default) can be changed if it clashes with another application or if your company's security restrictions require a different port. It can be changed locally in the registry, locally in iupd.cfg, or centrally in sauconf.xml. Full details are given in the knowledgebase article How to configure the Location Roaming port in Sophos AutoUpdate.
How do you enable/disable location roaming?
You should only enable location roaming on groups of machines that frequently move from office to office.
To enable location roaming:
- In the Policies pane, double-click Updating. Then double-click the updating policy you want to change.
- In the Updating Policy dialog box, on the Primary Server tab, select the Allow location roaming check box.
- In the Groups pane, select a group that uses the updating policy you just changed. Right-click and select Comply with, Group updating policy.
Repeat this step for each group that uses this updating policy.
Can location roaming be turned on / off from the endpoint client (i.e. override the Console policy) ?
Yes. Broadcasting can be switched off on the endpoint by editing the SAU configuration file iupd.cfg and setting the 'Enabled' flag under [global.IntelligentUpdating] to 0. Note that this only stops the endpoint from asking: endpoints that receive a broadcast always reply, even if their own IU configuration is switched off.
What happens if a Sophos endpoint computer from network 'A' is added to a different network, e.g. network 'B'?
To use roaming, an endpoint must be protected by the Console that manages the endpoints at the location where the local CID is. For example, a visitor who plugs their computer in to another network will NOT pick up updates there, because their computer is configured to be managed by a different Enterprise Console.
How does location roaming operate on a wireless network?
Location detection works by comparing default gateway MAC addresses, so on a wireless network an intermittent connection can make the endpoint believe it has moved location, causing repeated local broadcasts. If this proves to be a problem, it can be controlled indirectly by reducing the updating frequency, since the check is only made when the endpoint updates.
What additional security measures are applied when location roaming is used?
Sophos has incorporated additional security measures to protect the sensitive information exchanged:
- Passwords are obscured using Enterprise Console obfuscation.
- The data contains a hash to verify its integrity: all the fields are concatenated and hashed using SHA1 with the Subscription ID, which is stored in the updating policy.
- The policy is delivered to the endpoints via RMS, which is PKI-secured with keys and certificates created and managed by SEC. Once on the endpoint the policy is saved in the RMS Adapter storage, which is then obscured (not encrypted).
What if an endpoint connects to an update location that contains a customized sauconf.xml file and this causes the endpoint to stop updating correctly?
The endpoint continues to communicate with the Console over RMS, so if you right-click the affected computer and select 'Comply with Policy', it reverts to its original settings.