Sophos Endpoint Security and Control 9.

7 upgrade guide

Document date: April 2011

Contents
1 About this guide........................................................................................................................................3 2 What are the steps in upgrading?.............................................................................................................4 3 Check existing policies..............................................................................................................................5 4 Upgrade endpoint computers..................................................................................................................6 5 Upgrade the Compliance Dissolvable Agent.........................................................................................11 6 Migrate to Sophos Update Manager......................................................................................................12 7 Technical support....................................................................................................................................27 8 Legal notices............................................................................................................................................28

upgrade guide

1 About this guide

This guide tells you how to upgrade the software that is used to protect your endpoint computers.

Before you start

This guide assumes that you have already upgraded the Sophos management tools (Sophos Enterprise Console 4.7 and optionally NAC Manager 3.7). If you haven't upgraded the Sophos management tools yet, go to the Upgrade Center at http://www.sophos.com/support/upgrades/ and follow the instructions there.

Other Sophos documentation

Sophos documentation is published at http://www.sophos.com/support/docs/.

Sophos Endpoint Security and Control 9.7

2 What are the steps in upgrading?

Upgrading the software that is used to protect your endpoint computers involves the following steps.

Check existing policies

You may want to check that your existing policies have been preserved by the upgrade to Enterprise Console 4.7.

Upgrade endpoint computers

There are two ways that you can upgrade the Sophos security software on your endpoint computers:

If you want to begin using the latest versions of the security software immediately, you can upgrade your endpoint computers in one step. See Upgrade endpoint computers immediately (page 6).

If you want to try out the latest versions of the security software before upgrading all computers, you can upgrade your endpoint computers gradually. See Subscribe to the new endpoint software (page 7) and the other topics in the Upgrade endpoint computers gradually section.

Upgrade Sophos Compliance Dissolvable Agent (optional)

If you use NAC Manager, you may want to upgrade the Sophos Compliance Dissolvable Agent on the NAC Manager server.

Migrate to Sophos Update Manager (optional)

If you are still using EM Library, all of your EM Library settings and updating policies will remain unchanged after you upgrade to Enterprise Console 4.7. You may, however, want to migrate from EM Library to Sophos Update Manager, which supports more versions of the endpoint software.

upgrade guide

3 Check existing policies

3.1 Check policy settings
Note: If you use role-based administration, you must have the Computer search, protection and groups right to perform these tasks. For more information, see "About roles and sub-estates" in the section "Managing roles and sub-estates" in the Sophos Enterprise Console Help. To check that your policy settings have been preserved after upgrading Enterprise Console: 1. 2. 3. 4. Start Enterprise Console. In the Policies pane, double-click a policy type (for example, Anti-virus and HIPS). Double-click the policy you want to check. In the dialog box that is displayed, review the policy settings.

3.2 Check policies applied to computer groups

Note: If you use role-based administration, you must have the Computer search, protection and groups right to perform these tasks. For more information, see "About roles and sub-estates" in the section "Managing roles and sub-estates" in the Sophos Enterprise Console Help. To check that your groups have the correct policies applied to them after upgrading Enterprise Console: 1. Start Enterprise Console. 2. In the Groups pane, right-click a group, and then click View/Edit Group Policy Details. 3. In the Group Details dialog box, verify that the group is assigned the right policies. If not, for a policy type, select a different policy from the drop-down list.

Sophos Endpoint Security and Control 9.7

4 Upgrade endpoint computers

4.1 About upgrading endpoint computers
To upgrade your Windows endpoint computers and make full use of the new features, you must change the version of the software that the computers are kept up to date with to Sophos Endpoint Security and Control 9.7. The latest endpoint software for operating systems other than Windows remains unchanged at the time of this release. The information in this section covers the following upgrade scenarios:

Upgrade Sophos Endpoint Security and Control 9.0 or 9.5 to version 9.7 Upgrade Sophos Anti-Virus 7 and Sophos Client Firewall 1.5 to Sophos Endpoint Security and Control 9.7

The procedures described here upgrade all of the security software components, including the Compliance Agent for NAC (if you use NAC Manager).

4.2 Upgrade endpoint computers immediately

To upgrade your endpoint computers immediately, you change your existing software subscriptions to download the new version of the endpoint security software. To change your existing software subscriptions: 1. In Enterprise Console, on the View menu, click Update Managers. 2. In the Software Subscriptions pane, double-click the subscription you want to change. The Software Subscription dialog box appears. 3. Next to Windows 2000 and later, click in the Version field, and then click again. 4. In the list of available versions, select 9.7 Recommended. The next time Enterprise Console downloads updates, it will download the new version of the endpoint software. Your Windows computers will then upgrade themselves to version 9.7 automatically. You do not need to perform any other configuration steps:

The update manager is already configured to maintain the subscription and distribute the software into update shares on the network. You already have updating policies that refer to that subscription and are applied to endpoint computers.

upgrade guide

Notes

During the Sophos Client Firewall installation, there will be a temporary disconnection of network adapters. The interruption may cause the disconnection of networked applications, such as Remote Desktop. When computers upgrade to Sophos Endpoint Security and Control 9.7, the computer details in Enterprise Console may show "Differs from policy" in the Policy Compliance column. To correct this, right-click the computers, click Comply with, and then click the relevant policy or policies.

4.3 Upgrade endpoint computers gradually

4.3.1 Subscribe to the new endpoint software
Creating new software subscriptions
If you want to test the new software on a small group of computers before releasing it to the network, you can create a new subscription. After you have created a new subscription, you will need to perform the following steps:

Configure the update manager to maintain the subscription: that is, download the software from Sophos and put it in network shares from which endpoint computers will update. Create new updating policies that will refer to the new subscription and point to the update shares set up for it in the update manager. Upgrade endpoint computers by applying the new updating policies to them.

Important: Do not upgrade to Sophos Endpoint Security and Control 9.7 on any Windows 2000 computers running SP3 or earlier. The minimum requirement for the software is Windows 2000 with SP4.

Continue using your existing versions

If you are subscribed to a fixed version of Sophos Endpoint Security and Control and Compliance Agent for NAC and want to continue using that version, you can do so. When Sophos stops supporting that version, your computers will be upgraded automatically, provided that you leave selected the check box Automatically upgrade fixed version software when it is no longer supported by Sophos in the Software Subscription dialog box. If you want to evaluate new versions of the software before placing them on your main network, you may want to consider using fixed versions of the software on the main network while evaluating the new versions. Fixed versions are updated with new threat detection data, but not with the latest software version each month. If you want to continue using your existing versions of Sophos endpoint security software you can do so. However, you will eventually be automatically upgraded to version 9.7. You will be warned about this well in advance. 7

Sophos Endpoint Security and Control 9.7

4.3.2 Create a new software subscription

To create a new software subscription: 1. In Enterprise Console, on the View menu, click Update Managers. 2. In the Software Subscriptions pane, click the Add button at the top of the pane to create a new subscription. The Software Subscription dialog box appears. Alternatively, if you want to create a copy of an existing subscription, select the subscription, right-click and click Duplicate Subscription. Type a new name for the subscription and then double-click it to open the Software Subscription dialog box. 3. In the Software Subscription dialog box, edit the name of the subscription, if you wish. 4. Click in the Version field next to Windows 2000 and later and then click again. A drop-down list of available versions appears. 5. Select the type of update you want to download for version 9.7 of Sophos Endpoint Security and Control. Normally, you subscribe to the Recommended versions to ensure that your software is kept up to date automatically. To learn what other types of update are available, see Appendix: What types of update are available? (page 25). Important: If you select a fixed version, for example, 9.7.1, Sophos recommends that you leave the Automatically upgrade fixed version software when it is no longer supported by Sophos check box selected. Running unsupported software leaves you unprotected against new security threats. After you have created a new software subscription, configure the update manager to maintain it as described in Add a subscription in the update manager (page 8). You can also set up subscription email alerts. For more information about subscription email alerts, see the topic Set up subscription alerts in the Setting up alerts and messages section of the Sophos Enterprise Console Help.

4.3.3 Add a subscription in the update manager

If you created a new subscription for the new software version, configure the update manager to maintain this subscription. 1. In the Update managers view, select the update manager, right-click and click View/Edit Configuration. 2. In the Configure update manager dialog box, on the Subscriptions tab, select the software subscription in the list of available subscriptions. To view the details of the subscription, for example, what software is included in the subscription, click View details. 8

upgrade guide

3. To move the selected subscription to the Subscribed to list, click the > button. By default, the software is downloaded to the share \\<ComputerName>\SophosUpdate, where ComputerName is the name of the computer where the update manager is installed. You can specify additional shares as described in Specify where the software is placed (page 20). If you want to download the new version immediately, select the update manager, right-click and click Update Now.

4.3.4 Configure your updating policies

If you created a new software subscription and configured the update manager to maintain this subscription, configure updating policies to update the computers with the software specified in the subscription. You can choose either of the following options.

Change your existing updating policies to refer to the new subscription For information on how to do this, see the section Select a subscription in the Sophos Enterprise Console Help. If you choose this option, your endpoint computers will be upgraded to the new version next time they check for updates.

Create new updating policies For information on how to do this, see Create new updating policies (page 21). If you choose this option, you will then need to apply the new policies to endpoint computers to upgrade them and keep up to date with the new version.

4.3.5 Apply a new updating policy to a group of Windows computers

Important: Do not upgrade Sophos endpoint security software to Sophos Endpoint Security and Control 9.7 on Windows 2000 computers running SP3 or earlier. The minimum requirement for the software is Windows 2000 with SP4. To apply a new updating policy to a group of computers: 1. In the Policies pane, highlight the updating policy. 2. Click the policy and drag it onto the group to which you want to apply the policy. When prompted, confirm that you want to continue. Alternatively, you can right-click a group and select View group policy details. You can then select policies for that group from drop-down menus. During the next update, computers will be upgraded to the new version of the security software, Sophos Endpoint Security and Control 9.7.

Sophos Endpoint Security and Control 9.7

Notes

During the Sophos Client Firewall installation, there will be a temporary disconnection of network adapters. The interruption may cause the disconnection of networked applications, such as Remote Desktop. When computers upgrade to Sophos Endpoint Security and Control 9.7, the computer details in Enterprise Console may show "Differs from policy" in the Policy Compliance column. To correct this, right-click the computers, click Comply with, and then click the relevant policy or policies.

10

upgrade guide

5 Upgrade the Compliance Dissolvable Agent

If you use NAC Manager, you can upgrade the Sophos Compliance Dissolvable Agent from version 3.5 to version 3.7. To upgrade the Compliance Dissolvable Agent: 1. 2. 3. 4. 5. 6. Go to http://www.sophos.com/support/updates/. Type your MySophos username and password. Download the Sophos NAC Compliance Dissolvable Agent version 3.7 installer. Start the Sophos NAC Compliance Dissolvable Agent version 3.7 installer. A wizard guides you through installation. Accept the default options, except as shown below. On the Sophos Server page, type the IP address or DNS name of the server on which you installed NAC Manager.

If Sophos NAC was installed on more than one server, the server address is the IP address or DNS name of the NAC Manager Server and not the NAC Database Server. If you change the NAC Manager server address later, you must reinstall Compliance Dissolvable Agent on the web server and specify the new address during the installation.

7. If you are using HTTPS with NAC, select the Secure Sophos Server (use HTTPS) check box. The web certificate IP address or DNS name must be the same as the NAC Manager server.

11

Sophos Endpoint Security and Control 9.7

6 Migrate to Sophos Update Manager

6.1 Do I need to migrate to Update Manager manually?
Your main EM Library is the update library that downloads security software and updates directly from Sophos. Choose the statement below that applies to you.

My main EM Library and Enterprise Console are both installed on the same computer.
If you successfully ran the Migrate to Sophos Update Manager wizard as part of your upgrade to Enterprise Console 4.7, you do not need to migrate to Sophos Update Manager manually.

Update Manager is installed automatically on the same computer as the Enterprise Console management server. Update Manager is configured to use a set of updating policies and shares that mirror your existing EM Library updating settings. The Migrate to Sophos Update Manager wizard applies the new updating policies to your endpoint computers so that they can begin updating from the new shares managed by Update Manager.

If the migration did not succeed, or you did not use the migration wizard, you need to perform the steps described in Migrate settings to Update Manager manually (page 17).

My main EM Library and Enterprise Console are installed on different computers.

After upgrading the Enterprise Console management server, you canceled the Download Security Software wizard. You now need to migrate your main EM Library to Update Manager as described in What are the key steps in migration? (page 12).

6.2 What are the key steps in migration?

The following key steps describe the migration process for an installation where the Enterprise Console management server and main EM Library are installed on different computers. This section assumes that you have previously canceled the Download Security Software Wizard, and the update manager that is always installed on the same computer as Enterprise Console is not configured. Any updating policies that existed before the upgrade have become legacy policies and are now grouped in the Policies pane under Legacy Updating. EM Library is running as before the upgrade, and endpoint computers use legacy updating policies and continue to update from EM Library-maintained central installation directories (CIDs).

12

upgrade guide

Note: NetWare computers are an exception. These automatically switch to updating from CIDs generated by Sophos Update Manager. Important: If you have computers running Sophos Anti-Virus for UNIX/Linux version 4.x (unmanaged), you will need to manually configure them to use the new update locations. For details, see Sophos support knowledgebase article 64214 (http://www.sophos.com/support/knowledgebase/article/64214.html). Computers running Sophos Anti-Virus for UNIX/Linux version 7.x will automatically detect and use the new update locations. To migrate to Sophos Update Manager, you carry out these key steps:

Check EM Library settings, to avoid migration errors. On the computer where the main EM Library is installed, install Sophos Update Manager. On the computer where Enterprise Console is installed, view the remote update manager's migration report to see whether the update manager has been configured successfully. If the update manager has not been fully configured, configure the update manager and create new updating policies. Configure the update manager installed on the same computer as Enterprise Console to update from the remote update manager that replaces EM Library and updates from Sophos. If you use any additional libraries, view the Updating Hierarchy report to see which other libraries need migrating. Migrate any additional managed libraries on the network. If you had custom files in any of the CIDs, add them to the new update locations. Test the new update shares and updating policies. Apply new updating policies to computer groups. Uninstall EM Library once it is no longer required for endpoint updating.

After you perform these steps, you will have migrated to use the update manager. However, the update manager will be using the old updating settings from EM Library and your endpoint computers will still be using the old security software. To make full use of the new Enterprise Console features, you will need to upgrade your endpoint computers as described in About upgrading endpoint computers (page 6). The following flowchart shows the process of migrating remote EM Library to Sophos Update Manager.

13

Sophos Endpoint Security and Control 9.7

14

upgrade guide

6.3 Check EM Library settings

Before you migrate from EM Library to Update Manager, check that EM Library is not using any packages that are no longer maintained on its parent. This is to ensure that no migration errors occur when the migration wizard cannot find a non-existent package. To check that EM Library is not using packages that are no longer maintained on its parent: 1. In Enterprise Console, click the Libraries icon on the toolbar. The Sophos EM Library window is displayed. The Configuration view is open by default. 2. Look in the Notifications pane (lower-right corner). If EM Library is using a package that is no longer maintained on the parent, you will see the following warning: Warning: You have a package in use that is no longer maintained on the parent. Click "Select packages" and subscribe to another package. 3. If you have a package that is no longer maintained, subscribe to another package that contains a more up-to-date version of the software or unsubscribe from the package if you no longer use it. For information about upgrading, see the knowledgebase article How to upgrade to the new Endpoint Security and Control products (http://www.sophos.com/support/knowledgebase/article/14844.html).

6.4 Install Update Manager

If you have EM Library and Enterprise Console management server installed on different computers, you need to install Sophos Update Manager on the computer where EM Library is installed. All servers where Update Manager is installed must have hostnames which are unique within your network of computers protected by Sophos Endpoint Security and Control. Note: The Enterprise Console installer always installs Sophos Update Manager on the computer where the Enterprise Console management server is installed. It also places the Sophos Update Manager installer in the SUMInstallSet share on that computer. You can use Windows Remote Desktop to install Sophos Update Manager. To install Sophos Update Manager manually: 1. If the computer where EM Library is installed is protected by Sophos Anti-Virus managed from Enterprise Console, uninstall Sophos Remote Management System. In Control Panel, open Add or Remove Programs, locate Sophos Remote Management System from the list, and click Change/Remove or Remove. Follow the instructions for uninstalling the component.

15

Sophos Endpoint Security and Control 9.7

2. Locate the Sophos Update Manager installer. In Enterprise Console, on the View menu, click Sophos Update Manager Installer Location. In the Sophos Update Manager Installer Location dialog box, note the location of the installer. 3. Go to the computer where EM Library is installed and run the installer. Alternatively, use Windows Remote Desktop to install Sophos Update Manager on the computer. 4. Follow the instructions in the Sophos Update Manager InstallShield Wizard. 5. On the Sophos Update Manager Account page, select an account that endpoint computers will use to access the default update share created by the update manager. (The default update share is \\<ComputerName>\SophosUpdate, where ComputerName is the name of the computer where the update manager is installed.) This account must have read rights to the share and does not need to have administrative rights. You can select the default user, select an existing user, or create a new user. By default, the installer will create the SophosUpdateMgr account with read rights to the default update share and no interactive logon rights. 6. On the Sophos Update Manager Account Details page, depending on the option you selected on the previous page, enter a password for the default user, details for the new user, or select an existing account. The password for the account must comply with your password policy. 7. On the Ready to Install the Program page, click Install. 8. When installation is complete, click Finish. The computer where you installed Sophos Update Manager should appear in Enterprise Console, Update managers view. (On the View menu, click Update Managers.) Note: It may take a few minutes before the new update manager appears in Enterprise Console. If your updating settings could be successfully migrated from EM Library to Sophos Update Manager, the update manager will be configured on the basis of those settings. To see if the migration process was successful, view the update managers migration report.

6.5 View the update managers migration report

Go to the computer where Enterprise Console is installed. In Enterprise Console, make sure you are in the Update managers view. If you are in the Endpoints view, on the View menu, click Update Managers. Note: It may take a few minutes before the new update manager appears in Enterprise Console. Open the update managers migration report and check whether the update manager has been configured successfully on the basis of EM Library settings.

16

upgrade guide

To view the update manager's migration report: 1. Select the computer with the update manager whose migration report you want to view, right-click and then click View Migration Report. 2. In the update managers Migration Report check that:

The updating sources that the update manager uses are correct. If this is the master update manager that downloads updates from Sophos, its primary update source must be Sophos. For instructions on selecting an update source, see Select an update source for the update manager (page 19).

The updating schedule was successfully migrated from EM Library. (If not, a default updating schedule would have been applied.) The endpoint update locations were migrated successfully. The updating policies were successfully migrated from legacy updating policies. Note: If you used a non-default initial install source in a legacy updating policy, this setting would not have been migrated, and the new updating policy would have been set to use the default (primary server address). This is because EM Library and Sophos Update Manager use different update directory structures and a non-default initial install source in the legacy updating policy cannot be matched to a new update directory.

Depending on whether the updating settings have been migrated successfully or not:

If your updating settings have been successfully migrated from EM Library, the update manager is configured on the basis of those settings. New updating policies, corresponding to the legacy ones, are created, but endpoint computers are not using them yet. Continue the migration as described in the next section. If some of the updating settings could not be migrated, see Migrate settings to Update Manager manually (page 17).

6.6 Migrate settings to Update Manager manually

Sometimes, it may not be possible to migrate the EM Library settings to Sophos Update Manager. For example, EM Library may be using custom packages that cannot be migrated or EM Library may be updating from a location that is not a valid update source for an update manager. If some or all of the EM Library updating settings could not be migrated, you will need to carry out some or all of the following steps:

Configure subscriptions (see Subscribe to Sophos software and updates (page 18)). Configure the update manager to use the subscriptions to download and distribute the software across the network (see Configure the update manager (page 19)). Create new updating policies (see Create new updating policies (page 21)).

17

Sophos Endpoint Security and Control 9.7

6.6.1 Subscribe to Sophos software and updates

Subscriptions allow you to define what software should be downloaded from Sophos. In a subscription, you can specify one software version for each supported platform. If you want to download several different software versions for the same platform, you will need to create several subscriptions. Important: If you want to download Sophos Anti-Virus for NetWare, please read Sophos support knowledgebase article 59192 (http://www.sophos.com/support/knowledgebase/article/59192.html). To subscribe to Sophos security software and updates: 1. In the Update managers view, in the Software Subscriptions pane, double-click the subscription you want to change (for example, Recommended), or click the Add button at the top of the pane to create a new subscription. 2. In the Software Subscription dialog box, edit the name of the subscription, if you wish. 3. Next to the platform for which you want to download software, click in the Version field, and then click again. A drop-down list of available versions appears. 4. Select the type of update and software version you want to download (for example, Recommended:7 for Windows 2000 or later). Normally, you subscribe to the Recommended versions to ensure that your software is kept up to date automatically. To learn what other types of update are available, see Appendix: What types of update are available? (page 25). Important: If you select a fixed version, for example, 7.6.5, Sophos recommends that you leave selected the check box Automatically upgrade fixed version software when it is no longer supported by Sophos. Running unsupported software leaves you unprotected against new security threats. 5. Repeat steps 3 and 4 for each platform for which you want to download software. After you have subscribed to the security software, you need to configure the update manager to maintain those subscriptions and distribute the software over the network. You can also set up subscription email alerts. For more information about subscription email alerts, see the topic Set up subscription alerts in the Setting up alerts and messages section of the Sophos Enterprise Console Help.

18

upgrade guide

6.6.2 Configure the update manager

To configure the update manager: 1. In the Update managers view, select the update manager you want to configure. Right-click and click View/Edit Configuration. The Configure update manager dialog box appears. 2. Edit the configuration as described in the following topics. 6.6.2.1 Select an update source for the update manager You need to select a source from which the update manager will download security software and updates for distribution across the network. You can select several sources. If you do this, the first source in the list of the update sources you selected is the primary source. Additional sources in the list are optional alternate locations that the update manager uses if it cannot collect an update from the primary source. The update manager at the top of the updating hierarchy, which downloads software from Sophos, must have Sophos as its primary source. To select an update source: 1. In the Configure update manager dialog box, on the Sources tab, click Add. 2. In the Source details dialog box, in the Address field, enter the address of the update source. The address can be a UNC or HTTP path. If you want to download software and updates directly from Sophos, select Sophos. 3. If necessary, in the Username and Password fields, enter the username and password for the account that will be used to access the update source.

If the update source is Sophos, enter the download credentials supplied by Sophos. If the update source is the default update share created by an update manager located higher in the updating hierarchy, the Username and Password fields will be pre-populated. The default update share is a UNC share \\<ComputerName>\SophosUpdate, where ComputerName is the name of the computer where the update manager is installed. If the update source is a non-default update share on your network, enter credentials for the account that has read rights to the share. If the Username needs to be qualified to indicate the domain, use the form domain\username. 4. If you access the update source via a proxy server, select Use a proxy server to connect. Then enter the proxy server Address and Port number. Enter a Username and Password that give access to the proxy server. If the username needs to be qualified to indicate the domain, use the form domain\username. Click OK. The new source appears in the list in the Configure update manager dialog box.

19

Sophos Endpoint Security and Control 9.7

If you are configuring an additional update manager and you have already installed an update manager on a different computer, the share where that update manager downloads software and updates will appear on the list of addresses. You can select it as a source for the update manager you are configuring. Then you can move the address that you want to be the primary one to the top of the list, using the Move up and Move down buttons to the right of the list. 6.6.2.2 Select which software to download You need to select the subscriptions that the update manager will be using to download and distribute the software across the network. To select a subscription or subscriptions: 1. In the Configure update manager dialog box, on the Subscriptions tab, select a subscription in the list of available subscriptions. To view the details of the subscription, for example, what software is included in the subscription, click View details. 2. To move the selected subscription to the Subscribed to list, click the > button. To move all subscriptions to the Subscribed to list, click the >> button. 6.6.2.3 Specify where the software is placed After you have selected which software to download, you can specify where it should be placed on the network. By default, the software is placed in a UNC share \\<ComputerName>\SophosUpdate, where ComputerName is the name of the computer where the update manager is installed. You can distribute downloaded software to additional shares on your network. To do this, add an existing network share to the list of available shares and then move it to the list of update shares as described below. To specify where the software is placed: 1. In the Configure update manager dialog box, on the Distribution tab, select a software subscription from the list. 2. Select a share from the Available shares list and move it to the Update to list by clicking the > button. The default share \\<ComputerName>\SophosUpdate is always present in the Update to list. You cannot remove this share from the list. The Available shares list includes all the shares that Enterprise Console knows about and that are not already being used by another update manager. You can add an existing share to or remove a share from the Available shares list, using the Add or Remove button. 3. If you want to enter a description for a share or credentials needed to write to the share, select the share and click Configure.

20

upgrade guide

4. In the Share manager dialog box, enter the description and credentials. The software that you have selected is downloaded to the shares that you have specified during the next scheduled update. If you want to edit the default update schedule, see Edit an update schedule (page 21). If you want to download the software immediately, select the update manager, right-click and click Update Now. 6.6.2.4 Edit an update schedule By default, an update manager will check for threat detection data updates every 10 minutes. You can change this update interval. The minimum is 5 minutes. The maximum is 1440 minutes (24 hours). Sophos recommends an update interval of 10 minutes for threat detection data, so that you receive protection from new threats promptly after the detection data is published by Sophos. By default, an update manager will check for software updates every 60 minutes. You can change this update interval. The minimum is 10 minutes. The maximum is 1440 minutes (24 hours). For software updates, you can either specify an update interval that is used every hour of every day, or you can create more sophisticated schedules, in which each day can be specified independently and each day can be divided into periods with different update intervals. Note: You can create a different schedule for each day of the week. Only a single schedule can be associated with a day of the week. If you want to change the default schedule:

In the Configure update manager dialog box, on the Schedule tab, enter new update intervals or create a more sophisticated schedule, or different schedules for different days of the week.

You can also change the default settings for the update manager log and self-updating, if you wish. You do this by editing the settings on the Logging and Advanced tabs, respectively.

6.6.3 Create new updating policies

If some or all of the new updating policies that correspond to the legacy updating policies could not be created during the migration to Sophos Update Manager, create them manually. To create a new updating policy: 1. In the Endpoints view, Policies pane, right-click Updating and select Create policy. A New Policy is added to the list, with its name highlighted. 2. Type a new name for the policy. 3. Double-click the new policy. In the Updating policy dialog box, click the Subscription tab and select the subscription for the software you want to keep up to date.

21

Sophos Endpoint Security and Control 9.7

4. On the Primary server tab, in the Address field, accept the default or specify a different share (UNC path or web address) from which endpoint computers will usually download updates. By default, computers update from a UNC share \\<ComputerName>\SophosUpdate, where ComputerName is the name of the computer where the update manager is installed. Important: If you choose to use an HTTP location (for example, a web update share) or a share that is not maintained by a managed update manager, Enterprise Console will not be able to check that the software specified in the subscription policy is available at that address. You must manually ensure that the share contains the software that is specified in the subscription policy. Otherwise, computers will not be updated. 5. If you have Macs that you want to manage from Enterprise Console and you specified a UNC path in the Address field, under Mac OS-specific options, select a protocol that Macs will use to access the update share. 6. If necessary, in the Username field, enter the username for the account that will be used to access the server, and then enter and confirm the password. This account should have read rights to the share you entered in the address field above. Note: If the username needs to be qualified to indicate the domain, use the form domain\username. 7. If you access the update source via a proxy server, click Proxy details. In the Proxy details dialog box, select Access the server via a proxy. Then enter the proxy server Address and Port number. Enter a Username and Password that give access to the proxy server. If the username needs to be qualified to indicate the domain, use the form domain\username. You can now apply this policy to a group or groups of computers to keep them up to date with your chosen security software. You can also limit the bandwidth used, set up an alternative source for updates, or change the default schedule, logging, and initial install source details, if you wish. For more information about configuring updating policies, see the section Configuring the updating policy in the Sophos Enterprise Console Help. Continue the migration as described in Configure the update manager on the Enterprise Console computer (page 22).

6.7 Configure the update manager on the Enterprise Console computer

Enterprise Console cannot protect the network fully until the update manager installed on the same computer as the Enterprise Console management server is configured with an update source. This will enable Enterprise Console to receive necessary updates (for example, information about the versions of security software that endpoint computers should be running, new and updated Content Control Lists for data control, or the list of new controlled devices and applications).

22

upgrade guide

To configure the update manager: 1. In the Update managers view, select the computer where Enterprise Console is installed. Right-click and click View/Edit Configuration. 2. In the Configure update manager dialog box, on the Sources tab, click Add. 3. In the Source Details dialog box, click the drop-down arrow in the Address field and select the default update share created by the update manager that updates from Sophos. Alternatively, type in the address or click Browse to browse to the share. The default update share is a UNC share \\<ComputerName>\SophosUpdate, where ComputerName is the name of the computer where the update manager that updates from Sophos is installed. 4. Enter the username, password, and proxy settings, as appropriate. This will enable the update manager to download updates for Enterprise Console. If you want to configure the update manager on the Enterprise Console computer to distribute endpoint software updates across the network, configure the software subscription, distribution, and schedule settings similarly to how you configured such settings for the update manager that updates from Sophos. If you wish, you can change the default settings for the update manager log and self-updating. You do this on the Logging and Advanced tabs, respectively.

6.8 Migrate additional managed libraries

If you have any additional libraries that you manage from Enterprise Console, migrate their updating settings to Sophos Update Manager. You can use the Updating Hierarchy report to view a list of update managers and libraries on your network, update shares that they maintain, and the number of computers that update from these shares. To view the report, on theTools menu, click Manage Reports. In the Report Manager dialog box, select Updating hierarchy and click Run. To migrate the updating settings from an additional library, you carry out these key steps:

Install Sophos Update Manager on the EM Library computer (see Install Update Manager (page 15)). On the computer where Enterprise Console is installed, view the new update manager's migration report to see whether the update manager has been configured successfully (see View the update managers migration report (page 16)). If the update manager has not been fully configured, configure the update manager and create new updating policies (see Migrate settings to Update Manager manually (page 17)).

23

Sophos Endpoint Security and Control 9.7

6.9 Test the new update share or shares

You may want to check that the new update share or shares are correct and are being updated, especially if you use an HTTP location (for example, a web update share) or a share that is not maintained by a managed update manager. To test an update share, migrate one endpoint computer or a small group of test computers to update from a new update manager-maintained share by applying an updating policy pointing to that share. 1. In the Endpoints view, Groups pane, select the test group, right-click and click View/Edit Group Policy Details. 2. In the Group Details dialog box, select the updating policy that points to the share you want to test and click OK. The test computers will check for updates during the next scheduled update. 3. Wait until the computers have checked for updates. Then, on the Status tab, look in the Up to date column, or go to the Update details tab.

If you see Yes in the Up to date column, the computers have updated successfully from the new update share. If you see a clock icon, the computer is out of date. The text indicates how long the computer has been out of date. For information about updating such out-of-date computers, see the section Updating computers in the Sophos Enterprise Console Help.

6.10 Apply the new updating policies to the computers

To apply a new updating policy to a group of computers: 1. In the Endpoints view, Groups pane, select the group, right-click and click View Group Policy Details. 2. In the Group Details dialog box, clear the Legacy updating check box. If you want to apply to the group an updating policy whose name differs from the legacy updating policy name that the group was using previously, select an updating policy from the drop-down list. Once all endpoint computers have been migrated to use new updating policies maintained by the update manager, uninstall EM Library. Note: Running both EM Library and Sophos Update Manager will increase network traffic. You can now use the update manager to upgrade the software running on your endpoint computers when you are ready (see About upgrading endpoint computers (page 6)).

24

upgrade guide

6.11 Appendix: What types of update are available?

There are several versions of the software associated with each major version of a solution (for example, Sophos Endpoint Security and Control 9) and platform (for example, Windows 2000 or later).You can choose which software version to download from Sophos for further deployment to endpoint computers by selecting an update type in the subscription. You can select among three labeled versions and three fixed versions of the software.

Labeled versions
There are three labeled versions:

Label Recommended

Description The version that we considers to be the most appropriate for those who want the most up-to-date version of the product. We normally recommend that the latest version of the endpoint software is deployed to endpoints as soon as it is released. The previously-recommended version. The oldest version that Sophos is still supporting with updates.

Previous Oldest

Note: We may add new labels over time. The Download Security Software Wizard sets up a subscription that specifies the recommended versions of any selected software. When subscribed to a labeled version, the actual version(s) downloaded will usually change each month.

Fixed versions
Fixed versions are updated with new threat detection data, but not with the latest software version each month. If you want to evaluate new versions of the software before placing them on your main network, you may want to consider using fixed versions of the software on the main network while evaluating the new versions. Usually, there are three fixed versions for each operating system, representing the previous three monthly releases. An example of a fixed version is Sophos Endpoint Security and Control for Windows 2000 and later, version 9.4.3. Fixed versions are downloaded for as long as they are available from Sophos. If a fixed version is due to retire, you will see an alert in the Update managers view next to any update managers that are subscribed to that version. If email alerting is active, the administrator will also receive an email alert.

25

Sophos Endpoint Security and Control 9.7

By default, when a subscribed fixed version is retired, Enterprise Console will redefine the subscription to use the oldest fixed version that is still available. Note: You can change this behavior in the subscription by clearing the check box Automatically upgrade fixed version software when it is no longer supported by Sophos. Be aware, however, that running unsupported software will leave you unprotected against new security threats. Therefore, we recommend that you upgrade any unsupported versions as soon as possible.

26

upgrade guide

7 Technical support
You can find technical support for Sophos products in any of these ways:

Visit the SophosTalk community at http://community.sophos.com/ and search for other users who are experiencing the same problem. Visit the Sophos support knowledgebase at http://www.sophos.com/support/. Download the product documentation at http://www.sophos.com/support/docs/. Send an email to support@sophos.com, including your Sophos software version number(s), operating system(s) and patch level(s), and the text of any error messages.

27

Sophos Endpoint Security and Control 9.7

8 Legal notices
Copyright 2011 Sophos Limited. All rights reserved. No part of this publication may be reproduced, stored in a retrieval system, or transmitted, in any form or by any means, electronic, mechanical, photocopying, recording or otherwise unless you are either a valid licensee where the documentation can be reproduced in accordance with the licence terms or you otherwise have the prior permission in writing of the copyright owner. Sophos and Sophos Anti-Virus are registered trademarks of Sophos Limited. All other product and company names mentioned are trademarks or registered trademarks of their respective owners.

Common Public License

The Sophos software that is referenced in this document includes or may include some software programs that are licensed (or sublicensed) to the user under the Common Public License (CPL), which, among other rights, permits the user to have access to the source code. The CPL requires for any software licensed under the terms of the CPL, which is distributed in object code form, that the source code for such software also be made available to the users of the object code form. For any such software covered under the CPL, the source code is available via mail order by submitting a request to Sophos; via email to support@sophos.com or via the web at http://www.sophos.com/support/queries/enterprise.html. A copy of the license agreement for any such included software can be found at http://opensource.org/licenses/cpl1.0.php

ConvertUTF
Copyright 20012004 Unicode, Inc. This source code is provided as is by Unicode, Inc. No claims are made as to fitness for any particular purpose. No warranties of any kind are expressed or implied. The recipient agrees to determine applicability of information provided. If this file has been purchased on magnetic or optical media from Unicode, Inc., the sole remedy for any claim will be exchange of defective media within 90 days of receipt. Unicode, Inc. hereby grants the right to freely use the information supplied in this file in the creation of products supporting the Unicode Standard, and to make copies of this file in any form for internal or external distribution as long as this notice remains attached.

28