EM Library by wuxiangyu


Sophos Enterprise Solutions
This Seminar…
• Overview
  – Components — EM Library, Enterprise Console,
  – OS requirements and product functionality
• EM Library
  – In depth
• Enterprise Console
  – In depth
• Clients
  – In brief
• EM Library (essential)
  – Manages downloading of software from
• Enterprise Console (optional — sort of)
  – Manages clients
• Sophos Anti-Virus Clients (essential)
  – Client software for virus detection and
Requirements — EM Library
• Windows
  – Windows NT SP6a
  – Windows 2000 Professional or Server (SP3+)
  – Windows XP Professional (SP1+)
  – Windows 2003 Server
• Requires MMC 1.2
• IE 5.5 SP2 or above
Requirements — Enterprise Console

• Windows 2000 (SP3+) or 2003 Server
  – If managing more than 10 PCs
• Windows 2000 (SP3+) or XP (SP1+)
  – If managing up to 10 PCs
  – May be used to define and export policies,
    regardless of PCs managed
      Function — EM Library
• Downloads package updates from Sophos
  to a library according to a schedule
  – Default is c:\program files\sophos enterprise
    manager\library shared as SophosEM
  – Library can be remote or local
• Optionally publishes packages to make
  them available to child libraries
• Pushes updates to Central Installation
  Directories (CIDs)
  – CIDs can be on remote servers (e.g. Unix)
  – CIDs can be published via a web server
• Clients check CIDs for updates and
  download as required
Function — Enterprise Console
• Deploy software to clients
• Monitor status of client installations
• Organise clients into groups
• Define and apply updating and anti-virus
  policies to groups of PCs
• Report on alerts etc.
[Diagram: update flow from the Databank at Sophos, through EM Library, to CIDs and clients]
• 1. EM Library pulls updates from Sophos according to schedule
• 2. EM Library pushes updates to central installation directories (CIDs)
  – CIDs shown: 2000/XP/2003 CID on Windows, 2000/XP/2003 CID on IIS,
    2000/XP/2003 CID on Apache, 2000/XP/2003 CID on samba share,
    Mac OS X 10.2+ CID on AppleShare compatible share,
    95/98/Me CID on Windows share
• 3. Clients check CIDs according to their schedule and pull updates from CIDs
  – Clients shown: XP, 2000, 2003, 98, 95, ME, OS X
How does Enterprise Console fit in?

• Not required to provide updates to clients
• May be used to manage clients
• Sophos enterprise solutions installation advisor
• Sophos Anti-Virus Startup Guide
• Knowledgebase
  – Ignore docs with references to Remote Updates,
  – Look for EM Library v1.2, Enterprise Console 1.0,
    Clients 4.5 or 5.0
• http://www.oucs.ox.ac.uk/viruses/sophos/antivirus
  as a starting point
EM Library
• Download required network installer from
• Before installation on Domain Controller
  – Optionally create domain a/c with admin privileges
     • http://www.sophos.com/support/knowledgebase/article/2522.
     • Global credentials used to access and update CIDs (can be
       altered for individual CIDs)
• Run installer
  – Server: es10sfx.exe (unpacks to \sec10)
  – Workstation: run es10wssfx.exe – if you run setup.exe
    from unpacked files it will fail (tells you only server
• To install EM Library only
   – \sec10\Serverinstaller\EMConsole\setup.exe
• Post Installation
   – Patch MSDE 2000 engine (use MBSA to determine
     appropriate patches)
   – Not required if only installing EM Library (MSDE
     installed by Enterprise Console only)
   – Note EM Library creates share for EM Library
     installation files
      • Default is C:\Program Files\Sophos Enterprise
        Manager\console\bin\inst shared as EMLibInstaller
Configuring EM Library
              Create Library
• Location for downloaded files from Sophos
• Local or remote
• Prompts for installation path and library share
  – Defaults are C:\Program Files\Sophos Enterprise
    Manager and SophosEM
• Prompts for path and share name for Central
  Installation Directories
  – Default C:\Program Files\Sophos Sweep for NT
    shared as Interchk
      Create network account
• Used to update library files
• May need to use pre-created domain account on
  a domain controller
• Unclear whether you need to pre-create account
  if installing on member server in a domain
  – http://www.sophos.com/support/knowledgebase/articl
• On standalone server you can choose option to
  create account
               Select Parent
• Source of files to download to library
• Can be Sophos databank or another library
  – Will generally be the Sophos databank
• Credentials available from ITSS restricted
  facilities web page
   – https://register.oucs.ox.ac.uk:6123/cgi-
   – Under Sophos EM Library Update Service
   – Do not divulge these to anyone except ITSS!
       Schedule Downloads
• Sets up schedule for downloading from
  Sophos or parent library
• Generally set up new schedule and accept
• Downloads updates once every hour
  (random offset)
• Downloads can also be triggered manually
  via EM Library
          Select Packages
• Default view shows only the current
  versions of the new Sophos clients
• Uncheck options to see more packages
        Download packages
• Triggers initial download of packages to
  populate both library and central
  installation folders (CIDs)
  – Default CID already set up for each package
• If you want to move CIDs (e.g. to Linux
  box) you can do this before downloading
  – …or later
• Can also be used at any time to trigger
  manual update of packages
       Configuring Packages
• Subscribed
  – Will be downloaded according to schedule
• Unsubscribed
  – Will not be downloaded
  – Right-click to subscribe
• Published
  – Available to child libraries
  – Right-click to publish
Configuring Central Installations
    Configuring Existing CIDs
• Can alter location of CID (e.g. to a
  different server)
• Can alter credentials to access CID
• Can change updating schedule (default is
  to update immediately after library is
• Can locate CIDs on other servers, so long
  as the location is accessible from
  Windows box (e.g. via Samba)
• Right-click to configure existing CIDs
        Add additional CIDs
• Packages/subscribed and right-click on
  chosen package
• Configure options as per configuring
  existing CIDs
 CIDs — Additional Information
• Note special requirements for CIDs for the
  following clients (see manuals)
  – Mac OS X
  – Netware
  – Unix
• We will cover some of these points in
  more detail in future seminars
• Manually update a CID via right-
  click/Update CID
CID Anatomy
Top Level            Purpose
setup.exe            Main setup file
cidsync.upd          Used to check synchronisation status
sau\                 AutoUpdate files
    cidsync.upd      Used to check synchronisation status
    sauconf.xml      Optional file to configure updating policy
rms\                 Remote Management System files
    cidsync.upd      Used to check synchronisation status
savxp\               Sophos Anti-virus files
    cidsync.upd      Used to check synchronisation status
    savconf.xml      Optional file to configure A-V policy
• cidsync.upd
   – Clients use this to check synchronisation status
   – Includes details of all files (including ides)
   – Binary file, generally updated by EM Library
• rms folder is optional
   – Remote management components used by
     Enterprise Console
   – Need to tell installer not to use it (default is to install
   – More on this in the next seminar…
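
The layout in the CID Anatomy table can be checked mechanically, for instance after moving a CID to another server or publishing it via a web server. The Python sketch below is an added example, not part of the original slides or of any Sophos tool; the function names are hypothetical and the sample tree is constructed. It checks only that the listed files are present (matching names case-insensitively), not the contents of the binary cidsync.upd.

```python
import os
import tempfile

# Relative paths from the CID Anatomy table ('/' used as separator here).
REQUIRED = ["setup.exe", "cidsync.upd", "sau/cidsync.upd", "savxp/cidsync.upd"]
RMS_MARKER = "rms/cidsync.upd"   # rms folder is optional; if present it has its own cidsync.upd
POLICY_FILES = {"updating": "sau/sauconf.xml", "anti-virus": "savxp/savconf.xml"}

def list_files(root):
    """Return every file under root as a lowercased, '/'-separated relative path."""
    found = set()
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            rel = os.path.relpath(os.path.join(dirpath, name), root)
            found.add(rel.replace(os.sep, "/").lower())
    return found

def check_cid(root):
    """Compare a CID directory against the anatomy table (hypothetical helper)."""
    files = list_files(root)
    rms_present = any(f.startswith("rms/") for f in files)
    missing = [p for p in REQUIRED if p not in files]
    if rms_present and RMS_MARKER not in files:
        missing.append(RMS_MARKER)
    return {
        "missing": missing,          # required files not found
        "rms_present": rms_present,  # remote management components included?
        "policies": {k: v in files for k, v in POLICY_FILES.items()},
    }

def build_sample_cid(root, paths):
    """Create empty placeholder files so the check can run offline (constructed data)."""
    for rel in paths:
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(b"")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        # Constructed sample: an unmanaged CID (no rms) carrying only an A-V policy file.
        build_sample_cid(tmp, ["setup.exe", "cidsync.upd", "sau/cidsync.upd",
                               "savxp/cidsync.upd", "savxp/Savconf.xml"])
        print(check_cid(tmp))
```
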
   EM Library — Tools/Options
• Console Options
   – Display, refresh etc.
• Security
   – Who can run EM Library
   – Effectively adds and removes users or groups from
     the EMLibrary Users group
• Notifications
   – Method (Email, Event Log, Network Messaging)
   – What is notified
       EM Library — Scripts
• \\server\SophosEM\bin\EMLexp.exe
  (C:\Program Files\Sophos Enterprise
  – Export library settings to XML file
  – Import library settings from XML file
  – Trigger manual update of a library
  – NB File may require editing before import to
    different server (see
• Manual update of child library via batch file
  – http://www.sophos.com/sophos/docs/eng/man
  – Page 48
Sophos Enterprise Console
           Enterprise Console
• Install using network installers as per EM Library
• Manage clients in a controlled environment, e.g.
  college or department
  – Remote installation and updating of Sophos
  – Status of Sophos on machines
  – Reporting
• Apply Policies for updating and A-V engine
  – Apply via Enterprise Console
  – Or export to files for inclusion in CIDs
Console View
            Viewing Computers
• Actions/Find Computers
  – Relies on Microsoft networking (browse masters etc.)
  – Windows XP firewall likely to cause problems
• File/Import computers from file
  – File format (text file)
  – Netbios or DNS names
  – See help for full information (testing shows that you may need to
    include OS)
 Organising Computers — Groups
• Need at least one group in order to define
• Move PCs from Unassigned into groups
        Configuring Policies
• Updating and Anti-virus policies
• Policies may be different for each group
• Updating policy has different sections for
  each OS
  – At least one section must be configured
• Updating policy must be set before
  protecting PCs via Enterprise Console
• Use Comply with… to enforce policies
            Updating Policy
• Need to specify at least
  – Primary source (for updates)
  – Credentials (if required)
• Can specify other items
  – How often client checks for updates
          Anti-virus policy
• E.g. scheduled and on-access scanning
Protect Computers — Prerequisites
• Need access to clients via file share
  – XP or other personal firewall
  – May prefer to install from client
• Need account with admin credentials on clients
• Need same account credentials to exist on
  server (does not need to be admin)
  – Don’t have to be logged in as this account
  – Suspect non-domain issue
• Must configure Updating Policy on group before
Protect Computers — Wizard
 Enterprise Console and Firewalls
• 3 services on client (see Appendix B)
• Using TCP 8192-8194
• Connections may be initiated by server or
• Be wary of firewalls at both ends
• Only applies for management of machines
  – Scheduled client updates are always initiated
    from the client end
• Can be applied via Enterprise Console
• Can also be applied using files
  – sauconf.xml (Updating policy) in sau folder
  – savconf.xml (A-V policy) in savxp folder
• Useful for clients not managed by
  Enterprise Console
  – Web-based CIDs
• Export group policies from Enterprise
  Console using exportconfig.exe
  – \sec10\tools or \sec10ws\tools
• More detail in next seminar
Sophos Clients
            Client Installation
• Sophos AutoUpdate installed first
  – Configured with source of Sophos files
  – Credentials to access files
• Sophos AutoUpdate
  – Fetches and installs other components using source
    and credentials
• Management Components
  – Optional (default install from CID includes these)
  – Enterprise Console will install them; can be turned off
    using other installation methods
Client Components on Windows XP

Component                         Purpose                         Services
Sophos AutoUpdate                 Updating Sophos                 1. Sophos AutoUpdate Service
Sophos Anti-Virus                 Virus Detection                 1. Sophos Anti-Virus
                                                                  2. Sophos Anti-Virus status reporter
Sophos Remote Management System   Enterprise Console Management   1. Sophos Agent
                                                                  2. Sophos AutoUpdate Agent
                                                                  3. Sophos Message Router
        Client Configuration
• Groups created
  – SophosAdministrator
  – SophosPowerUser
  – SophosUser
• Automatically puts members of
  Administrators into SophosAdministrator,
• Restricts access to configuration options
        Group Restrictions
• Member of SophosAdministrator group
        Group Restrictions
• Member of SophosUser group
Client Installation and Configuration
• To be continued…
    Appendix A — EM Library
• Default Shares
  – C:\Program Files\Sophos Enterprise
    Manager\console\bin\inst (EMLibInstaller)
    • Installation files for EM Library
  – C:\Program Files\Sophos Enterprise
    Manager\Library (SophosEM)
    • Library
  – C:\Program Files\Sophos Sweep for NT
    • Client software Central Installation Directories
• Services created when Library is created
  – Sophos EMLibUpdate Agent
  – Sophos Enterprise Manager Scheduler
• Users created (optional)
  – EMLibUser1 (can specify alternative account)
  – Member of Administrators
• Groups created
  – EMLibrary Users
  – Members of existing Administrators group are
    made members automatically
Appendix B — Enterprise Console
• Shares created
  – None known
• Services created
  – Sophos Agent
  – Sophos AutoUpdate Agent
  – Sophos Certification Manager
  – Sophos Management Service
  – Sophos Message Router
• Groups created
  – Sophos Console Administrators
  – Members of existing Administrators group are
    made members automatically
  – Must be a member of this group in order to
    run Enterprise Console
• Sophos enterprise solutions installation advisor
  – http://www.sophos.com/misc/sophos_es_support_pac
• Sophos Anti-Virus Startup Guide
  – http://www.sophos.com/sophos/docs/eng/instguid/esa
• Sophos EM Library Manual
  – http://www.sophos.com/sophos/docs/eng/manuals/em
• Sophos Enterprise Console Manual
  – http://www.sophos.com/sophos/docs/eng/man
• OUCS Guide to Installing and Configuring
  EM Library and Automatic Client Updating
  – http://www.oucs.ox.ac.uk/viruses/sophos/ente
  – Refer to references section for more links
