Sophos Active Directory



Active Directory LDAP server: the FQDN of the desired LDAP server, with the port number. If uncertain, use the same hostname as the Domain Controller, with the port number. The port number for a single Active Directory server is usually 389; for an Active Directory server designated as.

In Sophos Enterprise Console, you can have both "normal," unsynchronized groups that you manage yourself and groups synchronized with Active Directory. When setting up synchronization, you select or create a synchronization point: a Sophos Enterprise Console group to be synchronized with an Active Directory container.

Active Directory provides LDAP-like directory services for managing identities and permissions of users throughout a network. Active Directory is a hierarchical, object-oriented database in which each object represents a single entity (for example, a user or group).

When the UTM is synced with Active Directory, it would be nice for the UTM not to keep old Active Directory accounts within the UTM device, and for the ability for the UTM to keep up-to-date users from AD when the UTM does a sync, as we are a school and we use the UTM for the filtering / authentication - having to go through over 1000 accounts and remove them from the UTM device is somewhat time.

Active Directory: Use the Configuration > System > Active Directory page to configure access to your Active Directory server, which allows the appliance to use Active Directory user and group information. Important: it is essential that the time on your Active Directory server is.


This document will walk you through a basic installation and setup of Sophos Endpoint Protection - Business Edition with the Sophos Enterprise Console.

13 Steps total

Step 1: Prep Your Domain for Endpoint Communication

i. For proper communication between the management server and endpoints TCP port 8194 needs to be open
ii. It is suggested to use Group Policy Objects to deploy the firewall change
a. Open the 'Group Policy Management Editor'
b. Select an existing GPO or create a new one
c. Navigate to 'Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Windows Firewall with Advanced Security -> Windows Firewall with Advanced Security - LDAP://[your domain info]' (based on Server 2008 R2)
d. Right-click 'Inbound Rules' and choose 'New Rule...'
e. Select 'Port' -> Next -> 'TCP' and enter 8194 in the 'Specific local ports:' section -> Next
f. 'Allow the connection' -> Next -> only allow 'Domain' -> Next -> enter 'Sophos Endpoint Management (RMS)' for the 'Name' -> Finish
g. Link the GPO to the OUs containing the computers to be managed
iii. The management server will also need TCP 8192 open for incoming connections
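The same two firewall rules as Step 1, created with PowerShell instead of clicking through the GPO editor, plus a check that the rules landed as intended. This is an added example, not part of the original how-to or Sophos documentation; the domain name, GPO name and server hostname below are placeholders.

```powershell
# Added example (not from the original how-to). Creates the Step 1 firewall
# rules with the NetSecurity cmdlets and verifies them afterwards.
# Assumed placeholders: domain "corp.example.com", an existing GPO named
# "Sophos Endpoint Firewall", management server "sec01.corp.example.com".

# --- Endpoint rule (TCP 8194), written into the GPO so every linked OU gets it ---
# PolicyStore "<domain>\<GPO name>" targets an existing GPO; run this from a host
# with the Group Policy Management tools installed. The GPO must still be linked
# to the OUs holding the managed computers (Step 1).
$gpoStore = 'corp.example.com\Sophos Endpoint Firewall'

New-NetFirewallRule -PolicyStore $gpoStore `
    -DisplayName 'Sophos Endpoint Management (RMS)' `
    -Description 'Allow the Sophos management server to reach endpoints on TCP 8194' `
    -Direction Inbound -Protocol TCP -LocalPort 8194 `
    -Profile Domain -Action Allow

# --- Management server rule (TCP 8192), applied to the console host's local policy ---
# Scoped to the Domain profile only, matching the GUI steps above.
New-NetFirewallRule -DisplayName 'Sophos Enterprise Console (RMS)' `
    -Description 'Allow endpoints to reach the Enterprise Console on TCP 8192' `
    -Direction Inbound -Protocol TCP -LocalPort 8192 `
    -Profile Domain -Action Allow

# --- Check: list each Sophos rule with its port and profile ---
# Reads the rules back so a typo in the port or an "Any" profile is caught now,
# not when endpoints fail to report in.
Get-NetFirewallRule -DisplayName 'Sophos*' |
    ForEach-Object {
        $port = $_ | Get-NetFirewallPortFilter
        [pscustomobject]@{
            Rule     = $_.DisplayName
            Enabled  = $_.Enabled
            Profile  = $_.Profile
            Protocol = $port.Protocol
            Port     = $port.LocalPort
        }
    }

# --- Check from a managed endpoint (after gpupdate /force): can it reach the server? ---
Test-NetConnection -ComputerName 'sec01.corp.example.com' -Port 8192 |
    Select-Object -Property ComputerName, RemotePort, TcpTestSucceeded
```

The GPO-backed rule only applies after the policy is linked and refreshed on the clients, so the final `Test-NetConnection` is the quickest way to tell a firewall problem from a deployment problem later in Step 13.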

Step 2: Create Domain Accounts for Sophos Management

i. Open 'Active Directory Users and Computers'
ii. Right-click the OU where the new account should reside
a. Select 'New'
b. Then select 'User'
c. Call the account 'SophosDBuser' or something defining of your choice
d. Set and record the password
e. Deselect 'User must change password at next logon'
f. Select 'User cannot change password' and 'Password never expires'
iii. Repeat for user account 'SophosUpdateMgr'
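The account creation in Step 2, done with the ActiveDirectory module and with the same three flags the GUI steps set (no password change at next logon, user cannot change password, password never expires), followed by a read-back check. This is an added example, not part of the original how-to; the OU path and UPN suffix are placeholders.

```powershell
# Added example (not from the original how-to). Creates the two Step 2 service
# accounts and verifies their password flags.
# Assumed placeholders: OU "OU=Service Accounts,DC=corp,DC=example,DC=com"
# and UPN suffix "corp.example.com".
Import-Module ActiveDirectory

$ou = 'OU=Service Accounts,DC=corp,DC=example,DC=com'

foreach ($name in 'SophosDBuser', 'SophosUpdateMgr') {
    # Prompt for each password so it is set and recorded out of band (item d)
    $password = Read-Host -Prompt "Password for $name" -AsSecureString

    # -ChangePasswordAtLogon $false  -> item e
    # -CannotChangePassword $true    -> item f
    # -PasswordNeverExpires $true    -> item f
    New-ADUser -Name $name -SamAccountName $name `
        -UserPrincipalName "$name@corp.example.com" `
        -Path $ou `
        -AccountPassword $password `
        -Enabled $true `
        -ChangePasswordAtLogon $false `
        -CannotChangePassword $true `
        -PasswordNeverExpires $true `
        -Description 'Sophos Enterprise Console service account'
}

# Check: read the flags back from AD rather than trusting the dialog boxes.
# Both accounts should show Enabled=True, CannotChangePassword=True,
# PasswordNeverExpires=True.
Get-ADUser -Filter "Name -like 'Sophos*'" `
    -Properties CannotChangePassword, PasswordNeverExpires |
    Select-Object -Property Name, Enabled, CannotChangePassword, PasswordNeverExpires
```

These are plain domain users; leave them out of privileged groups and let the installer request the rights it needs in Steps 4 and 6.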

Step 3: Launch the Console Installer

i. Run the executable
ii. Use the defaults for unpacking and install directory (C:\Program Files\Sophos)
iii. Continue with defaults until you reach the 'Database Details' screen

Step 4: Database Details

i. If you do not have a specific SQL Server instance that needs to be used, choose "Create a new instance called 'SOPHOS'"
ii. Click 'Browse' and enter the 'SophosDBuser' account, then click 'OK'
iii. Enter the password that was set and click 'Next'

Step 5: Communication Settings

i. Leave 'Port number' set to '80'
ii. Click 'Next'

Step 6: Sophos Update Manager Credentials

i. Click 'Browse' and enter the 'SophosUpdateMgr' account, then click 'OK'
ii. Enter the password that was set and click 'Next'

Step 7: Manage Encryption

i. If you do not plan to use Sophos encryption or do not have a license for it, select 'Do not manage encryption'
ii. Click 'Next' then choose to opt in or out of providing feedback


Step 8: Ready to Install

i. Click 'Install' (this might require a system reboot when done)
ii. Have a coffee while you wait


Step 9: Log Back On

i. Log back onto the server
ii. The Sophos Enterprise Console should launch automatically; if not, open it from the Start menu
iii. Wait for the download wizard to pop up then click 'Next'


Step 10: Download Security Software Wizard

i. Enter the username and password (case sensitive) supplied on your Sophos License Schedule
ii. Enter proxy server information if required
iii. Click 'Next'
iv. Select the endpoint platforms required in your environment (Windows 2000 and above), then click 'Next'
v. Now go refresh your coffee while the software downloads, or click 'Next' and allow the download to continue in the background

Step 11: Connect Sophos Enterprise Console to AD

i. Check 'Set up groups for your computers (if you use Active Directory)'
ii. Click 'Next'

Step 12: Policies

i. Now you can create policies that meet your company's needs and link them to the appropriate OU
ii. Policies are located on the left side of the console, bottom frame
iii. It is recommended to create a duplicate of the default policies to edit/customize or create a new one

Step 13: Deploy Endpoint - From the Console

i. There are many ways to deploy the endpoint (GPO, manual, console)
ii. To deploy with the console right click a computer from the 'Groups' frame (above 'Policies')
iii. Select 'Protect Computers'
iv. Click 'Next' on the wizard
v. Select to add the 'Firewall' and 'Third-Party Security Software Detection' (and removal) if desired
vi. Click 'Next' then 'Next' again
vii. Enter domain account credentials with sufficient rights to install software and click 'Next'
viii. Click 'Finish' to start the deployment

Hope you find this how-to helpful
Internal I.T. Ltd. is a Sophos partner
www.internalit.ca
@Internal_IT

Published: Aug 15, 2013 · Last Updated: Dec 16, 2013

1 Comment


    Scott Manning May 30, 2014 at 04:46pm

    Good write up, very useful information here, thanks for sharing.