18 November 2010

Using Sophos Update Managers and IIS sites for better WAN performance

By far the worst thing about Sophos 8 was the EM Library.  It was niggly and tricky and if it did not work properly it would freeze all the data on your console.

Eversince Sophos 9 they have been using the new and improved version of the EM Library - now called Software Update Managers (SUM).  There are a few advantages but the one we are concerned with is that it is far more robust. See 10 reasons to use SUM

For anyone having to update a distributed environment without having a SUM at each location there is one BIG problem.  By default SUM only offers up a UNC share for the clients to update from.  This is fine for clients updating from a local SUM but clients located at the other end of a slow link is a problem.  Using a UNC share means that the clients will use Server Message Block (SMB) aka Common Internet File System (CIFS) The big problem with CIFS is that it is very chatty and does not like latency, both of which is a problem on a slow WAN link.  For more info check out http://en.wikipedia.org/wiki/Server_Message_Block

Fortunately the Sophos clients support updating from an HTTP source.  This means we can supplement the normal UNC share with an IIS web site.  This will then use HTTP which is a far better option for a slow WAN link.  Also built into IIS we have limit control where we can throttle down the bandwidth and the allowed open sessions.

1. Set up a SUM

  • Decide which machine you would like to use as a SUM / HTTP update server
  • Configure the SUM to be subscribed the the relevant packages
  • Update your SUM and check that the relevant CID's are populated
  • (C:\programdata\Sophos\Update Manager\Update Manager\CIDs)
2. Install the IIS server role

  • Using server manager install the IIS role.  
  • Most role features can be left out as this will be a very basic IIS site

3. Configure your IIS Site

  • From the Actions menu select Basic setting.
  • Change the Physical path to be C:\programdata\Sophos\Update Manager\Update Manager

  • From the Middle pane open MIME Types
  • This control what kind of data can be served through your site.  Since we are sending Malware updates we need to add a wildcard MIME type
  • From the Actions pane Click Add
  • For File Name extention enter .*
  • For MIME Type enter */*

  • You can now also specify IIS limits if you want. From the Actions Pane select Limits
  • Specify the relevant limits you want to apply, they can be done individually or you can apply all

4. Configure an Update Policy

  • From the Sophos Enterprise Console
  • Create a new update policy
  • in the address specify the name or IP of your IIS server
  • Check that the right subscription is selected
  • You will be reminded that "The primary update location may not contain the selected software subscription - Do you want to continue anyway"
  • Apply the policy to your machines

5. Test a client and confirm that the updates succeed

  • From a client machine open the Sophos Endpoint Security and Control
  • By Clicking on Configure Updating you can verify that the update location is what you specified in the policy  (You will see that it has automatically appended the down level directories)

  • Right Click the Sophos shield in the System try and click update now
  • To determine that everything worked the way we want it to open the  View Updating Log

Using SUM will be a big improvement over using the EMlibrary.  By Using IIS you can overcome the limitations and service your distributed environment with fewer  SUMs and that means fewer policies.  By using Multiple IIS sites from one server you can also gain very granular control as that what is enabled or disabled.


Anonymous said...

This was a great help. All info was spot on. Thanks for sharing. Dankie (Province!)

Etienne Liebetrau said...

Glad I could Help

Anonymous said...

Solid article. For info, applied the same principles to our IIS 6 installation and it seems to be working fine. (Enterprise Console 5 / Sophos 10)

Thanks for the info.

Anonymous said...

Ive got to say, this made what I think to be a poor guide from Sophos, very easy! Thanks!

Etienne Liebetrau said...

So glad I could help, and that I was not the only one finding the Sophos documentation lacking.

Post a Comment