10 January 2011

Optimise Sophos software update deployment configuration and schedule Part III

In parts I and II of this series we looked at the infrastructure that provides the update framework from a server perspective.  In this part we will focus on the endpoint and what can be configured there.  Endpoints are generally configured via a policy from the management server.  We will also look into the network factors that can guide your deployment.

When configuring the policy there are a few important choices.

Limiting the bandwidth per client
On both the primary and secondary server tabs there is an Advanced button that lets you enable and set bandwidth throttling.  This is handy for trying to prevent flooding of the WAN.

Specifying the update subscription
On the subscription tab you have the option to specify the subscription to apply to the endpoint.

You can now specify an older subscription here so that the endpoint does not attempt to update itself to the latest version of the software, but it will still pull down the latest definitions.

The client's schedule is fairly basic.  It only tells the client how often to check for updates, and that's it.
Increasing the interval can help to reduce concurrent connection attempts from clients, but not really anything more than that.  Since it is totally randomised, this does not give you any real control.

Using the SUMs and subscriptions together
By manually switching either of these per policy you can specifically update the group to which the policy applies so that it subscribes to a newer package.  If you have granular grouping this can give you more granular control.

Network and environment considerations
If your environment is all LAN-connected user machines, you might never have a problem with updates.  If you have a large number of business-critical, resource-constrained machines on the other end of a WAN, that is a very different scenario. There are various guidelines about the maximum number of endpoints per CID, but you really need to consider the bigger picture when planning and rolling out your environment, not just for management but also for updating and the associated risk appetite.

As the series explored, there is no single configuration or setting that will optimise software updates for your environment.  With additional manual intervention or manual administrative steps you can manage your environment well, as long as the following are set up correctly for your needs:

  • Enterprise Console Subscriptions
  • SUM subscriptions, CIDs and Schedules
  • CID distribution
  • WAN layout and bandwidth
  • Endpoint CID configuration
  • Endpoint Schedules
  • Endpoint Updating policy
  • Endpoint group membership

What I would love to see from Sophos is the ability to control the client to only download and install updates.  I would also want the client to be able to download software updates on a schedule with a start and stop time, and finally to be able to schedule when the software update is actually installed.