Deploying clients to remote offices with slow link

Question

Hi ALL,

We are deploying the sophos to the clients that are located in the remote offices and outlet with a slow link to HQ. I created another thread before saying that I change the Initial Install Source to a local server's folder but it's totally failed and I gave up. Next, I use the cmd line method to deploy the clients like this:

\\172.18.10.1\sophosupdate\CIDs\S000\SAVSCFXP\setup.exe -mng yes -crt R -updp \\172.18.20.1\SophosUpdate\CIDs\S000\SAVSCFXP -user 172.18.20.1\SophosUpdateMgr -pwd sophosupdate -G \SOPHOS1\TEMP -s

Local subnet: 172.18.10.0/24

Remote subnet: 172.18.20.0/24 (HQ)

Local PC to install Sophos: 172.18.10.60

Local server sharing the source for installation and first time update: 172.18.10.1

Remote server sharing the source for further updating: 172.18.20.1 (HQ)

With the above cmd line, I found some issues... :smileysad:

[1] Once the client successfully installed the sophos endpoint, the update will pointing to the HQ server... that's good and as expected, but I thought the FIRST TIME update should using the one in the local source? The installation is smoothly and good, but the updating takes 2 hours....... it's no good for a slow link over IPSec VPN.

[2] The "-G" parameter is not function... even I tried to put the different groups... the result is, the new deployed client would just in "unassigned" group

My requirement is quite reasonable: Let the local PCs to install the sophos endpoint from the local shared folder (with all necessary update) and then pointing the update primary server to the remote one for any further updating.... as told by the Sophos guys, the regular update of definiation should be below 100kb... I set the periodically update for every 60 minutes~ I wonder why the first updating need to update so many files from the REMOTE server.... does there any way can do it as expected??

Any advise / suggestions are welcome and appreciated !! Many thanks !!! :smileysurprised:

This thread was automatically locked due to age.

QC · Accepted Answer

Hello Uncle_Ben,

as far as I know it works as follows: After running CRT (if specified) the first (and only) component installed by setup.exe is AutoUpdate. Once this is done AutoUpdate performs a "regular" update from the location configured, detects that "other" components are not yet installed and downloads and installs them. The location defaults to the location of setup.exe but can be specified using the -updp switch or SAUConf.xml in the \sau subdirectory.

In order to perform the install from the local server you should not specify -updp. Using the -G <path> switch the computers should appear in the correct group and receive their Updating Policy which points to the central server. <path> is case sensitive (is the group a top level group named TEMP?) and needs to include the management server (is it SOPHOS1?).

While regular updates are rather small you have to watch out for version changes. Therefore you might want to subscribe to a fixed version (and uncheck the "automatically upgrade" box just in case). You have to check for newer versions periodically (at least every three months) and if a version upgrade is required decide on when and how to upgrade the clients.

If you search this forum for slow link you'll find a very long thread (Distributing over slow links) which discusses problems, pros and cons of alternatives. Personally I'd try setting up a secondary (child) SUM in the remote office. John Reynolds mentioned updates over http with a caching proxy in the remote office in this post.

HTH

Christian