
SEC 5.1 Secondary Update Location Query

Hi,

I'm investigating our failover options for Sophos Endpoint client updates and I have a question that I've been unable to find an answer to.

We have a single SUM configured as Primary update location.  Secondary location is configured as direct to Sophos.

We've tested clients updating direct from Sophos as secondary when the primary location is unavailable.  However, I have a question regarding the SUM being unable to update itself from Sophos and how this affects clients.

I could do with some clarification around what happens if the SUM is unable to contact Sophos to update subscriptions.  As I understand it the endpoint clients will contact the server, check their cache version against what is currently in the CID and report that no update is necessary.  Is this correct?  Also will the client ever reach a point of being out of date and failover to the Secondary update location? 

Thanks.

Gav

  • Hello Gav,

    Good question. There is no mechanism for a client to detect a stale CID or a dead SUM. The monitoring of the SUM is done by SEC, which will alert you (optionally by email) if it hasn't updated for some time (which is configurable).

    SUM is unable to contact Sophos

    then likely your clients are unable as well, as they use the same credentials, same location(s) and in principle the same mechanism as your SUM (though an update to SUM itself - or a FP like Shh/Update - might cause it to be subsequently unable to contact the Warehouse, but in an FP case it's probably better when the clients do not attempt to get it as well). If SUM is failing but SEC works you should get an alert. This leaves the cases when your SEC goes belly up (but the server hosting the share continues to work) but you don't notice. Given that the default critical level for Time since last update from Sophos is 96 hours, a client would likely wait at least that long.

    will the client ever reach a point of being out of date and failover

    No. A successful synchronization with the update location is considered a success. While the idea of taking the last actual update into account is at first glance intriguing, such an out-of-date failover should only come into play in cases of negligence :-P. If you encounter a problem with your SUM which you can't correct within an acceptable time, simply disable the share or the web folder.

    Christian

  • Hi Christian,

    Thanks for your detailed response.

    This confirms what we expected to be the default behaviour for the clients.  We do have monitoring in place for SEC (including email alerts) so this should identify the issue. 

    The point you make about disabling the share seems the best way forward for us to deal with a SUM that is out of action for a long period of time, as this will achieve the desired effect of causing the clients to contact Sophos direct for updates.

    Thanks for your help

    Gav
