Hi,
The majority of the traffic will be updating, although RMS traffic might also be worth considering but that might depend on the number of clients you have.
Also, do you use the patch agent on the clients? This also downloads a fair chunk of data from the management server. If this becomes a problem you can install a caching proxy at the local sites. http://www.sophos.com/en-us/support/knowledgebase/117121.aspx.
Typically, in such a scenario you would: Install a management server at the main site. The other sites would install just remote SUMs in order to create local distribution points for local clients to update from. These child SUMs would perform updates from either the main SUM (could be UNC or HTTP) or could update from Sophos; you can configure the management server as the first source on the list and Sophos as the second entry as a failover.
Another benefit of a single management infrastructure is that if clients (probably laptops) move between sites, it would be worth enabling intelligent updating in the updating policy, so that as they move between sites, they discover the local updating path from local clients. As long as clients use the same subscription this will work without configuration and save cross-site bandwidth.
The other additional option is to also install message relays at each of the remote sites along with SUMs so all local clients send RMS traffic to the main server via the local site. This doesn't really reduce traffic but reduces connections. This is really recommended when you have 4K clients in total and to help with scalability. The only downside is it adds complexity if not required.
If you switch to this scenario of just child SUMs, be careful of the existing software and shares. You can run into issues if you try and convert a full management server into just a SUM due to the existing shares. You also probably have 5 different sets of certificates so currently the clients will not just be able to switch to talking to the new server without re-protecting them or re-initialization of RMS.
I would suggest if this is something you wish to try, just try one site first. So pick which is to be the main site (keep existing management server) and which is to be the pilot "child site". Suggest the smallest site is used as the pilot child to minimize possible disruption.
At the pilot site, remove the management server components, but if it's a VM, take a snapshot so you can back out if required. If not a VM, you can run the DataBackupRestore tool to back up all components, so you can reinstall and revert later if needed.
Maybe, if possible, you could use a new server at the pilot site to be just a local SUM. This will offer the benefit of giving you the option to move local clients over to the new infrastructure over time and they will continue to just update as they do today until then. This will also avoid any conflict of the existing shares.
Either way, be it starting with a new server or having removed everything off the existing server including the SophosUpdate share and SumInstallset, you can run: \\mainsite\suminstallset\setup.exe to install the child SUM. Shortly after installing it should appear as a SUM entry in the main SEC server. Subscribe it to your existing subscriptions, or those required. Wait for the SUM to update and the \\localsum\sophosupdate\ share. You can then protect the local server from its own local share.
The computer can then be found in SEC and moved to a group. You might need to re-adjust the groups in SEC?
Once the new child SUM is installed and SAV is installed on it and you're happy it's fully managed you can start moving a few test clients over to it either by:
1. Using SEC to protect the clients, having moved them to a group or applied an updating policy that references the new update location.
2. Running setup.exe from the new CID to re-bootstrap them. You can pass switches to perform a silent install/update. (http://www.sophos.com/en-us/support/knowledgebase/12570.aspx)
3. Consider if http://www.sophos.com/en-us/support/knowledgebase/116737.aspx might be of use to get the clients talking to the new management server, once they are, you can send them policies.
If it goes well on the pilot child site, the same procedure can be followed on the others over time.
Regards,
Jak
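The share-related steps in the post above can be checked from PowerShell on the pilot server before and after installing the child SUM. This is an added example, not part of the original post and not Sophos tooling; `mainsite` and `localsum` are the placeholder server names used in the post, the function names are hypothetical, and treating a non-empty share as "updated" is an assumption.

```powershell
# Added example: pre-flight and post-install checks for a pilot child SUM.
# Function names are hypothetical; server names are the post's placeholders.

function Test-ChildSumPreflight {
    param(
        [string]$MainServer = 'mainsite',
        # Shares the post says must be gone before installing a child SUM.
        [string[]]$LegacyShares = @('SophosUpdate', 'SUMInstallSet')
    )

    # Leftover shares from the old management server conflict with a fresh SUM.
    $leftover = @(Get-SmbShare -ErrorAction SilentlyContinue |
        Where-Object { $LegacyShares -contains $_.Name })

    # The child SUM installer is run from the main site's share.
    $installer = "\\$MainServer\suminstallset\setup.exe"
    $reachable = Test-Path -LiteralPath $installer

    [pscustomobject]@{
        LeftoverShares     = ($leftover.Name -join ', ')
        InstallerPath      = $installer
        InstallerReachable = $reachable
        ReadyToInstall     = ($leftover.Count -eq 0) -and $reachable
    }
}

function Wait-ChildSumShare {
    param(
        [string]$LocalSum = 'localsum',
        [int]$TimeoutMinutes = 60
    )

    # Assumption: the share existing and holding at least one item means
    # the child SUM has completed a first update.
    $share    = "\\$LocalSum\sophosupdate"
    $deadline = (Get-Date).AddMinutes($TimeoutMinutes)
    while ((Get-Date) -lt $deadline) {
        if ((Test-Path -LiteralPath $share) -and
            (Get-ChildItem -LiteralPath $share -ErrorAction SilentlyContinue |
                Select-Object -First 1)) {
            return $true
        }
        Start-Sleep -Seconds 60
    }
    return $false
}
```

Run `Test-ChildSumPreflight` on the pilot server before launching setup.exe, and `Wait-ChildSumShare` after subscribing the new SUM in SEC, before protecting the server from its own share.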