Change update location based on subnet

Is there a way to tell the client to look for a local update repository for updates?  We have many WAN sites, and most of them have a server we use as "downstream" servers for windows updates.  I'd like to use them for Sophos updates, I've installed Sophos Update Manager on one of the servers but how do I force the local computers on that subnet to use that update repository?  We don't have computers grouped by location in AD or in the system.  Is this something I can script?  If so what files do I need to change?

:38661


  • Hi,

    So you're saying that you can't define an updating policy per site for these machines in SEC?

    So in SEC you can't have:

    |-SiteA
    |-----Servers
              [SUM ServerA]  (I assume this is used by SUS as well?)
    |-----Clients
              Client1, Client2, Client3, etc...

    |-SiteB
    |-----Servers
              [SUM ServerB]  (I assume this is used by SUS as well?)
    |-----Clients
              Client1, Client2, Client3, etc...

    Have a SUM at SiteA and SiteB pushing a distribution point locally to the server.  Then in SEC have 2 updating policies, e.g. called SiteA and SiteB, where you configure the location?

    Just to confirm really.

    Are DNS hacks at a site level possible?

    So in the policy you define:  \\Server\SophosUpdate.....  Which is what all clients look for.

    The clients at each site then resolve "Server" to the actual local "Server" name?

    If you fiddle with iconn.cfg to set the location you will end up with computers showing differs from policy.

    The other option that might be of use is to use the "Allow location roaming" option in the updating policy, but this is really for computers that move between sites where there are a number at each site that are fixed.  In this method, as long as the clients use the same subscription it will work, so they have to be part of the same SEC infrastructure.  When the client moves to the other site, it will "find out" from other clients where they update from, and as long as they are using the same subscription the "roaming" client will then use the same location, which is likely to be local to the site.  This doesn't seem quite what you're after as it does require a number of computers to be updating from the local site already.  It also doesn't guarantee anything, as it is more of a bonus when it works to save clients that move from updating from their original location, which could be the other side of the world for example.

    Regards,

    Jak

    :38669
  • Thanks for the info!  I could group computers by site; the issue is our current Active Directory structure isn't set up that way.  So it would be a manual process of creating each container in SEC and manually moving the computers into the containers?  Is that correct?  I'm new to Sophos, I didn't set this up unfortunately.  I walked into this configuration.

    I suppose I could do some DNS hacks with a host file on each computer per site (login script), but that doesn't seem like a good idea.

    :38671
  • Hello mgomez,

    Unless you are using AD sync, which only makes sense if your AD structure mirrors the WAN sites on a sufficiently high level, you can design the groups in whatever way you wish. Of course you have to manually move the clients into the desired group (for new installs you can specify the group when running setup.exe, provided you have the means to do a site-specific install).

    Having the clients grouped per site in SEC is probably a good idea - you might want to use different policies (other than updating) e.g. to deal with threats, or have different settings for Application Control and so on. A site-specific name-prefix or IP range (you said subnet) would assist you in "manually distributing" the clients. While it's tedious without, even then this shouldn't take longer than a few days (and it's a one-time effort).

    Jak has already mentioned a DNS hack: if each of the sites has its own DNS you could define a common alias for the SUMs which resolves to the site's server. (Abusing) Location Roaming would be more showing off than a solution, as you wouldn't be able to manage the clients per site. It has a number of drawbacks, especially if you intend to use message relays. As an aside, it could be an interesting experiment if the clients reported their current update location to SEC, which AFAIK they don't.

    HTH
    Christian

    :38689
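Two things in the thread lend themselves to a small script: Christian's suggestion that an IP range or a site-specific name prefix can drive the one-time sorting of clients into per-site SEC groups, and Jak's DNS idea where one alias in the updating policy resolves to a different server at each site. The script below is an added example written for this discussion; it is not Sophos code, does not talk to SEC, and the site names, subnets, hostname prefixes and inventory in it are all constructed. It sorts an exported hostname/IP list into site buckets (subnet match first, name prefix as fallback, anything else flagged as unassigned so nothing is silently misplaced), and offers a check that the address a site resolves the shared alias to actually sits inside that site's own range.

```python
"""Sort clients into per-site groups by subnet or name prefix, and check that
a site's update-server alias resolves to a local address.

Added example for this thread, not a Sophos tool. SITES, INVENTORY and the
addresses below are constructed for illustration."""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Hypothetical WAN sites: one SUM / distribution point per site.
SITES = {
    "SiteA": {"subnets": ["10.10.0.0/16"], "prefix": "SA-"},
    "SiteB": {"subnets": ["10.20.0.0/16", "10.21.0.0/24"], "prefix": "SB-"},
}
UNASSIGNED = "Unassigned"


def site_for_client(hostname, ip, sites=SITES):
    """Return the site a client belongs to.

    A subnet match wins. The hostname prefix is only the fallback for clients
    with no recorded address or an address outside every known range, so a
    laptop seen at the wrong site is placed by where it actually is.
    Clients matching neither rule land in UNASSIGNED for manual review."""
    if ip:
        addr = ip_address(ip)
        for site, cfg in sites.items():
            if any(addr in ip_network(net) for net in cfg["subnets"]):
                return site
    upper = hostname.upper()
    for site, cfg in sites.items():
        if upper.startswith(cfg["prefix"].upper()):
            return site
    return UNASSIGNED


def group_inventory(inventory, sites=SITES):
    """Map {site: sorted hostnames}; inventory is [(hostname, ip_or_None)]."""
    groups = defaultdict(list)
    for hostname, ip in inventory:
        groups[site_for_client(hostname, ip, sites)].append(hostname)
    return {site: sorted(hosts) for site, hosts in groups.items()}


def update_server_is_local(site, resolved_ip, sites=SITES):
    """True if the address a site resolves the shared update-server alias to
    lies inside that site's own subnets, i.e. clients hit the local SUM and
    not a server across the WAN."""
    addr = ip_address(resolved_ip)
    return any(addr in ip_network(net) for net in sites[site]["subnets"])


# Constructed inventory: (hostname, last-seen IPv4 or None)
INVENTORY = [
    ("SA-PC001", "10.10.4.21"),
    ("SA-PC002", "10.10.9.3"),
    ("LAPTOP-77", "10.21.0.15"),   # no site prefix, but inside SiteB's range
    ("SB-PC010", None),            # no address recorded; prefix decides
    ("OLD-PC", "192.168.50.7"),    # neither rule matches -> Unassigned
]

if __name__ == "__main__":
    for site, hosts in sorted(group_inventory(INVENTORY).items()):
        print(f"{site}: {', '.join(hosts)}")
    # Constructed resolver results for the alias at SiteA: one local, one not.
    print("SiteA alias local:", update_server_is_local("SiteA", "10.10.0.5"))
    print("SiteA alias local:", update_server_is_local("SiteA", "10.20.0.5"))
```

The output of `group_inventory` is the per-site move list for SEC; the `Unassigned` bucket is the set you have to look at by hand rather than guess. `update_server_is_local` takes the address you observe a site's clients resolving the alias to (for example from `nslookup` run at that site) and tells you whether the DNS trick is actually sending them to the local server.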