Thread Info
  • State Verified Answer
  • Locked Locked
  • Replies 12 replies
  • Subscribers 1 subscriber
  • Views 19912 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Air-gapped Network Configuration

garryb73

Hello,

I am trying to configure an air-gapped solution and am getting the following problem.

I currently have a live server configured to download and deploy to my network, but need another solution for my air-gapped network.  I have therefore created a new Windows 2008 server on the air-gapped network and followed the instructions in the sophos article 64899

1. Install Enterprise Console on one of the servers in the air gap to centrally manage and update the endpoint computers in the air gap.

  1. Follow the instructions in the Quick Startup Guide to install the management software and cancel the installer when it reaches the Download Security Software wizard.
  2. Create a new folder on the desktop to be used as your update source. Call this folder Update Source and share the folder as SophosUpdateManager.
  3. Ensure that the update manager is not currently an performing an update, otherwise the files copied in the step below will be incomplete and you will have a folder that appears corrupt to the air-gapped update manager. You can view update activity with the Logviewer.exe program. Note: If an update is in progress when copying the files you will see the error could not create catalogue sdds.local when configuring the air-gapped update manager.
  4. Copy the Warehouse directory from the non-air-gapped network onto a removable storage device or CD and submit this medium to your required verification:- On the non-air-gapped network, the Warehouse directory containing the packages is as follows.
    • Windows Server 2000/2003: C:\Documents and Settings\All Users\Application Data\Sophos\Update Manager\Update Manager\Warehouse
    • Windows Server 2008: C:\Program Data\Sophos\Update Manager\Update Manager\Warehouse
  5. Paste the Warehouse directory to the folder Update Source (i.e., the one you created in step 2 above), which is on the desktop in the air-gapped network.
  6. On the air-gapped Update Manager, on the 'Sources' tab, set the primary source to be the UNC path to the 'SophosUpdateManager' share, e.g., \\servername\SophosUpdateManager
  7. Configure your software subscriptions to use the appropriate packages.
  8. Once your update manager has downloaded the packages, deploy them to the air-gapped network.

I have done as above, however when I recheck my subscriptions I get no available software.  Thus I am unable to deploy the software to the clients on this network.

The update manager was disable on both servers during the transfer of the warehouse, I have also included the CIFS in the transfer. 

I have checked the logviewer and cannot see any errors.

Can anyone point me to what is going wrong.

Thanks

Garry

:36645


This thread was automatically locked due to age.
  • 0

    Hello Garry,

    what does the Log Viewer show (apart from the fact that there are no obvious errors? Also on the new server - what are the contents of the columns in the Update Managers view?

    Christian

    :36647
  • 0

    Hi Christian,

    The update manager is showing the following:

    Servername

    Last update: 09/01/0213 14:54

    Last checked: 09/01/2013 15:19

    Configuration: Matches

    Version: 1.3.1.168

    Number of shares: 1

    Logviewer

    09/01/2013 15:29:20 Success The decode operation was successful, but no new files were decoded.
    09/01/2013 15:29:20 Success The decoding of product release 'Sophos Update Manager' version RECOMMENDED was successful, but no new files were decoded.
    09/01/2013 15:29:19 Success The decode operation was successful, but no new files were decoded.
    09/01/2013 15:29:19 Success Deployment to share 'C:\ProgramData\Sophos\Sophos Endpoint Management\5.1\Updates\Secure\SDFs\SophosPA' was successful, but no changes were needed.
    09/01/2013 15:29:19 Success The decode operation was successful, but no new files were decoded.
    09/01/2013 15:29:19 Success Deployment to share 'C:\ProgramData\Sophos\Sophos Endpoint Management\5.1\Updates\Secure\SDFs\SophosMA' was successful, but no changes were needed.
    09/01/2013 15:29:18 Information Synchronization of protection data was successful.
    09/01/2013 15:29:18 Information The synchronization of protection data for product release 'Sophos Patch Server' was successful, but no new data was found. Product release version: RECOMMENDED
    09/01/2013 15:29:18 Information The synchronization of protection data for product release 'Sophos Enterprise Console' was successful, but no new data was found. Product release version: 0.0.0
    09/01/2013 15:29:18 Information The synchronization of protection data for product release 'Sophos Update Manager' was successful, but no new data was found. Product release version: RECOMMENDED

    :36651
  • 0

    Thanks, Gary - so basically it does work.

    You say when you open the Recommended subscription there is no data? Could you perhpas provide a screenshot? BTW: I assume the server you copied from is also SEC 5.1?

    Christian

    :36653
  • 0

    The screen shot is a bit difficult but when you check the subscriptions I get the following

    Software Subscription: Recommended

    License: Endpoint Protection - Advanced

    Software: Nothing listed

    On my live server I get the following

    Software Subscription: Recommended

    License: Endpoint Protection - Advanced

    Software

    Windows NT, Version 4 Recommeded, Status Retired

    Windows 2000 and above, Version 9.7 Recommended

    Yes i'm running 5.1

    :36655
  • 0

    These are the checked products on the live server?

    As the license information is there it looks like something's missing from the Warehouse. Please make sure the copy is complete.

    Christian

    :36659
  • 0

    Yes these are the checked products on the live server.

    I have tried copying he warehouse over twice, but can give it another go.

    The only difference between the two servers are as follow

    Live Shares

    SophosUpdate: D:\Sophos_Updates\Update Manager

    SUMInstallset: D:\Sophos\Enterprise Console\SUMInstaller

    UpdateManager: D:\Sophos_Updates\Update Manager

    Air-Gapped Shares

    SophosUpdate: C:\PrograData\Sophos\Update Manager\Update Manager

    SUMInstallset: C:\Program Files (x86)\Sophos\Enterprise Console\SUMInstaller

    UpdateManager: \\"RemoteServer"\UpdateManager

    I have copied the containt of the live server (Warehouse & CIDs) and loaded them onto \\"RemoteServer"\UpdateManager  The Enterprise server update manager is conigured to search this source location for updates.

    :36675
  • 0

    Hello Garry,

    before copying another time (you don't need the CIDs BTW, I'd rather not copy them) please check the current contents of the Warehouse on the air.gapped server. What's the path on disk for \\"RemoteServer"\UpdateManager?

    Christian

    :36679
  • 0

    The warehouse looks the same as the one on the live server.

    The path on the remote server is E:\Update Manager, Shared out as SophosUpdateManager.

    It was located on my Domain controller, but I have now relocated it to the file server on the domain.  However when I try to add the new source I get the following error

    The operation failed. Details: Failed to create a warehouse check action! SDDM returned 0xffffffff

    Would you like to use these source details anyway ?

    :36683
  • 0

    Re-starting the SUM has cleared this error, however when I run the update nothing changes.

    :36685
  • 0

    Hm, the air-gapped server should have written something to C:\ProgramData\Sophos\Update Manager\Update Manager and started to create the local Warehouse, did it?

    Might be necessary to engage Support. It doesn't do any harm to delete everything below the second \Update Manager and then force an update. Can't say if this will help, if it doesn't you should collect the logs using SDU as Support would need them. Sorry that I have no better idea at the moment.

    Christian 

    :36687