Question on SEC structure

So I've been managing a SEC 4.7 and SEPP 9.7 setup for some time now. I'm starting to question if I can build it out better.

- Currently, we have one server with the SEC and SUM on it. It's the "only" SEC server in the org.

- We have about 10 remote sites globally. Each site can range from 50 to 600 users. The total environment is about 2,000 systems.

- Each of these 10 sites has a local file server, with a shared folder called "SophosRepository".

- In SEC, there are 10 Update policies. Each policy is assigned to an office, and points to the local file share for the primary update. The secondary update is Sophos directly.

How is this for effectiveness? My understanding is that the primary SUM server, being configured to get its updates every 60 minutes, will then connect to each remote file share and update the files in the CID folder (if any updates are available).

Should I be running more than one SUM server? 

- one in each site?

What is a typical structure for a 2,000 endpoint SEPP/SEC setup? 

  • Hi Nduda78

    I agree with jak, and there are a few other things which could help you.

    1. Use SUM servers at the branches (the servers at the branches have to be Windows).

        Set the updating to push the software updates after hours (esp. if the lines between the branches are slow).

       ** You can as well set up Message relays for the larger 600 user sites.

    2. If you use Active Directory, and it is kept clean, use it to automatically deploy Sophos - or to ensure the installation on machines is done. Configure notifications if deployment to unmanaged machines fails - stay on top of unmanaged machines.

    3. Use separate accounts for everything, e.g. SophosUPD for the desktops updating, SophosCID for the branch updating, SophosAD for AD sync. This way you can assign the correct privileges. Additionally - if one account locks out, it won't bring down the entire updating. (It can be painful trying to track down where or who is locking the account out.)

    4. If the company is running an intranet, you can publish the updates on the internal website. (It will also help ease congestion if each local branch has a local webserver.)

    From my experience, prevention is better than cure in a large corporation where you might not have immediate access to all machines (esp. if they are in remote sites). Proactive notifications, sub-estates with helpdesk for the remote sites, and keeping it simple are the best options.

    Additionally and most important - BACKUPS. You don't want to sit having to recreate everything and redeploy Sophos if you don't have the right stuff backed up.

    Hope this helps. :)

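
Point 3 of the reply above mentions how painful it is to track down what is locking a service account out. The following is an added example, not part of the original thread or of any Sophos tooling: it reports the state of the three accounts named in the reply and lists which machine triggered each lockout in the last day. It assumes the ActiveDirectory PowerShell module is installed and that you can read the Security log on the PDC emulator.

```powershell
# Added example. Account names are the ones suggested in the reply; change to match yours.
Import-Module ActiveDirectory

$accounts = 'SophosUPD', 'SophosCID', 'SophosAD'
$since    = (Get-Date).AddDays(-1)
$pdc      = (Get-ADDomain).PDCEmulator   # lockout events (ID 4740) are recorded here

# 1. Current state of each dedicated account.
foreach ($name in $accounts) {
    Get-ADUser -Identity $name -Properties LockedOut, BadLogonCount, LastBadPasswordAttempt |
        Select-Object SamAccountName, Enabled, LockedOut, BadLogonCount, LastBadPasswordAttempt
}

# 2. Lockout events for those accounts. Get-WinEvent raises an error when
#    nothing matches the filter, so that case is silenced here.
$events = Get-WinEvent -ComputerName $pdc -ErrorAction SilentlyContinue -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4740
    StartTime = $since
}

$report = foreach ($evt in $events) {
    # Read the named EventData fields rather than relying on positional indexes.
    $data = @{}
    foreach ($node in ([xml]$evt.ToXml()).Event.EventData.Data) {
        $data[$node.Name] = $node.'#text'
    }
    if ($accounts -contains $data['TargetUserName']) {
        [pscustomobject]@{
            Time    = $evt.TimeCreated
            Account = $data['TargetUserName']
            # In event 4740 this field holds the name of the calling computer.
            Source  = $data['TargetDomainName']
        }
    }
}

$report | Sort-Object Time | Format-Table -AutoSize
```

Because each function has its own account, the Source column points straight at the endpoint, branch server, or sync host holding a stale password.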