
Child Library updating from DMZ

I have a console and SUM in my DMZ which downloads directly from Sophos.

With EM Library I used to then share the Databank folder as a website so that the EM Library within the LAN could download all the updates from the DMZ server rather than directly from Sophos.

Now I have put SUM on my LAN I can't work out how to set this up.  I just want my LAN based SUM to get its updates from my SUM in the DMZ via HTTP.  Which folder on the DMZ SUM should I share via IIS?  Or is there a better way of doing this now?

Thanks

:1353


  • Hello,

    you publish the folder which is shared as SophosUpdate (client updates and SUM use the same share now). I have a similar setup so if you have more questions just ask.

    Christian

    :1355
  • Hi, Thanks for the advice, I have added that directory into IIS and my LAN server does download some files as I can now see the "Warehouse" folder on it.

    Despite this it doesn't seem to be quite right as under errors I have "Software delivery failed" and last updated shows as "never".  In the update manager configuration it shows the available subscriptions so it is seeing what is available.

    Looking in the SophosUpdate folder on the LAN it has the Warehouse but no CIDs, I think this is the problem.

    Any ideas?

    Thanks

    :1387
  • Look at the update manager details which should tell you more about why the "Software delivery failed". What's the Download Status saying?

    Christian

    :1388
  • The download status is "Last Checked at .... 16.33.42"

    The details show...(sorry for mess)

        
        Time of last binary update              Never
        Time of last protection data update     Never

        Software subscriptions status

        Software subscription  Maintained in         Last successful download  Error code  Error description
        Recommended            \\CHOMP\SophosUpdate  Never                     00000002    Could not read from the update source location

        Outstanding alerts and errors

        Update manager status

        Date/time            Code      Description
        18/02/2010 16:33:42  80040401  Software update failed.
        18/02/2010 16:33:42  80040406  Delivery failed for software subscription 'Recommended'. Access to the source update location is denied or the location is otherwise unavailable.
        18/02/2010 16:25:57  80040404  Threat detection data update failed.

    Access denied I think is a red herring as I have tested browsing to the web site via IE on the server using the same credentials and all looks fine.  I presume it doesn't need write access to the share?              

    :1390
  • Have made some progress, remembered that you have to add a MIME type to IIS to allow it to share all the different file types via the website.  I now have some CIDs on my LAN server!

    :1392
  • So you're saying it's working now? Didn't mention the IIS settings (thought they were obvious) - BTW: there are also application extension mappings which can get in your way. Synchronization is all or nothing and if one file fails the whole cycle might be skipped. Occasionally I too get 80040406 - last time it occurred SUMTrace said "Cannot locate server ..." which is a little bit strange but since it's a rare and transient error I didn't dig deeper.

    Something else came to mind: you said you have the console in the DMZ and a child SUM on your LAN. I don't think you manage your clients from the DMZ, do you? Just asking because Child SUM is somewhat ambiguous. It could be a SUM updating from a source other than Sophos (installed along with SEC so it's on its own management server) or an additional SUM (installed from SUMInstallSet and managed from the master).

    Christian 

    :1410
  • Hi,

    Yes it is now working. 

    The SUM in the DMZ downloads from Sophos and the Enterprise Manager in the DMZ only manages the servers placed in the DMZ.

    The SUM on the LAN downloads the updates and packages from the DMZ and then the LAN based EntMan manages all the machines on the LAN. 

    Cheers

    :1411
  • Hi Alex/Christian

    this is exactly what I want to do in my environment. Can you please give me a quick high level overview of how you implemented this setup please?

    thanks

    Hasslehogg

    :54741
  • Hello Hasslehogg,

    in short:

    • Do a complete SEC install in the DMZ
    • Configure this SUM to update from Sophos and subscribe to the desired packages [1]
    • Verify that it is updating
    • Publish the \\DMZ-SEC\SophosUpdate\ share with IIS (or another web server) [2]
    • Install SEC (again a full install) on the internal server [3]
    • Set the Address in the Source Details to http://DMZ-SEC/SophosUpdate using whatever credentials you have configured in IIS [4]

    Notes:

    1. The DMZ SUM has to subscribe to all packages you need on the internal network
    2. You can use this location for client updates as well (e.g. for users on the road or home use). Please see Configuring Microsoft Internet Information Services for endpoint updating and How to configure specific MIME types for a Web CID in IIS 7.0/8.0. If you use it solely as source for SUM only the \Warehouse folder is accessed and no extensions other than .xml and .dat are used
    3. If you have endpoints which will potentially be moved to/from the DMZ you might want to use the same certificates on both servers. In this case export/import the applicable registry key before installing the internal SEC
    4. The only connection you have to open is port 80 (INT-SEC out to DMZ-SEC:80)

    As said, it should also be possible to install just the SUM in the DMZ and manage it from the internal network.

    Christian

    :54757
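
Added example, not part of the thread and not Sophos tooling: the failure earlier in this thread was cleared by adding a missing IIS MIME mapping, and a single file that cannot be served can fail a whole sync cycle. This Python sketch lists the file extensions under the published share that have no `<mimeMap>` entry in the site's web.config. The sample config, the temporary tree and its file names are constructed for illustration, and server-level defaults from applicationHost.config are not considered.

```python
import os
import tempfile
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed site-level web.config: only the two extensions mapped here are allowed.
SAMPLE_WEB_CONFIG = """<configuration><system.webServer><staticContent>
  <mimeMap fileExtension=".xml" mimeType="text/xml" />
  <mimeMap fileExtension=".dat" mimeType="application/octet-stream" />
</staticContent></system.webServer></configuration>"""


def mapped_extensions(config_xml):
    """Return the lower-cased extensions left mapped by <staticContent>."""
    root = ET.fromstring(config_xml)
    mapped = set()
    # Entries are applied in document order, as IIS does for this collection.
    for node in root.findall("system.webServer/staticContent/*"):
        ext = node.get("fileExtension", "").lower()
        if node.tag == "mimeMap":
            mapped.add(ext)
        elif node.tag == "remove":
            mapped.discard(ext)
        elif node.tag == "clear":
            mapped.clear()
    return mapped


def unmapped_files(share_root, mapped):
    """Count files under share_root, per extension, that have no MIME mapping."""
    if ".*" in mapped:  # wildcard entry: every extension is served
        return {}
    missing = Counter()
    for _dir, _subdirs, files in os.walk(share_root):
        for name in files:
            # Files without an extension are matched by the "." entry.
            ext = os.path.splitext(name)[1].lower() or "."
            if ext not in mapped:
                missing[ext] += 1
    return dict(missing)


def demo():
    """Check a small constructed tree (hypothetical names) against the sample."""
    with tempfile.TemporaryDirectory() as root:
        for rel in ("Warehouse/catalogue.xml", "Warehouse/a1b2c3.dat",
                    "CIDs/S000/example.exe", "CIDs/S000/one.upd",
                    "CIDs/S000/two.upd"):
            path = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            open(path, "w").close()
        return unmapped_files(root, mapped_extensions(SAMPLE_WEB_CONFIG))
```

Point `unmapped_files` at the real SophosUpdate folder and the site's web.config text to get the list of extensions that still need a mapping before the share is usable as an update source.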
  • Christian

    as always thanks a lot, really appreciate it

    :54759