
Excluding AD OU from Sophos + mass re-configuration of Sophos client Server location

hi guys,

Is there a way to exclude a specific AD OU from being detected as unmanaged computers? The reason for this is we have about 800 Linux VMs on the network and we want to exclude them.

Also, what is the best way to re-configure the Sophos clients' primary and secondary update servers on all computers and servers? Group Policy changing the registry, or re-deploying Sophos with SCCM? Is it possible to set the secondary server to point to the internet instead of the update server?

Thank you for any assistance.



  • Hi,

    You can create multiple AD sync points to work around it but that is potentially quite ugly.

    By default the AD piece of the management service connects to AD using the machine account of the management service as the management service runs as local system.

    The account the management service uses to connect to AD can be configured via the registry but you have to create the values.  These live under the key:

    32-bit: 'HKEY_LOCAL_MACHINE\Software\Sophos\EE\Management Tools'

    64-bit  'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Sophos\EE\Management Tools'

    2 string values:

    AlternativeLogonUsername

    AlternativeLogonPassword

    Note:

    AlternativeLogonUsername can take the format: domain\user.

    AlternativeLogonPassword needs to be an obfuscated form of the password you choose.  To generate it, you can use ObfuscationUtil.exe.

    1. Locate ObfuscationUtil.exe in C:\sec_[version]\Tools (default), or the location where you extracted the installation files of Sophos Enterprise Console.

    2. Copy this file to your Enterprise Console directory, e.g.:
    •   32-bit: 'C:\Program Files\Sophos\Enterprise Console\'
    •   64-bit: 'C:\Program Files (x86)\Sophos\Enterprise Console\'

    3. Open a Command Prompt (click Start | Run..., type cmd and press Enter), then change to the Enterprise Console directory, e.g.:
      cd "C:\Program Files\Sophos\Enterprise Console"

    4. Obfuscate the password with a command like:
      ObfuscationUtil --obfuscate password -w
      replacing password with the correct account password.

    5. Copy this password to the clipboard; if it spans multiple lines, join it into one line using Notepad.

    If you have a certain OU you wish to exclude, you could deny the above account access to it.  This way the management service will not be able to find the objects.  It will fail gracefully.

    I assume you have management (Remote Management System (RMS)) of the computers whose update locations you wish to change, so you can just change the updating policies in SEC?  How many updating policies do you have?

    You can point the primary location to either an HTTP or a UNC path. You can point the secondary location to either HTTP, UNC or "Sophos".  If you choose Sophos you will need to configure the credentials to be the same as those configured in the SUM that contacts Sophos.

    Regards,

    Jak

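    The registry steps above collected into one script, added here as an example (it is not Jak's script and not part of Sophos's own tooling). It assumes ObfuscationUtil.exe has already been copied into the Enterprise Console directory, takes the key and value names and the ObfuscationUtil command line from the post, and uses the service display name "Sophos Management Service" as it appears later in this thread; the account name and password are whatever the operator supplies. Jak notes later in the thread that these values influence the account used for role-based administration lookups rather than AD synchronisation, so check that before relying on them for OU exclusion.

```powershell
# Added example, not from the thread: write AlternativeLogonUsername / AlternativeLogonPassword
# under the Sophos EE "Management Tools" key, using ObfuscationUtil.exe to obfuscate the password.
# Run from an elevated PowerShell session on the Enterprise Console server.
param(
    [Parameter(Mandatory)] [string] $Username,                         # e.g. DOMAIN\svc-sec-ad (placeholder)
    [Parameter(Mandatory)] [System.Security.SecureString] $Password
)

# Directory and key per OS architecture, as listed in the post above.
if ([Environment]::Is64BitOperatingSystem) {
    $secDir = 'C:\Program Files (x86)\Sophos\Enterprise Console'
    $regKey = 'HKLM:\Software\Wow6432Node\Sophos\EE\Management Tools'
} else {
    $secDir = 'C:\Program Files\Sophos\Enterprise Console'
    $regKey = 'HKLM:\Software\Sophos\EE\Management Tools'
}

$util = Join-Path $secDir 'ObfuscationUtil.exe'
if (-not (Test-Path $util)) {
    throw "ObfuscationUtil.exe not found in $secDir; copy it from C:\sec_[version]\Tools first."
}
if (-not (Test-Path $regKey)) {
    throw "Registry key $regKey does not exist; is Enterprise Console installed on this host?"
}

# Expose the plain-text password only for the duration of the ObfuscationUtil call.
$bstr = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($Password)
try {
    $plain = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)
    # Same command as step 4 above; the tool may wrap its output, so join the lines (step 5).
    $obfuscated = (& $util --obfuscate $plain -w) -join ''
} finally {
    [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)
    Remove-Variable plain -ErrorAction SilentlyContinue
}
if (-not $obfuscated) { throw 'ObfuscationUtil produced no output.' }

# Create (or overwrite) the two REG_SZ values named in the post.
New-ItemProperty -Path $regKey -Name 'AlternativeLogonUsername' -PropertyType String -Value $Username   -Force | Out-Null
New-ItemProperty -Path $regKey -Name 'AlternativeLogonPassword' -PropertyType String -Value $obfuscated -Force | Out-Null

# Show what was written (the password value is the obfuscated form, not plain text).
Get-ItemProperty -Path $regKey | Select-Object AlternativeLogonUsername, AlternativeLogonPassword

# Restart the management service so it re-reads the key. The display name is taken from this
# thread; confirm it with Get-Service before relying on it (assumption).
Restart-Service -DisplayName 'Sophos Management Service'
```

    Usage: save as Set-SecAlternativeLogon.ps1 and run it with -Username 'DOMAIN\account'; the password is prompted as a SecureString so it never sits in shell history. The script deliberately never prints the plain-text password, only the obfuscated value that ends up in the registry.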
  • Hi Jak,

    Thank you for your response. Can you please confirm if it is possible to point the secondary server to download definitions directly from Sophos (internet)?

    Thank you.

  • Hello khey,

    Sounds like you have a lot of endpoints.

    "the best way to re-configure Sophos"

    is, as Jak has stated, via policies from SEC (registry won't work anyway, as the policies aren't kept in/backed with the registry).

    "if it is possible to point the secondary [to] Sophos"

    Sure - Sophos is available in the Address drop-down menu of the Updating Policy editor.  While it's not impossible to configure updating by other means, it's, frankly, pretty retro.

    Christian

  • Hi Jak,

    That is exactly what I am looking for, but unfortunately it doesn't work for me.

    I've followed your description exactly:

    - created the 2 regkeys

    - obfuscated the password

    - set the security on the OU

    but the specific OU I'd like to exclude is still synchronizing.

    I restarted the Sophos services, rebooted the Sophos server and of course waited till AD replication was done, but still the same.

    The Sophos Management Host service runs under the user <domain>\sophosmanagement,

    the Sophos Management Service under LocalSystem.

    Is there anything I am missing or I can check why this OU is still synchronizing?

    Thanks

  • UPDATE:

    It looks like the alternative login credentials aren't used.

    Browsing the Active Directory with the specified alternative user doesn't show me the unwanted computer objects.

    So AD permissions are correct.

    Is there a way to check if the alternative login credentials are used?

    Any other ideas?

  • Actually I think those keys are just used for the role-based administration feature, i.e. the account the management service uses to look up account information from AD can be influenced using those keys, but not for AD sync AD lookups.

    How about just denying access to the machine account of the management service in the permissions on the OU?  As the service runs as Local System, the machine$ account will be used.  So you should be able to deny this.

    Sorry for the confusion.

    Regards,

    Jak

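    A diagnostic for the question raised above (which account is actually reaching AD, and whether the deny on the OU applies to it), added here as an example and not taken from the thread. It lists the logon account of each Sophos service (a service running as Local System reaches the domain as COMPUTERNAME$), reports whether the AlternativeLogon values exist under either of the keys Jak named, and prints the ACEs on the OU that reference the management server's machine account. It assumes the ActiveDirectory PowerShell module is installed on the host it runs on; the OU distinguished name and server name are placeholders you supply.

```powershell
# Added diagnostic, not from the thread. Assumptions: ActiveDirectory module available;
# $OuDn and $ManagementServer are placeholders supplied by the operator.
param(
    [Parameter(Mandatory)] [string] $OuDn,                      # e.g. 'OU=Linux VMs,DC=example,DC=local'
    [string] $ManagementServer = $env:COMPUTERNAME              # Enterprise Console host
)
Import-Module ActiveDirectory

# 1. Logon account of every Sophos service: LocalSystem means the machine account is used on the wire.
Write-Host "== Sophos services and their logon accounts on $ManagementServer =="
Get-CimInstance -ClassName Win32_Service -ComputerName $ManagementServer |
    Where-Object { $_.DisplayName -like 'Sophos*' } |
    Select-Object DisplayName, StartName, State |
    Format-Table -AutoSize

# 2. Are the AlternativeLogon values present under either key named in the thread?
Write-Host '== AlternativeLogon values =='
foreach ($key in 'HKLM:\Software\Sophos\EE\Management Tools',
                 'HKLM:\Software\Wow6432Node\Sophos\EE\Management Tools') {
    if (Test-Path $key) {
        $props = Get-ItemProperty -Path $key
        [pscustomobject]@{
            Key         = $key
            Username    = $props.AlternativeLogonUsername
            HasPassword = [bool]$props.AlternativeLogonPassword   # never print the value itself
        }
    }
}

# 3. ACEs on the OU that name the management server's machine account (NAME$).
$computer = Get-ADComputer -Identity $ManagementServer
Write-Host "== ACEs on $OuDn referencing $($computer.SamAccountName) =="
$acl = Get-Acl -Path ("AD:\" + $OuDn)
$acl.Access |
    Where-Object { $_.IdentityReference -like "*\$($computer.SamAccountName)" } |
    Select-Object IdentityReference, AccessControlType, ActiveDirectoryRights, InheritanceType, IsInherited |
    Format-Table -AutoSize
```

    If section 1 shows a service running as a named domain account rather than LocalSystem, that account, not the machine account, is the one the OU deny must target. If section 3 prints nothing, no ACE on the OU names the machine account at all, so the deny was set somewhere else or on a different principal. Run the script with the ActiveDirectory module loaded, because the AD: drive used by Get-Acl only exists once that module is imported.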
  • Thanks for your answer.

    I had this idea, too. But unfortunately this doesn't work.

    The unwanted computer objects are still synchronized!?!
