
Excluding AD OU from Sophos + mass re-configuration of Sophos client Server location

Hi guys,

Is there a way to exclude a specific AD OU from being detected as unmanaged computers? The reason for this is we have about 800 Linux VMs on the network and we want to exclude them.

Also, what is the best way to re-configure Sophos clients' primary and secondary update servers on all computers and servers? Group Policy with changing the registry files, or re-deploy Sophos with SCCM? Is it possible to set the secondary server to point to the internet instead of the update server?

Thank you for any assistance.



This thread was automatically locked due to age.
  • Hi,

    You can create multiple AD sync points to work around it but that is potentially quite ugly.

    By default the AD piece of the management service connects to AD using the machine account of the management service as the management service runs as local system.

    The account the management service uses to connect to AD can be configured via the registry but you have to create the values.  These live under the key:

    32-bit: 'HKEY_LOCAL_MACHINE\Software\Sophos\EE\Management Tools'

    64-bit: 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Sophos\EE\Management Tools'

    2 string values:

    AlternativeLogonUsername

    AlternativeLogonPassword

    Note:

    AlternativeLogonUsername can take the format: domain\user.

    AlternativeLogonPassword needs to be an obfuscated form of the password you choose.  To generate it, you can use ObfuscationUtil.exe.

    1. Locate ObfuscationUtil.exe in C:\sec_[version]\Tools (default), or the location where you extracted the installation files of Sophos Enterprise Console.

    2. Copy this file to your Enterprise Console directory, e.g.:
    •   32-bit: 'C:\Program Files\Sophos\Enterprise Console\'
    •   64-bit: 'C:\Program Files (x86)\Sophos\Enterprise Console\'

    3. Open a Command Prompt (click Start | Run... type cmd and press Enter), then change to the Enterprise Console directory, e.g.:
      cd "C:\Program Files\Sophos\Enterprise Console"

    4. Obfuscate the password with a command like:
      ObfuscationUtil --obfuscate password -w
      replacing password with the correct account password.

    5. Copy this password to the clipboard; if it spans multiple lines, join it into one line using Notepad.

    If you have a certain OU you wish to exclude, you could deny the above account access to it.  This way the management service will not be able to find the objects.  It will fail gracefully.

    I assume you have management (Remote Management System (RMS)) of the computers you wish to change the update locations, so you can just change the updating policies in SEC?  How many updating policies do you have? 

    You can point the primary location to either an HTTP or UNC path. You can point the secondary location to either an HTTP, UNC or "Sophos" location.  If you choose Sophos you will need to configure the credentials to be the same as those configured in the SUM that contacts Sophos.

    Regards,

    Jak
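
The registry change described in the reply above, as an added PowerShell example that is not part of the original post and not Sophos's own tooling. The function name and its parameters are hypothetical; it assumes an elevated session on the Enterprise Console server and a password already obfuscated with ObfuscationUtil, and it returns the key's ACL so you can review who is able to read the stored credential.

```powershell
# Added example: Set-SecAdSyncAccount and its parameters are hypothetical names.
# Run from an elevated PowerShell session on the Enterprise Console server.
function Set-SecAdSyncAccount {
    param(
        [Parameter(Mandatory)] [string] $Username,            # format: domain\user
        [Parameter(Mandatory)] [string] $ObfuscatedPassword   # output of ObfuscationUtil
    )

    # The obfuscated value has to be stored as a single line.
    if ($ObfuscatedPassword -match '[\r\n]') {
        throw 'Join the ObfuscationUtil output into one line first.'
    }

    # Key locations given in the post: Wow6432Node on 64-bit, plain path on 32-bit.
    $candidates = @(
        'HKLM:\Software\Wow6432Node\Sophos\EE\Management Tools',
        'HKLM:\Software\Sophos\EE\Management Tools'
    )
    $key = $candidates | Where-Object { Test-Path -Path $_ } | Select-Object -First 1
    if (-not $key) {
        throw 'Management Tools key not found; is Enterprise Console installed here?'
    }

    # Create (or overwrite) the two string values the management service reads.
    New-ItemProperty -Path $key -Name 'AlternativeLogonUsername' `
        -Value $Username -PropertyType String -Force | Out-Null
    New-ItemProperty -Path $key -Name 'AlternativeLogonPassword' `
        -Value $ObfuscatedPassword -PropertyType String -Force | Out-Null

    # Return the key's access entries so read access to the credential can be reviewed.
    (Get-Acl -Path $key).Access |
        Select-Object IdentityReference, RegistryRights, AccessControlType
}

# Constructed placeholder values, replace with your own:
# Set-SecAdSyncAccount -Username 'EXAMPLE\svc-sec-adsync' -ObfuscatedPassword '<ObfuscationUtil output>'
```

The stored value is obfuscated rather than encrypted, so use a dedicated account that has only the directory read access it needs and keep the key's ACL limited to administrators and the service.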
