
Creating a GPO to deploy Sophos endpoint software


Instructions for Windows Server 2008 domain

  • Open the Group Policy Management window and edit the appropriate Domain Group Policy
    • Start | All Programs | Administrative Tools | Group Policy Management
      or
    • Start | Run | Type: gpmc.msc | Press return.


Create a new Group Policy object

Disable User Account Control

User Account Control (UAC) only needs to be disabled during deployment. Once the endpoint software has been installed you can re-enable the functionality.

  • From the left-hand panel navigate to Computer Configuration | Policies | Windows Settings | Security Settings | Local Policies | Security Options
  • In the right-hand panel select each of the following items and define as suggested:
    • User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode | Elevate without prompting
    • User Account Control: Detect application installations and prompt for elevation | Disable
    • User Account Control: Only elevate UIAccess applications that are installed in secure locations | Disable
    • User Account Control: Run all administrators in Admin Approval Mode | Disable

Configure the required Windows services

  • From the left-hand panel navigate to Computer Configuration | Policies | Windows Settings | Security Settings | System Services
  • In the right-hand panel select each of the following items and define as suggested:
    • Computer Browser | Automatic
    • Remote Registry | Automatic
    • Task Scheduler | Automatic
    • Windows Installer | Automatic
    • Workstation | Automatic

Create rules for the Windows Firewall

  • To create the inbound firewall rules for Sophos Remote Management System (RMS):
    • From the left-hand panel navigate to Computer Configuration | Policies | Windows Settings | Security Settings | Windows Firewall with Advanced Security | Windows Firewall with Advanced Security | Inbound Rule
    • Right-click 'Inbound Rule' and select 'New Rule...'
    • Select 'Port' and click Next
    • Select 'TCP'
    • Select 'Specified local ports:' and enter: 8192, 8194
    • Click Next
    • Select 'Allow the connection' and click Next
    • Under the profiles, check only 'Domain' (applies when a computer is connected to its corporate domain) and click Next
    • Name the rule 'Sophos RMS Rule'. Optionally enter a useful description.
    • Click Finish.


  • To create the outbound firewall rules for Sophos Remote Management System (RMS):
    • From the left-hand panel navigate to Computer Configuration | Policies | Windows Settings | Security Settings | Windows Firewall with Advanced Security | Windows Firewall with Advanced Security | Outbound Rule
    • Right-click 'Outbound Rule' and select 'New Rule...'
    • Select 'Port' and click Next
    • Select 'TCP'
    • Select 'Specified local ports:' and enter: 8192, 8194
    • Click Next
    • Select 'Allow the connection' and click Next
    • Under the profiles, check only 'Domain' (applies when a computer is connected to its corporate domain) and click Next
    • Name the rule 'Sophos RMS Rule'. Optionally enter a useful description.
    • Click Finish.


  • To create the inbound firewall rules to allow File and Printer Sharing:
    • From the left-hand panel navigate to Computer Configuration | Policies | Windows Settings | Security Settings | Windows Firewall with Advanced Security | Windows Firewall with Advanced Security | Inbound Rule
    • Right-click 'Inbound Rule' and select 'New Rule...'
    • Select 'Predefined:' and from the dropdown list 'File and Printer Sharing'
    • Click Next
    • Ensure all items under 'Rules' are checked and click Next
    • Select 'Allow the connection'
    • Click Finish
    • Right-click the first 'File and Printer Sharing(...' rule in the list of rules in the right-hand panel
    • Select 'Properties' | 'Advanced' tab
    • Under 'Profiles' uncheck the 'Private' and 'Public' options leaving only the 'Domain' option checked
    • Click OK
    • Repeat the previous four steps (right-click the rule, open 'Properties' | 'Advanced', leave only 'Domain' checked under 'Profiles', click OK) for each remaining 'File and Printer Sharing(...' rule in the list


  • To create the outbound firewall rules to allow File and Printer Sharing:
    • From the left-hand panel navigate to Computer Configuration | Policies | Windows Settings | Security Settings | Windows Firewall with Advanced Security | Windows Firewall with Advanced Security | Outbound Rule
    • Right-click 'Outbound Rule' and select 'New Rule...'
    • Select 'Predefined:' and from the dropdown list 'File and Printer Sharing'
    • Click Next
    • Ensure all items under 'Rules' are checked and click Next
    • Select 'Allow the connection'
    • Click Finish
    • Right-click the first 'File and Printer Sharing(...' rule in the list of rules in the right-hand panel
    • Select 'Properties' | 'Advanced' tab
    • Under 'Profiles' uncheck the 'Private' and 'Public' options leaving only the 'Domain' option checked
    • Click OK
    • Repeat the previous four steps (right-click the rule, open 'Properties' | 'Advanced', leave only 'Domain' checked under 'Profiles', click OK) for each remaining 'File and Printer Sharing(...' rule in the list
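As an added example (not from the original page or from Sophos), the following PowerShell audit can be run on a domain-joined Windows Vista/7/2008 client after 'gpupdate /force' to confirm that the services and firewall rules above have been applied, and to flag UAC values that are still at the deployment setting and should be restored once the endpoint software is installed. It assumes the rule name 'Sophos RMS Rule' from the steps above and that 'netsh advfirewall' is available (Vista/2008 or later).

```powershell
# Audit of the GPO settings described above (added example, not page or vendor code).
# Run in an elevated PowerShell on a domain-joined client after 'gpupdate /force'.

# 1. UAC: the four policies the page sets for deployment and the registry value
#    each one writes. A value of 0 means the machine is still in deployment state.
$uacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$uac = Get-ItemProperty -Path $uacKey
$uacChecks = @(
    @{ Name = 'EnableLUA';                  Policy = 'Run all administrators in Admin Approval Mode' },
    @{ Name = 'ConsentPromptBehaviorAdmin'; Policy = 'Behavior of the elevation prompt for administrators' },
    @{ Name = 'EnableInstallerDetection';   Policy = 'Detect application installations and prompt for elevation' },
    @{ Name = 'EnableSecureUIAPaths';       Policy = 'Only elevate UIAccess applications in secure locations' }
)
"== User Account Control =="
foreach ($c in $uacChecks) {
    $val = $uac.($c.Name)
    $state = if ($val -eq 0) { 'DEPLOYMENT SETTING - re-enable after install' } else { "value=$val" }
    "{0,-28} {1}" -f $c.Name, $state
}

# 2. Services the page sets to Automatic (display name -> service name).
#    Win32_Service exposes StartMode, which Get-Service does not on PowerShell 2.0.
"`n== Services =="
$services = @{
    'Computer Browser'  = 'Browser'
    'Remote Registry'   = 'RemoteRegistry'
    'Task Scheduler'    = 'Schedule'
    'Windows Installer' = 'msiserver'
    'Workstation'       = 'LanmanWorkstation'
}
foreach ($display in $services.Keys) {
    $s = Get-WmiObject -Class Win32_Service -Filter "Name='$($services[$display])'"
    $mode = if ($s) { $s.StartMode } else { 'MISSING' }
    $flag = if ($mode -ne 'Auto') { '  <-- expected Auto' } else { '' }
    "{0,-20} start={1,-8} state={2}{3}" -f $display, $mode, $s.State, $flag
}

# 3. Firewall: both the inbound and outbound 'Sophos RMS Rule' should list
#    TCP local ports 8192,8194 and Profiles: Domain only.
"`n== Firewall rules =="
netsh advfirewall firewall show rule name="Sophos RMS Rule" verbose
```

Any UAC line reporting the deployment setting after rollout is a sign the policy was not reverted on that client.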


Instructions for Windows Server 2003 domain

  • Open Active Directory Users and Computers
    • Start | All Programs | Administrative Tools | Active Directory Users and Computers
      or
    • Start | Run | Type: dsa.msc | Press return.
  • Select the domain name from the left-hand tree
  • Right-click the domain name and select 'Properties'
  • Select the 'Group Policy' tab
  • Select 'New'
  • Enter a name for the new Group Policy object (GPO). Example: GPO to deploy Sophos endpoint software
  • Select the new GPO and click 'Edit'
  • The Group Policy Object Editor window will open

Disable User Account Control (UAC)

If you have Windows Vista or Windows 7 clients on your network but only have a Windows 2003 domain controller, you cannot control UAC settings from the Windows 2003 domain controller. You can either:
  • Disable UAC locally at each client computer.
  • On a Vista/Windows 7/2008 computer that is joined to the domain, create a GPO using its updated set of Group Policies.


Configure the required services

  • From the left-hand panel navigate to Computer Configuration | Windows Settings | Security Settings | System Services
  • In the right-hand panel select each of the following items and define as suggested:
    • Computer Browser | Automatic
    • Remote Registry | Automatic
    • Task Scheduler | Automatic
    • Windows Installer | Automatic
    • Workstation | Automatic


Create rules for the Windows Firewall

  • From the left-hand panel navigate to Computer Configuration | Administrative Templates | Network | Network Connections | Windows Firewall | Domain Profile
  • Right-click 'Windows Firewall: Define port exceptions' and select 'Properties'
  • On the 'Settings' tab select 'Enable'
  • Select the 'Show' button
  • In the 'Show Contents' window select 'Add'
  • Add the item: 8192:TCP:*:enabled:SophosRMS8192
  • Click OK
  • Add the item: 8194:TCP:*:enabled:SophosRMS8194
  • Click OK
  • Click OK
  • Click OK
  • Right-click 'Windows Firewall: Allow file and printer sharing exception' and select 'Properties'
  • On the 'Settings' tab select 'Enable'
  • In the field beneath 'Allow unsolicited incoming messages from:' enter: *
    NOTE: If you wish to define a narrower range of IP addresses please see the 'Syntax' explanation section shown on screen
  • Click OK.


It is important to note that you are better off using LDAP for Active Directory.

You cannot access additional attributes with the "Active Directory/Windows NT" method, and you cannot handle password expiry or reset passwords with that method either.

If you have AD you should use the LDAP method and not the one listed in this blog.
