Saturday, July 27, 2019

Sophos Enterprise Console Migration to Sophos Cloud


If you haven't gone through the checklist to get started with planning and implementing your Sophos cloud migration, here it is: Sophos Cloud Migration - Quick check list

Sophos enterprise console migration to cloud (Sophos central)

This article details the pre-requisites, implementation plan, post-implementation checks and rollback plan for the Sophos Enterprise Console migration to cloud.

Note: Sophos Cloud Console configurations are not covered here.

Cloud Vs On-prem


Cloud – Ease of management, user-based policies (multiple devices can be registered under a user), dedicated protection for servers

On-prem – Regular updates and monitoring of h/w & s/w

Sophos Cloud migration can be performed using the Migration tool, OS imaging, scripting and manual installations.

By using the Sophos Migration tool, we can conduct an assessment and readiness check of the machines that are ready for cloud migration.


Brief about Migration Tool

Evaluation:


Assessing the machines that are ready for cloud migration.

Evaluation / Assessment

Basic computer assessment –
  • Is running an operating system supported in Cloud.
  • Has only those features enabled or installed that are supported in Cloud.
  • Has no unsupported server software or component installed.
  • Has an Endpoint Security and Control version that can be migrated.
  • Downloads updates from a supported update location.
  • If synchronized with Active Directory, does not have automatic protection enabled in synchronization properties.
Advanced – In addition to the above, the tool also compares all features active on the computers against your Cloud license.

Migration

Migrate the machines by uninstalling the existing Sophos agent and installing the cloud agent.

Computer is on the migration list

Prerequisites are met

Uninstall RMS

Install the cloud agent software

Migrated workstations are assigned the default policy and added to the devices list in cloud.
Migrated servers are assigned the default policy and added to the server list in cloud.

Implementation Pre-requisite checks


Policy settings are not migrated to cloud

-          Review the on-prem policies and make necessary changes in the cloud policy.

During the migration, computers remain unprotected until it completes

-          It is advised not to perform the migration while computers are in use
-          Perform a full system scan after migration

Reboot required for old operating systems (Windows XP & Windows Server 2003)

-          Reboot can be automated by clicking File -> Options -> Select “Automatically restart Windows Server 2003 computers and/or Automatically restart Windows XP computers” on the Migration tool
-          Reboot type -  Force reboot – Inform the users beforehand to save their work before migration
  • Machines that need a reboot are flagged by the cloud console - In Sophos Cloud, the following event is shown for the computer: “Failed to install savxp: a reboot is required before the installation can succeed.”
Update cache server - On-prem
Sophos Cloud's Update Cache feature lets you set up update caches. This enables you to store endpoint updates on a server on your network from which computers can download them.

Sophos cloud license

-          Need a valid cloud account with admin privilege
-          Run Advanced assessment and find out the license compatibility issues using migration tool

Operating system
  • OS migration using tool - Windows XP, Windows 2003, Windows Vista, Windows 7, Windows 2008 Server, Windows 2008 Server R2 , Windows 8, Windows 8.1, Windows Server 2012, Windows Server 2012 R2, Windows Small Business Server 2011
  • Machines with Mac OS can’t be migrated using the Migration tool – Mac endpoint migration needs to be performed manually.
  • Supported MAC OS versions - Mac OS X 10.10, 10.11, 10.12
Supported Features
-          Unsupported features need to be disabled or uninstalled before migration, or the migration of that device fails.
-          Run the migration tool assessment and find out the feature compatibility issues
-          Features that are not supported by Sophos cloud as of now - Sophos Client Firewall, Network Access Control, Patch, Full disk encryption
-          Disable the Tamper protection during migration even though this feature is supported by cloud
Endpoint software
-          To be migrated, computers must be running Sophos Endpoint Security and Control 10.0 or later
Server components

-          Machines with Sophos Enterprise Console management server, Sophos Update Manager, PureMessage for MS Exchange, Sophos for MS SharePoint or PureMessage for Lotus Domino installed cannot be migrated using the migration tool.
-          Migrate the on-premise management server after migrating all endpoints to cloud.

Active Directory synchronization

-          If a computer is part of a group tree that is automatically synchronized with an Active Directory container, and for which automatic protection is enabled, you should disable automatic protection in the Active Directory synchronization settings before migrating the computer.

Update Locations

A primary update location that is not the default update location is not supported by migration tool. The default update location is a UNC share \\<ComputerName>\SophosUpdate.
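
The prerequisite checks above can also be run over an inventory export before the Migration Tool assessment, to size the remediation work for each migration stage. The following Python script is an added example, not part of the original article or of any Sophos tooling; the record fields (os, sesc_version, features, update_location, ad_auto_protect, tamper_protection) and the sample hosts are hypothetical.

```python
import re

# Rules come from the prerequisites on this page; the inventory field names
# and the sample records are constructed for this example.
TOOL_OS = {"Windows XP", "Windows 2003", "Windows Vista", "Windows 7",
           "Windows 2008 Server", "Windows 2008 Server R2", "Windows 8",
           "Windows 8.1", "Windows Server 2012", "Windows Server 2012 R2",
           "Windows Small Business Server 2011"}
UNSUPPORTED = {"Sophos Client Firewall", "Network Access Control", "Patch",
               "Full disk encryption"}
REBOOT_OS = {"Windows XP", "Windows 2003"}
# \\<ComputerName>\SophosUpdate; paths below the share are accepted (assumption).
DEFAULT_SHARE = re.compile(r"\\\\[^\\]+\\SophosUpdate(\\.*)?", re.IGNORECASE)


def assess(host):
    """Return (blockers, actions) for one inventory record."""
    blockers, actions = [], []
    if host["os"] not in TOOL_OS:
        blockers.append("OS not handled by the Migration Tool")
    if int(host["sesc_version"].split(".")[0]) < 10:
        blockers.append("Endpoint Security and Control older than 10.0")
    bad = sorted(UNSUPPORTED & set(host["features"]))
    if bad:
        blockers.append("unsupported features: " + ", ".join(bad))
    if not DEFAULT_SHARE.fullmatch(host["update_location"]):
        blockers.append("non-default primary update location")
    if host["ad_auto_protect"]:
        blockers.append("AD sync automatic protection enabled")
    if host["tamper_protection"]:
        actions.append("disable Tamper Protection")
    if host["os"] in REBOOT_OS:
        actions.append("plan a forced reboot")
    return blockers, actions


INVENTORY = [  # constructed sample records
    {"name": "WS-014", "os": "Windows 7", "sesc_version": "10.8",
     "features": ["Anti-virus"], "tamper_protection": True,
     "update_location": r"\\SEC01\SophosUpdate\CIDs\S000\SAVSCFXP",
     "ad_auto_protect": False},
    {"name": "WS-XP3", "os": "Windows XP", "sesc_version": "9.7",
     "features": ["Anti-virus", "Patch", "Sophos Client Firewall"],
     "tamper_protection": False, "update_location": r"\\FILESRV\AVMirror",
     "ad_auto_protect": True},
]

REPORT = {h["name"]: assess(h) for h in INVENTORY}
for name, (blockers, actions) in REPORT.items():
    print(name, "READY" if not blockers else "NOT READY", blockers, actions)
```
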

Install Sophos Migration Tool

Assessment and Migration readiness

-          Run the migration tool and check for migration readiness of the machines.

- Must be run as administrator
- Run on the server where SEC (Management and database server) is installed
- Only one instance of the tool can run on the same computer at the same time.

-          Fix the issues for machines whose migration status shows as “Not ready” and “Error”

Migration exclusion

Computers that are already managed by Cloud cannot be excluded from migration
Add machines to exclusion list – Staged migration, Machines not ready for migration.

Migrate Machines and Servers

1) Check the readiness list in the migration tool and identify the machines that need to be migrated in the first stage

2) Enter the cloud console credentials in migration tool by clicking the Login button

3) Perform remediation actions required for machines that cannot be migrated to cloud in their present state.

4) Disable Tamper protection if it is enabled

5) Click Migrate after selecting the machines that are ready for migration

6) Check the status of migration in console (Pending – awaiting the next scheduled update to begin the migration, Migrating – machines have started migrating)

7) Migration status can also be monitored using Sophos Enterprise Console – a migrated machine is displayed with “Computer description – {SC:InCloud:2}”

8) Sometimes computers that have been migrated may need to be restarted. The tool doesn’t display this information for migrated computers, so check in Sophos Cloud to see if any of the migrated computers need to be restarted.

9) If an error has occurred during migration and a computer hasn’t been migrated, it’s moved to the Error view of the tool, where you can find out about the error.

10) Verify the migrated machines status in cloud console and apply necessary policies

11) Check the machines that failed to migrate in the Error tab of the migration tool, find out the reason and fix it

12) In the cloud console, migrated machines can be found under

Computers - All machines
Servers -  All Servers

13) Perform a full system scan after the migration to ensure that the machines are not compromised

Migration – Manual installation, Scripted and OS imaging.

Deployment via email setup link

a)      Email deployment from Sophos Central

From Sophos Central, under People you can add a Sophos Central user and email an installer by clicking Add User > expand Email Setup Link > check the installer you want to deploy > Save.

The installers linked from the Sophos Central emails are specific to the emailed user and should only be run on devices that particular user needs to protect. This ensures that all logins on each device they protect are attributed to the same Sophos Cloud user.
Protecting mobile devices requires you to use the email deployment method. For more information on protecting mobile devices see Sophos Central Mobile Frequently Asked Questions (FAQ).

b)      Custom email deployment

To customize a deployment email for users or a distribution group, you can use the non-user-specific install links. These can be found under Protect Devices.

After the user installs the software using these links/installers, a new Sophos Central user is automatically created in Sophos Central based on their logon name. This username can be edited to better reflect the user.

Scripted installation

For deployment within an organization or as part of a custom package, the installers can be scripted. A typical use case would be installing via third-party deployment tools such as Microsoft SCCM or Active Directory. It is also possible to create a full installer for Windows to minimize the initial download if bandwidth is a concern.

Windows deployment – Follow the Sophos Kb: https://community.sophos.com/kb/en-us/120611

Mac deployment – Follow the Sophos Kb: https://community.sophos.com/kb/en-us/120570

Linux deployment – Follow the Sophos Kb: https://community.sophos.com/kb/en-us/122423

Inclusion in an image


Mac – Follow the Sophos Kb: https://community.sophos.com/kb/en-us/121678

Linux - Follow the Sophos Kb: https://community.sophos.com/kb/en-us/122421

Migrate the on-premise management server

- Ensure that all the end points are migrated to cloud and none of them are managed by on-prem management console.

- Turn off UAC

- Restart the server if prompted

- Uninstall the Sophos cloud migration tool

- Uninstall the on-prem management software in the below order


c) Sophos management console
d) Sophos management database
e) Sophos management Server
f) Sophos update manager

- Run the Sophos cloud agent installer to migrate the server


Sophos cloud update cache installation

Follow the Sophos Kb

Post Implementation checks

Log in to the cloud console and verify that the migrated machines are listed under Computers/Servers in the Sophos cloud console.
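
For a large migration stage this verification can be scripted by reconciling the Enterprise Console computer descriptions against a device list exported from the cloud console. The Python script below is an added example, not part of the original article or of any Sophos tooling; it relies only on the {SC:InCloud:2} description marker quoted earlier, and the export layouts, host names and sample rows are constructed.

```python
import re

# The description marker {SC:InCloud:2} is the one quoted on this page; the
# export layouts, host names and sample rows below are constructed.
MARKER = re.compile(r"\{SC:InCloud:\d+\}")


def host_key(name):
    """Reduce HOST, host.corp.example and CORP\\host to one comparable key."""
    return name.strip().split("\\")[-1].split(".")[0].upper()


def reconcile(wave, sec_rows, central_names):
    """Classify each machine of a migration stage after the run."""
    marked = {host_key(n) for n, desc in sec_rows if MARKER.search(desc)}
    central = {host_key(n) for n in central_names}
    out = {"confirmed": [], "marked_not_in_central": [],
           "central_only": [], "pending": []}
    for host in sorted({host_key(h) for h in wave}):
        if host in marked and host in central:
            out["confirmed"].append(host)
        elif host in marked:
            # SEC shows it as migrated but the cloud console does not list it:
            # follow up first, the endpoint may be without protection.
            out["marked_not_in_central"].append(host)
        elif host in central:
            out["central_only"].append(host)
        else:
            out["pending"].append(host)
    return out


WAVE_1 = ["WS-014", "WS-015", "SRV-FILE01", "WS-020"]
SEC_EXPORT = [  # (computer name, computer description)
    ("WS-014", "Finance laptop {SC:InCloud:2}"),
    ("ws-015", "{SC:InCloud:2}"),
    ("SRV-FILE01", "File server"),
    ("WS-020", ""),
]
CENTRAL_EXPORT = ["ws-014.corp.example", "SRV-FILE01"]

RESULT = reconcile(WAVE_1, SEC_EXPORT, CENTRAL_EXPORT)
for status, hosts in RESULT.items():
    print(f"{status}: {', '.join(hosts) or '-'}")
```
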

Rollback Plan 


The current version of the migration tool doesn’t support automatic rollback

This can be automated using a VB script

The script will identify installed Sophos Central products and uninstall them.
Then it will call the on-premise bootstrapper from a specified CID, which will re-protect the endpoint via Sophos Enterprise Console

Disable Tamper protection & Server lockdown and run the script as administrator

The script can be called with either cscript or wscript

wscript will output errors and details to the console
cscript will output errors and details to the following default log file:
%temp%\SophosCloudRollback.log

Note:
On Windows Server Core the script should be run using cscript as no UI is available.
The script should only be executed on computers managed by Sophos Central. These will appear in the Sophos Central Migration Tool with the status 'In Cloud', 'In Cloud (error)' or 'In Cloud (critical error)'.

Script Example (for parameters, ref: https://community.sophos.com/kb/en-us/12570)

cscript C:\RollbackScript\rollback.vbs \\myServer\SophosUpdate\CIDs\S000\SAVSCFXP\setup.exe -user administrator -pwd admin -s -mng yes

Post roll back checks

- Once the rollback is completed, the computers appear as managed in Enterprise Console

- Delete the device from Sophos Central:

o In the Sophos Central Admin dashboard select 'Users & Devices | Devices'
o Place a tick in the check box next to the computer(s) being rolled back
o Click 'Delete'  and 'OK' to confirm

- Access Sophos Enterprise Console

o Find the computer in the Computer View
o Right click the computer and select 'Update Computers Now'

- If Tamper Protection is not disabled in Sophos Central the rollback script will return the error:

Error: Failed to uninstall Sophos Malicious Traffic Detection (1603)

- If Server Lockdown is still enabled the script will fail to run and the following Desktop error will appear.


Thanks for reading.

Cheers
Sijo John

Sophos Enterprise Console Migration to Sophos Cloud - Check List


Moving the antivirus management console to the cloud may not give you all the features you currently enjoy in the on-prem console, but cloud management consoles are being, and will continue to be, extended with all on-prem features and more.

If you are planning to migrate the on-prem Sophos AV management console to Sophos cloud, here is a quick checklist to get started.

We faced many issues during the initial phase of migration, which started in mid-August 2017, but Sophos support helped to get them all sorted.

Sophos documentation is very handy; even so, the sheet below provides a quick overview of the plans and actions needed.

QUICK CHECK LIST

The sheet is just for reference and is not a complete list.

1  Pre-requisites & Planning

1.A  Ensure the OS compatibility before migration.
     OS migration using tool - Windows XP, Windows 2003, Windows Vista, Windows 7, Windows 2008 Server, Windows 2008 Server R2, Windows 8, Windows 8.1, Windows Server 2012, Windows Server 2012 R2, Windows Small Business Server 2011.
     Machines with Mac OS cannot be migrated using the Migration tool – Mac endpoint migration needs to be performed manually.
     Supported Mac OS versions - Mac OS X 10.10, 10.11, 10.12
1.B  A primary update location that is not the default update location is not supported by the migration tool.
     The default update location is a UNC share \\<ComputerName>\SophosUpdate.
1.C  Ensure that the following ports and domains are white-listed in the proxy/firewall device
     *.sophos.com
     *.sophosupd.com
     *.sophosupd.net
     *.sophosxl.net
     ocsp2.globalsign.com
     crl.globalsign.com
     80 (HTTP)
     443 (HTTPS)
1.D  Unsupported features need to be disabled or uninstalled before migration, or the migration of that device fails.
     Unsupported Features - Sophos Client Firewall, Network Access Control, Patch, Full disk encryption
1.E  Ensure the machines are running Sophos Endpoint Security and Control 10.0 or later (we’ve upgraded SEC to 5.5)
1.F  Ensure the cloud account has admin privilege and is accessible.
1.G  Disable the Tamper protection during migration even though this feature is supported by cloud
1.H  Before migration, disable the AD Sync if it is enabled.
1.I  During migration, machines remain unprotected, so it is advised to perform the migration when the machines are not in use.
1.J  As policies cannot be migrated to cloud, review the on-prem console policies and pre-create the necessary policies in the cloud console

2  Migration Pre-requisites

2.A  Install the Sophos cloud migration tool on the server that has Enterprise Console
2.B  Perform a basic assessment using the Migration tool and then perform an advanced assessment by entering cloud console credentials in the migration tool (Login – from main menu)
2.C  Check the readiness report list in the migration tool and identify the machines that need to be migrated in the first stage
2.D  Perform remediation actions required for machines that cannot be migrated to cloud in their present state.
2.E  Machines may reboot during migration - Reboot can be automated by clicking File -> Options -> Select “Automatically restart Windows Server 2003 computers and/or Automatically restart Windows XP computers” on the Migration tool
     Reboot type - Force reboot – Inform the users beforehand to save their work before migration
2.F  For staged migration, ensure that the machines in the prepared list are up and running before migration - Add machines to exclusion list – Staged migration
2.G  Change the update policy in SEC - set the update schedule to 15 minutes, so the machines need not wait long (60 minutes) to get the cloud agent from SEC

3  Migration Plan

3.A  Perform the migration by clicking the Migrate button and check the status of migration in the Migration tool and Sophos Enterprise Console
3.B  If an error has occurred during migration and a computer hasn’t been migrated, it’s moved to the Error view of the tool, where you can find out about the error.
3.C  Check the machines that failed to migrate in the Error tab of the migration tool, find out the reason and fix it
3.D  Verify the migrated machines' status in the cloud console and apply necessary policies
3.E  In the cloud console, migrated machines can be found under
     Computers - All machines
     Servers - All Servers
3.F  Perform the migration of Mac devices as per the KB article, as it is not supported by the Migration tool (https://community.sophos.com/kb/en-us/119265)

4  Post Migration tasks

4.A  Perform a full system scan after the migration to ensure that the machines are not compromised
4.B  Once all the endpoints have migrated to cloud, wait for 1 day and ensure that everything is working as expected
4.C  Migrate the on-prem enterprise console management server as per the KB document
4.D  Install the Sophos cloud update cache – on-prem as per the KB document
4.E  Uninstall the Sophos Migration tool from the server

5  Regression Plan

5.A  In case of any issues, perform rollback as per the KB document https://community.sophos.com/kb/en-us/122211.



I will detail the instructions to be followed in the next article.

Hope this is informative and thanks for reading.

Cheers
Sijo John