Startup guide for users with Sophos Central

This guide tells you how to set up Sophos for Virtual Environments and manage it with Sophos Central.

If you are migrating to Sophos for Virtual Environments, see Appendix: Migrate to Sophos for Virtual Environments.

About Sophos for Virtual Environments

Sophos for Virtual Environments is a security system that protects VMs. It works like this:

  • Run Sophos Security VM on a hypervisor host. This can detect and block threats on connected guest VMs.
  • Run Sophos Guest VM Agent on each guest VM. This lets the VM communicate with the Security VM.
  • Use Sophos Central to manage Security VMs and keep them up to date.

Key steps in setup

Setup involves these key steps, which are described in the sections that follow:

  • Check system requirements.
  • Uninstall other anti-virus products.
  • Install Sophos Security VM.
  • Install Sophos Guest VM Agent on guest VMs.
  • Use Sophos Central to apply security policies.

Check system requirements

The system requirements are as follows.

For more information on general system requirements, see knowledgebase article 125679.

VMware requirements

  • VMware ESXi host 5.5 (limited support), 6.0, 6.5 or 6.7.
  • VMware vCenter 5.5 (limited support), 6.0, 6.5 or 6.7.
  • VMware Tools.

Note: Installations on to ESXi hosts must be completed within a VMware vCenter environment. Installation directly on to a standalone ESXi host is not currently supported.

Hardware requirements for each Security VM:

  • 2 CPUs.
  • 40 GB disk space.
  • 4 GB RAM.

Don't place a CPU resource limit on the Sophos Security VM.

By default, 2 CPUs are allocated. If you have many guest VMs to protect, configure more CPUs after installation. See the appropriate Sophos for Virtual Environments configuration guide.

The Security VM reserves memory. High-availability and load-balancing systems make automatic choices based on resource reservations for the VMs in your VMware environment. Don't remove the Security VM memory reservation.

Microsoft Hyper-V requirements

The Microsoft Hyper-V system should be one of the following:

  • Hyper-V in Windows Server 2012 (Core, full)
  • Hyper-V in Windows Server 2012 R2 (Core, full)
  • Hyper-V in Windows Server 2016 (Core, Server with Desktop Experience)
  • Hyper-V in Windows Server 2019 (Core, Server with Desktop Experience)

The Microsoft Hyper-V integration components will install automatically if Windows updating is enabled and works successfully. Without these tools your VM performance may be degraded.

Microsoft publish guidelines for how to secure your Hyper-V server most effectively. See Microsoft KBA 3105657.

Guest VM requirements

The Sophos Guest VM Agent supports the following operating systems:

  • Windows 10
  • Windows Server 2012
  • Windows Server 2012 R2
  • Windows Server 2016
  • Windows Server 2019

If you are installing on a Windows Server that is hosting Microsoft Exchange Server 2016, you must make the changes shown in knowledge base article 126188.

Network requirements

The Security VM and guest VMs need to share a network connection. Ideally this should be a high-speed LAN with no network traffic throttling.

The network traffic between Security VM and guest VMs should not be blocked by firewalls or network access controllers.

NAT network requirements

If you have guest VMs inside a NAT (Network Address Translation) network, you can protect them with a Security VM inside or outside of that network.

During installation, configure the Security VM with the following:

  • A primary IP address outside of the NAT (this address must be able to communicate with the management console).
  • A secondary IP address that is within the NAT.

Subnet requirements

You can configure the Security VM with multiple IP addresses. Each IP address must be on a different subnet.

Microsoft Hyper-V supports 3 subnets. VMware ESXi supports 5 subnets.
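
A pre-flight check for the IP settings you plan to enter in the installer, as an added example that is not part of the Sophos guide or product: it enforces the per-hypervisor subnet limit above and flags addresses that fall in the same subnet. It goes slightly beyond the text by also treating overlapping subnets with different prefix lengths as a conflict. Test-SvmIpPlan, Get-NetworkKey and their parameters are hypothetical names, and IPv4 address/prefix input is assumed.

```powershell
# Added example (not Sophos code). Function and parameter names are hypothetical.
function Get-NetworkKey([byte[]] $Bytes, [int] $Prefix) {
    # Mask the address one octet at a time to get its network address.
    $net = for ($i = 0; $i -lt 4; $i++) {
        $bits = [Math]::Max(0, [Math]::Min(8, $Prefix - 8 * $i))
        $Bytes[$i] -band ((0xFF -shl (8 - $bits)) -band 0xFF)
    }
    $net -join '.'
}

function Test-SvmIpPlan {
    param(
        [Parameter(Mandatory)] [ValidateSet('HyperV', 'ESXi')] [string] $Hypervisor,
        [Parameter(Mandatory)] [string[]] $Addresses   # IPv4 'address/prefix', one per network
    )
    # Limits from the guide: Hyper-V supports 3 subnets, ESXi supports 5.
    $limit = @{ HyperV = 3; ESXi = 5 }[$Hypervisor]
    $problems = @()
    if ($Addresses.Count -gt $limit) {
        $problems += "$($Addresses.Count) addresses planned, but $Hypervisor supports $limit subnets."
    }
    $parsed = @(foreach ($entry in $Addresses) {
        $addr, $prefix = $entry -split '/', 2
        $ip = $null
        $ok = [System.Net.IPAddress]::TryParse($addr, [ref] $ip) -and
              $ip.ToString() -eq $addr -and $ip.AddressFamily -eq 'InterNetwork' -and
              $prefix -match '^\d{1,2}$' -and [int] $prefix -le 32
        if ($ok) {
            [pscustomobject]@{ Entry = $entry; Bytes = $ip.GetAddressBytes(); Prefix = [int] $prefix }
        } else {
            $problems += "Not a valid IPv4 address/prefix: $entry"
        }
    })
    # Compare every pair at the shorter prefix, which also catches overlapping subnets.
    for ($i = 0; $i -lt $parsed.Count; $i++) {
        for ($j = $i + 1; $j -lt $parsed.Count; $j++) {
            $p = [Math]::Min($parsed[$i].Prefix, $parsed[$j].Prefix)
            $a = Get-NetworkKey -Bytes $parsed[$i].Bytes -Prefix $p
            $b = Get-NetworkKey -Bytes $parsed[$j].Bytes -Prefix $p
            if ($a -eq $b) {
                $problems += "$($parsed[$i].Entry) and $($parsed[$j].Entry) are both in $a/$p."
            }
        }
    }
    [pscustomobject]@{ Valid = ($problems.Count -eq 0); Problems = $problems }
}

# Constructed sample plan: the third address is in the same subnet as the first.
Test-SvmIpPlan -Hypervisor HyperV -Addresses '192.168.10.5/24', '10.20.0.5/16', '192.168.10.200/24'
```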

Uninstall other anti-virus products

You can’t use Sophos for Virtual Environments to protect guest VMs that run other anti-virus products.

  • Uninstall any anti-virus products, including Sophos products, that are already installed on your guest VMs.

    Don’t forget that Sophos gateway or server products might include or require anti-virus components.

  • Disable Windows Defender on server platforms where the security center is not present. We recommend that you do this using a group policy.

For more information, see knowledgebase article 125679.

Install the Sophos Security VM

You can install one or more Security VMs on each host where you want to protect guest VMs.

Check the installation requirements

Check that the computer and user account you're going to use meet the requirements.

  • You must run the installer on a Windows computer that has access to your VMware vCenter or Microsoft Hyper-V server over the network.
  • You must install the Security VM over the local network. The installer doesn't currently support the use of an authenticated proxy.
  • You can't use the installer on Windows XP or Windows Server 2003.
  • You require NTLMv2 authentication. The installer uses this to access the share where it gets the certificates and product bundles it needs.
  • Ensure the required ports are open on your firewall. See knowledgebase article 126313.
  • Ensure you have access to the Sophos management console.
  • If you set a proxy for access to your Sophos Central account, ensure you include the http:// or https:// prefix in the proxy address.

Also make sure you meet these hypervisor requirements:

  • VMware ESXi users: Ensure that you are an administrator for the VMware vCenter and ESXi host.
  • Microsoft Hyper-V users: You must run the installer as a user with rights to create and control VMs on the Hyper-V server. This can be a local user account on the Hyper-V server or a domain user.
  • Disable Distributed Resource Scheduler (VMware) and High Availability during installation.

The computer where you run the installer is used only for installation. It is not used for management or protection of your Security VM or guest VMs afterwards.

Check that you have the passwords you need

You need the passwords for the following accounts:

  • The Sophos Central account.
  • If you're in a VMware environment, the vCenter Administrator account.

Check that systems are synchronized

You must ensure that the time is synchronized on the host where you install the Security VM, and on the guest VMs.

You can use NTP (Network Time Protocol) synchronization for each host.

Warning: If the time is not synchronized, you can install a Security VM but you cannot manage it from Sophos Central.

Install the Security VM

Now you download an installer and run it to install the Security VM.

You can download the installer at any computer and then transfer it to the computer from which you want to install the Security VM.

  1. Sign in to Sophos Central.
  2. Go to Protect Devices. Under Virtual Environment Protection, click the link to download the installer for your environment (Hyper-V or ESXi).
  3. Find the download and double-click it.
  4. A wizard guides you through installation of a Security VM. See "Tips for installation" below.
  5. If installation fails, try the following:
    • Check the log for details.
    • Click Start Over to try again.
  6. When installation is complete, check that you can see the Security VM. In Sophos Central, go to Server Protection > Servers and select Virtual Servers in the list filter.

Tips for installation:

  • VMware vCenter credentials: Enter the administrator username in exactly the form you use to log in to vCenter using vSphere Client.
  • Datastore for the Security VM: The Security VM protects guest VMs even if their templates are stored in different datastores.
  • In IP settings for the Security VM, enter the IP settings for all the networks where you want to protect guest VMs. Use the "+" and "-" buttons above the fields to add or remove a network. Use the "<" and ">" buttons to move between your settings for different networks.
  • Guest VM migration: If you set up guest VM migration, use Security VMs with the same security policies to ensure consistent cleanup and reporting.

Now install the Sophos Guest VM Agent.

Install the Sophos Guest VM Agent

You must run Sophos Guest VM Agent on each guest VM that you want to protect.

To check which operating systems you can install the Sophos Guest VM Agent on, see Check system requirements.

  • To install:
    1. On the guest VM, browse to the host where the Security VM is installed. You must use the IP address.
    2. In the Public share, find the installer file, SVE-Guest-Installer.exe.
    3. Double-click on the installer to run it or transfer the installer to the guest VM and run it. Follow the on-screen instructions.

Alternatively you can use the command line.

  • You can install with or without a progress bar that shows the progress of the installation. The commands are case sensitive.
    • Limited UI (progress bar): SVE-Guest-Installer.exe SVMIPAddress=<IP Address of SVM> /install /passive
    • No UI (no progress bar): SVE-Guest-Installer.exe SVMIPAddress=<IP Address of SVM> /install /quiet
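
The No UI install wrapped in a PowerShell function, as an added example that is not Sophos code: it copies the installer from the Security VM's Public share, checks its Authenticode signature, then runs it with the arguments given above. Install-SveGuestAgent and its parameters are hypothetical names; that the installer is signed and that exit code 0 means success are assumptions the guide does not confirm.

```powershell
# Added example, not Sophos code. Function and parameter names are hypothetical.
function Install-SveGuestAgent {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $SvmIPAddress,
        [string] $StagingDir = $env:TEMP
    )

    # The guide says to address the Security VM by IP address, so reject
    # host names and loosely formatted values such as "10.1".
    $ip = $null
    if (-not ([System.Net.IPAddress]::TryParse($SvmIPAddress, [ref] $ip) -and
              $ip.ToString() -eq $SvmIPAddress)) {
        throw "SVMIPAddress must be an IP address, got '$SvmIPAddress'."
    }

    # Copy the installer from the Security VM's Public share to local disk,
    # so the file that is checked is the file that runs.
    $source = "\\$SvmIPAddress\Public\SVE-Guest-Installer.exe"
    $staged = Join-Path $StagingDir 'SVE-Guest-Installer.exe'
    Copy-Item -LiteralPath $source -Destination $staged -Force -ErrorAction Stop

    # Assumption: the installer is Authenticode-signed. Refuse to run it otherwise.
    $sig = Get-AuthenticodeSignature -FilePath $staged
    if ($sig.Status -ne 'Valid') {
        throw "Signature check failed for $staged (status: $($sig.Status))."
    }
    Write-Verbose "Signer: $($sig.SignerCertificate.Subject)"

    # The arguments are case sensitive; /quiet is the No UI mode.
    $arguments = "SVMIPAddress=$SvmIPAddress", '/install', '/quiet'
    $proc = Start-Process -FilePath $staged -ArgumentList $arguments -Wait -PassThru

    # Assumption: exit code 0 means success (the guide lists no exit codes).
    [pscustomobject]@{
        Computer = $env:COMPUTERNAME
        Signer   = $sig.SignerCertificate.Subject
        ExitCode = $proc.ExitCode
        Success  = ($proc.ExitCode -eq 0)
    }
}

# Usage with a constructed address: Install-SveGuestAgent -SvmIPAddress 192.0.2.10 -Verbose
```

Compare the reported signer with the publisher you expect before rolling the function out to more guest VMs.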

Alternatively use Group Policy deployment.

We recommend that you snapshot the guest VM after installing the agent. This will allow you to revert the guest VM safely later if you need to.

Use Sophos Central to apply policies

Sophos Central automatically applies our recommended policies for threat detection and cleanup to your Security VMs. Those policies are then used for the guest VMs.

You can modify these policies or create new ones if you want to.

For details, see the Sophos for Virtual Environments configuration guide for users with Sophos Central.

Maintain the Security VM

This section gives advice on post-deployment and maintenance tasks.

  • You must power on the Security VM manually whenever the host is taken out of maintenance or standby mode. Do this before you power on the guest VMs, so that the guest VMs are protected immediately.
  • We recommend that you don't "suspend" the Security VM. Your VMs will be unprotected while it's suspended and it can take a long time to recover.
  • Verify that the Security VM is receiving security updates from Sophos. You can do this by checking its update status in Sophos Central.
  • Backups. We recommend that the Security VM is excluded from regular backup tasks, as this can degrade its performance. If the Security VM needs to be recovered due to infrastructure failures, we recommend you redeploy the Security VM.

Appendix: Migrate to Sophos for Virtual Environments

You can migrate to Sophos for Virtual Environments from these products.

Which products can I migrate from?

  • Sophos Anti-Virus for vShield in a VMware ESXi environment
  • Sophos Anti-Virus running locally on each guest VM in either a VMware ESXi environment or a Microsoft Hyper-V environment
  • Sophos for Virtual Environments running in VMware ESXi or Microsoft Hyper-V environments that are managed by Sophos Enterprise Console
  • Other vendors' anti-virus products in either a VMware ESXi environment or a Microsoft Hyper-V environment

Note: Sophos for Virtual Environments protects guest VMs on a VMware ESXi host, including when running in an NSX environment. However, Sophos for Virtual Environments does not integrate with the NSX manager.

Note: Sophos for Virtual Environments uses a Security VM to provide central threat scanning. Once you install this, guest VMs no longer need threat data updates.

How do I migrate?

Follow the steps below. You can find more details on each step in this guide.

If you’re migrating from third-party anti-virus software, be aware that:

  • Sophos for Virtual Environments requires network connectivity between the Security VM and guest VMs.
  • Sophos for Virtual Environments supports dynamic VM load balancing technologies like vMotion and Live migration, but performance is best if high-speed network connectivity between the Security VM and guest VMs is maintained.

For details of how to see a list of all the protected guest VMs, see the appropriate Sophos for Virtual Environments configuration guide.

Migrate to Sophos for Virtual Environments

To migrate:

  1. Install a Security VM as described in this guide. See Install the Sophos Security VM.
    Note: This new Security VM can be on the same host as an existing SAV vShield Security VM.
  2. Go to Sophos Central and check that the Security VM is updating.
  3. Shut down the old Security VM or uninstall your old anti-virus software.
    CAUTION: Your guest VMs will become unprotected so please ensure their security.
  4. Install the new lightweight Sophos Guest VM Agent on guest VMs. See Install the Sophos Guest VM Agent.
  5. Check that guest VMs are now protected.
    1. Go to a guest VM and search for Security and Maintenance from the Start menu. If this option is not found, search for Action Center.
    2. Click the drop-down arrow beside Security. You should see that Sophos for Virtual Environments is enabled.

Legal notices

Copyright © 2020 Sophos Limited. All rights reserved. No part of this publication may be reproduced, stored in a retrieval system, or transmitted, in any form or by any means, electronic, mechanical, photocopying, recording or otherwise unless you are either a valid licensee where the documentation can be reproduced in accordance with the license terms or you otherwise have the prior permission in writing of the copyright owner.

Sophos, Sophos Anti-Virus and SafeGuard are registered trademarks of Sophos Limited, Sophos Group and Utimaco Safeware AG, as applicable. All other product and company names mentioned are trademarks or registered trademarks of their respective owners.

Third-party licenses

For third-party licenses that apply to your use of this product, please refer to the following folder on the Sophos Security VM: /usr/share/doc.

Some software programs are licensed (or sublicensed) to the user under the GNU General Public License (GPL) or similar Free Software licenses which, among other rights, permit the user to copy, modify, and redistribute certain programs, or portions thereof, and have access to the source code. The GPL requires for any software licensed under the GPL, which is distributed to a user in an executable binary format, that the source code also be made available to those users. For any such software which is distributed along with this Sophos product, the source code is available by following the instructions in knowledge base article 124427.