Startup guide for users with Sophos Enterprise Console

This guide tells you how to set up Sophos for Virtual Environments and manage it with Sophos Enterprise Console.

If you are migrating to Sophos for Virtual Environments, see Appendix: Migrate to Sophos for Virtual Environments.

About Sophos for Virtual Environments

Sophos for Virtual Environments is a security system that protects VMs. It works like this:

  • Run Sophos Security VM on a hypervisor host. This can detect and block threats on connected guest VMs.
  • Run Sophos Guest VM Agent on each guest VM. This lets the VM communicate with the Security VM.
  • Use Sophos Enterprise Console to manage Security VMs and keep them up to date.


Key steps in setup

Setup involves these key steps, which are described in the sections that follow:

  • Check system requirements.
  • Uninstall other anti-virus products.
  • Set up Sophos Enterprise Console (the Sophos management software).
  • Install Sophos Security VM.
  • Install Sophos Guest VM Agent on guest VMs.
  • Use Sophos Enterprise Console to apply policies.

Check system requirements

The system requirements are as follows.

For more information on general system requirements, see knowledgebase article 125679.

VMware requirements

  • VMware ESXi host 5.5 (limited support), 6.0, 6.5 or 6.7.
  • VMware vCenter 5.5 (limited support), 6.0, 6.5 or 6.7.
  • VMware Tools.
Note Installations on to ESXi hosts must be completed within a VMware vCenter environment. Installation directly on to a standalone ESXi host is not currently supported.

Hardware requirements for each Security VM:

  • 2 CPUs.
  • 20 Gb disk space.
  • 4 Gb RAM.

Don't place a CPU resource limit on the Sophos Security VM.

By default, 2 CPUs are allocated. If you have many guest VMs to protect, configure more CPUs after installation. See the appropriate Sophos for Virtual Environments configuration guide.

The Security VM reserves memory. High-availability and load-balancing systems make automatic choices based on resource reservations for the VMs in your VMware environment. Don't remove the Security VM memory reservation.

Microsoft Hyper-V requirements

The Microsoft Hyper-V system should be one of the following:

  • Hyper-V in Windows Server 2012 (Core, full)
  • Hyper-V in Windows Server 2012 R2 (Core, full)
  • Hyper-V in Windows Server 2016 (Core, Server with Desktop Experience)

The Microsoft Hyper-V integration components will install automatically if Windows updating is enabled and works successfully. Without these tools your VM performance may be degraded.

Microsoft publish guidelines for how to secure your Hyper-V server most effectively. See Microsoft KBA 3105657.

Guest VM requirements

The Sophos Guest VM Agent supports the following operating systems:

  • Windows 7 SP1
  • Windows 8.1
  • Windows 10
  • Windows Server 2008 R2 SP1
  • Windows Server 2012
  • Windows Server 2012 R2
  • Windows Server 2016
  • Windows Server 2019

For further information on the minimum support level for Windows 7 and Windows Server 2008 R2, see knowledge base article 125679.

If you are installing on a Windows Server that is hosting Microsoft Exchange Server 2016 you must make the changes shown in knowledge base article 126188.

Network requirements

The Security VM and guest VMs need to share a network connection. Ideally this should be a high-speed LAN with no network traffic throttling.

The network traffic between Security VM and guest VMs should not be blocked by firewalls or network access controllers.

NAT network requirements

If you have guest VMs inside a NAT (Network Address Translation) network, you can protect them with a Security VM inside or outside of that network.

During installation, configure the Security VM with the following:

  • A primary IP address outside of the NAT (this address must be able to communicate with the management console).
  • A secondary IP address that is within the NAT.

Subnet requirements

You can configure the Security VM with multiple IP addresses. Each IP address must be on a different subnet.

Microsoft Hyper-V supports 3 subnets. VMware ESXi supports 5 subnets.

Uninstall other anti-virus products

You can’t use Sophos for Virtual Environments to protect guest VMs that run other anti-virus products.

  • Uninstall any anti-virus products, including Sophos products, that are already installed on your guest VMs.

    Don’t forget that Sophos gateway or server products might include or require anti-virus components.

  • Disable Windows Defender on server platforms where the security center is not present. We recommend that you do this using a group policy.

For more information, see knowledgebase article 125679.

Set up Sophos management software

Before you install Security VMs, you should:

  • Install Sophos Enterprise Console (if you do not already have it). You use this to download protection software updates and to manage the VMs you protect.
  • Create a Sophos for Virtual Environments network share. The share is used to keep Security VMs up to date.

The following sections describe how to do this.

Already using Sophos Enterprise Console?

If you already use Sophos Enterprise Console to manage other Sophos products and now want to add Sophos for Virtual Environments, your customer credentials might not let you set up the Sophos network share. If this happens, check that your license includes this product. You can send license queries to customercare@sophos.com

Install Sophos Enterprise Console

If you already have Sophos Enterprise Console installed, go to Create a Sophos update share.

You should install Sophos Enterprise Console on a Windows computer that will be on the same network as the Security VMs.

Follow the instructions in the Sophos Enterprise Console quick startup guide. When you are prompted to select the platforms you want to protect, include Sophos for Virtual Environments. This creates the Sophos for Virtual Environments network share.

Note This gives you the Recommended version. If you want the Preview version, which gives you early access to new features, see Create a Sophos update share.

After installation, see Check access to the Sophos update share.

Create a Sophos update share

If you have just made a new installation of Sophos Enterprise Console and subscribed to Sophos for Virtual Environments, you can skip this section.

  1. In Sophos Enterprise Console, on the View menu, click Update Managers.
  2. Set up a "subscription" to Sophos for Virtual Environments:
    1. In the Software Subscriptions pane, click Add at the top of the pane.
    2. In the Software Subscription dialog box, type a name in the Subscription name text box.
    3. In the platform list, select Sophos for Virtual Environments.
      Note If you cannot see this in the list, your customer credentials need updating. Contact Sophos Technical Support.
    4. In the version box, select Recommended or Preview. Preview gives you early access to new features.
      Note You must use the same version when you install the Security VMs later.
  3. Configure the update manager to use this subscription:
    1. In the Update Managers pane, select the update manager that is installed on this server. Right-click it and click View/Edit configuration.
    2. In the Configure update manager dialog box, on the Subscriptions tab, ensure that the new subscription is in the Subscribed to list.
    3. Click OK.

Now continue to the next section.

Check access to the Sophos update share

You need to locate the Sophos update share and ensure that it can be accessed using either valid credentials or a guest account.

Note Unless you specified otherwise, the Sophos update share is accessed by the user account set up during installation of Sophos Enterprise Console. It is described there as the "Update Manager" account and most customers give it the username SophosUpdateMgr.
  1. In Sophos Enterprise Console, on the View menu, click Bootstrap Locations.
    A list of locations is displayed.
  2. Find the location for Sophos for Virtual Environments and make a note of it. You will need this when you install the Security VMs.

    You will need the Fully Qualified Domain Name for this location.

  3. If the share is on Windows Server 2008 or 2012, you might need to change Windows Firewall settings on the server temporarily to enable the Sophos Security VM installer to access it.

    The following Inbound rules must be set to On (which is the default):

    • File and Printer Sharing (NB-Datagram-In)
    • File and Printer Sharing (NB-Name-In)
    • File and Printer Sharing (NB-Session-In)

    You can set these rules to Off again after you have installed your Security VMs.

If you have a customized installation of Sophos Enterprise Console or you created an additional network share for updating Security VMs, note that:

  • If credentials are required, they will need to be stored on Security VMs after they are installed, so we recommend that you use read-only credentials.
  • If the network share is on a different computer to Sophos Enterprise Console (or the Update Manager component of Sophos Enterprise Console), ensure that it can also be accessed using an account that has write access.
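The share-path and firewall checks from steps 2 and 3 above can be scripted. The following PowerShell is an added example, not part of the Sophos guide or product. The share path is a constructed sample value, `Test-UpdateSharePath` and `Get-ShareFirewallRuleState` are hypothetical helper names, and only the UNC form of the location is checked (not a web address).

```powershell
# Added example, not Sophos code. Run in an elevated PowerShell session on the
# server that hosts the update share. Get-NetFirewallRule needs Windows Server
# 2012 or later; on Windows Server 2008 check the rules in the firewall console.

# The three inbound rules the guide lists, by display name.
$RequiredRules = @(
    'File and Printer Sharing (NB-Datagram-In)',
    'File and Printer Sharing (NB-Name-In)',
    'File and Printer Sharing (NB-Session-In)'
)

function Test-UpdateSharePath {
    # True only for a UNC path whose server part is a fully qualified domain name.
    param([Parameter(Mandatory)][string]$Path)

    if ($Path -match '^\\\\(?<server>[^\\]+)\\[^\\]+') {
        $server = $Matches['server']
    } else {
        return $false                       # not a UNC path
    }

    $ip = $null
    if ([System.Net.IPAddress]::TryParse($server, [ref]$ip)) {
        return $false                       # IP address, not a name
    }

    # At least two dot-separated labels of letters, digits and hyphens.
    return $server -match '^([A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?\.)+[A-Za-z][A-Za-z0-9-]*$'
}

function Get-ShareFirewallRuleState {
    # One row per rule copy (the same display name can exist for several profiles).
    foreach ($name in $RequiredRules) {
        $rules = @(Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue)
        if ($rules.Count -eq 0) {
            [pscustomobject]@{ Rule = $name; Profile = 'n/a'; Enabled = 'NotFound' }
            continue
        }
        foreach ($r in $rules) {
            [pscustomobject]@{ Rule = $name; Profile = "$($r.Profile)"; Enabled = "$($r.Enabled)" }
        }
    }
}

# Constructed sample value; replace with the location shown under Bootstrap Locations.
$share = '\\sec-console.corp.example.com\SophosUpdate'

if (-not (Test-UpdateSharePath -Path $share)) {
    Write-Warning "'$share' is not a UNC path with a fully qualified domain name."
}

# Keep the current state so the rules can be returned to it after installation.
$before = Get-ShareFirewallRuleState
$before | Format-Table -AutoSize
$before | Where-Object { $_.Enabled -ne 'True' } | ForEach-Object {
    Write-Warning "Rule not On: $($_.Rule) [$($_.Profile)]"
}
```

Keeping `$before` (or exporting it) gives you a record of which rules were Off, so you can set the same ones back to Off once the Security VMs are installed.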

Install the Sophos Security VM

You can install one or more Security VMs on each host where you want to protect guest VMs.

Follow the steps described in the sections that follow.

  • Check that you have the passwords you need.
  • Check that systems are synchronized.
  • Check the installation requirements.
  • Install the Security VM.

Check that you have the passwords you need

You need the passwords for the following accounts:

  • The account used to access the Sophos for Virtual Environments network share (or "Sophos Update folder").
  • If you're in a VMware environment, the vCenter Administrator account.

Check that systems are synchronized

You must ensure that the time is synchronized on the Sophos Enterprise Console server, on the host where you install the Security VM, and on the guest VMs.

You can use NTP (Network Time Protocol) synchronization for each host.

Warning If the time is not synchronized, you can install a Security VM but you can't manage it from Sophos Enterprise Console.

Check the installation requirements

Check that the computer and user account you're going to use meet the requirements.

  • You must run the installer on a Windows computer that has access to your VMware vCenter or Microsoft Hyper-V server over the network.
  • You must install the Security VM over the local network. The installer doesn't currently support the use of an authenticated proxy.
  • You can't use the installer on Windows XP or Windows Server 2003.
  • You require NTLMv2 authentication. The installer uses this to access the share where it gets the certificates and product bundles it needs.
  • Ensure the required ports are open on your firewall. See knowledgebase article 126313.
  • Ensure you have access to the Sophos management console.

Also make sure you meet these hypervisor requirements:

  • VMware ESXi users: Ensure that you are an administrator for the VMware vCenter and ESXi host.
  • Microsoft Hyper-V users: You must run the installer as a user with rights to create and control VMs on the Hyper-V server. This can be a local user account on the Hyper-V server or a domain user.
  • Disable Distributed Resource Scheduler (VMware) and High Availability during installation.

The computer where you run the installer is used only for installation. It is not used for management or protection of your Security VM or guest VMs afterwards.

Install the Security VM

Now you download an installer and run it to install the Security VM.

You can download the installer at any computer and then transfer it to the computer from which you want to install the Security VM.

  1. Go to www.sophos.com/en-us/support/downloads and sign in with your Sophos ID.
  2. Select your license (if prompted). Under Standalone installers, click Sophos for Virtual Environments.
  3. Download the installer.

    Get the same version (Recommended or Preview) that you subscribed to in Sophos Enterprise Console.

  4. Double-click the download.
  5. A wizard guides you through installation of a Security VM. We strongly recommend you read Tips for installation.
  6. If installation fails, try the following:
    • Check the log for details.
    • Click Start Over to try again.
  7. When installation is complete, check that you can see the Security VM. Go to Sophos Enterprise Console and look for the Security VM in the Unassigned group of computers.

    If you change the name of a Security VM later, it is still shown in Sophos Enterprise Console with the original name.

Tips for installation

Here's some information you'll find useful when you're completing the Security VM installation wizard.

VMware vCenter credentials

Enter the administrator username in exactly the form you use to log in to vCenter using vSphere Client.

Sophos update folder details

Enter details of the Sophos for Virtual Environments network share you created earlier.

  • Use a UNC path including the fully qualified domain name, or a web address. To check the share's location, go to Sophos Enterprise Console. On the View menu, click Bootstrap Locations.
  • The username and password you need are for the "Update Manager" account. Most customers give it the username SophosUpdateMgr.

Datastore for the Security VM

The Security VM protects guest VMs even if their templates are stored in different datastores.

IP settings for the Security VM

Enter the IP settings for all the networks where you want to protect guest VMs. Use the "+" and "-" buttons above the fields to add or remove a network. Use the "<" and ">" buttons to move between your settings for different networks.

Guest VM migration

Install the Sophos Guest VM Agent

You must run Sophos Guest VM Agent on each guest VM that you want to protect.

To check which operating systems you can install the Sophos Guest VM Agent on, see Check system requirements.

  • To install:
    1. On the guest VM, browse to the host where the Security VM is installed. You must use the IP address.
    2. In the Public share, find the installer file, SVE-Guest-Installer.exe.
    3. Double-click on the installer to run it or transfer the installer to the guest VM and run it. Follow the on-screen instructions.

Alternatively you can use the command line.

  • You can choose to install with or without a progress bar being displayed to indicate the progress of the installation. The commands are case sensitive.
    • Limited UI (progress bar): SVE-Guest-Installer.exe SVMIPAddress=<IP Address of SVM> /install /passive
    • No UI (no progress bar): SVE-Guest-Installer.exe SVMIPAddress=<IP Address of SVM> /install /quiet

Alternatively use Group Policy deployment.

We recommend that you snapshot the guest VM after installing the agent. This will allow you to revert the guest VM safely later if you need to.
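The no-UI command-line install described above can be wrapped with checks that run before the installer does. This PowerShell is an added example, not Sophos code: `Install-SveGuestAgent` is a hypothetical helper name and the path and IP address in the last line are constructed sample values. It assumes the installer is Authenticode-signed and that exit code 0 means success, neither of which this guide states.

```powershell
# Added example, not Sophos code. Install-SveGuestAgent is a hypothetical helper name.
function Install-SveGuestAgent {
    param(
        [Parameter(Mandatory)][string]$InstallerPath,  # copy of SVE-Guest-Installer.exe
        [Parameter(Mandatory)][string]$SvmIpAddress    # IP address of the Security VM
    )

    # The installer takes the Security VM's IP address, so reject host names and
    # shorthand such as "10" that IPAddress.TryParse would otherwise accept.
    $ip = $null
    if (-not [System.Net.IPAddress]::TryParse($SvmIpAddress, [ref]$ip) -or
        ($ip.AddressFamily -eq 'InterNetwork' -and $ip.ToString() -ne $SvmIpAddress)) {
        throw "SVMIPAddress must be a full IP address, got '$SvmIpAddress'."
    }

    if (-not (Test-Path -LiteralPath $InstallerPath -PathType Leaf)) {
        throw "Installer not found: $InstallerPath"
    }

    # The file was copied from a network share, so check its Authenticode
    # signature before running it. Assumption: the installer is signed.
    $sig = Get-AuthenticodeSignature -FilePath $InstallerPath
    if ($sig.Status -ne 'Valid') {
        throw "Signature status is '$($sig.Status)'; not running $InstallerPath."
    }
    Write-Host "Signer: $($sig.SignerCertificate.Subject)"   # review before trusting

    # Argument names and switches are case sensitive; keep them exactly as documented.
    $installArgs = @("SVMIPAddress=$SvmIpAddress", '/install', '/quiet')
    $proc = Start-Process -FilePath $InstallerPath -ArgumentList $installArgs -Wait -PassThru

    # Assumption: exit code 0 means success; the guide does not document exit codes.
    [pscustomobject]@{
        Computer = $env:COMPUTERNAME
        Signer   = $sig.SignerCertificate.Subject
        ExitCode = $proc.ExitCode
    }
}

# Constructed sample values: a local copy of the installer and a Security VM address.
Install-SveGuestAgent -InstallerPath 'C:\Temp\SVE-Guest-Installer.exe' -SvmIpAddress '192.0.2.10'
```

Run it from an elevated session on the guest VM, and compare the reported signer with the publisher you expect before relying on the result.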

Use Sophos Enterprise Console to apply policies

  1. In Sophos Enterprise Console, create an updating policy and an anti-virus and HIPS policy.
  2. Right-click each policy and select Reset Policy to Factory Defaults.
  3. Double-click the new updating policy to open it.
  4. In the Updating policy dialog box:
    1. Click the Subscription tab and select the subscription for Sophos for Virtual Environments.
    2. Click the Primary Server tab and ensure that the location of the update folder includes the fully qualified domain name. Save the policy.
  5. Create a new computer group to contain the Security VM.
  6. Apply the new policies to the new group.
  7. Drag the Security VM from the Unassigned group to the new group.

Maintain the Security VM

This section gives advice on post-installation and maintenance tasks.

  • You must power on the Security VM manually whenever the host is taken out of maintenance or standby mode. Do this before you power on the guest VMs, so that the guest VMs are protected immediately.
  • We recommend that you don't "suspend" the Security VM. Your VMs will be unprotected while it's suspended and it can take a long time to recover.
  • Verify that the Security VM is receiving security updates from Sophos. You can do this by checking its update status in Enterprise Console.
  • Backups. We recommend that the Security VM is excluded from regular backup tasks, as this can degrade its performance. If the Security VM needs to be recovered due to infrastructure failures, we recommend you redeploy the Security VM.

Appendix: Migrate to Sophos for Virtual Environments

You can migrate to Sophos for Virtual Environments from these products.

Which products can I migrate from?

  • Sophos Anti-Virus for vShield in a VMware ESXi environment
  • Sophos Anti-Virus running locally on each guest VM in either a VMware ESXi environment or a Microsoft Hyper-V environment
  • Sophos for Virtual Environments running in VMware ESXi or Microsoft Hyper-V environments that are managed by Sophos Enterprise Console
  • Other vendors' anti-virus products in either a VMware ESXi environment or a Microsoft Hyper-V environment
Note Sophos for Virtual Environments protects guest VMs on a VMware ESXi host, including when running in an NSX environment. However, Sophos for Virtual Environments does not integrate with the NSX manager.
Note Sophos for Virtual Environments uses a Security VM to provide central threat scanning. Once you install this, guest VMs no longer need threat data updates.

How do I migrate?

Follow the steps below. You can find more details on each step in this guide.

If you’re migrating from third-party anti-virus software, be aware that:

  • Sophos for Virtual Environments requires network connectivity between the Security VM and guest VMs.
  • Sophos for Virtual Environments supports dynamic VM load balancing technologies like vMotion and Live migration, but performance is best if high speed network connectivity between the Security VM and guest VMs is maintained.

For details of how to see a list of all the protected guest VMs, see the Sophos for Virtual Environments configuration guide.

Migrate to Sophos for Virtual Environments

To migrate:

  1. Set up Sophos Enterprise Console to download software and manage the VMs you will protect. See Set up Sophos management software.
  2. Install a Security VM as described in this guide. See Install the Sophos Security VM.
    Note Sophos Anti-Virus for VMware vShield is now retired and unsupported.
  3. Go to Sophos Enterprise Console and check that the Security VM is updating.
  4. Shut down the old Security VM or uninstall your old anti-virus software.
    CAUTION Your guest VMs will become unprotected so please ensure their security.
  5. Install the new lightweight Sophos Guest VM Agent on guest VMs. See Install the Sophos Guest VM Agent.
  6. Check that guest VMs are now protected.
    1. Go to a guest VM and search for Security and Maintenance from the start menu. If this option is not found search for Action Center.
    2. Click the drop-down arrow beside Security. You should see that Sophos for Virtual Environments is enabled.

Legal notices

Copyright © 2019 Sophos Limited. All rights reserved. No part of this publication may be reproduced, stored in a retrieval system, or transmitted, in any form or by any means, electronic, mechanical, photocopying, recording or otherwise unless you are either a valid licensee where the documentation can be reproduced in accordance with the license terms or you otherwise have the prior permission in writing of the copyright owner.

Sophos, Sophos Anti-Virus and SafeGuard are registered trademarks of Sophos Limited, Sophos Group and Utimaco Safeware AG, as applicable. All other product and company names mentioned are trademarks or registered trademarks of their respective owners.

Third-party licenses

For third-party licenses that apply to your use of this product, please refer to the following folder on the Sophos Security VM: /usr/share/doc.

Some software programs are licensed (or sublicensed) to the user under the GNU General Public License (GPL) or similar Free Software licenses which, among other rights, permit the user to copy, modify, and redistribute certain programs, or portions thereof, and have access to the source code. The GPL requires for any software licensed under the GPL, which is distributed to a user in an executable binary format, that the source code also be made available to those users. For any such software which is distributed along with this Sophos product, the source code is available by following the instructions in knowledge base article 124427.