Planning the installation of Sophos Enterprise Console

Sophos Enterprise Console enables you to install and manage security software on your computers.

Sophos Enterprise Console includes the following components:

  • Management console: Enables you to protect and manage computers.
  • Management server: Handles updates and communications.
  • Databases: Store data about computers on the network.
  • Update manager: Downloads Sophos software and updates from Sophos automatically to a central location.
  • Sophos Credential Store: Used to securely encrypt and store the credentials used by Sophos Enterprise Console for the services and database account, along with the SUM account.

Management console

You might want to install another instance of the management console on another server, so that you can manage networked computers conveniently. This is related to how you want to configure role-based administration for the management console and how you want to split your IT estate into sub-estates:

  • Role-based administration for the management console involves setting up roles, adding rights to the roles, and then assigning Windows users and groups to the roles. For example, a Help Desk engineer can update or clean up computers, but cannot configure policies, which is the responsibility of an Administrator.
  • Sub-estates can be used to restrict the computers and groups that users can perform operations on. You can split your IT estate into sub-estates and assign management console groups of computers to the sub-estates. You can then control access to the sub-estates by assigning Windows users and groups to them. The Default sub-estate contains all management console groups and the Unassigned group.

Sophos Enterprise Console can support up to 25,000 client computers. As a general rule, you should install an additional management console wherever there is a large population of client computers. We also recommend that you use sub-estates; see knowledge base article 63172.

We also recommend no more than 5,000 endpoints per Message Relay; see knowledge base article 14635.

This guide explains how to install an additional management console. For advice about setting up role-based administration and creating sub-estates, see knowledge base article 63556.

Databases

You might want to install the databases on another server, perhaps because:

  • You need more space for the databases.
  • You have a dedicated SQL Server server.
  • You want to spread processing load across a number of servers.

This guide explains how to install the databases either on the same server as the other Sophos Enterprise Console components or on a separate, dedicated database server.

Note: If you need to install the databases on a secure server with a script, or in a clustered SQL Server environment, see knowledge base article 33980.

Note: The Sophos Auditing database, SophosSecurity, must be present and running side by side with the other Sophos Enterprise Console databases, even if you don't intend to use the Sophos Auditing feature. This is because the database is used for enhanced access control as well as for logging audit events.

Update manager

An update manager enables you to create shares that contain the endpoint software that you want to deploy. The computers that you want to protect update themselves from these shares. An update manager is always installed as part of Sophos Enterprise Console. By default, it places endpoint software and updates in a UNC share SophosUpdate. You can install additional update managers on other servers and create additional shares to download and deploy software on larger networks.

Sophos Enterprise Console can support up to 25,000 client computers. As a general rule, you should install update managers wherever there is a large population of client computers, especially in remote locations. This will help you to save bandwidth when updating update shares in that location.

If you use a UNC path for your update share, it should be used by a maximum of 1,000 computers, but this doesn't apply if it is on a dedicated file server. If you set up a web location for updating, it can handle up to about 10,000 computers updating from it.

Sophos Credential Store

Sophos Credential Store is used to securely encrypt and store the credentials used by Sophos Enterprise Console for the services and database account, along with the Sophos Update Manager account.

On installation, the following service is created for this component:

Display name: Sophos Credential Store

Service name: Sophos.Credential.Store.Service

Startup type: Automatic

Sophos Credential Store Service uses a virtual service account 'NT Service\Sophos.Credential.Store.Service'. This is created when the service is installed and ensures that the service has limited access to machine resources.

Sophos Credential Store Service is installed in:

C:\Program Files (x86)\Sophos\Credential Store\

Log location and name:

C:\ProgramData\Sophos\Credential Store\store.log

On installation, the following Group is created and populated with the account that performed the installation: Sophos Console Power Users.

Membership of this Group is required to perform certain operations that access the Sophos credentials, such as using the DatabackupRestore tool and modifying the Sophos Enterprise Console installation.

For more information, see knowledge base article 134488.
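
The following PowerShell check is an added example, not part of the Sophos documentation. It compares the installed Sophos Credential Store service with the values listed above and lists the members of Sophos Console Power Users for review. It assumes the group is a local group on the management server; the function name and the $expected table are hypothetical.

```powershell
# Expected values come from the page. Assumption: the group is a local group.
$expected = @{
    ServiceName = 'Sophos.Credential.Store.Service'
    DisplayName = 'Sophos Credential Store'
    StartMode   = 'Auto'   # Win32_Service reports the Automatic startup type as "Auto"
    Account     = 'NT Service\Sophos.Credential.Store.Service'
    InstallDir  = 'C:\Program Files (x86)\Sophos\Credential Store'
    LogFile     = 'C:\ProgramData\Sophos\Credential Store\store.log'
    Group       = 'Sophos Console Power Users'
}

function Test-CredentialStoreBaseline {
    param([Parameter(Mandatory)][hashtable]$Expected)
    $findings = [System.Collections.Generic.List[string]]::new()

    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$($Expected.ServiceName)'"
    if (-not $svc) {
        $findings.Add("Service '$($Expected.ServiceName)' is not installed")
    } else {
        if ($svc.DisplayName -ne $Expected.DisplayName) { $findings.Add("Unexpected display name: $($svc.DisplayName)") }
        if ($svc.StartMode -ne $Expected.StartMode)     { $findings.Add("Startup type is $($svc.StartMode), expected Automatic") }
        if ($svc.State -ne 'Running')                   { $findings.Add("Service state is $($svc.State)") }
        # A different logon account means the service no longer runs with the
        # limited access of its virtual service account.
        if ($svc.StartName -ne $Expected.Account)       { $findings.Add("Service runs as '$($svc.StartName)'") }
        # The service binary should live under the documented install directory.
        $binary = $svc.PathName.TrimStart('"')
        if (-not $binary.StartsWith($Expected.InstallDir, [StringComparison]::OrdinalIgnoreCase)) {
            $findings.Add("Binary path outside install directory: $($svc.PathName)")
        }
    }

    foreach ($path in $Expected.InstallDir, $Expected.LogFile) {
        if (-not (Test-Path -LiteralPath $path)) { $findings.Add("Missing path: $path") }
    }

    # Members of this group can run operations that access the Sophos credentials.
    $members = @()
    try {
        $members = @(Get-LocalGroupMember -Group $Expected.Group -ErrorAction Stop)
    } catch {
        $findings.Add("Could not read group '$($Expected.Group)': $($_.Exception.Message)")
    }

    [pscustomobject]@{ Findings = $findings; GroupMembers = $members.Name }
}

Test-CredentialStoreBaseline -Expected $expected | Format-List
```

Run it in an elevated PowerShell 5.1 or later session on the server that hosts the management server. An empty Findings list means the service matches the values documented here; GroupMembers still needs a manual review against the accounts you expect.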