How does location roaming work?

Location roaming is a method of intelligent updating for roaming laptops where updates are performed from a "best" update location and updating does not rely solely on the primary and secondary update locations specified in the laptops' updating policy.

When location roaming is enabled, the following happens:

  1. When a laptop changes its location, the Sophos AutoUpdate component of Endpoint Security and Control installed on the laptop determines that the MAC address of the default gateway on the connected network has changed since the last update. It then sends an ICMP broadcast over the local subnet to neighboring AutoUpdate installations, using UDP port 51235 by default.
  2. The neighboring AutoUpdate installations reply with their updating policy, using the same port. Only the primary update location is sent in the response.

    All Endpoint Security and Control installations listen for broadcasts regardless of whether location roaming is enabled or not.

    Sensitive information in replies is obfuscated and fields are hashed for integrity.

    Reply messages have a randomized reply time, to avoid message storms. The replies are also ICMP broadcasts, so any other machine that would have replied with the same details will also receive the broadcast and know not to respond.

  3. AutoUpdate chooses the "best" location from the locations received and checks whether the sender is managed by the same Enterprise Console and the subscription ID matches the one used by AutoUpdate on the laptop.

    The "best" update location is determined by the number of hops required to reach the update location.

  4. An update is then attempted and, if successful, the location is cached.

    A maximum of four accessible update locations with the same subscription ID and the lowest hop count are stored on the laptop (in the file iustatus.xml in the following location: C:\Program Files\Sophos\AutoUpdate\data\status\iustatus.xml).

    These update locations are checked every time AutoUpdate performs an update.

    Note: If you need to revert to using the primary and secondary update locations specified in the updating policy (for example, if you wish to roll out customizations from the update location specified in the policy), you will need to disable location roaming.
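
The selection rules in steps 3 and 4 can be modelled as follows. This is an added example, not Sophos code: the `Reply` fields, the `hops_to` table and all sample values are constructed assumptions, and the real message format and trust check are not documented on this page.

```python
from dataclasses import dataclass

MAX_CACHED = 4  # the page: at most four update locations are stored


@dataclass(frozen=True)
class Reply:
    """One neighbour's reply. Field names are hypothetical, not the wire format."""
    location: str          # primary update location advertised by the neighbour
    console_id: str        # stands in for "managed by the same Enterprise Console"
    subscription_id: str


def select_locations(replies, my_console_id, my_subscription_id, hops_to):
    """Return up to MAX_CACHED accepted locations, lowest hop count first.

    hops_to maps a location to the hop count measured from the laptop;
    a location missing from the map is treated as not accessible.
    """
    accepted = set()
    for r in replies:
        # Step 3: ignore senders on another console or another subscription.
        if r.console_id != my_console_id or r.subscription_id != my_subscription_id:
            continue
        # Step 4: only accessible locations are cached.
        if r.location not in hops_to:
            continue
        accepted.add(r.location)  # several neighbours may advertise the same location
    ranked = sorted(accepted, key=lambda loc: (hops_to[loc], loc))
    return ranked[:MAX_CACHED]


# Constructed sample replies collected after the gateway MAC address changed.
REPLIES = [
    Reply(r"\\upd-branch\updates", "console-A", "sub-1"),
    Reply(r"\\upd-hq\updates", "console-A", "sub-1"),
    Reply(r"\\upd-branch\updates", "console-A", "sub-1"),   # duplicate advert
    Reply(r"\\upd-other\updates", "console-X", "sub-1"),    # different console
    Reply(r"\\upd-old\updates", "console-A", "sub-9"),      # different subscription
    Reply(r"\\upd-dr\updates", "console-A", "sub-1"),       # not accessible
    Reply(r"\\upd-lab\updates", "console-A", "sub-1"),
    Reply(r"\\upd-dc2\updates", "console-A", "sub-1"),
    Reply(r"\\upd-dc3\updates", "console-A", "sub-1"),
]
# Constructed hop counts; upd-dr is absent because it could not be reached.
HOPS = {r"\\upd-branch\updates": 1, r"\\upd-hq\updates": 4,
        r"\\upd-other\updates": 1, r"\\upd-old\updates": 2,
        r"\\upd-lab\updates": 2, r"\\upd-dc2\updates": 3,
        r"\\upd-dc3\updates": 6}

if __name__ == "__main__":
    for loc in select_locations(REPLIES, "console-A", "sub-1", HOPS):
        print(HOPS[loc], loc)
```

In this model a reply from a sender on another console is dropped even when it advertises the lowest hop count, which is why the console and subscription check matters on an untrusted network.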