Installing and configuring an air gap using Enterprise Console 4's Update Manager

Installation

Installing on the non-air-gapped network

Follow the instructions in the Quick Startup Guide for installing Enterprise Console on your non-air-gapped network. Ensure that you subscribe to the software packages that you require on both the air-gapped and non-air-gapped networks.

Installing on the air-gapped network

To install Endpoint Security and Control on your air-gapped network, you have two options:

1. Install Enterprise Console on one of the servers in the air gap to centrally manage and update the endpoint computers in the air gap.

1. Follow the instructions in the Quick Startup Guide to install the management software and cancel the installer when it reaches the 'Download software subscriptions' wizard.
2. Create a new folder on the desktop to be used as your update source. Call this folder Update Source.
3. Copy the Warehouse directory from the non-air-gapped network onto a removable storage device or CD and submit this medium to your required verification:-
   On the non-air-gapped network, the Warehouse directory containing the packages for Endpoint Security and Control version 9 will be found on the server running Enterprise Console 4 as follows:
   • Windows Server 2000/2003
     C:\Documents and Settings\All Users\Application Data\Sophos\Update Manager\Update Manager\Warehouse
   • Windows Server 2008
     C:\Program Data\Sophos\Update Manager\Update Manager\Warehouse
4. Paste the Warehouse directory to the folder Update Source (i.e. the one you created in step 2 above), which is on the desktop in the air-gapped network and share Update Source as 'SophosUpdateManager'.
5. On the air-gapped Update Manager, on the Sources tab, set the primary source to be the UNC path to the 'SophosUpdateManager' share, i.e.  \\servername\SophosUpdateManager
6. Configure your software subscriptions to use the appropriate packages.
7. Once your update manager has downloaded the packages, deploy them to the air-gapped network.

2. Install the standalone version of Endpoint Security and Control 9 on each of the computers in the air gap.

Note: if you choose this option, you won’t be able to ensure compliance with policies on the endpoint computers in the air gap, nor will you be able to take advantage of all the features of Endpoint Security and Control, because Application Control, Device Control and Data Control policies are all configured using Enterprise Console.

Installing Endpoint Security and Control is described in the Endpoint Security and Control standalone startup guide.

Once you have followed this guide and the standalone version is installed on each of the computers in the air gap, you will have to configure them to update from a shared folder in the air gap, as follows:

1. Create a new folder on the desktop of one of the air-gapped endpoints to be used as your update source.
2. Copy the appropriate packages from the non-air-gapped network onto a removable storage device or CD and submit this medium to your required verification.
   
   For example, the default location of the Endpoint Security and Control 9 package is:
   
   Windows Server 2000/2003
   C:\Documents and Settings\All Users\Application Data\Sophos\Update Manager\Update Manager\CIDs\S000\SAVSCFXP
   
   
   Windows Server 2008
   C:\Program Data\Sophos\Update Manager\Update Manager\CIDs\S000\SAVSCFXP
   
   
3. Paste the copied files to the folder on the desktop in the air-gapped network.
4. Share this folder to the network.
5. Set each of the endpoint computers to update from this shared location.

Updating

To update the air-gapped network, you will have to manually copy the update files from the non-air-gapped network using a removable device or CD. After you have subjected this medium to your necessary checks, copy the contents to the shared folder on the air-gapped network. We recommend that you update your air-gapped network once a day.