Sophos NAC provides easy-to-deploy network access control (NAC). It allows administrators to centrally define and manage security policies to identify and isolate non-compliant, compromised, or misconfigured computers accessing the corporate network. It seamlessly integrates with existing network infrastructures and security applications for a wide range of vendors.

For information on installing Sophos NAC for the first time, see the Sophos Endpoint Security and Control quick start guide.

This guide is available from the Sophos website.

• SQL Server 2005 support
• SQL Server 2005 Express support
• NAC installation drive specification and space indication improvements
• Authenticated proxy support for the NAC server
• Authenticated proxy support for the NAC Agent
• NAC Agent downgrade support for all future NAC Agent releases
• Updated support for the latest versions of security software

• (DEF 13468) The NAC installation progress window displays progress very slowly and the time remaining value may not change for a period of time.
• (DEF 15250) The NAC Manager is displaying some of the detection rules for the Sophos applications. All detection rules should be hidden regardless of the application and vendor.
• (QUE 19055) The NAC installation is slow because the size of the NAC databases is configured for large companies rather than medium-sized companies.
• (SUG 19421) The NAC installation does not install to any other drive except C.
• (DEF 20340) The NAC installation does not check for database disk space.
• (DEF 20408) If you add an executable network resource to an Agent Enforcer access template and click Save As New, you receive an error.
• (SUG 20582) The vertical axis scale on the Current Compliance and Compliance Trend charts that appear on the NAC Manager home page do not display information using whole numbers.
• (DEF 23529) The NAC Agent is unable to enforce NAC policy if it encounters an unkown adaptor type.
• (DEF 30356) The NAC Agent will deny Sophos Auto Update (SAU) requests if SAU has an invalid certificate.
• (DEF 30743) Sophos coding signing certificate is set to expire in March 2009.

Some descriptions include the relevant identifier in brackets. You can use this if you need to contact Sophos technical support.

• The NAC Agent installation may require you to restart the endpoint after installation for the following reasons. During installation, you were prompted to shut down applications that were using shared resources, such as the XMLDOM, and you chose not to shut down these applications. You are upgrading the Quarantine Agent and the upgrade uses a new version of the Agent Quarantine Manager which is a kernel driver.

• (DEF 23404) When NAC remediates Symantec AntiVirus 11.x to enable real-time protection, NAC may not detect that real-time protection has been enabled until Symantec AntiVirus completes an initial scan.
• (DEF 23386) The Symantec 11.x application has been added to this version of NAC. However, there is no pre-defined profile for Symantec 11.x. The workaround is for customers to create their own profile for Symantec 11.x.
• (SUG 21670) Sophos NAC will not install on the same server as Microsoft Sharepoint server.
• (TT 19250) On endpoints running the Windows Vista operating system, the NAC Web Agent cannot be installed automatically if the NAC Agent was previously installed and uninstalled. If the NAC Agent was previously installed and then uninstalled on an endpoint running the Windows Vista operating system, and then a Web Agent installation is attempted on that same endpoint, the Web Agent installation will fail. The issue is a result of how the Vista operating system uses XMLDOM, which is included as part of the Web Agent installation CAB file. For the installation to work correctly, you must first manually install XMLDOM, and then attempt to install the Web Agent again.
• (TT 18848) The NAC Web Agent doesn’t run in IE 7 with Protected Mode on. This is the default setting for every zone except the Trusted Sites zone. The workaround is to add the Web Agent URL to the Trusted Sites zone, which has Protected Mode set to Off by default.
• (TT 18853) The Update remediation action for McAfee AntiSpyware 2.0 requires user interaction. If the Agent launches an Update remediation action for McAfee AntiSpyware 2.0, a dialog box displays and the update does not start until the user clicks Update.
• (DEF 11485) For Symantec Client Security 10.x Firewall, if the Enabled capability check is run on the endpoint less than 60 seconds after the firewall is enabled, the NAC software returns inconsistent results when detecting the Enabled capability. The workaround is to ensure that more than 60 seconds has passed after the firewall was enabled before attempting to detect the Enabled capability.
• (DEF11506) The NAC Agent and Web Agent do not detect Proventia Desktop Firewall 8.x.
• (DEF 11438) The Last Scan Grace Period or Last Scan Date capability for McAfee Anti-Virus 4.5.1 on Windows XP SP2 always returns a non-compliant result.
• (DEF 11396) The Last Scan Grace Period or Last Scan Date capability for Sophos Anti-Virus 7.x on the French operating system always returns a non-compliant result.

Some descriptions include the relevant identifier in brackets. You can use this if you need to contact Sophos technical support.

For technical support, visit http://www.sophos.com/support.

If you contact technical support, provide as much information as possible, including the following:

• Sophos software version number(s)
• Operating system(s) and patch level(s)
• The exact text of any error messages

For installations that are 1,000 endpoints or less, Sophos NAC can be installed on the same server as Sophos Enterprise Console. For installations that are 1,001 to 25,000 endpoints, the Sophos NAC application, the Sophos NAC databases, and Sophos Enterprise Console each requires a separate server, for a total of three servers.

Copyright © 2009 Sophos Group. All rights reserved. No part of this publication may be reproduced, stored in a retrieval system, or transmitted, in any form or by any means, electronic, mechanical, photocopying, recording or otherwise unless you are either a valid licensee where the documentation can be reproduced in accordance with the licence terms or you otherwise have the prior permission in writing of the copyright owner.

Sophos and Sophos Anti-Virus are registered trademarks of Sophos Plc and Sophos Group. All other product and company names mentioned are trademarks or registered trademarks of their respective owners.