Sophos NAC for Endpoint Security and Control release notes 3.1.2

About Sophos NAC

Sophos NAC provides easy-to-deploy network access control (NAC). It allows administrators to centrally define and manage security policies to identify and isolate non-compliant, compromised, or misconfigured computers accessing the corporate network. It seamlessly integrates with existing network infrastructures and security applications for a wide range of vendors.

For information on installing Sophos NAC for the first time, see the Sophos Endpoint Security and Control quick start guide.

This guide is available from the Sophos website.

New in this version

  • SQL Server 2005 support
  • SQL Server 2005 Express support
  • NAC installation drive specification and space indication improvements
  • Authenticated proxy support for the NAC server
  • Authenticated proxy support for the NAC Agent
  • NAC Agent downgrade support for all future NAC Agent releases
  • Updated support for the latest versions of security software

Problems fixed in this version

  • (DEF 13468) The NAC installation progress window displays progress very slowly and the time remaining value may not change for a period of time.
  • (DEF 15250) The NAC Manager is displaying some of the detection rules for the Sophos applications. All detection rules should be hidden regardless of the application and vendor.
  • (QUE 19055) The NAC installation is slow because the size of the NAC databases is configured for large companies rather than medium-sized companies.
  • (SUG 19421) The NAC installation does not install to any other drive except C.
  • (DEF 20340) The NAC installation does not check for database disk space.
  • (DEF 20408) If you add an executable network resource to an Agent Enforcer access template and click Save As New, you receive an error.
  • (SUG 20582) The vertical axis scale on the Current Compliance and Compliance Trend charts that appear on the NAC Manager home page does not display information using whole numbers.
  • (DEF 23529) The NAC Agent is unable to enforce NAC policy if it encounters an unknown adaptor type.
  • (DEF 30356) The NAC Agent will deny Sophos Auto Update (SAU) requests if SAU has an invalid certificate.
  • (DEF 30743) The Sophos code signing certificate is set to expire in March 2009.

Known problems

Some descriptions include the relevant identifier in brackets. You can use this if you need to contact Sophos technical support.

  • The NAC Agent installation may require you to restart the endpoint after installation for the following reasons:
    • During installation, you were prompted to shut down applications that were using shared resources, such as the XMLDOM, and you chose not to shut down these applications.
    • You are upgrading the Quarantine Agent and the upgrade uses a new version of the Agent Quarantine Manager, which is a kernel driver.

  • (DEF 23404) When NAC remediates Symantec AntiVirus 11.x to enable real-time protection, NAC may not detect that real-time protection has been enabled until Symantec AntiVirus completes an initial scan.
  • (DEF 23386) The Symantec 11.x application has been added to this version of NAC. However, there is no pre-defined profile for Symantec 11.x. The workaround is for customers to create their own profile for Symantec 11.x.
  • (SUG 21670) Sophos NAC will not install on the same server as Microsoft Sharepoint server.
  • (TT 19250) On endpoints running the Windows Vista operating system, the NAC Web Agent cannot be installed automatically if the NAC Agent was previously installed and uninstalled. If the NAC Agent was previously installed and then uninstalled on an endpoint running the Windows Vista operating system, and then a Web Agent installation is attempted on that same endpoint, the Web Agent installation will fail. The issue is a result of how the Vista operating system uses XMLDOM, which is included as part of the Web Agent installation CAB file. For the installation to work correctly, you must first manually install XMLDOM, and then attempt to install the Web Agent again.
  • (TT 18848) The NAC Web Agent doesn’t run in IE 7 with Protected Mode on. This is the default setting for every zone except the Trusted Sites zone. The workaround is to add the Web Agent URL to the Trusted Sites zone, which has Protected Mode set to Off by default.
  • (TT 18853) The Update remediation action for McAfee AntiSpyware 2.0 requires user interaction. If the Agent launches an Update remediation action for McAfee AntiSpyware 2.0, a dialog box displays and the update does not start until the user clicks Update.
  • (DEF 11485) For Symantec Client Security 10.x Firewall, if the Enabled capability check is run on the endpoint less than 60 seconds after the firewall is enabled, the NAC software returns inconsistent results when detecting the Enabled capability. The workaround is to ensure that more than 60 seconds has passed after the firewall was enabled before attempting to detect the Enabled capability.
  • (DEF 11506) The NAC Agent and Web Agent do not detect Proventia Desktop Firewall 8.x.
  • (DEF 11438) The Last Scan Grace Period or Last Scan Date capability for McAfee Anti-Virus 4.5.1 on Windows XP SP2 always returns a non-compliant result.
  • (DEF 11396) The Last Scan Grace Period or Last Scan Date capability for Sophos Anti-Virus 7.x on the French operating system always returns a non-compliant result.

DHCP enforcement known problems

  • (TT 19073) The NAC Manager DHCP reports return entries outside of the specified date/time criteria. In the DHCP Enforcer and DHCP Exemption reports, the results include report entries that are outside of the defined date/time range that is specified when the report is run.

Additional information

Technical support

For technical support, visit http://www.sophos.com/support.

If you contact technical support, provide as much information as possible, including the following:

  • Sophos software version number(s)
  • Operating system(s) and patch level(s)
  • The exact text of any error messages

System requirements

For installations of 1,000 endpoints or fewer, Sophos NAC can be installed on the same server as Sophos Enterprise Console. For installations of 1,001 to 25,000 endpoints, the Sophos NAC application, the Sophos NAC databases, and Sophos Enterprise Console each require a separate server, for a total of three servers.

NAC server

  • 2 GHz Pentium 4 or equivalent
  • 1 GB RAM
  • Windows 2003 server base or higher or Windows 2003 R2 base or higher
  • Internet Access
  • 3 GB of free hard disk space on the C drive
  • TCP/IP Protocol
  • Ethernet adaptor for a wired broadband connection or 802.11 wireless adaptor for wireless broadband connection
  • Web Certificate if you are using HTTPS

NAC databases

The computer where you place the NAC databases (which may be the same computer or a different one) also needs:

  • Windows Server 2003 base or higher or Windows Server 2003 R2 base or higher if installing on the same server. If installing on a different server, Windows Server 2000 with SP3 and higher is supported.
  • SQL Server (The following SQL Server versions are supported.)
    • SQL Server 2000 or SQL Server 2000 MSDE with SP3a or higher

      If you use MSDE, the maximum size that a database can reach is 2 GB. If you use Microsoft SQL Server 2000, there is no limit apart from the one set by the administrator.

    • SQL Server 2005 or SQL Server 2005 Express

      If you use SQL Server 2005 Express, the maximum size that a database can reach is 4 GB. If you use Microsoft SQL Server 2005, there is no limit apart from the one set by the administrator.

Copyright

Copyright © 2009 Sophos Group. All rights reserved. No part of this publication may be reproduced, stored in a retrieval system, or transmitted, in any form or by any means, electronic, mechanical, photocopying, recording or otherwise unless you are either a valid licensee where the documentation can be reproduced in accordance with the licence terms or you otherwise have the prior permission in writing of the copyright owner.

Sophos and Sophos Anti-Virus are registered trademarks of Sophos Plc and Sophos Group. All other product and company names mentioned are trademarks or registered trademarks of their respective owners.