Sophos NAC for Endpoint Security and Control release notes 3.3

About Sophos NAC

Sophos NAC provides easy-to-deploy network access control (NAC). It allows administrators to centrally define and manage security policies to identify and isolate non-compliant, compromised, or misconfigured computers accessing the corporate network. It seamlessly integrates with existing network infrastructures and security applications for a wide range of vendors.

For information on installing Sophos NAC for the first time, see the Sophos Endpoint Security and Control quick startup guide.

This guide is available from the Sophos website.

New in this version

  • DHCP enforcement simplified: Simplified DHCP enforcement provides an easy way to configure network access control for guest users. The NAC Manager has an added DHCP Configuration Wizard that walks you through the DHCP configuration process.
  • Dissolvable Agent: The Dissolvable Agent is a Java-based Agent that replaces the ActiveX-based Web Agent. The Dissolvable Agent provides assessment and enforcement capabilities for a guest or unmanaged user. The Dissolvable Agent supports users that have restricted user access.
  • Encryption software support: NAC has added profiles and assessment capabilities for Utimaco's SafeGuard Easy, SafeGuard Enterprise software and Sophos SafeGuard Disk Encryption. The Sophos SafeGuard Disk Encryption profile has been added to the Managed policy.
  • Multi-language messaging: To better support non-English-speaking users, NAC enables customers to create messages in eight languages. The Agent will display messages to users in all Sophos-supported languages (English, French, Spanish, German, Italian, Japanese, Simplified Chinese, and Traditional Chinese).
  • Security application and profile support: NAC has added updated support for the latest releases of third-party security software.
  • Sophos software support: NAC has added two new remediation actions for Sophos Anti-Virus. The two new remediation actions are Enable Real-Time Protection and Apply SEC Policy.
  • Windows Server 2008 support: NAC will install and run on Windows Server 2008.
  • SQL Server 2008 and SQL Server 2008 Express support: The NAC Databases will install and run on SQL Server 2008 and SQL Server 2008 Express.
  • Compliance Agent activity in Sophos Enterprise Console: The Agent reports that it is installed and working. This activity can be viewed in Enterprise Console.
  • Sophos software components renamed: NAC has renamed a few of its software components. The following names are now used:
    Previous Name            New Name
    NAC Agent                Agent or Compliance Agent
    NAC Dissolvable Agent    Dissolvable Agent or Compliance Dissolvable Agent

Problems fixed in this version

  • (TT 19073) The NAC Manager DHCP reports return entries outside of the specified date/time criteria. In the DHCP Enforcer and DHCP Exemption reports, the results include report entries that are outside of the defined date/time range that is specified when the report is run.

Sophos NAC 3.3 no longer supports the ActiveX-based Web Agent because it has been replaced with the Java-based Dissolvable Agent. The following issues are resolved for this reason:

  • (TT 19250) On endpoints running the Windows Vista operating system, the NAC Web Agent cannot be installed automatically if the NAC Agent was previously installed and uninstalled. If the NAC Agent was previously installed and then uninstalled on an endpoint running the Windows Vista operating system, and then a Web Agent installation is attempted on that same endpoint, the Web Agent installation will fail.
  • (TT 18848) The NAC Web Agent doesn’t run in IE 7 with Protected Mode on. This is the default setting for every zone except the Trusted Sites zone. The workaround is to add the Web Agent URL to the Trusted Sites zone, which has Protected Mode set to Off by default.

Known problems

Some descriptions include the relevant identifier in brackets. You can use this if you need to contact Sophos technical support.

  • (DEF40238) If you selected Use SEC Proxy Settings during the NAC installation, the proxy configuration will not work. The workaround is to select Use Proxy rather than Use SEC Proxy Settings during the NAC installation. You can then specify the same proxy information as SEC. If you have installed NAC and selected Use SEC Proxy Settings, access the NAC Manager > Configure System > Server Settings page. Select the NAC server to update its proxy setting. Select Use Proxy from the Proxy Settings list. Then specify the same proxy information as SEC.
  • The NAC Agent installation may require you to restart the endpoint after installation for the following reasons:
    • During installation, you were prompted to shut down applications that were using shared resources, such as the XMLDOM, and you chose not to shut down these applications.
    • You are upgrading the Quarantine Agent and the upgrade uses a new version of the Agent Quarantine Manager which is a kernel driver.
  • (DEF 23404) When NAC remediates Symantec AntiVirus 11.x to enable real-time protection, NAC may not detect that real-time protection has been enabled until Symantec AntiVirus completes an initial scan.
  • (DEF 23386) The Symantec 11.x application has been added to this version of NAC. However, there is no pre-defined profile for Symantec 11.x. The workaround is for customers to create their own profile for Symantec 11.x.
  • (SUG 21670) Sophos NAC will not install on the same server as Microsoft SharePoint server.
  • (TT 18853) The Update remediation action for McAfee AntiSpyware 2.0 requires user interaction. If the Agent launches an Update remediation action for McAfee AntiSpyware 2.0, a dialog box displays and the update does not start until the user clicks Update.
  • (DEF 11485) For Symantec Client Security 10.x Firewall, if the Enabled capability check is run on the endpoint less than 60 seconds after the firewall is enabled, the NAC software returns inconsistent results when detecting the Enabled capability. The workaround is to ensure that more than 60 seconds have passed after the firewall was enabled before attempting to detect the Enabled capability.
  • (DEF11506) The Compliance Agent and the Dissolvable Agent do not detect Proventia Desktop Firewall 8.x.
  • (DEF 11438) The Last Scan Grace Period or Last Scan Date capability for McAfee Anti-Virus 4.5.1 on Windows XP SP2 always returns a non-compliant result.
  • (DEF 11396) The Last Scan Grace Period or Last Scan Date capability for Sophos Anti-Virus 7.x on the French operating system always returns a non-compliant result.

Additional information

Technical support

For technical support, visit http://www.sophos.com/support.

If you contact technical support, provide as much information as possible, including the following:

  • Sophos software version number(s)
  • Operating system(s) and patch level(s)
  • The exact text of any error messages

System requirements

For installations of 1,000 endpoints or fewer, Sophos NAC can be installed on the same server as Sophos Enterprise Console. For installations of 1,001 to 25,000 endpoints, the Sophos NAC application, the Sophos NAC databases, and Sophos Enterprise Console each require a separate server, for a total of three servers.

NAC server

  • 2 GHz Pentium 4 or equivalent
  • 1 GB RAM
  • Windows Server (The following Windows Server versions are supported.)
    • Windows 2003 Server base or higher
    • Windows 2003 R2 Server base or higher
    • Windows 2008 Server base or higher
  • Internet Access
  • 3 GB of free hard disk space on the C drive
  • TCP/IP Protocol
  • Ethernet adaptor for a wired broadband connection or 802.11 wireless adaptor for a wireless broadband connection
  • Web Certificate if you are using HTTPS

NAC databases

The computer where you place the NAC databases (which may be the same computer or a different one) also needs:

  • Windows Server (The following Windows Server versions are supported.)
    • Windows 2000 SP3 or higher if installing the NAC databases on a separate server
    • Windows 2003 base or higher
    • Windows Server 2003 R2 base or higher
    • Windows Server 2008 base or higher
  • SQL Server (The following SQL Server versions are supported.)
    • SQL Server 2000 or SQL Server 2000 MSDE with SP3a or higher

      If you use MSDE, the maximum size that a database can reach is 2 GB. If you use Microsoft SQL Server 2000, there is no limit apart from the one set by the administrator.

    • SQL Server 2005 or SQL Server 2005 Express

      If you use SQL Server 2005 Express, the maximum size that a database can reach is 4 GB. If you use Microsoft SQL Server 2005, there is no limit apart from the one set by the administrator.

    • SQL Server 2008 or SQL Server 2008 Express

      If you use SQL Server 2008 Express, the maximum size that a database can reach is 4 GB. If you use Microsoft SQL Server 2008, there is no limit apart from the one set by the administrator.

Copyright

Copyright © 2009 Sophos Group. All rights reserved. No part of this publication may be reproduced, stored in a retrieval system, or transmitted, in any form or by any means, electronic, mechanical, photocopying, recording or otherwise unless you are either a valid licensee where the documentation can be reproduced in accordance with the licence terms or you otherwise have the prior permission in writing of the copyright owner.

Sophos and Sophos Anti-Virus are registered trademarks of Sophos Plc and Sophos Group. All other product and company names mentioned are trademarks or registered trademarks of their respective owners.