Sophos NAC for Endpoint Security and Control version 3.5

About Sophos NAC

Sophos NAC provides easy-to-deploy network access control (NAC). It allows administrators to centrally define and manage security policies to identify and isolate non-compliant, compromised, or misconfigured computers accessing the corporate network. It integrates with existing network infrastructures and security applications from a wide range of vendors.

For information on installing Sophos NAC for the first time, see the Sophos Endpoint Security and Control quick startup guide.

This guide is available from the Sophos website.

New in this version

  • Improved NAC installation and upgrade: The NAC installation and upgrade times have been improved. The NAC upgrade takes much less time than previously.
  • Security application and profile support: NAC adds support for the latest releases of Sophos and third-party security software.
  • NAC adds support for 64-bit operating systems: The NAC Server, DHCP Enforcer, Dissolvable Agent, and Dissolvable Agent web server component support the following 64-bit server operating systems:
    • Windows Server 2003 SP2 and higher
    • Windows Server 2003 R2 base and higher
    • Windows Server 2008 base and higher
    • Windows Server 2008 R2 base and higher
  • NAC Databases adds support for 64-bit SQL Server: The NAC Databases support the following 64-bit SQL Servers:
    • SQL Server and SQL Server Express 2005 SP1 and higher
    • SQL Server and SQL Server Express 2008 base and higher
  • Compliance Agent and Dissolvable Agent add support for 64-bit operating systems: The Compliance and Dissolvable Agents support the following 64-bit operating systems:
    • Windows XP Professional SP2 and higher
    • Windows Vista Business, Enterprise, Ultimate, Home Premium, and Home Basic, base and higher
    • Windows 7 Home Premium, Professional, Enterprise, and Ultimate, base and higher
  • NAC Manager adds support for additional browsers: The NAC Manager now supports IE 7 and 8 and Firefox 3 and 3.5.
  • Dissolvable Agent adds support for additional browsers: The Dissolvable Agent now supports IE 7 and 8 and Firefox 3 and 3.5.
  • DHCP Enforcer no longer supports Windows Server 2000: The DHCP Enforcer can no longer be installed on a Microsoft DHCP server running Windows Server 2000.
  • NAC Manager no longer supports the IE 6 browser
  • Dissolvable Agent no longer supports the IE 6 browser
  • NAC Databases no longer support SQL Server 2000: The NAC Databases no longer support SQL Server 2000 or SQL Server 2000 MSDE.

Problems fixed in this version

There are no customer-facing problems that required fixes in this NAC release.

Known problems

Some descriptions include the relevant identifier in brackets. You can use this if you need to contact Sophos technical support.

  • The Compliance Agent installation may require you to restart the endpoint after installation for the following reasons:
    • During installation, you were prompted to shut down applications that were using shared resources, such as the XMLDOM, and you chose not to shut down these applications.
    • You are upgrading the Quarantine Agent and the upgrade uses a new version of the Agent Quarantine Manager, which is a kernel driver.
  • (SUG 21670) Sophos NAC will not install on the same server as Microsoft Sharepoint server.
  • (DEF 56259/56336) After installing or upgrading the Compliance Agent, Sophos Enterprise Console displays an "Awaiting policy from console" policy compliance status. This status indicates that the endpoint is waiting for a NAC policy from the NAC Server to determine policy compliance. Therefore, the Compliance Agent on the endpoint has not sent an updated policy compliance status to Sophos Enterprise Console. The workaround is to retrieve the NAC policy through a user-initiated compliance check. To do this, right-click the Quarantine Agent system tray icon on the endpoint, and select Check Compliance. This issue will also resolve itself automatically when the Compliance Agent retrieves the policy according to the Policy Refresh Interval, which is set to 4 hours by default.

Technical support

You can find technical support for Sophos products in any of these ways:

System requirements

For installations of 1,000 endpoints or fewer, Sophos NAC can be installed on the same server as Sophos Enterprise Console. For installations of 1,001 to 25,000 endpoints, the Sophos NAC Manager, the Sophos NAC Databases, and Sophos Enterprise Console each require a separate server, for a total of three servers.

NAC Server

  • 2 GHz Pentium 4 or equivalent
  • 1 GB RAM
  • Microsoft Windows Server (The following server versions are supported.)
    • Windows Server 2003 base and higher (32-bit)
    • Windows Server 2003 SP2 and higher (64-bit)
    • Windows Server 2003 R2 base and higher (32-bit and 64-bit)
    • Windows Server 2008 base and higher (32-bit and 64-bit)
    • Windows Server 2008 R2 base and higher (32-bit and 64-bit)
  • Internet Access
  • 3 GB of free hard disk space on the C drive
  • TCP/IP Protocol
  • Ethernet adaptor for a wired broadband connection or 802.11 wireless adaptor for wireless broadband connection
  • Web Certificate if you are using HTTPS
  • .NET 3.5 must be installed manually if the NAC Server is on a different server than Enterprise Console

NAC Databases

The computer where you place the NAC Databases (which may be the same computer or a different one) also needs:

  • Microsoft Windows Server (The following server versions are supported.)
    • Windows Server 2003 base and higher (32-bit)
    • Windows Server 2003 SP2 and higher (64-bit)
    • Windows Server 2003 R2 base and higher (32-bit and 64-bit)
    • Windows Server 2008 base and higher (32-bit and 64-bit)
    • Windows Server 2008 R2 base and higher (32-bit and 64-bit)
  • SQL Server (The following SQL Server versions are supported.)
    • SQL Server 2005 or SQL Server 2005 Express SP1 and higher (32-bit and 64-bit)

      If you use SQL Server 2005 Express, the maximum size that a database can reach is 4 GB. If you use Microsoft SQL Server 2005, there is no limit apart from the one set by the administrator.

    • SQL Server 2008 or SQL Server 2008 Express base and higher (32-bit and 64-bit)

      If you use SQL Server 2008 Express, the maximum size that a database can reach is 4 GB. If you use Microsoft SQL Server 2008, there is no limit apart from the one set by the administrator.

Web server hosting the Dissolvable Agent

  • Internet Information Services (IIS).
  • 10 MB of free hard disk space.

Endpoint running the Dissolvable Agent

  • Microsoft Windows operating system
    • Windows 2000 SP4 and higher (32-bit)
    • Windows XP SP1 (32-bit)
    • Windows XP SP2 and higher (32-bit and 64-bit)
    • Windows Vista (32-bit and 64-bit)
    • Windows 7 Home Premium, Professional, Enterprise, and Ultimate, base and higher (32-bit and 64-bit)
  • Microsoft Windows Server operating system (The following server versions are supported.)
    • Windows Server 2003 base and higher (32-bit)
    • Windows Server 2003 SP2 and higher (64-bit)
    • Windows Server 2003 R2 base and higher (32-bit and 64-bit)
    • Windows Server 2008 base and higher (32-bit and 64-bit)
    • Windows Server 2008 R2 base and higher (32-bit and 64-bit)
  • Microsoft Windows supported platforms (English, French, Spanish, German, Italian, Japanese, Simplified Chinese, and Traditional Chinese).
  • Microsoft Internet Explorer 7 or 8 or Firefox 3 or 3.5
  • Microsoft XMLDOM 3 or higher
  • Sun Java Runtime Environment (JRE) version 6 update 10 or higher

For the Agent endpoint requirements, refer to the Agent readme file that is installed on the endpoint.

Legal notices

Copyright © 2010 Sophos Group. All rights reserved. No part of this publication may be reproduced, stored in a retrieval system, or transmitted, in any form or by any means, electronic, mechanical, photocopying, recording or otherwise unless you are either a valid licensee where the documentation can be reproduced in accordance with the licence terms or you otherwise have the prior permission in writing of the copyright owner.

Sophos and Sophos Anti-Virus are registered trademarks of Sophos Plc and Sophos Group. All other product and company names mentioned are trademarks or registered trademarks of their respective owners.

ConvertUTF

Copyright 2001–2004 Unicode, Inc.

This source code is provided as is by Unicode, Inc. No claims are made as to fitness for any particular purpose. No warranties of any kind are expressed or implied. The recipient agrees to determine applicability of information provided. If this file has been purchased on magnetic or optical media from Unicode, Inc., the sole remedy for any claim will be exchange of defective media within 90 days of receipt.

Unicode, Inc. hereby grants the right to freely use the information supplied in this file in the creation of products supporting the Unicode Standard, and to make copies of this file in any form for internal or external distribution as long as this notice remains attached.