Sophos NAC Advanced release notes 3.04

About Sophos NAC Advanced

Sophos NAC Advanced provides network access control (NAC). It allows administrators to centrally define and manage security policies to identify and isolate non-compliant, compromised, or misconfigured computers accessing the corporate network. It seamlessly integrates with existing network infrastructures and security applications for a wide range of vendors.

For information on installing Sophos NAC for the first time, see the Sophos NAC Advanced Installation Guide. This guide is available from the Sophos website.

New in this version

  • SQL Server 2005 support
  • SQL Server 2005 Express support
  • NAC server support on foreign operating systems
  • Updated support for latest versions of security software.

Known problems

Some descriptions include the relevant identifier in brackets. You can use this if you need to contact Sophos technical support.

  • The NAC Agent installation may require you to restart the endpoint after installation for the following reasons. During installation, you were prompted to shut down applications that were using shared resources, such as XMLDOM 4, and you chose not to shut down these applications. You are upgrading the Quarantine Agent and the upgrade uses a new version of the Agent Quarantine Manager which is a kernel driver.
  • (DEF 24787) The NAC Advanced 3.04 upgrade provides updates to security applications and patches. If you have created profiles for security applications or patches, after the upgrade, these profiles may produce errors when you add them to policy. The workaround is to re-create the profiles. The new profiles will contain the new updates and no errors will occur. This issue applies only to profiles that you have created. It does not apply to the pre-configured profiles that come with Sophos NAC.
  • (DEF 22798) The NAC Advanced 3.04 upgrade may result in two operating system profiles with slightly different names. This scenario occurs if two operating system profiles exist with the same name. During the NAC Advanced upgrade, the upgrade will update the operating system profile that was originally installed with NAC Advanced. The upgrade will rename the other profile of the same name so it includes a "UD" for user defined. This is not an issue with new installations because all profile names are unique.
  • (DEF 24324) The NAC Advanced 3.04 upgrade removes support for all versions of BPS Spyware Remover. Prior to the NAC Advanced 3.04 upgrade, you should remove BPS Spyware Remover from all policies. If you need support for BPS Spyware Remover, you can create a custom application using the NAC Manager.
  • (DEF 18447) NAC Agent registration will fail during a Sophos NAC upgrade if the NAC Agent is registering for the first time. The NAC Agent registration failure occurs even if the NAC application server is in maintenance mode. There are two workarounds. Prior to placing the NAC application server in maintenance mode, access the Sophos NAC web interface, select Configure System > Agent Registration, and select the Once option button. Complete the NAC upgrade. Once the upgrade completes, change the Agent Configuration setting back to its original setting. If you have begun the upgrade and the end user is receiving an error, have the end user click Check Compliance on the dialog box containing the registration error. This resolves the error.
  • (DEF 23404) When NAC remediates Symantec AntiVirus 11.x to enable real-time protection, NAC may not detect that real-time protection has been enabled until Symantec AntVirus completes an initial scan.
  • (DEF 23386) The Symantec 11.x application has been added to this version of NAC. However, there is no pre-defined profile for Symantec 11.x. The workaround is for customers to create their own profile for Symantec 11.x.
  • (DEF 13468) The NAC installation progress window displays progress very slowly and the time remaining value may not change for a period of time.
  • (TT 18506) If the Agent was previously installed with a particular setting set, and then is uninstalled and reinstalled with another Agent where that setting is not set, the setting from the first installation is used. The workaround is to specify default values for all settings that you have used in previous installations.
  • (TT 18853) The Update remediation action for McAfee AntiSpyware 2.0 requires user interaction. If the Agent launches an Update remediation action for McAfee AntiSpyware 2.0, a dialog box is displayed and the update is not started until the user clicks Update.
  • (DEF 11485) For Symantec Client Security 10.x Firewall, if the Enabled capability check is run on the endpoint less than 60 seconds after the firewall is enabled, the NAC software returns inconsistent results when detecting the Enabled capability. The workaround is to ensure that more than 60 seconds has passed after the firewall was enabled before attempting to detect the Enabled capability.
  • (DEF 11438) The Last Scan Grace Period or Last Scan Date capability for McAfee Anti-Virus 4.5.1 on Windows XP SP2 always returns a non-compliant result.
  • (DEF 11396) The Last Scan Grace Period or Last Scan Date capability for Sophos Anti-Virus 7.x on the French operating system always returns a non-compliant result.
  • (TT 18969) In the NAC Manager, the Help Desk security role account cannot delete an active Agent registration. The workaround is to use an account with Administrator privileges to delete an Active Agent registration.

DHCP enforcement known problems

  • The NAC Manager DHCP reports return entries outside of the specified date/time criteria.

    (TT 19073) In the DHCP Enforcer and DHCP Exemption reports, the results include report entries that are outside of the defined date/time range that is specified when the report is run.

  • In the NAC Manager, an error displays after being prompted for a unique name for the DHCP scope exemption.

    (TT 19300) In the Enforce > Exemptions area of the NAC Manager, if you create a DHCP scope exemption, assign an existing name to the exemption, and then attempt to save the exemption, you are prompted for a unique name. However, once you type a unique name and attempt to save the exemption, an error displays.

Additional information

Some descriptions include the relevant identifier in brackets. You can use this if you need to contact Sophos technical support.

Technical support

For technical support, visit

If you contact technical support, provide as much information as possible, including the following:

  • Sophos software version number(s)
  • Operating system(s) and patch level(s)
  • The exact text of any error messages

System requirements

Sophos NAC Advanced may be installed on one server for evaluations and small installations. For larger installations, Sophos requires that you install the SQL server databases and the application on separate servers.

NAC server

  • 2 GHz Pentium 4 or equivalent
  • 1 GB RAM
  • Windows 2003 server base or higher or Windows 2003 R2 base or higher
  • Internet Access
  • 3 GB of free hard disk space on the C drive
  • TCP/IP Protocol

    Ethernet adaptor for a wired broadband connection or 802.11 wireless adaptor for wireless broadband connection

    Web Certificate if you are using HTTPS

NAC databases

The computer where you place the NAC databases (which may be the same computer or a different one) also needs:

  • Windows Server 2003 base or higher or Windows Server 2003 R2 base or higher if installing on the same server. If installing on a different server, Windows Server 2000 with SP3 and higher is supported.
  • SQL Server 2000 or SQL Server 2000 Desktop Engine Edition (MSDE) with SP3a or higher

    If you use MSDE, the maximum size that a database can reach is 2 GB. If you use Microsoft SQL Server 2000, there is no limit apart from that set by the administrator.

  • SQL Server 2005 or SQL Server 2005 Express

    If you use SQL Server 2005 Express, the maximum size that a database can reach is 4 GB. If you use Microsoft SQL Server 2005, there is no limit apart from that set by the administrator.


Copyright © 2008 Sophos Group. All rights reserved. No part of this publication may be reproduced, stored in a retrieval system, or transmitted, in any form or by any means, electronic, mechanical, photocopying, recording or otherwise unless you are either a valid licensee where the documentation can be reproduced in accordance with the licence terms or you otherwise have the prior permission in writing of the copyright owner.

Sophos and Sophos Anti-Virus are registered trademarks of Sophos Plc and Sophos Group. All other product and company names mentioned are trademarks or registered trademarks of their respective owners.