Sophos for vShield deployment and its challenges
Updated: May 5, 2020
Recently, I've been trying to get a Sophos for vShield deployment installed and running. Sophos for vShield delivers an agentless antimalware solution managed either from the on-premises Enterprise Management Console or from the Sophos cloud management platform, and relies on the VMware vShield solution to make this possible. This customer has a VDI environment consisting of a couple of hosts. While the environment itself is nothing special, the rollout of the Sophos for vShield solution was.
When you first get your licenses, you need to create an account on the Sophos website and add these licenses to it. You then get access to the specific downloads you need for the deployment, which consist of the Enterprise Management Console installer version 5.4.1 (note the version, we'll be getting back to that later on) and the SSVM installer tool version 2.1.4. The solution is based on the VMware vShield appliance, which was already installed and functionally available in this environment.
The installation of the management console itself is really straightforward. For this instance I used the onboard SQL Server Express 2012 on the same management server, since it's a temporary, small deployment. Once I got to installing the actual virtual appliances, everything seemed to install without any problems: the appliance found my vCenter and the relevant hosts, the IP information and the two vCenter users were already in place, and the installer reported that the installation finished successfully.
In the user manual supplied by Sophos, there was a mention of the fact that the Sophos Security Virtual Machine, or SSVM for short, would report itself to my Enterprise Management Console. As it turns out, it didn't for some reason. I retried the installation for another host in the cluster, just to make sure there was no error in communication, IP addressing or DNS, but this second one also failed. Again, installation of the appliance itself was successful, but it simply never showed up in my console.
After logging a call with Sophos, it turns out that the problem lies in the version of the management console you are supplied with. From 5.4.1 onwards, a number of security features have been put in place, effectively hampering communication with a number of other Sophos components. This has to do with the fact that SSL protocols and cipher suites have come under scrutiny of late, resulting in weak ciphers and protocols being disabled in new releases of all kinds of software. The results of this can also be seen when using your internet browser to connect to all sorts of older management interfaces: you often wind up having to use older (often portable) versions of browsers to gain access to them.
But back to Sophos: the normal software and update structure is referred to as Recommended. This applies not only to the installer versions you download, but also to your Update Manager configuration. The Enterprise Console version 5.4.1 has these nice new security features implemented and is downloadable as the Recommended version, but the Recommended version of the SSVM installation tool is version 2.1.4, which is incompatible with the new version of the console, as stated in the KB article referred to by Sophos support:
The problem is described as being due to the implementation of SHA-2 certificates and TLS 1.2 as the default protocols for all communication from and to the Enterprise Management Console.
Once I downloaded the Preview version 2.1.8 of the SSVM installer and set my update subscription to Preview instead of Recommended, the installation went off without a hitch. After changing the Update Manager to the Preview version, it is important to point the SSVM installer wizard to the newly created CID folder for the installation to work. If you had a \\CIDs\S000 folder, a new one called S001 will be created in the same folder when you add the Preview subscription. The SSVM installation tool needs to be pointed at exactly this folder. If you only point it to \\%servername%\SophosUpdate like you would for the normal security endpoint, the installation does not continue and reports that no installers were found. The correct entry for use during the installation is: \\%servername%\SophosUpdate\CIDs\S001\savvshield
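To avoid guessing which Sxxx folder the Preview subscription created, the following PowerShell function (an added example, not code from the original post or from Sophos) walks the CIDs folder on the SophosUpdate share and reports which CID folders actually carry a savvshield installer. The function name and the server name in the example call are assumptions; the share name, the CIDs\Sxxx layout and the savvshield subfolder are taken from the post.

```powershell
# Added example (not from the original post): find the CID folder(s) under the
# SophosUpdate share that contain the SSVM installer, so the wizard can be
# pointed at \\<server>\SophosUpdate\CIDs\Sxxx\savvshield instead of the share
# root, which the post notes fails with "no installers found".
function Find-SsvmInstallerPath {
    [CmdletBinding()]
    param(
        # Name of the Enterprise Console / Update Manager server (assumption: a placeholder).
        [Parameter(Mandatory)]
        [string] $ServerName
    )

    $shareRoot = "\\$ServerName\SophosUpdate"
    $cidRoot   = Join-Path $shareRoot 'CIDs'

    if (-not (Test-Path -Path $cidRoot -PathType Container)) {
        throw "Cannot reach '$cidRoot': check the share name, DNS and share permissions."
    }

    # Each update subscription (Recommended, Preview, ...) gets its own Sxxx folder.
    $cidFolders = Get-ChildItem -Path $cidRoot -Directory -Filter 'S*' | Sort-Object Name

    $report = foreach ($cid in $cidFolders) {
        $installerPath = Join-Path $cid.FullName 'savvshield'
        [pscustomobject]@{
            Cid           = $cid.Name
            InstallerPath = $installerPath
            # Only folders that contain 'savvshield' are valid wizard targets.
            HasSsvm       = Test-Path -Path $installerPath -PathType Container
        }
    }

    if (-not ($report | Where-Object HasSsvm)) {
        Write-Warning "No CID folder under '$cidRoot' contains 'savvshield'. Add the Preview subscription in Update Manager and wait for it to sync."
    }

    # Return one object per CID folder; filter on HasSsvm to get the usable path(s).
    $report
}

# Example call (hypothetical server name):
# Find-SsvmInstallerPath -ServerName 'SOPHOS-EMC01' | Where-Object HasSsvm | Select-Object -ExpandProperty InstallerPath
```

Run it from an account that can read the SophosUpdate share; the InstallerPath of the row with HasSsvm set to True is the value to enter in the SSVM installer wizard.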
In conclusion, it would have been nice if the installers you get when using the Recommended versions and the current Enterprise Console were able to communicate with each other. Sophos has noted that this will be fixed in future releases, so this should (luckily) be a temporary problem.