Sophos is a great anti-virus, anti-spam, etc. product, but installing the Small Business Edition on a workgroup can be something of a challenge. The Sophos Knowledgebase is deafeningly quiet on the issue too.
I had to install Sophos SBE on a client's network this week where they don't have a domain and I decided to write a batch file to do all the stuff that I believe is necessary to get it to work.
For this batch file to give the Sophos Update user the correct rights on the local system, you need the program ntrights.exe from the Windows Server 2003 Resource Kit Tools. I copied this into the same folder as the batch file for ease.
This is the batch file:
rem Create Sophos User for workgroup computers
rem Run this on each workstation AFTER the Sophos client has been installed,
rem otherwise the RouterNT.exe firewall exception below fails (program not there yet).
rem NOTE: this file contains a local administrator password in clear text. Delete it when done.
c:
cd\
if not exist c:\temp md c:\temp
cd temp
rem Fetch ntrights.exe (Windows Server 2003 Resource Kit) from the admin share
net use x: \\<servername>\data\admin\batch
copy x:\ntrights.exe
rem Change the bits in <> below to your choice of username and password.
rem A username containing spaces must be wrapped in double quotes on every line that uses it.
net user <Sophos Update User> <password> /ADD /COMMENT:"Sophos update user" /EXPIRES:NEVER
rem The update account has to be a local administrator for the Control Centre to install/manage the client
net localgroup administrators <Sophos Update User> /ADD
rem Grant the "log on as a batch job" and "log on as a service" rights the Sophos services need
ntrights -u <Sophos Update User> +r SeBatchLogonRight
ntrights -u <Sophos Update User> +r SeServiceLogonRight
del c:\temp\ntrights.exe
rem Add various exceptions to the firewall to allow Sophos Control Centre to work.
rem (These default to scope ALL, i.e. open to every address; see the comments below on restricting them.)
netsh firewall set service type = FILEANDPRINT mode = ENABLE
netsh firewall add allowedprogram "C:\Program Files\Sophos\Remote Management System\RouterNT.exe" "Sophos Remote Agent" ENABLE
rem TCP 8192-8194 must be reachable for the Control Centre to talk to the client
netsh firewall add portopening TCP 8192 Sophos
netsh firewall add portopening TCP 8193 Sophos
netsh firewall add portopening TCP 8194 Sophos
net use x: /del
Run this batch file after you have installed Sophos. I had to visit each machine anyhow to uninstall Symantec AV. I then ran \\<server>\sophos\boot\setup.exe and waited until Sophos had installed. If you run the batch file before the client is installed, the line

netsh firewall add allowedprogram "C:\Program Files\Sophos\Remote Management System\RouterNT.exe" "Sophos Remote Agent" ENABLE

will fail because the program isn't there yet.
A few comments:
- These are the steps I believe you have to take to get Sophos to work in a workgroup. If I've added too many exceptions or missed something out, please let me know.
- I wouldn't leave this batch file lying around if your client is concerned about security. Mind you, if they were, they'd have a domain......
- You might want to add some extra bits to the netsh firewall add commands to limit the port openings, etc. to the machine where the Sophos Control Centre resides. Again, this improves security. However, if your client was concerned about.... you know the rest.
- Even if you have a domain, you will have to add the 8192-8194 ports to the Windows Firewall GPO in your domain. Thanks to the M&Ms for documenting which ports need opening. It wasn't anywhere on the Sophos site I could find.....
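The scoped version of the firewall exceptions that the comments above suggest, plus a few checks that the account, its logon rights and the exceptions actually ended up in place. This is an added example and is not part of the original post or of anything Sophos ships; the Control Centre address 192.168.1.10 and the account name SophosUpd are assumed placeholders, and the weak (scope ALL) form is shown commented out beside the restricted one for comparison.

```batch
@echo off
rem Added example: Sophos firewall exceptions restricted to the Control Centre, with checks.
rem ASSUMPTIONS: the Control Centre lives at 192.168.1.10 and the update account is
rem called SophosUpd (no spaces, so no quoting needed). Change both to suit your site.
set SOPHOS_SERVER=192.168.1.10
set SOPHOS_USER=SophosUpd
set ROUTER="C:\Program Files\Sophos\Remote Management System\RouterNT.exe"

rem --- Weak form (what the batch file above does): port open to every address ---
rem netsh firewall add portopening TCP 8192 Sophos

rem --- Restricted form: TCP 8192-8194 accepted only from the Control Centre ---
for %%P in (8192 8193 8194) do (
    netsh firewall add portopening protocol = TCP port = %%P name = "Sophos %%P" mode = ENABLE scope = CUSTOM addresses = %SOPHOS_SERVER%
)
rem Same restriction for the Remote Management System router process
netsh firewall add allowedprogram program = %ROUTER% name = "Sophos Remote Agent" mode = ENABLE scope = CUSTOM addresses = %SOPHOS_SERVER%
rem File and Print Sharing is what the Control Centre uses to push the install; keep it to the local subnet
netsh firewall set service type = FILEANDPRINT mode = ENABLE scope = SUBNET

rem --- Check 1: account exists, never expires and is a local administrator ---
net user %SOPHOS_USER% | findstr /i "expires"
net localgroup administrators | findstr /i "%SOPHOS_USER%" || echo WARNING: %SOPHOS_USER% is not in Administrators

rem --- Check 2: the logon rights granted with ntrights are present ---
rem secedit exports the effective local policy; accounts appear as SIDs on these lines,
rem so look for the right name and confirm the SID count went up rather than the username.
secedit /export /cfg c:\temp\rights.inf /areas USER_RIGHTS >nul
findstr /i "SeBatchLogonRight SeServiceLogonRight" c:\temp\rights.inf
del c:\temp\rights.inf

rem --- Check 3: the exceptions and, crucially, their scope (ALL vs CUSTOM) ---
netsh firewall show portopening
netsh firewall show allowedprogram
netsh firewall show service
```

If the Control Centre is later moved, only the `SOPHOS_SERVER` value needs changing and the script re-run; `netsh firewall add` on an existing name updates the entry rather than duplicating it.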
The good news is..... you won't need to do any of this when v2 of the Sophos Small Business Suite comes out later this year, as it will be the client polling the server rather than the server looking for the clients. I was at the Sophos Partner conference in London yesterday and that was announced and given some fancy name which I've forgotten.......
Roll on v2 is all I can say......
Posted Fri, May 12 2006 9:05 PM by Ian Watkins