Citrix App Layering recipe for Sophos Endpoint Protection

In this guide I discuss the steps involved for a successful deployment of Sophos Endpoint Protection in a Citrix App Layer.

There are two layers you need to work on to successfully layer Sophos. An Application Layer of course and also the OS Layer.

As you may or may not know, the SAM Database is only writeable in the OS Layer and any user or group created in Application Layers are not captured. To layer Sophos we need to create a local user and couple of local groups and for this reason the OS Layer is used for user/group creations and the Application Layer is used to store the Endpoint Protection software, all configurations and definition updates.

To begin, open a new version of your OS Layer and create the following local Groups:

  • SophosAdministrator
    • Add Domain Admins or other groups who should be Sophos administrators to this local group.
  • SophosOnAccess
  • SophosPowerUser
    • Add groups that should be designated as Sophos Power Users to this local group.
  • SophosUser
    • Add your Domain Users group here.

Next create a user account. Keep a secure note of the password and make sure the password is long. Check Password never expires and click Create.

Add this local account to the SophosUser group. Click OK. At this stage you should finalise the OS layer.

Create a new Application Layer for Sophos and install Endpoint Protection using your normal methods. Configure Sophos settings and any exclusions as desired. Next browse to %ProgramData%\Sophos\AutoUpdate\Config and open iconn.cfg in notepad.

Next to AllowLocalConfig = change the value from 0 to 1. Save and close the configuration file.

Open Sophos and browse to the Secondary location tab. Enter any value next to fields Address and User name. Click Change next to Password.

Enter the password value you used when creating the local Sophos user account in the OS Layer. Click OK.

Click OK.

A new file is created in the %ProgramData%\Sophos\AutoUpdate\Config directory named iconnlocal.cfg. Open this file in a text editor.

Copy the value beside UserPassword=

Open Sophos again, navigate to the Secondary location tab and remove any values in Address/User name/Password fields and click OK.

Open iconn.cfg again, this time changing the value of AllowLocalConfig back to 0. Save and close the file.

You should make sure to delete the iconnlocal.cfg file as it is no longer needed.

Open RegEdit and navigate to HKLM\SOFTWARE\WOW6432Node\Sophos\AutoUpdate\Service. Now double click REG_SZ Download Password.

Replace the existing value with the value you copied from iconnlocal.cfg. Next click Download User and replace the existing value with the name of the local Sophos account you created in the OS Layer.

Open services.msc and manually stop the Sophos AgentSophos AutoUpdate Service and Sophos Message Router.

Navigate to %ProgramData\Sophos\AutoUpdate\data and delete machine_ID.txt.

Within RegEdit, navigate to HKLM\SOFTWARE\WOW6432Node\Sophos\Messaging System\Router\Private and delete both pkc and pkp REG_BINARY objects.

Navigate to HKLM\SOFTWARE\WOW6432Node\Sophos\Remote Management\ManagementAgent\Private and again delete both pkc and pkp REG_BINARY objects.

Finish off the layer by running preparation jobs such as NGEN.

Finally run Shutdown For Finalize. You are now ready to publish Sophos as a layer.



    July 31, 2017

    Will try this as had found installing in the OS layer worked but means any future changes to Sophos meant making changes in the OS layer

  • sharif

    August 14, 2017

    Most OS layer’s are created on a system that is not a domain joined machine, that is part of the sysprep process when machines are created. So how would you add a domain account to the local Sophos Groups on a OS Layer machine??

    • George Spiers

      August 14, 2017

      You temporarily join the OS Layer to the domain, add the groups, remove machine from domain and then finalise the image.

  • Sharif

    August 14, 2017

    Gotcha! I will give that a go.

  • dalip

    August 23, 2017

    SophosupdateACC is missing in the application layer.
    Also the secondary address location is greyed out

    • George Spiers

      August 23, 2017

      The secondary address location will be greyed out by default until you edit file iconn.cfg and change AllowLocalConfig = from 0 to 1. You also create the SophosUpdateAcc account in the OS Layer, so complete this step first before creating a Sophos layer.

      • dalip

        August 23, 2017

        HI George

        I had picked wrong OS layer.
        I have been able to install Sophos. However when I publish I am getting error could not contact the server.
        All the services are up
        error there was a problem establishing connection to the server windows API call returned error 1326

  • George Spiers

    August 23, 2017

    Hi Dalip. Not seen that error before but it is best you recreate the Sophos layer and follow the steps carefully. Also review the OS Layer version and make sure the correct groups/user is created and membership is correct.


Leave a Reply