Update Cache Selection
I work for a Sophos Partner, and have encountered some issues with the Update Cache functionality for a number of customers due to the Cache Selection algorithm only comparing the BITS of the address, and using this to find the nearest cache.
For one customer, this results in all WAN users using the lowest bandwidth site, and effectively shutting this site down with 1200 clients updating from this site.
One of the customers has had the EA access enabled for Message Routing, and this also enables them to assign computers to use a specific update cache. This is on a per-machine basis, not based on groups.
While I am in favour of minimising configuration, and automating things as much as possible, ideally, the cache selection algorithm should allow customers to specify some criteria for cache use. The following are potential options:
Allow customers to specify a "Scope" for each cache. If the scope is blank (default), then anyone can use the cache/relay. If you populate it with one or more networks, only those networks can use the cache/relay.
Allow groups of clients to be assigned to a cache, rather than individual machines. This could be achieved either through Update Policies, and a priority list of caches could be set. If left at default (auto), this would use existing behaviour.
Implement some sort of cache/relay priority weighting where caches with a higher priority are used in preference to a cache with a lower priority.
Use actual performance metrics to determine which cache is the fastest.
Any one or a combination of the above would go a long way to addressing the Update Cache selection issues we have seen in our customer networks.
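Added example, not part of the original post and not Sophos code: a simplified model of the selection problem described above, set beside the proposed "Scope" and priority options. It assumes "comparing the bits of the address" means picking the cache that shares the most leading address bits with the client; the cache names, addresses, scopes and priorities are constructed.

```python
import ipaddress

# Constructed sample data: a low-bandwidth branch cache and a well-connected HQ cache.
# "scope" and "priority" are the hypothetical settings proposed in the post.
CACHES = [
    {"name": "branch-uc", "ip": "10.20.0.5", "scope": ["10.20.0.0/24"], "priority": 100},
    {"name": "hq-uc", "ip": "10.130.0.5", "scope": [], "priority": 50},
]


def common_prefix_bits(a, b):
    """Number of leading bits two IPv4 addresses have in common (0 to 32)."""
    diff = int(ipaddress.IPv4Address(a)) ^ int(ipaddress.IPv4Address(b))
    return 32 - diff.bit_length()


def select_by_bits(client, caches):
    """Assumed current behaviour: the numerically 'nearest' address wins."""
    return max(caches, key=lambda c: common_prefix_bits(client, c["ip"]))["name"]


def in_scope(client, cache):
    """An empty scope (the default) means any client may use the cache."""
    addr = ipaddress.ip_address(client)
    nets = [ipaddress.ip_network(n) for n in cache["scope"]]
    return not nets or any(addr in n for n in nets)


def select_by_scope(client, caches):
    """Proposed behaviour: filter by scope, then prefer higher priority,
    falling back to bit proximity to break ties."""
    eligible = [c for c in caches if in_scope(client, c)]
    if not eligible:
        return None  # no cache allowed: the client would update directly
    best = max(eligible,
               key=lambda c: (c["priority"], common_prefix_bits(client, c["ip"])))
    return best["name"]


if __name__ == "__main__":
    wan_client = "10.21.7.9"      # constructed remote/WAN user address
    branch_client = "10.20.0.44"  # constructed on-site branch address
    for client in (wan_client, branch_client):
        print(client, "bits ->", select_by_bits(client, CACHES),
              "| scope+priority ->", select_by_scope(client, CACHES))
```

The WAN client shares 15 leading bits with the branch cache but only 8 with the HQ cache, so bit matching sends it to the low-bandwidth site even though the two are on different networks.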
+2000 - We have the same issues. 1500 Clients scattered over 40 MPLS subnets, with no ability to assign the 'Lowest Cost' connections. Endpoints are updating across WAN links willy-nilly!!
+1 We are experiencing the same issue. All clients get updates through WAN from another site... I can't figure out why it's designed that way.
Vinny Stipo commented
+1 Just submitted a request, unacceptable that you have to manually assign endpoints to avoid this issue, no option to group endpoints to cache/relay.
Agreed. There needs to be a better way to determine the best cache server for endpoints. i.e. which is closest geographically or by ping response.
Thanks for this idea!
Chiraag Patel commented
I have devices going across the WAN to get the updates. That is absurd.
I should not have to assign endpoints manually one by one.
There should be a way to assign IP subnets to certain UCs.
The logic for determining proximity to Update Cache for downloads should be determined based on speed and not IP address class as it is currently.
Link the existing “--messagerelays=” installer flag to utilize not only the Message Relay feature of the Update Cache but also the actual Update Cache
OR Add “--updatecaches=”
Allow the use of Sophos Computer Groups for Update Cache assignments (there’s already a flag to assign the computer to a specific group)