Sophos Enduser Protection Architect (ENDA)

This course provides an in-depth study of Sophos Enduser Protection, designed for experienced technical professionals who will be planning, installing, configuring and supporting deployments in production environments. The course will be delivered in a classroom setting, and consists of presentations and practical lab exercises to reinforce the taught content. Printed copies of the supporting documents for the course will be provided to each trainee. Due to the nature of delivery, and the varying experiences of the trainees, open discussion is encouraged during the training.

Target audience

This course is designed for technical professionals who will be planning, installing, configuring and supporting deployments in production environments, and for individuals wishing to obtain the Enduser Protection Certified Architect certification.


Prior to attending this course, trainees should:

  • Have completed the Sophos Certified Engineer Enduser Protection course and passed the Certified Engineer exam
  • Have a strong working knowledge of network configuration and troubleshooting
  • Have a good understanding of IT security


On completion of this course, trainees will be able to:

  • Design a complex installation considering all variables
  • Undertake a multi-server installation appropriate for a customer environment
  • Understand the function of core components, and how they are configured
  • Gain understanding of how core components work, and how to troubleshoot
  • Trainees should complete the course being confident in the design, implementation and basic support of customer environments.


Module 0 : Introduction

Module 1 : Enduser Protection deployment scenarios

  • Review of Enduser Protection features and components
  • Factors to consider when designing solutions
  • Single site deployments
  • Multi site deployments
  • Air-gapped network
  • Roaming users
  • Selecting the right solution for a customer’s requirements
  • Lab
    • Obtain a username and password for a trial installation

Module 2 : Sophos Enterprise Console deployment

  • Factors to consider when designing SEC deployments
  • Management server requirements
  • Database design considerations
  • Remote console requirements
  • Firewall configuration
  • High availability
  • Selecting the right solution for a customer’s requirements
  • The installation process
  • Troubleshooting installation
  • Lab
    • Configure Active Directory Organizational Units
    • Configure firewall rules using an Active Directory Group Policy
    • Install the Sophos Enterprise Console database role on a SQL Server
    • Verify connectivity from SEC to the database on the SQL Server
    • Perform an installation of the Management Server and Management Console
    • Perform an installation of the Management Console on a workstation
    • Use RDP to connect to the Management Console on another host
    • View setup logs
    • Back up the Management Server and master certificates

Module 3 : Deploying Enduser Protection

  • Determining the information required to plan endpoint deployment
  • Supported platforms
  • Deployment strategy
  • Removing other endpoint products
  • Setup.exe command line parameters
  • Protecting computers automatically
  • Deployment packager
  • Installation log files
  • Mac deployment
  • Linux deployment
  • Selecting the right solution for a customer’s requirements
  • Endpoint Defense – Advanced Tamper Protection
  • Lab
    • Use the Competitive Removal Tool (CRT)
    • Import and synchronize computers on the network using Active Directory
    • Deploy via Enterprise Console
    • Perform connection tests between SEC and enduser clients
    • Modify the Sophos Default Firewall and Patch Policies
    • Create and test a deployment package for Windows
    • Deploy Enduser Protection using Active Directory Group Policy
    • Deploy and manage Enduser Protection on a Linux client

Module 4 : Update Managers and AutoUpdate

  • Factors to consider when designing an updating infrastructure
  • Introduction to AutoUpdate
  • SUM updating overview
  • Software subscriptions
  • HTTP Updating
  • Deploying multiple CIDs and Update Managers
  • Selecting the right solution for a customer’s requirements
  • Installing additional SUMs
  • AutoUpdate components
  • Troubleshooting SUM
  • Troubleshooting AutoUpdate
  • Lab
    • Configure a preview subscription for use by a test group
    • Install and configure an additional Update Manager
    • Configure IIS to support a Web CID
    • Create a subscription and updating policy for Linux endpoints

Module 5 : Remote Management System

  • Factors to consider when designing an updating infrastructure
  • Management architecture
  • Remote Management System (RMS)
  • RMS component communication
  • RMS registration
  • RMS troubleshooting
  • Message relays
  • WCF-based management
  • Selecting the right solution for a customer’s requirements
  • Lab
    • Configure a message relay
    • Create and test a deployment package for a remote endpoint
    • Verify and troubleshoot remote management system configuration

Module 6 : Threat Protection

  • Endpoint Protection Advanced and Exploit Prevention components
  • Preventing a threat before it reaches the device
    • Browser Exploit Prevention
    • Web Protection and Control
    • Sophos Extensible List (SXL)
    • Download Reputation
  • Preventing a threat before it runs on the device
    • Exploit Prevention
      • Configuring exclusions
    • Host Intrusion Prevention (HIPS)
    • On-access scanning
      • Configuring exclusions
  • Detecting threats
    • Malicious Traffic Detection (MTD)
    • CryptoGuard
    • WipeGuard
  • Respond
    • On-demand scanning
    • Clean up
    • Sophos Clean
  • Tamper Protection and Endpoint Defense
  • Lab
    • Configure exclusions and test Endpoint Defense

Module 7 : Advanced device and data control policies

  • Review of device control
  • Device control event viewer
  • Unique device instance IDs
  • Device exemptions
  • Review of data control
  • Content Control List (CCL)
  • Latest SophosLabs Content Control Lists
  • How to create a custom CCL
  • Data control exclusions
  • Lab
    • Configure a device control policy and add an exemption
    • Configure a data control policy with a rule based on a custom CCL

Module 8 : Patch assessment

  • Patch assessment components and architecture
  • Patch assessment using a proxy
  • Patch assessment troubleshooting
  • Lab
    • Configure a reverse proxy to cache patch data and proxy the assessment reporting
    • Configure the firewall policy with a secondary location

Module 9 : Auditing and reporting

  • Auditing configuration
  • Granting access to audit data
  • Using external applications for audit reporting
  • Email alerting
  • Sophos Reporting Interface
  • Sophos Log Writer
  • Enhanced reporting with 3rd party tools
  • Lab
    • Enable auditing and use the database view to review logged actions
    • Configure email alerting from endpoints for Anti-virus and HIPS
    • Install and configure the Sophos Reporting Interface

Module 10 : Sophos for Virtual Environments (SVE)

  • Supported Platforms
  • SVE Architecture
  • Guest virtual machine (VM) migration
  • Updating architecture
  • Guest VM deployment methods
  • Viewing Guest VMs
  • Upgrading to SVE version 1.2 with Guest VM migration

Module 11 : Server management and upgrades

  • Backup and restore data and configuration
  • PurgeDB
  • Database and server migration
  • Upgrading servers
  • Lab
    • Back up and restore configuration and the database
    • Create a scheduled task to run PurgeDB
    • Perform a database migration


To achieve the Sophos Certified Architect certification in Enduser Protection, trainees must take and pass an online assessment. The assessment tests their knowledge of both the taught and practical content. The pass mark for the assessment is 80%, and it may be taken a maximum of three times.

Duration: 3 days