Thu 13-Dec-2012 15:48
A while back, our network admin changed the IP address of our Sophos Management server. Not long after, we unsurprisingly had zero connectivity between the endpoints and the server. After realizing that new installations were still looking for the old IP, I updated the configuration so they'd see the new IP and started trying to devise a way to update the old clients (registry change, e.g.).
Updating the old clients is a bit out of my hands, since our infrastructure is a total mess and we have too many PCs and too few techs. I recently devised a way to proxy the traffic destined to the old IP through a CentOS box running iptables, but I'd like a more permanent solution.
Would it be possible to configure two interfaces on our Sophos Management server Virtual Machine? I'm sure there's a config file or something somewhere that will allow the service to listen on the new interface in addition to the old one. We're running Sophos Enerprise Console 126.96.36.199.
Thanks in advance for any help and please let me know if additional information is needed.
Solved! Go to Solution.
Thu 13-Dec-2012 16:25
When you install the Sophos management server, if the server had a static IP at the time of install, the clients will address the server by:
[IP], [FQDN], [NetBIOS]
The client tries each address in order. If the management server had a dynamic IP address at install time, then the clients will address the server by just:
So even if the IP changes, the clients should be able to establish a connection to the server by name (as long as that is the same), it may just take a bit longer for the client to make the connection to the server while it times out attempting to connect to the wrong IP first before trying the next address in the list. I've seen it take 5 minutes to attempt to connect to the next address. You may want to check that the clients have the correct DNS suffix or can resolve the server by the FQDN, NetBIOS address as communication should not have been vut off entirely by a change to the IP, unless it is now totally unroutable.
On the server side, the Message Router (RouterNT.exe) listens on all interfaces, so any address added, the router will pick up on it.
The clients are passed this 'ParentAddress' configuration at install time in the file mrinit.conf (there are a number on the management server computer). The ones in the root of the distribution points are the ones the client pulls down before importing the values into the registry from where they are used from then on. HKLM\Software\Sophos\messaging system\router\parentaddress.
So to fix this, there are a few options but I would start with ensuring that all the mrinit.conf files on the management server are updated first, this is probably the most important. This way new clients will get the correct address.
To fix existing clients, what needs to happen in realtity, if you're just changing the parent address is:
1. Update the ParentAddress registry key on the clients
2. Drop the correct mrinit.conf file into the remote management system directory under program files.
Note: Although the client doesn't use this file, it will be used if RMS is reinstalled at any point in the future.
3. Restart the Sophos Message Router service.
This can be done in a few ways:
1. Put those steps together in a script.
Note: This KBA would work for these machines: http://www.sophos.com/en-us/support/knowledgebase/
2. Having fixed the server, re-protect the clients from SEC or re-run setup.exe (http://www.sophos.com/en-us/support/knowledgebase/
3. Could use the custom mrinit.conf in the CID approach, similar to the technique to setup message relays. This will force the client to bring down a custom mrinit.conf and use that. iI would avoid this unless it is the only way you can do it, as it adds complexity and configuration to the CID.
Thu 13-Dec-2012 20:56
Thanks for the quick reply on this, Jak!
I actually discovered the relevant registry key and mrinit.conf files on my own, somehow. So I was able to fix the new outgoing installations of the software, and if I had remote management capability on our endpoints I could registry hack the key in a jiffy. Alas, our infrastructure is a mess!
I shut down my CentOS box and configured the new interface on our Sophos server, restarted the Message Router service, and Wireshark'd for a bit. The server appears to be successfully establishing TCP connections to endpoints using both IP addresses, so I have to say that it looks like its working!
Thanks again very much for prompt and excellent help! I think you guys are awesome!