This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Sophos Safeguard

Hi,

 

I have a number of Desktop PC's and Laptops that are at remote locations that don't require to be on our Domain as they are running Citrix.

 

We have been told to get them to work with Sophos Safeguard, we will need to import the certificate in the 'Personal' section of 'Certificates'.

 

The above has been tried with no success, can anyone help or suggest anything I am missing?

 

Kind regards, Dan Petford



This thread was automatically locked due to age.
  • Well it's progress! :)

    Can you confirm you have BOTH primary and secondary p7b certs within c:\programdata\Ultimaco\SafeGuard Enterprise\LocalCache\transout\config.

    You can view them in Notepad and you should see your DNS resolved name in plain text in there (scroll to the right, it's about halfway in)

    Can you also check that this is the correct publically addressable name of the SSL cert too. 

    These are the locations of the certs placed there by the configuration tool MSI.

  • I can confirm both Primary and Secondary certificates are present in the above location.

     

    For some reason the Secondary only shows the internal hostname, not sure if this is correct or not?

  • No it's not correct and would explain why the client can't resolve the secondary DMZ server (Your primary is the internal server right?)

    I would check the configuration MSI again - it's possible to unzip it using 7Zip or similar and view the contents 

     

    The secondary cert must be in the publically resolvable external hostname, as that's how the client will resolve the server address.  It would explain too why the domain bound client would resolve this address/DFS too.

     

    Can you use the configuration tool again to produce a "new" client MSI, extract and read the contents and then check the secondary cert address again?

    If it's the internal address still this will need to be corrected. I would suspect that applying the server configuration again to the secondary server should resolve this?

  • How do the domain clients sync, as they have the same secondary cert.

    It's very strange how a domain client that's not on our LAN or VPN is syncing?

  • Hi Michael,

    Still having issues with the non-domain PC's, however also having the same issue with domain PC's.

    The PC in question is not appearing in the console, if I import I get the attached message.

  • That's a nasty looking error! So are other PC's importing fine and it's just this PC, or none importing?

    It is possible to have clumsy duplicates in the console too - Have you verified this exact host doesn't exist already (or hasn't been renamed and the "old" version of it still exists?

    Are you logged in as MAINMSO when this is seen, or another user? If you haven't tried MAINMSO it may be worth trying that account to rule out perms?

  • Hi Michael,

    Just thought I'd update you on our progress with the 'Workgroup' machines, we have managed to successfully get it sorted, the reason was we had a batch file that we used to install Sophos SafeGuard, if we run the installation files manually it works fine.

    On a side note we do however get the attached screenshot, is there any way of stopping this?

  • Well done, good work! I had assumed that you'd used the standard install, I should have asked you that sorry!

     

    This window will come up if you didn't log in via the "Sophos Cog/Credential provider" OR if you did - it didn't pass through authentication.

     

    I can see this user is called "User". I would recommend against this - use something at least unique for each machine. User1, User2 sort of thing. 

     

    It's worth making sure you've confirmed the users too. As they're not in the directory (as they're bound to an independent workgroup) SSG won't know who they are. 

     

    So confirm each user - This will be easier if they're all not just called "User" as I've said.  On the console - Scroll right down past your directory. Your WorkGroup will be at the bottom.

     

      

    Open the .Unconfirmed Users - right click each user and confirm (Or RClick confirm ALL users). This will then allow them to be known users and should avoid the Window you're seeing (assuming you ARE using the Sophos Cred Provider to log in!