
Sophos Endpoint Agent doesn't use Message Relay and fails Update

Hello Community,

I recently started deploying the Sophos Endpoint(/Server?) Agent to our servers. These servers don't have internet access and I have set up an Update Cache server with Message Relay.

I perform the installation with a customized script, see here:

The installation itself continues on as expected, but on some of my servers the Agent doesn't seem to want to use either the Message Relay or the Update Cache and can't install the modules or skips the installation.

This behaviour only occurs on some Windows 2012R2 servers, while other 2012R2s run the install and the updates without problems.

Is there a way to maybe push a Message Relay server/Update Cache manually after the installation?

  • Hello Thorbin,

    Thank you for reaching the community Forum.

    Yes, it's possible to manually assign your device to a specific Update Cache and Message Relay after the endpoint installation. You may refer to this KB article: "How do I manually assign devices to an Update Cache or Message Relay?". The steps will guide you to accomplish your requirements.

    Glenn Archie Señas (GlennSen)
    Global Community Support Engineer

    The New Home of Sophos Support Videos!  Visit Sophos Techvids
  • Thank you for the link.

    Does this also work in the case the endpoint agent tries to reach Sophos Central directly? Or would I have to temporarily enable internet access to let the server grab the "use Cache/Relay" policy to work correctly with the local Cache/Relay server?

    Is there maybe a way to replace the entries in the local config, so I wouldn't have to do that?

    Cheers

    Thorben

  • If you are performing the initial installation on new devices, you may need to download a new installer, as the installer package will contain certificates and additional information on how to reach the existing update caches and message relays deployed. 

    Kushal Lakhan
    Team Lead, Global Community Support
    Connect with Sophos Support, get alerted, and be informed.
    If a post solves your question, please use the "Verify Answer" button.
    The New Home of Sophos Support Videos!  Visit Sophos Techvids
  • To be clear, I am using the same installer with the same script as per my screenshots above, including the --messagerelays and --localinstallsource attributes. This installation has worked on 20+ Windows servers of various versions and other Windows clients without internet access.

    But for some reason, on two 2012R2 Servers, the installed Agent doesn't use the message relay, which causes a failure to "update"/install the MDR product components and leaves the machine unprotected, presumably by failing to load product information/license.

    That's why I asked if there is a way to manually update the Sophos Endpoint Agent to use the local Message Relay post-install, as it evidently can't access the Sophos servers.

    Or is there something wrong with my script? Does the Endpoint Agent choose to ignore the custom attributes and use the Sophos Servers by itself, because it can ping the Sophos server due to some oversight in our firewall?

  • Thank you for clarifying. 

    I'd suggest first checking if communication over port 8190 can reach your Message Relay server. One way you can test this is by using telnet or PuTTY. You will want to test this bi-directionally.

    Upon installation, the local Windows Firewall will be updated to open these ports for communication. 

    Try checking the file "C:\ProgramData\Sophos\Management Communications System\Endpoint\Config\Config.xml" for what message relays the system is aware of. 

    The device will always try to connect with the Message Relays first, before reaching out to Sophos Central directly.

    Kushal Lakhan
    Team Lead, Global Community Support
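The two checks suggested above (relay reachability on port 8190 and the contents of Config.xml) can be scripted from the affected endpoint. The following PowerShell is an added example, not from the thread or from Sophos; the relay hostname is a placeholder, port 8191 is included because it is the second port tested later in this thread, and because the thread does not show the schema of Config.xml the script searches the raw file text for hostnames rather than relying on element names.

```powershell
# Added example: relay reachability and MCS config inspection from the endpoint.
# Run in an elevated PowerShell on the server that is not using the relay.
$Relay      = 'relay01.corp.example'   # ASSUMED placeholder, replace with your relay/cache host
$Ports      = 8190, 8191               # 8190 = message relay, 8191 = update cache (both tested in the thread)
$ConfigDir  = 'C:\ProgramData\Sophos\Management Communications System\Endpoint\Config'
$ConfigPath = Join-Path $ConfigDir 'Config.xml'
$RelayCfg   = Join-Path $ConfigDir 'MessageRelayConfig.xml'

# 1. TCP reachability from this endpoint to the relay. This covers one direction only;
#    the thread recommends also testing from the relay back to the endpoint.
foreach ($p in $Ports) {
    $r = Test-NetConnection -ComputerName $Relay -Port $p -WarningAction SilentlyContinue
    '{0}:{1} reachable = {2}' -f $Relay, $p, $r.TcpTestSucceeded
}

# 2. Which hosts the MCS client knows about. A working device should list the relay
#    alongside the Sophos cloud endpoint (mc2-cloudstation-... in the thread);
#    the broken device in the thread listed only the Sophos endpoint.
if (Test-Path $ConfigPath) {
    $patterns = @([regex]::Escape($Relay), 'cloudstation')
    $hits = Select-String -Path $ConfigPath -Pattern $patterns | ForEach-Object { $_.Line.Trim() }
    "Config.xml lines mentioning the relay or the Sophos cloud endpoint:"
    $hits | ForEach-Object { "  $_" }
    if (-not ($hits -match [regex]::Escape($Relay))) {
        Write-Warning "$Relay is not referenced in Config.xml; the endpoint will talk to Sophos Central directly."
    }
} else {
    Write-Warning "Config.xml not found at $ConfigPath"
}

# 3. MessageRelayConfig.xml is only written once the endpoint has chosen a relay,
#    so its absence is a quick indicator of the problem described in this thread.
'MessageRelayConfig.xml present = ' + (Test-Path $RelayCfg)
```

Test-NetConnection requires Windows 8.1 / Server 2012 R2 or later, which matches the servers in this thread; on older hosts the telnet test mentioned above is the fallback.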
  • Thanks for pointing me to the right file.

    I can verify that the impacted server only has a Sophos server (mc2-cloudstation-eu-central-1...) registered in the Config.xml.

    The same file on a server that successfully installed the Sophos products has the desired message relays registered alongside the Sophos server. On that server the Config folder also includes a MessageRelayConfig.xml file, where the nearest Message Relay is noted.

    Telnet to the Relay/Update Server via ports 8190 and 8191 from the afflicted server is also successful.

    Can I just swap the Config.xml and MessageRelayConfig.xml in from the working server to the non-working server and have the configs be applied by restarting the Sophos service (or the server itself)?

    Thank you for your help so far.

    Kind regards

    Thorben Paulik

  • I suggest copying both the Config.xml and MessageRelayConfig.xml from the working device to the non-working device. 

    You will need to disable Tamper Protection and restart the following services as well to do this.
    - Sophos MCS Agent
    - Sophos MCS Client

    Kushal Lakhan
    Team Lead, Global Community Support
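The copy-and-restart procedure described in the answer above, written out as a PowerShell script. This is an added example, not from the thread or from Sophos; the UNC path to the working device is a placeholder, the service names are the display names given in the answer, and a timestamped backup of the existing files is taken first so the device's original configuration can be restored. Tamper Protection has to be disabled for the device in Sophos Central before this runs, since with it enabled the service stop and the file overwrite will be refused.

```powershell
# Added example: replace the MCS config files with copies from a working device
# and restart the MCS services. Run elevated, after disabling Tamper Protection
# for this device in Sophos Central.
$Source = '\\working-server\c$\ProgramData\Sophos\Management Communications System\Endpoint\Config'  # ASSUMED placeholder
$Dest   = 'C:\ProgramData\Sophos\Management Communications System\Endpoint\Config'
$Files  = 'Config.xml', 'MessageRelayConfig.xml'
$Backup = Join-Path $Dest ('backup-' + (Get-Date -Format 'yyyyMMdd-HHmmss'))

# Refuse to proceed unless both files exist on the source device
foreach ($f in $Files) {
    if (-not (Test-Path (Join-Path $Source $f))) { throw "Missing on source device: $f" }
}

# Stop the two MCS services named in the answer (display names, so wildcards are not needed)
$Services = Get-Service -DisplayName 'Sophos MCS Agent', 'Sophos MCS Client'
$Services | Stop-Service -Force
$Services | ForEach-Object { $_.WaitForStatus('Stopped', [TimeSpan]::FromSeconds(60)) }

# Back up the current files, then copy in the working ones
New-Item -ItemType Directory -Path $Backup | Out-Null
foreach ($f in $Files) {
    $target = Join-Path $Dest $f
    if (Test-Path $target) { Copy-Item $target $Backup }
    Copy-Item (Join-Path $Source $f) $target -Force
}
"Previous config backed up to $Backup"

# Restart and report
$Services | Start-Service
Get-Service -DisplayName 'Sophos MCS*' | Format-Table DisplayName, Status -AutoSize
```

Re-enable Tamper Protection in Sophos Central once the services are back up. As the next reply in this thread shows, the file swap did not resolve the original poster's case, so keep the backup until the root cause is confirmed.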
  • Hi, I tried to exchange the config files as you suggested, but that didn't solve the issue.

    I also tried the same procedure with a clean reinstall using the same script. I can confirm that even after a clean reinstall the Message Relays don't get added to the Config.xml on that server.

    Now, checking the Endpoint Self Help Tool, the update "succeeds", using the correct server:

    The Management Communication service also seems to use the correct Message Relay, but I get the following warning:

    The log file exists and is accessible by the Sophos MCS Client user (?) with full access rights.

    Checking the referenced log file reveals this:

    Is it right that the GET action still uses the mcs2-cloudstation... Sophos server to connect to, even though it says "trying message relay"?

    I already tried to restart the server to remedy this, which made no difference.

  • Do you know if Microsoft KB3172614 is installed on these devices?

    Kushal Lakhan
    Team Lead, Global Community Support
  • This seems to be the root of my problem.

    I can confirm that KB3172614 was installed on the 2012 servers on which the Sophos products get installed correctly.

    Likewise, the update was missing on the servers that failed to load the Sophos products.

    Installing KB3172614 and subsequently restarting the server enables the Endpoint Agent to update the correct modules, succeed all tests in the Self Help tool using the local Relay/Cache server and create the MessageRelayConfig.xml correctly.

    Thank you very much for helping me out
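Since the missing KB3172614 turned out to be the root cause in this thread, a deployment script for Server 2012 R2 can check for it before running the installer and then confirm afterwards that the relay configuration was actually written. The following PowerShell is an added example, not from the thread or from Sophos; the relay hostname is a placeholder, and the installer invocation itself is left out because the thread only names the --messagerelays and --localinstallsource options without showing their syntax.

```powershell
# Added example: pre-install gate for KB3172614 on Server 2012 R2, and a
# post-install check that the agent picked up the local Message Relay.
$RequiredKb = 'KB3172614'
$Relay      = 'relay01.corp.example'   # ASSUMED placeholder, replace with your relay/cache host
$RelayCfg   = 'C:\ProgramData\Sophos\Management Communications System\Endpoint\Config\MessageRelayConfig.xml'

function Test-RequiredHotfix {
    param([string]$Id)
    # Get-HotFix returns nothing (and no terminating error) when the update is absent
    $null -ne (Get-HotFix -Id $Id -ErrorAction SilentlyContinue)
}

function Wait-RelayConfig {
    # Poll for MessageRelayConfig.xml and check it references the expected relay.
    # Returns $true on success, $false on timeout.
    param([string]$Path, [string]$Host, [int]$TimeoutMinutes = 10)
    $deadline = (Get-Date).AddMinutes($TimeoutMinutes)
    while ((Get-Date) -lt $deadline) {
        if ((Test-Path $Path) -and (Select-String -Path $Path -Pattern ([regex]::Escape($Host)) -Quiet)) {
            return $true
        }
        Start-Sleep -Seconds 30
    }
    return $false
}

# 1. Gate: on 2012 R2, refuse to deploy until the prerequisite update is in place
$os = (Get-CimInstance Win32_OperatingSystem).Caption
if ($os -like '*2012 R2*' -and -not (Test-RequiredHotfix $RequiredKb)) {
    Write-Warning "$RequiredKb is not installed on $env:COMPUTERNAME ($os). Install it and reboot before deploying the agent."
    exit 1
}
"$RequiredKb present or not required on $os; continuing."

# 2. Run your existing installer script here (the thread's script is not reproduced).

# 3. Verify: the agent only writes MessageRelayConfig.xml once it has chosen a relay
if (Wait-RelayConfig -Path $RelayCfg -Host $Relay) {
    "Agent registered with relay $Relay."
} else {
    Write-Warning "MessageRelayConfig.xml missing or does not mention $Relay after the timeout; the agent may be reaching Sophos Central directly."
    exit 2
}
```

Get-HotFix only reports updates applied through Windows Update or WUSA, so a KB that was slipstreamed into the image may not appear; in that case compare the affected file versions instead of relying on the KB lookup.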