When managing large numbers of workstations (endpoints) from a single management server, you may need to increase the number of ephemeral ports that Windows can assign. This will improve scalability and performance on large networks (those with thousands of computers).
Symptoms suggesting that more ephemeral ports are needed include:
By default, Windows limits the number of ephemeral ports that can be used by a computer. To indicate when this limit is likely to be reached, a message is written to the Application event log by the Sophos Message Router:
Sophos Enterprise Console has detected that the number of ephemeral ports being used on this computer is approaching the maximum permitted. You may need to make changes to the computer's TCP/IP configuration to prevent network problems.
There are xxx ephemeral ports in use. The maximum number of ephemeral ports available on this machine is yyy.
See Sophos KnowledgeBase Article 4243 at http://www.sophos.com/en-us/support/knowledgebase.aspx
This message is logged when the number of ports used reaches 85% of the total number permitted by the system. This happens regardless of whether those ports are taken up by the Sophos Message Router, or by something else.
Ephemeral ports are temporary ports assigned by a computer's IP stack. Their number is controlled by the registry value MaxUserPort. This value limits the number of outgoing connections that one computer can hold open to a specific service on a remote computer.
These changes involve the use of the Windows registry editor. Please read the warning about editing the registry.
Using the Windows registry editor, navigate to:
Add the following registry value
Three factors should be taken into account when calculating this value:
Thus, for 10000 endpoints, a suitable value would be 13000 (1024 + 10000 + c. 2000).
If a value for MaxUserPort is already present, take this into account when setting the new value. The default is 5000 and the maximum value is 65535. Any value in this range is valid. However, setting a very high value may leave too few ports for inbound connections.
On Windows 2000 servers, and on Windows 2003 servers not running Service Pack 1 (SP1) or higher, you can also improve scalability and performance by reducing the length of time that a connection stays in the TIME-WAIT state.
If the TcpTimedWaitDelay value already exists, take this into account when setting the new value. The default is 240 seconds; a value in the range 50 to 250 is acceptable.
The computer will need to be restarted before Windows uses the new values.
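The following PowerShell script is an added example, not part of the Sophos article: it sizes MaxUserPort with the formula above (1024 + one port per endpoint + c. 2000 headroom), reads any existing MaxUserPort and TcpTimedWaitDelay values, counts the ephemeral ports currently in use against the 85% threshold at which the Message Router writes its warning, and, only with -Apply, writes the new values. The registry key used is the standard Windows TCP/IP parameters key, which is known rather than quoted from this copy of the article; the parameter names and the helper functions are the script's own. Note that on Windows Vista, Server 2008 and later the ephemeral range is instead managed with `netsh int ipv4 set dynamicport`, and MaxUserPort is not honoured there.

```powershell
<#
 Added example (not from the Sophos article): size and apply MaxUserPort and,
 optionally, TcpTimedWaitDelay for a management server with a given number of
 endpoints. Without -Apply the script only reports; -Apply writes the values.
 The Tcpip\Parameters key is the known Windows location for these values,
 not text quoted from the article.
#>
param(
    [Parameter(Mandatory = $true)]
    [ValidateRange(1, 60000)]
    [int]$Endpoints,

    # Optional TcpTimedWaitDelay in seconds (article's acceptable range is 50..250);
    # omit it to leave the value unchanged.
    [ValidateRange(50, 250)]
    [int]$TimedWaitDelay,

    # Without -Apply, only report current and recommended values.
    [switch]$Apply
)

$TcpParams  = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
$LowPorts   = 1024   # well-known/registered ports below the ephemeral range
$Headroom   = 2000   # the article's "c. 2000" allowance for other services
$DefaultMax = 5000   # Windows default for MaxUserPort
$CeilingMax = 65535  # highest value MaxUserPort accepts
$WarnRatio  = 0.85   # Message Router warns at 85% of MaxUserPort

function Get-RecommendedMaxUserPort([int]$EndpointCount) {
    # Article's formula: 1024 reserved + one per endpoint + c. 2000 headroom,
    # clamped to the valid 5000..65535 range.
    $wanted = $LowPorts + $EndpointCount + $Headroom
    return [Math]::Min([Math]::Max($wanted, $DefaultMax), $CeilingMax)
}

function Get-TcpParam([string]$Name, [int]$Default) {
    $item = Get-ItemProperty -Path $TcpParams -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $Default }   # value absent: Windows uses its default
    return [int]$item.$Name
}

function Get-EphemeralPortsInUse([int]$MaxUserPort) {
    # Approximate count of TCP sockets bound to a local port in the ephemeral
    # range (1025..MaxUserPort), whoever owns them. netstat is parsed instead of
    # Get-NetTCPConnection so this also works on Windows 2000/2003 servers.
    $count = 0
    foreach ($line in (netstat -an -p tcp)) {
        if ($line -match '^\s*TCP\s+\S+:(\d+)\s') {
            $port = [int]$Matches[1]
            if ($port -gt $LowPorts -and $port -le $MaxUserPort) { $count++ }
        }
    }
    return $count
}

$currentMax  = Get-TcpParam -Name 'MaxUserPort' -Default $DefaultMax
$currentWait = Get-TcpParam -Name 'TcpTimedWaitDelay' -Default 240
$wantedMax   = Get-RecommendedMaxUserPort $Endpoints
$inUse       = Get-EphemeralPortsInUse $currentMax

"MaxUserPort:            current $currentMax, recommended $wantedMax for $Endpoints endpoints"
"TcpTimedWaitDelay:      current $currentWait s"
"Ephemeral ports in use: $inUse of $currentMax"
if ($inUse -ge [int]($currentMax * $WarnRatio)) {
    "Usage is at or above 85% of MaxUserPort; expect the Message Router warning in the Application log."
}

if ($Apply) {
    if ($wantedMax -ne $currentMax) {
        Set-ItemProperty -Path $TcpParams -Name 'MaxUserPort' -Value $wantedMax -Type DWord
    }
    if ($PSBoundParameters.ContainsKey('TimedWaitDelay')) {
        Set-ItemProperty -Path $TcpParams -Name 'TcpTimedWaitDelay' -Value $TimedWaitDelay -Type DWord
    }
    "Values written; restart the server before Windows uses them."
}
```

Run it first without -Apply from an elevated prompt, e.g. `.\Set-EphemeralPorts.ps1 -Endpoints 10000`, to confirm that the recommended value (13024 for 10000 endpoints, matching the article's c. 13000) and the in-use count look sensible, then repeat with -Apply and restart the server.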
For more information on the use of these values, search for 'MaxUserPort' and 'TcpTimedWaitDelay' on the Microsoft website.