This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Issue updating Sophos Endpoint Client

Hello,

 

I've found a few posts with this same exact issue, however none of the fix actions have worked for me.

 

I'm attempting to get Endpoint protection working from my UTM (SG430's in HA), I successfully downloaded and installed the client, however at the end of the install it mentions it's not able to communicate with the registration server first red flag there.

 

After installation, if I try to force a manual update, it will give me an error that says "Could not contact server". Within the not so very descriptive log, this is the error I get.

 

Time: 4/4/2018 12:31:53
Message: ERROR:   Download of Endpoint Security and Control failed from server Sophos
Module: Update
Process ID: 16792
Thread ID: 16512

I've seen on the forums that you need to test to see if the website is accessible, so I checked and I can browse directly to the site, I'm prompted with "Connection successful"

 

When I ran a wireshark, I noticed this.

Transmission Control Protocol, Src Port: 51976, Dst Port: 80, Seq: 1446, Ack: 2081, Len: 0
Source Port: 51976
Destination Port: 80
[Stream index: 146]
[TCP Segment Len: 0]
Sequence number: 1446 (relative sequence number)
Acknowledgment number: 2081 (relative ack number)
0101 .... = Header Length: 20 bytes (5)
Flags: 0x014 (RST, ACK)
000. .... .... = Reserved: Not set
...0 .... .... = Nonce: Not set
.... 0... .... = Congestion Window Reduced (CWR): Not set
.... .0.. .... = ECN-Echo: Not set
.... ..0. .... = Urgent: Not set
.... ...1 .... = Acknowledgment: Set
.... .... 0... = Push: Not set
.... .... .1.. = Reset: Set
[Expert Info (Warning/Sequence): Connection reset (RST)]
.... .... ..0. = Syn: Not set
.... .... ...0 = Fin: Not set
[TCP Flags: ·······A·R··]
Window size value: 0
[Calculated window size: 0]
[Window size scaling factor: 256]
Checksum: 0x5ee0 [unverified]
[Checksum Status: Unverified]
Urgent pointer: 0

It's a connection reset. So I went to look at what the request was for the server.

Hypertext Transfer Protocol
GET /cloudupdate/0/2d/02d3d1ce06efdb1ef6e967ba31eafe71.dat HTTP/1.1\r\n

I tried to browse directly to the server, with that update in the URL dci.sophosupd.com/cloudupdate/0/2d/02d3d1ce06efdb1ef6e967ba31eafe71.dat

And I'm hit with a not found.

I don't know where to go to download this .dat file, but these are default settings that I've applied here. Nothing is out of the ordinary on my network. How can this program be requesting updates from a server that doesn't even have the right updates, by default?


If there's some quick turnkey thing I'm missing please let me know, any help is greatly appreciated.

 

 



This thread was automatically locked due to age.
  • Authentication to the Sophos CDN servers to obtain update files is based on being able to access a customer file while tells the client what it can download.

    The username and clear text password (with a colon) between are MD5'd and out of that comes your customer file.  E.g. 02d3d1ce06efdb1ef6e967ba31eafe71.dat

    If you can't get the customer file, it's game over and AutoUpdate is not going to download anything more.

    I can only assume the client isn't getting the right username and password.  The username and (obfuscated password) would be stored in iconn.cfg (\programdata\sophos\autoupdate\config\) when delivered by policy, so you won't be able to derive the filename with that pair but it will at least show if you have a username and password which I assume you do.

    If you're after free AV, I would suggest using home.sophos.com rather than UTM managed.

    Regards

    Jak

  • Thanks for the response.

     

    I'm really confused by the whole username and password thing. What login does it require? There's only one location within endpoint management where I can put in any form of password, and it's for tamper protection. What login credentials would it even be? A login to a sophos website? A domain login? A login to the UTM? If these credentials are quintessential to the functionality of the autoupdate service, then shouldn't it have a section within endpoint management on the UTM?

     

    Sorry for all the questions. I've watched guides on setting this up, and no one has this issue. People just turn on the service, install the client and it's updating.

     

    Thank you again

  • Hi,

    With UTM/Central/Home managed endpoint, the client registers with the "Cloud" and becomes managed.  As part of this process it is sent an updating policy.  The username and password sent to the clients is related to the account such that the customer file references the software the user is entitled to use etc.  So you never enter these creds but you can see where it's stored at the client, not that it helps much other than to prove the client was sent them and what it's using.

    I assume in the UTM web interface, under "Management" - "Licensing", you have a section for "Endpoint AntiVirus" with details such as:

    Endpoint AntiVirus
    Status: enabled (will expire in 17 Days.)
    Exp. Date: 23 April 2018
    Max. Users: 27 ( 25 licensed Users + 2 free Users )
    Description: This subscription enables Endpoint Protection incl. Antivirus, HIPS and Device Control.

    As long as your licenced for "Endpoint AntiVirus", then the endpoints should be being sent a valid updating username and password.

    To be honest, I wouldn't bother with the UTM managed endpoint software.  It's very out of date in terms of features when compared with either the free "Sophos Home" or the paid for "Sophos Central" managed client.  Plus, if you want real integration between the endpoint and the gateway, you really need an XG firewall and Sophos Central Management clients so the two can communicate for "Synchronized security".

    Hope it helps.

    Regards,

    Jak