
DMZ-based Message Relay to collect status from rogue computers

Dear All,

Would there be a way (or even a good idea) for travelling users to set up a message relay in a DMZ, which would be available for machines that are taken off the network for an extended amount of time (say for a remote project), so they could still report their status back to the management server?

I am guessing that 8193 and 8194 would be the two ports, and that only authenticated clients (proper certificates) would need to be present (e.g. a client would have already connected to the console while on the network, prior to leaving the network).

The other question is, how would I swap machines in and out of this pool, e.g. 5 machines 'came home' and are back on the network, while another 7 users will be away from next week? Is that a constant reconfiguration of the client's messaging setup back to the management server every time?

Many thanks,

DanZi



Dan,

It's fairly easy to set up an RMS MR in a DMZ. There's a nice Sophos KBA for it. There are a couple of issues though.

1. You need the existing clients to know the location of the Message Relay; that can be as simple as modifying the mrinit.conf file so that ParentRouterAddress has the FQDN of the message relay in its list of addresses.

2. There may be an issue with "Downstream Messages". Consider the example where you have a machine with full connectivity from server to client via the MR. The client then performs an "ungraceful" shutdown (hibernation, or just disconnected from the network); the management server will still see this as a managed/connected machine for 24 hours. Any message (policy change or Do-Action) will be sent to the MR to be forwarded on to the client.

If the client returns to the LAN, this message will be stalled at the MR for the TTL time (4 days or 4 hours).

The article for setting up an MR in the DMZ is: https://community.sophos.com/kb/en-us/50832

Stephen H

Stephen Higgins
w: www.sjh-consulting.co.uk
f: www.facebook.com/sjhconsultinguk
t: 07740195926
e: stephen@sjh-consulting.co.uk
m: 22 Hamble Drive, Abingdon, Oxfordshire, OX14 3TE.
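The following script is an added example, not code from the thread or from Sophos, showing one way to handle step 1 above and the "swap machines in and out" question in the same edit: keep the internal console at the front of the ParentRouterAddress list on every laptop and append the DMZ relay's FQDN once, idempotently, so the same file works whether the machine is on the LAN or away and nothing has to be undone when it comes home. It assumes (not confirmed by the thread) that mrinit.conf is a line-oriented Key=Value file, that ParentRouterAddress holds a comma-separated ordered list, and that the client tries the addresses in that order; the sample file, hostnames and script name are constructed placeholders. Only the ParentRouterAddress line is rewritten, so any other keys in the real file pass through untouched.

```python
"""Manage the ParentRouterAddress list in an RMS client's mrinit.conf.

Added example, not Sophos code. Assumed (not confirmed by the thread):
mrinit.conf is a line-oriented "Key=Value" file, ParentRouterAddress holds a
comma-separated ordered list of router addresses, and the client tries them
in that order. Every line other than ParentRouterAddress is copied through
unchanged. The sample file and hostnames below are constructed.
"""
import re
import sys
from pathlib import Path

KEY = "ParentRouterAddress"
# Hostname or dotted IPv4 only: rejects spaces, commas and stray "=" signs,
# so a bad argument cannot corrupt the list or smuggle in extra entries.
_ADDR_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9.-]{0,252}[A-Za-z0-9])?$")

# Constructed sample: an on-LAN client that only knows the internal console.
SAMPLE_MRINIT = (
    "[Config]\n"
    "ParentRouterAddress=sec-console.corp.example,10.0.0.5\n"
)


def parse_addresses(text: str) -> list[str]:
    """Return the ordered address list, or raise if the key is missing."""
    for line in text.splitlines():
        if line.startswith(KEY + "="):
            value = line[len(KEY) + 1:]
            return [a.strip() for a in value.split(",") if a.strip()]
    raise ValueError(f"{KEY} not present in mrinit.conf")


def _rewrite(text: str, addresses: list[str]) -> str:
    """Replace only the ParentRouterAddress line; keep every other line as-is."""
    out = []
    for line in text.splitlines(keepends=True):
        if line.startswith(KEY + "="):
            # Preserve the file's own line ending (CRLF on Windows clients).
            if line.endswith("\r\n"):
                ending = "\r\n"
            elif line.endswith("\n"):
                ending = "\n"
            else:
                ending = ""
            line = f"{KEY}={','.join(addresses)}{ending}"
        out.append(line)
    return "".join(out)


def add_relay(text: str, relay_fqdn: str) -> str:
    """Append the DMZ relay after the internal console address(es).

    On the LAN the client still reaches the console directly; off the LAN it
    falls through to the relay (ordered fail-over is an assumption). Idempotent:
    a client that already lists the relay comes back unchanged.
    """
    if not _ADDR_RE.match(relay_fqdn):
        raise ValueError(f"invalid router address: {relay_fqdn!r}")
    addresses = parse_addresses(text)
    if relay_fqdn in addresses:
        return text
    return _rewrite(text, addresses + [relay_fqdn])


def remove_address(text: str, address: str) -> str:
    """Drop an address (e.g. a retired relay); refuse to empty the list."""
    addresses = [a for a in parse_addresses(text) if a != address]
    if not addresses:
        raise ValueError(f"refusing to leave {KEY} empty")
    return _rewrite(text, addresses)


def update_file(path: Path, relay_fqdn: str) -> bool:
    """Edit mrinit.conf in place; return True only if the file changed."""
    original = path.read_text(encoding="utf-8")
    updated = add_relay(original, relay_fqdn)
    if updated == original:
        return False
    path.write_text(updated, encoding="utf-8")
    return True


if __name__ == "__main__":
    # Usage: python add_relay.py <path-to-mrinit.conf> <relay-fqdn>
    # The path to the client's mrinit.conf is installation-specific (assumption:
    # check your RMS install directory); both arguments are placeholders.
    if len(sys.argv) != 3:
        print("usage: add_relay.py MRINIT_CONF RELAY_FQDN")
        sys.exit(2)
    changed = update_file(Path(sys.argv[1]), sys.argv[2])
    print("updated" if changed else "already configured")
```

Run it against a copy of the file first and diff the result; because the edit is idempotent it can sit in a login or deployment script for every laptop without tracking who is travelling this week.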
