New Server 2019 with Sophos Enterprise Console client status not shown

We have a new installation of Server 2019 Standard (which is a fileserver and domain controller) with Sophos Enterprise Console.

As a starting point we have created a GPO to make sure all client computers have the required services turned on and ports open in the firewall. The clients already had Sophos installed (the old Sophos Enterprise Console server has been retired). All clients were migrated to the new domain. Using the Enterprise Console on the new server we re-deployed Sophos to all clients. This is successful, and I checked that the clients are getting their updates from the new server. For some of these clients I also tried installing Sophos manually (from \\SERVERNAME\SophosUpdate\CIDs\S000\SAVSCFXP); this works without issues.

However, the only client that is reporting its status back to the Enterprise Console is the local Sophos agent installed on the server itself, even after turning off the firewall, server reboots etc.

When looking at the client, the router shows the following errors in the log (trace logging is enabled):

C:\ProgramData\Sophos\Remote Management System\3\Router\Logs

30.06.2019 12:34:25 1B00 I SOF: C:\ProgramData/Sophos/Remote Management System/3/Router/Logs/Router-20190630-103425.log
30.06.2019 12:34:25 1B00 I Sophos Messaging Router 4.1.1.127 starting...
30.06.2019 12:34:25 1B00 I Setting ACE_FD_SETSIZE to 138
30.06.2019 12:34:25 1B00 I Initializing CORBA...
30.06.2019 12:34:25 1B00 I Connection cache limit is 10
30.06.2019 12:34:26 1B00 D New context options = 1000004
30.06.2019 12:34:26 1B00 I Router::ConfigureSslContext: keeping legacy compatibility of TLS 1 and TLS 1.1.
30.06.2019 12:34:26 1B00 T IPAddressSet::InitialiseWithHost() called
30.06.2019 12:34:26 1B00 T Added host network address:192.168.178.57:0
30.06.2019 12:34:26 1B00 T Added host network address:127.0.0.1:0
30.06.2019 12:34:26 1B00 T IPAddressSet::InitialiseWithHost() returns
30.06.2019 12:34:26 1B00 D Creating ORB...
30.06.2019 12:34:26 1B00 I Creating ORB runner with 4 threads
30.06.2019 12:34:26 2040 D RunORB thread started
30.06.2019 12:34:26 1B00 W No public key certificate found in the store. Requesting a new certificate.
30.06.2019 12:34:26 1B00 I Getting parent router IOR from 192.168.178.10:8192
30.06.2019 12:34:26 1B00 T >>> StatusReporting::StatusReporter::Done
30.06.2019 12:34:26 1B00 T DNS            : problem 0, changed 1, already reported 0
30.06.2019 12:34:26 1B00 T Certification  : problem 0, changed 1, already reported 0
30.06.2019 12:34:26 1B00 T Incoming       : problem 0, changed 1, already reported 0
30.06.2019 12:34:26 1B00 T Outgoing       : problem 0, changed 1, already reported 0
30.06.2019 12:34:26 1B00 D class StatusReporting::DNSSection changed
30.06.2019 12:34:26 1B00 T >>> StatusReporting::StatusReporter::WriteReport
30.06.2019 12:34:26 216C D RunORB thread started
30.06.2019 12:34:26 1AEC D RunORB thread started
30.06.2019 12:34:26 097C D RunORB thread started
30.06.2019 12:34:26 1B00 I This computer is part of the domain OFFICE
30.06.2019 12:34:26 1B00 T >>> StatusReporting::StatusReporter::WriteAsXML
30.06.2019 12:34:26 1B00 T >>> StatusReporting::DNSSection::WriteAsXML
30.06.2019 12:34:26 1B00 T <<< StatusReporting::DNSSection::WriteAsXML
30.06.2019 12:34:26 1B00 T >>> StatusReporting::CertificationSection::WriteAsXML
30.06.2019 12:34:26 1B00 T <<< StatusReporting::CertificationSection::WriteAsXML
30.06.2019 12:34:26 1B00 T >>> StatusReporting::IncomingSection::WriteAsXML
30.06.2019 12:34:26 1B00 T <<< StatusReporting::IncomingSection::WriteAsXML
30.06.2019 12:34:26 1B00 T >>> StatusReporting::OutgoingSection::WriteAsXML
30.06.2019 12:34:26 1B00 T <<< StatusReporting::OutgoingSection::WriteAsXML
30.06.2019 12:34:26 1B00 T <<< StatusReporting::StatusReporter::WriteAsXML
30.06.2019 12:34:26 1B00 T <<< StatusReporting::StatusReporter::WriteReport
30.06.2019 12:34:26 1B00 T <<< StatusReporting::StatusReporter::Done
30.06.2019 12:34:26 1B00 T >>> StatusReporting::StatusReporter::SetActualParent
30.06.2019 12:34:26 1B00 D Actual parent is `192.168.178.10`
30.06.2019 12:34:26 1B00 T <<< StatusReporting::StatusReporter::SetActualParent
30.06.2019 12:34:26 1B00 T >>> StatusReporting::StatusReporter::Done
30.06.2019 12:34:26 1B00 T DNS            : problem 0, changed 0, already reported 0
30.06.2019 12:34:26 1B00 T Certification  : problem 0, changed 0, already reported 0
30.06.2019 12:34:26 1B00 T Incoming       : problem 0, changed 0, already reported 0
30.06.2019 12:34:26 1B00 T Outgoing       : problem 0, changed 0, already reported 0
30.06.2019 12:34:26 1B00 T <<< StatusReporting::StatusReporter::Done
30.06.2019 12:34:26 1B00 T >>> StatusReporting::StatusReporter::Done
30.06.2019 12:34:26 1B00 T DNS            : problem 0, changed 0, already reported 0
30.06.2019 12:34:26 1B00 T Certification  : problem 0, changed 0, already reported 0
30.06.2019 12:34:26 1B00 T Incoming       : problem 0, changed 0, already reported 0
30.06.2019 12:34:26 1B00 T Outgoing       : problem 0, changed 0, already reported 0
30.06.2019 12:34:26 1B00 T <<< StatusReporting::StatusReporter::Done
30.06.2019 12:34:26 1B00 I Getting a new router certificate...
30.06.2019 12:34:26 1B00 D Getting the parent message router object using IOR
IOR:010000002600000049444c3a536f70686f734d6573736167696e672f4d657373616765526f757465723a312e300000000100000000000000a0000000010102000a0000003132372e302e302e310001204100000014010f004e5550000000210000000001000000526f6f74504f4100526f7574657250657273697374656e740003000000010000004d657373616765526f7574657200000003000000000000000800000001008600004f4154010000001800000001008600010001000100000001000105090101000000000014000000080000000100a60086000220
30.06.2019 12:34:26 1B00 D Getting the certification object...
30.06.2019 12:34:28 1B00 E Router::GetCertificate: Caught CORBA system exception, ID 'IDL:omg.org/CORBA/TRANSIENT:1.0'
OMG minor code (2), described as '*unknown description*', completed = NO

30.06.2019 12:34:28 1B00 W Failed to get certificate, retrying in 600 seconds

So Sophos appears to have difficulties with the certificate. However, when I connect with OpenSSL using the CAC.pem cert it verifies OK:

C:\Program Files\OpenSSL-Win64\bin>openssl.exe s_client -connect 192.168.178.10:8194 -CApath . -CAfile cac.pem
CONNECTED(000000DC)
Can't use SSL_get_servername
depth=1 CN = EM2_CA
verify return:1
depth=0 CN = Router$GM-DC
verify return:1
---
Certificate chain
 0 s:CN = Router$GM-DC
   i:CN = EM2_CA
 1 s:CN = EM2_CA
   i:CN = EM2_CA
---
Server certificate
-----BEGIN CERTIFICATE-----
[certificate body omitted]
-----END CERTIFICATE-----
subject=CN = Router$GM-DC

issuer=CN = EM2_CA

---
Acceptable client certificate CA names
CN = EM2_CA
Client Certificate Types: RSA sign, DSA sign, ECDSA sign
Requested Signature Algorithms: RSA+SHA512:DSA+SHA512:ECDSA+SHA512:RSA+SHA384:DSA+SHA384:ECDSA+SHA384:RSA+SHA256:DSA+SHA256:ECDSA+SHA256:RSA+SHA224:DSA+SHA224:ECDSA+SHA224:RSA+SHA1:DSA+SHA1:ECDSA+SHA1
Shared Requested Signature Algorithms: RSA+SHA512:DSA+SHA512:ECDSA+SHA512:RSA+SHA384:DSA+SHA384:ECDSA+SHA384:RSA+SHA256:DSA+SHA256:ECDSA+SHA256:RSA+SHA224:DSA+SHA224:ECDSA+SHA224:RSA+SHA1:DSA+SHA1:ECDSA+SHA1
---
SSL handshake has read 2007 bytes and written 623 bytes
Verification: OK
---
New, TLSv1.2, Cipher is AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : AES256-GCM-SHA384
    Session-ID: 16AD306CC7F2A9A5B7DF37713A9F38B78FB55EC97E4B92E64FE4D24AC6ACA6BF

    Session-ID-ctx:
    Master-Key: 097AF2105E22941C524B6B10994A6BE19C9339DECB83B6FE11669DBF075431A6452AC15A2D4A4734AC9017746EF07AAC
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 300 (seconds)
    TLS session ticket:
    0000 - 23 af 01 f6 34 5e e9 d0-eb 4a a2 16 3c b9 b2 a7   #...4^...J..<...
    0010 - ff 3d c2 0c 97 59 0d d2-5c 94 25 80 8b 1a 60 72   .=...Y..\.%...`r
    0020 - d6 b8 9e 5c 86 09 84 e2-54 36 ed 8c 64 5d e8 9d   ...\....T6..d]..
    0030 - cc 98 0f 7b 92 39 93 29-0e 98 7d 80 df 09 1e 41   ...{.9.)..}....A
    0040 - 63 b3 7d 71 b1 ae 60 60-85 55 6a ee a1 18 e3 ce   c.}q..``.Uj.....
    0050 - b0 7e f6 f5 37 51 cd 37-6d 09 55 d3 02 07 82 2d   .~..7Q.7m.U....-
    0060 - 4c 09 f1 88 32 fc 59 0f-df d9 b8 31 54 25 ad 8f   L...2.Y....1T%..
    0070 - 4d 2d d1 61 5c 2a 3b da-61 c0 93 af 6a 1f 3e 5a   M-.a\*;.a...j.>Z
    0080 - 90 d3 9b 61 26 5e a2 7a-d6 d3 73 e2 b2 4e 3e ea   ...a&^.z..s..N>.
    0090 - b6 4c 1b fe c0 4b 54 38-c9 ec 8e a9 b9 40 35 26   .L...KT8.....@5&
    00a0 - d3 2e 44 a9 da 13 5a 7d-60 4c eb 0e 77 90 3f e8   ..D...Z}`L..w.?.
    00b0 - 7a f9 18 60 8f 86 78 fa-51 fc 85 39 61 cd ea ed   z..`..x.Q..9a...

    Start Time: 1561884633
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: no

I also tried telnetting to the server; this shows the IOR, but I found no way to decode it:

IOR:010000002600000049444c3a536f70686f734d6573736167696e672f4d657373616765526f757465723a312e300000000100000000000000a0000000010102000a0000003132372e302e302e310001204100000014010f004e5550000000210000000001000000526f6f74504f4100526f7574657250657273697374656e740003000000010000004d657373616765526f75746572000000030000000000000008000000 0100f001004f415401000000180000000100f001010001000100000001000105090101000000000014000000080000000100a60086000220

The CertManager on the Sophos Enterprise Console server shows no entries in the current log, which is strange because 20 clients are constantly trying to connect...

30.06.2019 11:21:25 089C I SOF: C:\ProgramData/Sophos/Remote Management System/3/CertificationManager/Logs/CertManager-20190630-092125.log
30.06.2019 11:21:25 089C I [CertMgr]Certification Manager starting...
30.06.2019 11:21:25 089C I [CertMgr]Certification Manager started
30.06.2019 11:21:26 089C I [CertMgr]Enabling request processing
30.06.2019 11:21:26 0C0C I InitialiseClientLibraryLocal CM, SOFTWARE\Sophos\Certification Manager\MessengerStore, CMConfig.reg, 0,  ...
30.06.2019 11:21:26 0C0C I Initializing ...
30.06.2019 11:21:26 0C0C I [Msgr:RM]Logged on to Message Router

Any thoughts on how to solve this? I have been staring at it for quite some time now but am unable to fix it... any help is very much appreciated!

  • The IOR string can be decoded using catior.org, for one.

    From the client log provided:

    30.06.2019 12:34:26 1B00 D Getting the parent message router object using IOR
    IOR:010000002600000049444c3a536f70686f734d6573736167696e672f4d657373616765526f757465723a312e300000000100000000000000a0000000010102000a0000003132372e302e302e310001204100000014010f004e5550000000210000000001000000526f6f74504f4100526f7574657250657273697374656e740003000000010000004d657373616765526f7574657200000003000000000000000800000001008600004f4154010000001800000001008600010001000100000001000105090101000000000014000000080000000100a60086000220
    30.06.2019 12:34:26 1B00 D Getting the certification object...

    Output:

    Type ID: "IDL:SophosMessaging/MessageRouter:1.0"
    Profiles:
    1. IIOP 1.2 127.0.0.1 8193 "\x14\x01\x0f\x00NUP\x00\x00\x00!\x00\x00\x00\x00\x01\x00\x00\x00RootPOA\x00RouterPersistent\x00\x03\x00\x00\x00\x01\x00\x00\x00MessageRouter"
          TAG_ORB_TYPE TAO (TAO\x00)
          TAG_CODE_SETS char native code set:       ISO-8859-1
                        char conversion code sets:  UTF-8
                        wchar native code set:      UTF-16
                        wchar conversion code sets: 
    
          TAG_SSL_SEC_TRANS port = 8194 supports 166 requires 134

    So the client is trying to get the IOR off the server on port 8194 and is getting back 127.0.0.1 port 8194. So the client router then tries to connect back to itself on port 8194.


    I thought there was detection in the router for preventing the IOR from containing a loopback address.  Maybe - https://community.sophos.com/kb/en-us/133590 ?

    Can you configure the server's router's IOR to be the IP address as per the following steps on the management server:

    1. Go to HKLM\SYSTEM\CurrentControlSet\Services\Sophos Message Router\ImagePath and change the value data to

      "C:\Program Files\Sophos\Remote Management System\RouterNT.exe" -service -name Router -ORBListenEndpoints iiop://<SEC server IP address>:8193/ssl_port=8194

      I assume this is to be 192.168.178.10 if this is the static IP of the management server.

      Does it have a static IP?  If not you can override the address in the IOR to be a FQDN.
      https://community.sophos.com/kb/en-us/50832 details how you can use the switches hostname_in_ior and ORBDottedDecimalAddresses in the router args to get an address in the IOR the clients will use.

    2. Change the value data of the following registry keys to -ORBListenEndpoints iiop://<SEC server IP address>:8193/ssl_port=8194:

      32-bit: HKLM\SOFTWARE\Sophos\Messaging System\Router\ServiceArgs
      64-bit: HKLM\SOFTWARE\Wow6432Node\Sophos\Messaging System\Router\ServiceArgs

      This ensures that the changes made persist even with any RMS updates or reinstallations.

    3. Restart the Sophos Message Router service.

    If you then look at the IOR string in catior.org, you should see the IP address in it rather than loopback. This will be the IP the clients read off the server's IOR port (8192) so they can connect back to it on port 8194.

    You can think of the IOR string that is put out on port 8192 as a signpost telling the connecting router (client) how to get to port 8194.  The first thing is to get an IP in there that the server and clients can use to get back to the server.

    Hope it helps.

    Regards,

    Jak
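
    The IOR that Jak decodes with catior.org can also be checked offline. The Python below is an added example and is not Sophos code nor anything posted in this thread: it implements a minimal CDR reader for the IIOP profile and the TAG_ORB_TYPE and TAG_SSL_SEC_TRANS components, then flags an IOR that advertises a loopback address, which is exactly the condition the thread diagnoses. The tag numbers are the standard CORBA values; the field names and the `unreachable_endpoints` check are my own. The sample IOR is the one quoted from the client router log above, and the hex is split into the fields it encodes so the layout can be followed.

```python
"""Decode a stringified CORBA IOR and flag endpoints that remote clients cannot use.

Added example (not Sophos code): minimal CDR reader for the IIOP profile, the
TAG_ORB_TYPE and TAG_SSL_SEC_TRANS components, and a loopback check.
"""
import ipaddress
import struct

# Standard CORBA/IIOP tag values.
TAG_INTERNET_IOP = 0    # profile tag
TAG_ORB_TYPE = 0        # component tag
TAG_SSL_SEC_TRANS = 20  # component tag carrying the SSL port

# IOR quoted from the client router log in the thread, split per field (not constructed).
SAMPLE_IOR = "IOR:" + "".join([
    "01000000", "26000000",                                   # LE byte order; type_id length 38
    "49444c3a536f70686f734d6573736167696e672f4d657373616765526f757465723a312e3000",
    "0000", "01000000",                                       # pad; one profile
    "00000000", "a0000000",                                   # TAG_INTERNET_IOP; 160-byte body
    "01010200", "0a000000", "3132372e302e302e3100",           # LE, IIOP 1.2; host "127.0.0.1"
    "0120",                                                   # port 8193
    "41000000", "14010f004e5550000000210000000001000000526f6f74504f4100",
    "526f7574657250657273697374656e740003000000010000004d657373616765526f75746572",
    "000000", "03000000",                                     # pad; three components
    "00000000", "08000000", "01008600004f4154",               # TAG_ORB_TYPE: "TAO\0"
    "01000000", "18000000", "01008600", "01000100", "01000000", "01000105", "09010100",
    "00000000",                                               # TAG_CODE_SETS (not decoded here)
    "14000000", "08000000", "0100a600", "86000220",           # TAG_SSL_SEC_TRANS: 166/134/8194
])


class CdrReader:
    """Reads CDR primitives from an encapsulation; alignment is relative to its first octet."""

    def __init__(self, data: bytes):
        if not data:
            raise ValueError("empty encapsulation")
        self.data = data
        self.little = data[0] == 1      # first octet is the byte-order flag
        self.pos = 1

    def _align(self, n: int) -> None:
        self.pos = (self.pos + n - 1) // n * n

    def octets(self, n: int) -> bytes:
        if self.pos + n > len(self.data):
            raise ValueError("truncated IOR")
        chunk = self.data[self.pos:self.pos + n]
        self.pos += n
        return chunk

    def ushort(self) -> int:
        self._align(2)
        return struct.unpack("<H" if self.little else ">H", self.octets(2))[0]

    def ulong(self) -> int:
        self._align(4)
        return struct.unpack("<I" if self.little else ">I", self.octets(4))[0]

    def string(self) -> str:            # length prefix counts the trailing NUL
        return self.octets(self.ulong()).rstrip(b"\x00").decode("latin-1")

    def octet_seq(self) -> bytes:
        return self.octets(self.ulong())


def parse_iiop_profile(body: bytes) -> dict:
    """Parse a TAG_INTERNET_IOP body: version, host, port, object key and tagged components."""
    r = CdrReader(body)
    major, minor = r.octets(2)
    prof = {"version": f"{major}.{minor}", "host": r.string(), "port": r.ushort(),
            "object_key": r.octet_seq(), "orb_type": None,
            "ssl_port": None, "ssl_supports": None, "ssl_requires": None}
    if (major, minor) >= (1, 1):        # IIOP 1.0 profiles carry no components
        for _ in range(r.ulong()):
            tag, cbody = r.ulong(), r.octet_seq()
            if tag == TAG_ORB_TYPE:
                prof["orb_type"] = CdrReader(cbody).ulong()
            elif tag == TAG_SSL_SEC_TRANS:
                c = CdrReader(cbody)
                prof["ssl_supports"], prof["ssl_requires"], prof["ssl_port"] = (
                    c.ushort(), c.ushort(), c.ushort())
    return prof


def decode_ior(ior: str) -> dict:
    """Decode 'IOR:<hex>' into its type id and list of profiles."""
    if not ior.startswith("IOR:"):
        raise ValueError("not a stringified IOR")
    r = CdrReader(bytes.fromhex(ior[4:].strip()))
    type_id, profiles = r.string(), []
    for _ in range(r.ulong()):
        tag, body = r.ulong(), r.octet_seq()
        profiles.append(parse_iiop_profile(body) if tag == TAG_INTERNET_IOP else {"tag": tag})
    return {"type_id": type_id, "profiles": profiles}


def unreachable_endpoints(decoded: dict) -> list:
    """Report profiles whose host is loopback/unspecified: a client reading this IOR
    from the server would try to connect back to itself instead of the server."""
    findings = []
    for prof in decoded["profiles"]:
        host = prof.get("host")
        if host is None:
            continue
        try:
            addr = ipaddress.ip_address(host)
            bad = addr.is_loopback or addr.is_unspecified
        except ValueError:              # a hostname rather than an address literal
            bad = host.lower() == "localhost"
        if bad:
            findings.append(f"IIOP {prof['version']} profile advertises {host}:{prof['port']} "
                            f"(ssl_port={prof['ssl_port']}); remote clients cannot reach the server there")
    return findings


if __name__ == "__main__":
    info = decode_ior(SAMPLE_IOR)
    print("Type ID:", info["type_id"])
    for p in info["profiles"]:
        print(f"IIOP {p['version']} {p['host']}:{p['port']} ssl_port={p['ssl_port']} "
              f"supports={p['ssl_supports']} requires={p['ssl_requires']}")
    for finding in unreachable_endpoints(info):
        print("WARNING:", finding)
```

    Paste the IOR from the client's Router log (or from the raw banner the server returns on port 8192, as described above) into `SAMPLE_IOR` and run the script; for the IOR in this thread it reports `127.0.0.1:8193` with `ssl_port=8194` and one warning. After the `-ORBListenEndpoints` change and a router restart the decoded host should be the server's address and the check should report nothing.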

  • Hi Jak,

    Thank you very much for this. I was on the right track with the IOR but couldn't find a way to translate it so you provided the missing pieces of the puzzle.

    I still think it is strange that with a new installation this problem occurs, as it should have used the static IP address or server name from the beginning automatically.


    After the registry change (adding the static server IP) and a restart of the message router service the agents came back online almost instantly. So very happy with this.

    Thanks a lot!!! At least I can get some sleep tonight :)

  • Glad the information helped you figure it out.

    Regards,

    Jak