Sophos Endpoint Public RMS cannot get certificate

the client hasn't yet managed by SEC

Hello oki.herdian,

as far as I can see the server advertises just the private IP and port 51285 (that usually is 8193). Ideally it should put its public FQDN (or at least the NATed public IP) into the IOR. Apparently you have made some modification - where and which?

The article outlines how to make the server return a FQDN instead of an IP. The FQDN should either resolve to the private IP on the internal network or the server should be reachable on the public IP from the internal network.

Christian 

Hello QC, 

Yes, i actually have configured the FQDN as well, the FQDN is resolved to external ip public of SEC that is already NATed to internal private ip address. 

so how can i change that to our Public FQDN and port 8193 ? 
which file do i need to check ? 

Hello oki.herdian,

apparently the endpoint connects to the server's NATed port 8192 as it receives an IOR. The How to change applies also to the main server and modifying these keys should make the Message Router return the FQDN instead of the private address. Can't say why it returns port 51285 - what is the current value of the mentioned keys?

Christian

Hello oki.herdian,

I don't think that the gateway would fiddle with just the port in the IOR, to make sure please compare it with an IOR received on the internal network (either from the logs or with telnet server 8192).

Christian

Hi Christian,

I found that if there's a typo in in -ORBListenEndpoints, it will change the port to a really high number.  I've just tested this in my lab with this key:

"C:\Program Files (x86)\Sophos\Enterprise Console\Remote Management System\RouterNT.exe" -service -name Router -ORBDottedDecimalAddresses 0 -RBListenEndpoints iiop://:8193/ssl_port=8194&hostname_in_ior=MR.domain.com

It returned port 52524.  With "OBListenEndpoints" it returns 52395.

both IOR are identic

from : external IP :

010000002600000049444c3a536f70686f734d6573736167696e672f4d657373616765526f757465723a312e300000000100000000000000a4000000010102000e0000003139322e3136382e31322e38300054c84100000014010f004e5550000000210000000001000000526f6f74504f4100526f7574657250657273697374656e740003000000010000004d657373616765526f7574657200000003000000000000000800000001009702004f4154010000001800000001009702010001000100000001000105090101000000000014000000080000000100a600860055c8

from internal IP :

010000002600000049444c3a536f70686f734d6573736167696e672f4d657373616765526f75

7465723a312e300000000100000000000000a4000000010102000e0000003139322e3136382e3132

2e38300054c84100000014010f004e5550000000210000000001000000526f6f74504f4100526f75

74657250657273697374656e740003000000010000004d657373616765526f757465720000000300

0000000000000800000001009702004f415401000000180000000100970201000100010000000100

0105090101000000000014000000080000000100a600860055c8

Hi MEric,

here are the registry:

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Sophos\Messaging System\Router\ServiceArgs

-ORBDottedDecimalAddresses 0 -ORBListenEndpoints iiop://:8193/ssl_port=8194&hostname_in_ior=xxx.co.id

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sophos Message Router\ImagePath

"C:\Program Files (x86)\Sophos\Enterprise Console\Remote Management System\RouterNT.exe" -service -name Router -ORBDottedDecimalAddresses 0 -ORBListenEndpoints iiop://:8193/ssl_port=8194&hostname_in_ior=xxx.co.id

so based on your statement, it means the ssl connection config is coming from server's side (message router registry of the server) instead of what we specify in mrinit.conf, so the client will initiate the connetion (rms connection) based on what we specified inside mrinit, and then client's  message router contact server's message router then the server will send IOR to the client, after that, ssl connection will be generated based on IOR code, is it correct ?

Thanks

Hello MEric and oki.herdian,

apparently the TAO library simply ignores unknown flags/parameters (there might be a warning at startup in the log) but otherwise it commences work. In the absence of an explicit port it requests an ephemeral port (that's why you get different ones - not because of the different typo) and listens on it. As long as the path isn't blocked by a firewall this works, CORBA is dynamic.

Christian

Hello oki.herdian,

the keys look ok, I don't see a typo.

the ssl connection config
is not really complicated but mrinit.conf is not involved in actual operation. As its name implies it's only used for initialization (performed by ClientMRInit.exe). Registry values under the Messaging System and Remote Management System registry keys are set according to the parameters it contains.
Client and server have to agree on the IORSenderPort (and the cryptographic Keys). The client tries to connect to this port trying all of the ParentRouterAddress addresses (in case the client acts as a message relay it uses MRParentAddress) until it succeeds. The server (could be the management server or a relay) responds with an IOR (interoperable object reference) that contains one or more "profiles" (i.e. host/port pairs that tell the client where to find the desired "object" -  in this case the server's Message Router).

Does this answer your question?

Christian

Hi oki.herdian,

Christian's last reply explains how the connection gets established in more detail than I know it. After mrinit.conf initialization, the client will try to connect to all ParentRouterAddress addresses on port 8192 in order until it receives an IOR.  This IOR returned by the server contains an IP/FQDN + port that the client will then attempt to establish an SSL connection to.

The registry key doesn't seem to line up with the IOR that is being given back. Was the Sophos Message Router restarted after this change was made?  The IOR you posted returns an internal IP address while the registry key you posted should return xxx.co.id.

Hi oki.herdian,

Christian's last reply explains how the connection gets established in more detail than I know it. After mrinit.conf initialization, the client will try to connect to all ParentRouterAddress addresses on port 8192 in order until it receives an IOR.  This IOR returned by the server contains an IP/FQDN + port that the client will then attempt to establish an SSL connection to.

The registry key doesn't seem to line up with the IOR that is being given back. Was the Sophos Message Router restarted after this change was made?  The IOR you posted returns an internal IP address while the registry key you posted should return xxx.co.id.