Installed new Enterprise Console, now it denies me access

I have installed version 4 of Enterprise Console and Sophos Endpoint Security and Control 9. I successfully scanned the network, organised client PCs into groups and created policies for these groups.

Now when I try to open EC I get the message:

"User  <domain>\administrator

Is not assigned to any sub-estates, you must be a member of at least one sub-estate to run the console"

What exactly is a sub-estate and how do I set one up?

:156


This thread was automatically locked due to age.
  • Are you trying to open a "remote console"?

    Forget the roles and sub-estates for the moment (you can read it up later). Sophos install several local users and groups and the user accessing the console must be a member of a group with sufficient rights. On the management server add the user(s) to the "Sophos Full Administrators" group and you are done (for the moment). You can also add a Domain Security Group.

    Christian

    :157
  • Thanks for the reply,

    I'm not sure what you mean by remote console. I have been a Sophos network admin for about 5 years but I am new to version 4. I tried upgrading from v 3x but it did not work, so I picked a new server (Server 2003 R2 std) and did a new install. It went smoothly and I was able to scan the network (we have 100+ clients), arrange them into groups and upgrade them to Endpoint version. They are all looking at the new CID and seemed OK; then when I closed the EC I could not open it again.

    Sophos has created several users and groups including the Enterprise Console Admins group; I have made the domain admin and myself members of this group.

    Normally I would use RDP from my desktop PC to access Enterprise Console, logging on as a domain administrator, so I guess I am logging on to the local console on the Sophos server.

    :160
  • By remote I mean you install just the console on a workstation and run it from there - no login to the server required.

    The Enterprise Console Help manual explains the membership requirements - look at chapter 4. The user you use must be a member of the Sophos Full Administrators group.

    Why did the upgrade fail? I had an EMLib/SUM migration problem on one server but nothing serious.

    Just curious - how did you get the clients talking to the new management server?

    Christian

    :164
  • Hi,

    I have tried installing the console on my workstation but it fails with this error:

    "Cannot connect to the management server component on <Sophos Server> etc,

    this is because the management server is an earlier version or no management server exists"

    When I go back to the server and try to re-install the management server component it also fails with this error:

    "setup has encountered an unknown error and cannot recover, setup will rollback,

    function name: CreateGroupand User_MGMSrv"

    During the server re-install it reports that it is creating a new user, SophosUpdateMgr, and prompts me for a password for this new user.

    I can't explain how I managed to get the server to pick up the clients. I installed it and stayed with it using RDP from my workstation; it was not until I closed the session down and tried logging on again that the problem started.

    :207
  • Don't despair :). What do you mean by "try to re-install the management server"? What steps did you take before that? Setup usually offers only Modify, Repair or Remove. Or did you uninstall first?

    If you did uninstall and the user SophosUpdateMgr exists, try selecting "existing user" (does it ask whether you want Default User, New User or Existing User?).

    As for the unknown error: there should be an entry in the event log too. What does it say?

    Christian

    :211
  • Have you added yourself to the new group called Sophos Full Administrators?

    :237
  • Hi

    It's odd that you were initially able to open Enterprise Console: were you logged in as a different account then from now?

    If you haven't set up Role Based Administration (RBA) yet (you may not plan or need to), specifically the sub-estates section, then by default you just have the "Default" sub-estate, within which all Enterprise Console groups reside.

    Sub-estates can be used to partition up your groups in Enterprise Console such that a particular Windows user or group has access to just a subsection of SEC groups.

    As a simple example you might have two top level groups in Enterprise Console called Americas and Europe, each containing many child groups. You could then create two sub-estates called Americas and Europe, each of which contains only the groups of its region. You are then able to assign Windows users or security groups access to these sub-estates. This enables the administrators in charge of Sophos, or “Sophos Full Administrators” if you will, to delegate access rights to others.

    In previous versions you either had access to Enterprise Console and all groups or you did not.  This was defined by being a member of “Sophos Console Administrators” Windows security group, as this gave you access to the Sophos Management Service and in turn Enterprise Console.

    In Enterprise Console 4 however you still need to be a member of “Sophos Console Administrators” to gain access to the Sophos Management Service but to see all groups (by default the “Default” sub-estate), you also need to be a member of “Sophos Full Administrators”.  You also need to be a "Sophos Full Administrator" by default to be able to configure RBA.

    I hope that helps to clarify the sub-estate part of RBA and may help with your problem.  The other part to RBA is the ability to assign different rights to Roles within Enterprise Console should you wish to control what users can configure.

    All that being said, if your account is a member of both "Sophos Console Administrators" and "Sophos Full Administrators" and you have logged back off and back on again to refresh your token and still you have the same problem, then something more interesting might be going on.  In order to determine what that might be, you can carry out the following diagnostics:

    1. Close Enterprise Console.
    2. Stop the "Sophos Management Service" service.
    3. Add the following registry keys to the management server:

    [HKEY_LOCAL_MACHINE\SOFTWARE\Sophos\Trace\{48502EEA-4629-4dd6-9D67-CBB1A80C29A4}]
    @="TraceRBA"
    "ErrorLevel"=dword:00000003

    [HKEY_LOCAL_MACHINE\SOFTWARE\Sophos\Trace\{9D624120-2E7B-47a2-BD4D-BDEB7E5388D3}]
    @="TraceConsole"
    "ErrorLevel"=dword:00000003

    Please adjust accordingly for a 64-bit OS.

    4. Start the "Sophos Management Service"
    5. Download and start DebugView, available from: http://technet.microsoft.com/en-us/sysinternals/bb896647.aspx
    6. Launch Enterprise Console.

    DebugView should populate with verbose logging of the significant components which can be saved as a log file and should help to determine the problem for Sophos support or if you are able to provide access to the log on this forum.

    Note: Please remember to remove the above keys once complete and you will also need to restart the Sophos Management Service.

    I hope this helps.

    Thanks

    :242
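
The membership and token-refresh checks described in the post above can be run on the management server before turning on tracing. This is an added PowerShell example, not part of the original thread and not Sophos tooling; it assumes the two groups named in the post are local groups on that server, and the function names are hypothetical.

```powershell
# Added example (not Sophos code). Run on the management server, logged on as
# the account that starts Enterprise Console.
$required = 'Sophos Console Administrators', 'Sophos Full Administrators'

function Get-TokenGroupLeafNames {
    # Every group in the current logon token, nested membership included.
    $identity = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    foreach ($sid in $identity.Groups) {
        try {
            $name = $sid.Translate([System.Security.Principal.NTAccount]).Value
            ($name -split '\\')[-1]      # drop the DOMAIN\ or COMPUTER\ prefix
        } catch { }                      # SIDs that do not resolve are skipped
    }
}

function Get-DirectMembers([string]$Group) {
    # Accounts and groups listed directly in a local group (WinNT ADSI provider).
    try {
        $g = [ADSI]"WinNT://$env:COMPUTERNAME/$Group,group"
        @($g.psbase.Invoke('Members')) | ForEach-Object {
            $path = $_.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $_, $null)
            ($path -replace '^WinNT://', '') -replace '/', '\'
        }
    } catch { Write-Warning "Cannot read group '$Group': $($_.Exception.Message)" }
}

$me          = "$env:USERDOMAIN\$env:USERNAME"
$tokenGroups = @(Get-TokenGroupLeafNames)

foreach ($group in $required) {
    $members = @(Get-DirectMembers $group)
    $inToken = $tokenGroups -contains $group
    $listed  = @($members | Where-Object {
        $_.EndsWith($me, [StringComparison]::OrdinalIgnoreCase) }).Count -gt 0

    if ($inToken)    { $verdict = 'OK: group is in the current logon token' }
    elseif ($listed) { $verdict = 'Member, but not in token: log off and on again' }
    else             { $verdict = 'Not in token and not listed directly: add the account or one of its groups' }

    New-Object PSObject -Property @{
        Group = $group; InToken = $inToken; ListedDirectly = $listed
        DirectMembers = ($members -join '; '); Verdict = $verdict
    } | Select-Object Group, InToken, ListedDirectly, Verdict, DirectMembers
}
```

A group that is listed but missing from the token matches the stale-token case the post describes; membership through a nested domain group shows up only in the InToken column.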
  • I finally managed to install Enterprise Console. I had tried and failed three times on different machines and the only thing they had in common was membership of the same domain. After reading through the FAQs and KB articles (see 61397),

    I decided to delete all Sophos groups and some users from the AD, uninstall Enterprise Console and start again; it worked fine.

    Earlier installs had created lots of different users and groups which I was reluctant to delete in case they were needed by Sophos. I did not know that they would be re-created by the installer as needed.

    Thanks for all the interesting contributions.

    Regards

    Frank

    :251