Enterprise console4.5/client9.5 - all PCs greyed out and won't report back, Help please!!

I had to reinstall the console and it assigned itself a new certificate, which was different to all the certificates on the existing clients (I was unable to back up). When I reprotected the clients from the new console, it did not automatically dish out a new certificate.

How do I distribute the new certificate?

Note: We have far too many computers to reinstall Sophos on. Plus many remote users :(

Cheers

:8665


  • Update: Please see the last thread in this post for the latest script, as it has gone through a few revisions and it's hard to keep track.  There is now an HTA that generates a script to make things easier.  Also fixed a bug in the function that determines if the machine is 64 or 32.  It got the hardware platform rather than the OS before.

    ===

    Hello,

    Are you able to run a script on them all easily, e.g. a start-up script?  I wouldn't want to write a script that you couldn't run.  That being said, here are the steps that need to be performed on the clients without re-protecting.  I would suggest running the steps manually on one "Client" machine first to check they work and the machine becomes managed again in SEC.

    1. On the "guinea pig" client stop the services:
       "Sophos Message Router"
       "Sophos Management Agent"

    2. If it exists, delete the file mrinit.conf.orig from "\program files\sophos\remote management system\".

    3. Copy the new files "cac.pem" and "mrinit.conf" from the CID/distribution point and place them in:
       \program files\sophos\remote management system\
       on the client.

    Note: The new mrinit.conf should be opened in Notepad to check that the parent address values are right and that the values:
       HKEY_LOCAL_MACHINE\SOFTWARE\Sophos\Certification Manager\CertAuthStore\RouterKey
       HKEY_LOCAL_MACHINE\SOFTWARE\Sophos\Certification Manager\CertAuthStore\ManagedAppKey
       HKEY_LOCAL_MACHINE\SOFTWARE\Sophos\Certification Manager\CertAuthStore\DelegatedManagerKey
    on the management server align with the values in the mrinit.conf, to ensure the version of mrinit.conf in the CID and all over the server is the same.

    4. Delete from the client the registry keys and values:
       HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Sophos\Messaging System\cac
       HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Sophos\Messaging System\CertificationIdentityKeys\CertificationIdentityKey
       HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Sophos\Messaging System\Router\Private\pkc
       HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Sophos\Messaging System\Router\Private\pkp
       HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Sophos\Remote Management System\CertificationIdentityKeys\ManagedApplication
       HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Sophos\Remote Management System\ManagementAgent\Private\CertificationIdentityKey
       HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Sophos\Remote Management System\ManagementAgent\Private\pkc
       HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Sophos\Remote Management System\ManagementAgent\Private\pkp

    5. Run on the client (needs to be as an admin):
       \program files\sophos\remote management system\clientmrinit.exe

    6. Start the services:
       "Sophos Message Router"
       "Sophos Management Agent"

    7. Wait for the clients to get new certificates; it should only take a couple of minutes.

    The pkc and pkp values for the agent and router will be a good marker for this taking place.

    If you could check this fixes one of the clients, that would give you an approach that then needs to be automated in a script.

    Hope it helps,

    Jak

    :8667
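The seven manual steps in the reply above, automated as one PowerShell script. This is an added example, not Jak's script from the thread (which is not reproduced on this page); it assumes the CID share path supplied as `$CidPath` (placeholder), that `cac.pem` and `mrinit.conf` sit at the CID root, and that on 32-bit Windows the same keys live under `HKLM:\SOFTWARE\Sophos` without the `Wow6432Node` element.

```powershell
#Requires -RunAsAdministrator
param([Parameter(Mandatory)][string]$CidPath)  # placeholder: your CID share, e.g. \\SERVER\SophosUpdate\CIDs\S000\SAVSCFXP
$ErrorActionPreference = 'Stop'
$services = 'Sophos Message Router', 'Sophos Management Agent'   # display names from the post

# Locate the RMS folder (Program Files (x86) on 64-bit Windows) and the matching registry view.
$rms = @("${env:ProgramFiles(x86)}", $env:ProgramFiles) | Where-Object { $_ } |
    ForEach-Object { Join-Path $_ 'Sophos\Remote Management System' } |
    Where-Object { Test-Path (Join-Path $_ 'clientmrinit.exe') } | Select-Object -First 1
if (-not $rms) { throw 'Sophos RMS not found on this client.' }
# Assumption: 32-bit Windows uses the same keys without Wow6432Node.
$sw = if ([Environment]::Is64BitOperatingSystem) { 'HKLM:\SOFTWARE\Wow6432Node\Sophos' } else { 'HKLM:\SOFTWARE\Sophos' }

function Remove-RegEntry([string]$Path) {
    # The post's list mixes keys and values; remove whichever form exists and skip anything already absent.
    if (Test-Path -LiteralPath $Path) { Remove-Item -LiteralPath $Path -Recurse -Force; return }
    $parent = Split-Path $Path -Parent; $leaf = Split-Path $Path -Leaf
    if (Get-ItemProperty -LiteralPath $parent -Name $leaf -ErrorAction SilentlyContinue) {
        Remove-ItemProperty -LiteralPath $parent -Name $leaf -Force
    }
}
# Step 1: stop router and agent.
$services | ForEach-Object { Get-Service -DisplayName $_ | Stop-Service -Force }
# Step 2: remove the stale mrinit.conf.orig so clientmrinit re-reads the new mrinit.conf.
Remove-Item -LiteralPath (Join-Path $rms 'mrinit.conf.orig') -Force -ErrorAction SilentlyContinue
# Step 3: copy the new CA certificate and router config from the CID (assumed to sit at the CID root).
'cac.pem', 'mrinit.conf' | ForEach-Object { Copy-Item -LiteralPath (Join-Path $CidPath $_) -Destination $rms -Force }
# Step 4: remove the identity material issued under the old console's CA.
@(
    "$sw\Messaging System\cac",
    "$sw\Messaging System\CertificationIdentityKeys\CertificationIdentityKey",
    "$sw\Messaging System\Router\Private\pkc",
    "$sw\Messaging System\Router\Private\pkp",
    "$sw\Remote Management System\CertificationIdentityKeys\ManagedApplication",
    "$sw\Remote Management System\ManagementAgent\Private\CertificationIdentityKey",
    "$sw\Remote Management System\ManagementAgent\Private\pkc",
    "$sw\Remote Management System\ManagementAgent\Private\pkp"
) | ForEach-Object { Remove-RegEntry $_ }
# Step 5: re-run clientmrinit so the client enrols against the new CA.
Start-Process -FilePath (Join-Path $rms 'clientmrinit.exe') -Wait -NoNewWindow
# Step 6: start the services again.
$services | ForEach-Object { Get-Service -DisplayName $_ | Start-Service }
# Step 7: new pkc/pkp values for router and agent mark the re-certification as done.
$private = "$sw\Messaging System\Router\Private", "$sw\Remote Management System\ManagementAgent\Private"
$deadline = (Get-Date).AddMinutes(5)
do {
    Start-Sleep -Seconds 10
    $done = @($private | Where-Object { Get-ItemProperty -LiteralPath $_ -Name pkc -ErrorAction SilentlyContinue }).Count -eq 2
} until ($done -or (Get-Date) -gt $deadline)
if ($done) { 'Client re-certified against the new console.' } else { Write-Warning 'No new pkc within 5 minutes; check the parent address in mrinit.conf.' }
```

Run it once on the "guinea pig" client first, as the post suggests, and only then push it out as a start-up script.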