Configure message relay in ver 5.2.2

I am having trouble configuring a message relay in ver 5.2.2.  I followed the instructions here:

http://www.sophos.com/en-us/support/knowledgebase/14635.aspx

It does not list ver 5.2 on that page but I cannot find any instructions anywhere that do.

The issue I have is that according to the video on that page, the ConnectionCache registry value is supposed to be 20512 to indicate that the machine has converted to a message relay.  The value is 10.

Everything else seems to indicate that it worked, although currently I have no endpoints setup to use that relay yet.  But on the relay machine itself I see that the mrinit.conf located in C:\Program Files (x86)\Sophos\Remote Management System is the one I modified and does list itself as the "ParentRouterAddress".  I understand this is how you would confirm that an endpoint had pulled its configuration from this machine.

  • The utility responsible for setting this config as part of the RMS install is clientmrinit.exe.

    This is the executable that reads the customised mrinit.conf file and determines if this computer is to be the relay.  

    If yes, then the router is "upgraded" to a server class router and the registry keys are updated.

    Can you find the log file this exe creates under \windows\temp, it's called clientmrinit something?

    Regards,

    Jak

  • I see a number of Sophos logs in that folder but none of them have mrinit in the title.  I have removed and re-added the AV software a few times on this machine to try and trigger it to turn into a relay, so I have several versions of some logs.  What I have is:

    Sophos Anti-Virus CustomActions Log_xxxx  <--Eight of these

    Sophos Anti-Virus Install Log_xxxx  <--Eight of these

    Sophos Anti-Virus Major CustomActions Log_  <--Two of these

    Sophos AutoUpdate Setup log  <--One of these

    Sophos RMS install log  <--One of these

    Sophos RMS Install Log_xxxx  <--Four of these

    The Sophos RMS install log mentions clientmrinit in a few places.  Most of them appear irrelevant but there are these entries if they mean anything:

    MSI (s) (C8:64) [15:14:03:293]: Skipping action: RunClientMRInit (condition is false)

    MSI (s) (C8:64) [15:14:03:324]: WIN64DUALFOLDERS: Substitution in 'C:\Program Files (x86)\Sophos\Remote Management System\ClientMRInit.exe' folder had been blocked by the 1 mask argument (the folder pair's iSwapAttrib member = 0).

  • I was watching the movie again at that link I provided above and I realized there is something I did not do that may be relevant.  The machine I am trying to turn into a relay (I will call it RelayServer) was already an update manager.  So it already had a distribution point on it.  I did not create a new one.  At around the 5 minute point on the video they are adding the remote server as a distribution point for the main server.  I did not do this since RelayServer already had a distribution point.  If I try and do this now it won't let me because the distribution point on RelayServer is called SophosUpdate, so when I try and add the folder \\RelayServer\SophosUpdate as a distribution point on the main server I get:

    The location '\\RelayServer\SophosUpdate' ends with the reserved folder name 'SophosUpdate'.  Please choose another location.

    Unless I am mistaken, the distribution point on RelayServer that was created in the process of making it an update manager should be getting updated from the main server anyway.   But if I look at the distribution tab for the main server the only distribution point listed is \\MainServer\SophosUpdate.  So maybe this is my problem?

    I used the instructions from the Sophos Enterprise Console Advanced Startup Guide for ver 5.2.  Basically I installed an additional console on RelayServer then rebooted and ran \\MainServer\SUMInstallSet\Setup.exe on RelayServer.  This installed update manager on RelayServer and created the distribution point \\RelayServer\SophosUpdate. 

    Then I followed all of the other instructions as in the video: modified the mrinit file, copied it to the rms subdirectory, ran ConfigCID.exe on the main server while indicating the appropriate directory on RelayServer,  and then used various methods to push the protection to RelayServer to try and trigger it to turn into a message relay.  I also did not have to create a group or an update policy for RelayServer since they already existed.

  • Hello PBJ_Family,

    a SUM (whether on the management server or on some other computer) always creates (and deploys to) the default \\Self\SophosUpdate share. It fetches the updates from either the Sophos Warehouse or the Warehouse maintained and provided by another SUM in the same hierarchy. The Source and Distribution points for a specific SUM are configured in the Update managers view.

    the distribution point on RelayServer [...] should be getting updated from the main server anyway

    A CID's contents are made available to the endpoints by either Windows file services or a Webserver - neither necessitates an additional SUM. 

    A relay doesn't need to be a SUM, a server running a SUM doesn't have to act as a relay. In order to act as a relay a (potential) RelayServer has to update from a CID with an appropriate mrinit.conf (one that "names" RelayServer in ParentRouterAddress). In this case it would expect to find its upstream router at MRParentAddress (MRP). If RMS detects that the local computer matches MRParentAddress it assumes it's running on the management server. If neither matches RMS assumes it's on a "simple" endpoint and uses ParentRouterAddress (PR).

    Normally you'd want that some of the endpoints talk directly to the management server and some go through the relay. In this case you need (at least) two CIDs: One with an mrinit.conf where both MRP and PR point to the management server and the other (from which the RelayServer and all endpoints that should use it have to update) where PR points to RelayServer. The location of the CIDs and which SUM maintains them is unimportant but with a SUM on RelayServer it's only reasonable that the "relay CID" is maintained by and on the RelayServer.  

    I hope it is clearer now.

    BTW - while a relay is only meaningful in conjunction with SEC it's not a feature of SEC and thus not (directly) dependent on its version. It's RMS which provides this function, therefore the Applies to in article 14635 is perhaps not ideal (apart from the fact that it's incomplete).

    Dunno what happened to the ClientMRInit logs (or the calls to ClientMRInit.exe) though.     

    Christian   

  • Hi Christian

    Thanks for your response.  Unfortunately nothing in your post really tells me what is wrong or how to fix it.  RelayServer is named as the PR both for itself and a couple machines now deployed in that site.  And yet it hasn't converted itself to a relay. 

  • Hello PBJ_Family,

    it hasn't converted itself to a relay

    is it "just" the ConnectionCache value which isn't as expected? If there are already endpoints which are supposed to use the relay it should be rather easy to determine that it basically works:

    • the endpoints appear in the console
    • in the Router-yyyymmdd-hhmmss.logs on the management server appear lines containing origin=Router$RelayServer:nnnnn.Router$SomeEndpoint:mmmmm.Agent
    • in the router logs on the relay you see apparent traffic from/to the endpoints

    If you open the file ReportData.xml in %ProgramData%\Sophos\Remote Management System\3\Router\NetworkReport\ with a browser the last item is RMS router type.

    I've never seen that the ConnectionCache value hasn't changed but then you don't install relays in vast numbers. I see an additional value HostIPToParent which obviously holds the "parent(i.e. management server)-facing" IP. 

    I'd try to "demote" the relay by instructing it to update from the main CID (if this is possible) watching for changes (registry and NetworkReport) and then re-promote it by redirecting it to the correct CID.

    Christian

  • Hi Christian

    Thanks again for the follow-up.  The connection cache reg key was the only point I was stuck on since that was the only indicator that I knew of to check for conversion to a relay.  The info you gave me would seem to further confirm that it is not a relay.  The Router-yyyymmdd-hhmmss.logs on MainServer show RelayServer talking to it but it looks no different than any other endpoint.  Specifically it does not look like origin=Router$RelayServer:nnnnn.Router$SomeEndpoint:mmmmm.Agent; it looks like origin=Router$RelayServer:9002.Agent without appearing to be routing any of the other endpoints through it.  On RelayServer itself however I do in fact see the same logs indicating that the endpoints in that site are contacting RelayServer itself.  So it looks like the other endpoints have the configuration to talk to RelayServer but RelayServer itself is not sorting out that it needs to be a relay.  The last clue is the ReportData.xml file on RelayServer which you mentioned; it lists RMS router type as endpoint.  This same XML file lists Router$RelayServer:9002 under 'RMS router name'. 

    The reg value for HostIPToParent is not an IP address.  It has a hex value which of course means nothing to me and a decimal value of 3232264199.  So I have no clue what that is indicating.

    What method would you recommend for demoting and re-promoting?  Can I move RelayServer to a different group on MainServer and then update policies?  Or should I reprotect it after having done that?

    I have 4 total physical sites and each of the remote sites is going to get one of these update/relay servers.  Today I was going to start building another one in another site so I will soon be able to tell if this is an anomaly or if the problem will happen again on another machine.

    All of these servers are running Server 2012 R2 if that makes any difference.

    Any chance clientmrinit.exe can be run manually?

  • I am suspecting a failure in the install package somewhere.  I have UAC turned off by GPO so I wonder if that has anything to do with it.  I do not see logs indicating that clientmrinit.exe was ever run on either MainServer or RelayServer.  For purposes of this conversation let's say that MainServer is in site A and RelayServer is in site B. 

    Site B now has two more protected servers, one is running Server 2012 R2 and one is running Server 2008 R2.  Both of them have log files indicating that clientmrinit.exe was run successfully however the log files may be indicating a problem on RelayServer itself.  Here is the log from the Server 2008 R2 server.

    12.03.2015 14:12:33 0CD0 I SOF: C:\Windows\TEMP/ClientMRInit-20150312-201233.log
    12.03.2015 14:12:33 0CD0 D ClientMRInit installing
    12.03.2015 14:12:33 0CD0 D mrfile=`MRInit.conf`
    cafile=`cac.pem`
    filepath=`C:\Program Files (x86)\Sophos\Remote Management System"`
    rtrname=`Router`
    logpath=`C:\Windows\TEMP`
    12.03.2015 14:12:33 0CD0 I Opening initialisation file: C:\Program Files (x86)\Sophos\Remote Management System/MRInit.conf
    12.03.2015 14:12:33 0CD0 I Opening root certificate initialisation file: C:\Program Files (x86)\Sophos\Remote Management System/cac.pem
    12.03.2015 14:12:33 0CD0 I Intelligent updating is: Off
    12.03.2015 14:12:33 0CD0 E MRInitData failed with exception: CAccessFailureException:CACertificate not found
    12.03.2015 14:12:33 0CD0 D Old certificate not present, using new.
    12.03.2015 14:12:33 0CD0 T New Message Router identity key is present.
    12.03.2015 14:12:33 0CD0 T New Managed Application identity key is present.
    12.03.2015 14:12:33 0CD0 T New Management Agent identity key is present.
    12.03.2015 14:12:33 0CD0 D CheckParentAddress( `*** NOT SET ***`->`192.168.112.7,RelayServer.MyDomain.local,RelayServer` )
    12.03.2015 14:12:33 0CD0 D IsThisComputer[192.168.112.7,RelayServer.MyDomain.local,RelayServer]
    12.03.2015 14:12:33 0CD0 D Found 3 addresses
    12.03.2015 14:12:33 0CD0 D Just use new parent
    12.03.2015 14:12:33 0CD0 I Parent router IOR port: 8192
    12.03.2015 14:12:33 0CD0 I New router IOR port: 8192
    12.03.2015 14:12:33 0CD0 I Setting router service arguments: "-ORBListenEndpoints iiop://:8193/ssl_port=8194"
    12.03.2015 14:12:36 0CD0 I ClientMRInit successful exit

  • Hello PBJ_Family,

    seem to further confirm that it is not a relay

    Indeed

    HostIPToParent

    contains the hex representation of the 4 octets, 192.168.112.7

    Can I move RelayServer to a different group

    Yes, any group with an updating policy pointing to a CID for the central part will do, but the CID must be customized (read: mrinit.conf in the RMS subdirectory). Dunno if it will work correctly as RelayServer looks "half-configured" but it's worth a try.

    clientmrinit.exe can be run manually?

    Likely  but I'm not sure about the arguments.

    Christian

  • I ran clientmrinit.exe manually on RelayServer and it generated a log file locally instead of in the temp file.  That file may be some help. It looks like this:

    16.03.2015 10:29:01 0D64 I SOF: ./ClientMRInit-20150316-162901.log
    16.03.2015 10:29:01 0D64 D ClientMRInit installing
    16.03.2015 10:29:01 0D64 D mrfile=`MRInit.conf`
    cafile=`cac.pem`
    filepath=`.`
    rtrname=`Router`
    logpath=`.`
    16.03.2015 10:29:01 0D64 I Opening initialisation file: ./MRInit.conf
    16.03.2015 10:29:01 0D64 I Opening root certificate initialisation file: ./cac.pem
    16.03.2015 10:29:01 0D64 I Intelligent updating is: On
    16.03.2015 10:29:01 0D64 D CA certificates are the same, no action taken.
    16.03.2015 10:29:01 0D64 I Message Router identity keys match.
    16.03.2015 10:29:01 0D64 I Managed Application identity keys match.
    16.03.2015 10:29:01 0D64 I Management Agent identity keys match.
    16.03.2015 10:29:01 0D64 D CheckParentAddress( `192.168.2.22,MainServer.MyDomain.local,MainServer`->`192.168.112.7,RelayServer.MyDomain.local,RelayServer` )
    16.03.2015 10:29:01 0D64 D IsThisComputer[192.168.112.7,RelayServer.MyDomain.local,RelayServer]
    16.03.2015 10:29:01 0D64 D Found 3 addresses
    16.03.2015 10:29:01 0D64 I Found matching address for this computer: 192.168.112.7
    16.03.2015 10:29:01 0D64 W Message Relay will not be modified/commisioned since 'intelligent updating' is enabled
    16.03.2015 10:29:01 0D64 I Parent router ports match, no action taken: 8192
    16.03.2015 10:29:01 0D64 I Router IOR ports match, no action taken: 8192
    16.03.2015 10:29:01 0D64 D Router service args are the same (-ORBListenEndpoints iiop://:8193/ssl_port=8194), no change.
    16.03.2015 10:29:01 0D64 W New configuration will not be applied since 'intelligent updating' is enabled.

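As an added diagnostic example (not code from the thread or from Sophos), the Python below decodes the HostIPToParent REG_DWORD the way Christian describes (four big-endian octets) and parses the two ClientMRInit log excerpts quoted above to tell a plain endpoint, a commissioned relay and a relay candidate whose commissioning was blocked apart. The log excerpts are constructed copies of lines from the thread; treating the 'intelligent updating' warning as the blocker is an assumption drawn from the last log.

```python
import re
from ipaddress import IPv4Address

# Constructed excerpts of the two ClientMRInit logs quoted in the thread.
LOG_RELAYSERVER = """\
16.03.2015 10:29:01 0D64 I Intelligent updating is: On
16.03.2015 10:29:01 0D64 D CheckParentAddress( `192.168.2.22,MainServer.MyDomain.local,MainServer`->`192.168.112.7,RelayServer.MyDomain.local,RelayServer` )
16.03.2015 10:29:01 0D64 I Found matching address for this computer: 192.168.112.7
16.03.2015 10:29:01 0D64 W Message Relay will not be modified/commisioned since 'intelligent updating' is enabled
"""
LOG_ENDPOINT = """\
12.03.2015 14:12:33 0CD0 I Intelligent updating is: Off
12.03.2015 14:12:33 0CD0 D CheckParentAddress( `*** NOT SET ***`->`192.168.112.7,RelayServer.MyDomain.local,RelayServer` )
12.03.2015 14:12:33 0CD0 D Just use new parent
12.03.2015 14:12:36 0CD0 I ClientMRInit successful exit
"""

PARENT_RE = re.compile(r"CheckParentAddress\( `(.*?)`->`(.*?)` \)")


def host_ip_to_parent(dword):
    """Render the HostIPToParent DWORD as a dotted quad (octets in big-endian order)."""
    return str(IPv4Address(dword & 0xFFFFFFFF))


def diagnose(log_text):
    """Summarise what ClientMRInit decided about this computer from its log lines."""
    result = {"intelligent_updating": None, "old_parent": None, "new_parent": None,
              "matches_this_computer": False, "blocked": False}
    for line in log_text.splitlines():
        msg = line.split(" ", 4)[-1]  # drop "date time thread level" prefix
        if msg.startswith("Intelligent updating is:"):
            result["intelligent_updating"] = msg.split(":")[-1].strip() == "On"
        m = PARENT_RE.search(msg)
        if m:  # old -> new ParentRouterAddress, new one is "ip,fqdn,host"
            result["old_parent"], result["new_parent"] = m.group(1), m.group(2).split(",")
        if msg.startswith("Found matching address for this computer"):
            result["matches_this_computer"] = True  # this host IS the named relay
        if "will not be modified" in msg or "will not be applied" in msg:
            result["blocked"] = True  # assumption: the warning means no commissioning
    if result["matches_this_computer"] and not result["blocked"]:
        result["role"] = "relay"
    elif result["matches_this_computer"]:
        result["role"] = "relay candidate, not commissioned"
    else:
        result["role"] = "endpoint"
    return result


if __name__ == "__main__":
    print(host_ip_to_parent(3232264199), diagnose(LOG_RELAYSERVER)["role"])
```

Comparing host_ip_to_parent() against the first field of new_parent gives a quick check that the registry and mrinit.conf agree on which parent router the host expects.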