Configure message relay in ver 5.2.2

I am having trouble configuring a message relay in ver 5.2.2.  I followed the instructions here:

http://www.sophos.com/en-us/support/knowledgebase/14635.aspx

It does not list ver 5.2 on that page but I cannot find any instructions anywhere that do.

The issue I have is that according to the video on that page, the ConnectionCache registry value is supposed to be 20512 to indicate that the machine has converted to a message relay.  The value is 10.

Everything else seems to indicate that it worked, although currently I have no endpoints setup to use that relay yet.  But on the relay machine itself I see that the mrinit.conf located in C:\Program Files (x86)\Sophos\Remote Management System is the one I modified and does list itself as the "ParentRouterAddress".  I understand this is how you would confirm that an endpoint had pulled its configuration from this machine.

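The three indicators the poster inspects by hand (the ConnectionCache registry value, ParentRouterAddress in mrinit.conf, and the 'RMS router type' entry in ReportData.xml) can be gathered in one go. The following PowerShell is an added example written for this page; it is not code from the thread or from Sophos. Only the values 20512 (relay) and 10 (endpoint), the RMS install directory, and the three file/value names come from the thread; the registry key path, the `"Key"="Value"` line format assumed for mrinit.conf, and the ReportData.xml location are assumptions and may need adjusting for your installation.

```powershell
# Added example (not from the original thread). Collects the relay indicators
# the first post checks manually, on the candidate relay machine itself.
# ASSUMPTIONS (not stated in the thread): the Router registry key path, the
# "Key"="Value" line format of mrinit.conf, and the ReportData.xml location.

function Get-MrinitValues {
    param([Parameter(Mandatory)][string]$Path)
    # Assumes lines of the form  "ParentRouterAddress"="RELAYSERVER"
    $values = @{}
    foreach ($line in Get-Content -LiteralPath $Path) {
        if ($line -match '^\s*"([^"]+)"\s*=\s*"([^"]*)"\s*$') {
            $values[$Matches[1]] = $Matches[2]
        }
    }
    return $values
}

function Test-RelayConversion {
    [CmdletBinding()]
    param(
        # The thread names the (x86) path on a 64-bit host; plain Program Files is the 32-bit case.
        [string]$RmsDir = (@(
            "${env:ProgramFiles(x86)}\Sophos\Remote Management System",
            "$env:ProgramFiles\Sophos\Remote Management System"
        ) | Where-Object { Test-Path -LiteralPath $_ } | Select-Object -First 1),
        # ASSUMPTION: key under which the Router stores ConnectionCache.
        [string]$RouterKey = 'HKLM:\SOFTWARE\Wow6432Node\Sophos\Messaging System\Router',
        # ASSUMPTION: location of ReportData.xml; pass the real path if it differs.
        [string]$ReportData = "$env:ProgramData\Sophos\Remote Management System\3\Router\ReportData.xml"
    )

    $result = [ordered]@{
        ComputerName             = $env:COMPUTERNAME
        ParentRouterAddress      = $null
        ParentIsThisHost         = $false   # the poster's sign that the relay config was picked up
        ConnectionCache          = $null
        ConnectionCacheSaysRelay = $false   # 20512 = relay, 10 = still an endpoint (per the thread)
        ReportDataRouterType     = $null
    }

    if ($RmsDir) {
        $conf = Join-Path $RmsDir 'mrinit.conf'
        if (Test-Path -LiteralPath $conf) {
            $parent = (Get-MrinitValues -Path $conf)['ParentRouterAddress']
            $result.ParentRouterAddress = $parent
            if ($parent) {
                # Accept either the short name or the FQDN of this machine.
                $self = @($env:COMPUTERNAME)
                try { $self += [System.Net.Dns]::GetHostEntry([System.Net.Dns]::GetHostName()).HostName } catch {}
                $result.ParentIsThisHost = [bool]($self -contains $parent)
            }
        }
    }

    $item = Get-ItemProperty -LiteralPath $RouterKey -Name ConnectionCache -ErrorAction SilentlyContinue
    if ($item) {
        $result.ConnectionCache = [int]$item.ConnectionCache
        $result.ConnectionCacheSaysRelay = ($result.ConnectionCache -eq 20512)
    }

    if (Test-Path -LiteralPath $ReportData) {
        # Plain text search: the thread only says the file "shows 'RMS router type'".
        $hit = Select-String -LiteralPath $ReportData -Pattern 'RMS router type' -SimpleMatch |
               Select-Object -First 1
        if ($hit) { $result.ReportDataRouterType = $hit.Line.Trim() }
    }

    return [pscustomobject]$result
}

Test-RelayConversion | Format-List
```

If ParentIsThisHost is true but ConnectionCache is still 10, the mrinit.conf was picked up but the conversion itself has not run; the thread later traces that to 'Allow Location Roaming' in the update policy blocking RMS reconfiguration, after which running clientmrinit.exe by hand completed it.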
  • Well I got to 3/4 configured.  Looks like having 'Allow Location Roaming' turned on in the update policy was preventing RelayServer from converting to a relay.  I turned that off and manually ran clientmrinit.exe and the log indicated it had converted.  Now the connection cache reg key has been changed to 20512 as expected.  I also see Router logs on MainServer indicating that RelayServer is relaying messages for the other two servers there.  The only thing that doesn't appear correct now is that the ReportData.xml file still shows 'RMS router type' as endpoint.

    I think I have enough now to build the second update/relay server at a remote site and if it proceeds smoothly I may rebuild this one from scratch.

  • Hello PBJ_Family,

    good work - and you've spotted the problem.

    Indeed Location Roaming (AKA Intelligent Updating) prohibits any RMS reconfiguration (didn't think of it). As the endpoint will only update from a CID managed by the same console - why this restriction? The obvious downside is that an endpoint might not be able to communicate with the console while it is "out of town". One harmful scenario though is that at the remote site Location Roaming is not enabled. The endpoint would then configure RMS and its updating policy for the remote location. Returning, it would not only fail to update but, due to the inappropriate RMS configuration, be unable to contact the console and receive the correct policy. Any RMS reconfiguration also means that in a migration scenario the endpoints won't pick up the changes to mrinit.conf.

    Rereading Enterprise Console: configuring message relay computers I wonder if you've enabled Location Roaming because of the note in paragraph 2? Dunno if Sophos intends to change the AutoUpdate logic as RMSNT is never downloaded from location Sophos and thus there's no risk that the RMS configuration could be changed when the endpoint updates from Sophos.

    Christian 

  • Well I built a second update/relay server in another remote site and I basically have the same problem.  It won't convert itself to a relay.  I am sure I can run clientmrinit.exe manually and do it but that doesn't seem to be doing everything it should since the ReportData.xml file doesn't indicate that it is a relay.

    The only thing I have done differently on this machine than the instructions to create the relay is that I actually installed the official Setup.exe to make it a SUM first.  I even created a separate distribution point and everything and it still will not convert to a relay.

    I am going to reinstall from scratch and follow the directions exactly (without installing the SUM).  Also, yes, the instructions actually say "Note: If you are using "Sophos" as Secondary update location it is recommended to enable the option "Allow location roaming" to prevent the client from changing the Message Relay configuration as long as it is getting updates from Sophos."

    I am using Sophos as the secondary.  But I also have laptops in the site and was planning to use the same update policy for everything although at this point I have already created multiple update policies for each site to try and get the relay server to not have that enabled.

  • Hello PBJ_Family,

    well, there's a twist but I have no experience with it: The SUM installer comes with its own RMS, version 4.0. The Endpoint product (which provides the relay feature) uses version 3.4. SUM 1.5.2 and higher takes over RMS updating (it downloads the product from the Warehouse, not the CID). While AutoUpdate still downloads and updates RMS from the CID (3.4.x) the install is effectively a no-op as a higher-versioned product is already installed and consequently ClientMRInit is not called (I've just tested it).

    I've no idea how this is supposed to work in the future. Right now it seems that you should install endpoint first, make sure the endpoint has converted to a relay and then install SUM.

    BTW - you can use aliases in practically all places, quite handy not only for migration but if your sites have their own DNS you can apply them to update locations and RMS as well (I've mentioned it for example here).  You'd set ParentRouterAddress to (just) the alias, say, relayserver.acme.com which resolves to the SEC server at the main site and the respective relay at the remote sites.

    Allow location roaming

    Dunno if changes are planned with RMS 4.0 and the associated AutoUpdate - as said, at the moment RMSNT is not downloaded from Sophos.

    Christian

  • Hi Christian

    I really appreciate your continued help with this.

    I seem to have independently discovered some of what you posted in the last post.  I did conclude that the SUM install prior to converting to a relay was the problem.  I discovered that if I uninstalled SUM the reg keys associated with message relay were deleted even though the endpoint was still installed.  I also confirmed (after uninstalling everything and reprotecting the server) that trying to convert to a relay straight away before installing SUM or the console worked exactly as it was supposed to.

    So I agree that the best process is to make the server a relay first, then install SUM.  I have also concluded that there is no good reason to install the console on these remote servers since it just connects back to the main server anyway.  It just winds up being a slower way to accomplish the same configurations.

    I am reloading the OS on one of my remote servers now but my plan is to convert the machine to a relay first.  I have created additional distribution points on the main server in the main site just for this purpose.  Only the remote relay/update servers in each site will use each of these distribution points.  Once the remote servers are converted to relays I will install SUM and then setup the mrinit.conf files in the SUM distribution points to make these remote servers the update managers and installation points for each site.

  • So of course this doesn't work.  If you try and install SUM after it is configured as a relay it gives you an error:

    "You are attempting to install Sophos Update Manager onto an already-managed computer.

    You must uninstall Sophos Remote Management System from this computer first before attempting to install Sophos Update Manager onto this computer.

    You should then re-protect this computer from the Enterprise Console that is used to manage Sophos Update Manager."

    This is getting annoying. 

    I created a support ticket.

  • Hello PBJ_Family,

    This is getting annoying

    indeed. Kudos for your reports

    You must uninstall Sophos Remote Management System from this computer first

    Now that you mention it - I've seen a similar message before (back then when there were Beta-tests) but frankly can't remember whether it was a full SEC install or "just" a SUM. My production SUM/relay servers have been built a while ago and I'm not in the mood I don't have the infrastructure at hand it's not that simple (looks like SUMInstallSet is built when you install SEC and not updated afterwards. Mine still contain SUM 1.4.2 and RMS 3.4 so testing with the current versions means to install/upgrade SEC as well) to perform extensive tests.

    It's Support who have to come up with a general solution. As said, I can't test right now but: SUM is installed from the SUMInstallSet share. Whatever mrinit.conf you put there is used to configure RMS. Unless it doesn't work at all installing SUM with the desired mrinit.conf in the install location should do it.

    Christian

  • You got it exactly Christian, you have to modify the mrinit.conf file in the SUMInstallSet folder prior to installing the SUM.  I actually called Sophos about it.  Here is the KB for what I was trying to accomplish. Works perfectly.

    http://www.sophos.com/en-us/support/knowledgebase/111484.aspx

    After this post I will see if I can change the thread topic to more accurately reflect what I was looking to do. EDIT: Nope, can't edit it now.  Oh well.

    You explained something else I had observed though.  When I first install a SUM from that SUMInstallSet folder on the SEC server, it appears in the Update Manager list in the SEC as a lower version.  But after some time it updates.  So I think that older version in there doesn't matter so much.

    Well this adventure got me up to speed on a lot of aspects of Sophos antivirus.  I have the UTM and SafeGuard coming up soon.  Hopefully the google fodder in this thread will be helpful for someone.

    Thanks again for all the help.

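The resolution in the last post (change ParentRouterAddress in the mrinit.conf inside the SUMInstallSet share before running the SUM installer) and Christian's earlier suggestion of pointing ParentRouterAddress at a DNS alias such as relayserver.acme.com both come down to editing one value in a copy of mrinit.conf. The PowerShell below is an added example written for this page, not code from the thread or from Sophos. The `"Key"="Value"` line format of mrinit.conf, the ASCII encoding it writes, and the share path in the usage line are assumptions; only the file name, the ParentRouterAddress key and the SUMInstallSet share name come from the thread.

```powershell
# Added example (not from the original thread). Rewrites ParentRouterAddress in
# a given mrinit.conf (e.g. the copy in the SUMInstallSet share, to be edited
# before the SUM installer runs), keeps a backup, and re-reads the file to
# confirm the edit. With -RequireDnsResolution it first checks that the target
# name resolves, which matters when the value is a per-site DNS alias.
# ASSUMPTIONS: "Key"="Value" line format; the file is plain ASCII; share layout.

function Set-MrinitParentRouter {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$Path,                 # path to the mrinit.conf to edit
        [Parameter(Mandatory)][string]$ParentRouterAddress,  # host name or DNS alias
        [switch]$RequireDnsResolution
    )

    if ($RequireDnsResolution) {
        try   { $null = [System.Net.Dns]::GetHostAddresses($ParentRouterAddress) }
        catch { throw "'$ParentRouterAddress' does not resolve from this host: $_" }
    }

    # Only the ParentRouterAddress line is touched; everything else is copied through unchanged.
    $pattern = '^(\s*"ParentRouterAddress"\s*=\s*")[^"]*(".*)$'
    $matched = $false
    $new = foreach ($line in Get-Content -LiteralPath $Path) {
        if ($line -match $pattern) {
            $matched = $true
            $Matches[1] + $ParentRouterAddress + $Matches[2]
        } else {
            $line
        }
    }
    if (-not $matched) { throw "No ParentRouterAddress line found in $Path; is this an mrinit.conf?" }

    $backup = "$Path.$(Get-Date -Format yyyyMMddHHmmss).bak"
    if ($PSCmdlet.ShouldProcess($Path, "set ParentRouterAddress=$ParentRouterAddress (backup: $backup)")) {
        Copy-Item -LiteralPath $Path -Destination $backup
        # ASSUMPTION: the shipped file is plain ASCII; change -Encoding if yours carries a BOM.
        Set-Content -LiteralPath $Path -Value $new -Encoding Ascii

        # Verify by re-reading rather than trusting the in-memory copy.
        $written = @(Get-Content -LiteralPath $Path | Where-Object { $_ -match $pattern })
        if (-not ($written -match [regex]::Escape($ParentRouterAddress))) {
            throw "Verification failed: ParentRouterAddress in $Path is not '$ParentRouterAddress'"
        }
    }

    [pscustomobject]@{
        Path                = $Path
        ParentRouterAddress = $ParentRouterAddress
        Backup              = $backup
    }
}

# Usage (share path is an assumption about your layout). Run with -WhatIf first.
Set-MrinitParentRouter -Path '\\SECSERVER\SUMInstallSet\mrinit.conf' `
                       -ParentRouterAddress 'relayserver.acme.com' `
                       -RequireDnsResolution -WhatIf
```

Because the SUM installer takes whatever mrinit.conf sits in the install location, a wrong value here lands on the new server as its RMS parent; the backup and the post-write check are there so the share can be restored and the edit proven before anyone installs from it. After installation, the ConnectionCache value (20512 for a relay) and the Router logs on the main server, as described earlier in the thread, confirm the result.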