This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Endpoint secV9 and Standalone computers, not showing in enterprise console

Hello,

I've setup and configured a Windows 2003 r3 sp2 standard server, with Endpoint v9 and Enterprise console v4.

Due to business needs, i need to allow some non-domain\non-network hosts to update via this server.

I've followed the KB regarding the installation and configuration of a standalone computer using my server as update repository, everything is fine.

I've used the standalone package on the sophos website and then change the update repository to my http://PublicIP server

But, i dont see the external hosts in the enteprise console .

What i miss ?

Searching in the KB, i've found an article about creating a self installer package for standalone computers, but it's a dead end ( page 404 )

Thanks in advance.

Stefano

:726


This thread was automatically locked due to age.
  • Hello Stefano,

    for a client to show in SEC it has to have the remote management (RMS) system installed and configured. Search for mrinit.conf. Although article 14635 is about message relays you might find the information in section 1.2 and 1.3 useful.

    Assuming your clients update using SMB (i.e. they update from the share, not using http) you might as well run the installer from the CID - then RMS will be set up correctly.

    As for the installer I think the article will soon be available. Meanwhil you can use the one for SEC 3.

    Christian

    :727
  • Thanks QC,

    I'll check the KB and let you know, the external clients doesnt update via smb ( port not opened to the external network ) if possibile i want to make all the updates via http and manage via sec.

    Regards.

    Stefano

    :731
  • Thanks

    Btw, i've followed the kb for the V3 and created a customized package for this kind of clients, it gets the default policy\software configuration as the lan computer, ad example the udpate path is \\SERVERNAME\SohposUpdate.

    If i'm correct i nedd to:

    On UPDATE MANAGER

    1. create a new subscription ( ad.ex ExternalClients )

    2. modify its setting to download the client for the os needed

    3. Associate it on my update server ( it's all on a single server ),

       3.a accessing on the modify option on the update server

       3.b tab subscriptions: moving the new subscription to the right pane

       3.c tab distribution: selecting the new subscription from  the drop-down end adding a new share ( \\SERVERNAME\Webupdate )

    now when i update the subscriptions, it will put the downloaded files on \\SERVERNAME\Webupdate\CID\...

    then,

    4. create an update policy ( ex. webupdate )

    5. modifying it providing the update path in a http way: HTTP://PUBLICIP/Webupdate with user\psw .

    6. create an antivirus policy ( ex. webclients )

    7. modifying it with the needed permissions

    now i should have the custom policies for my external clients, then i can follow the kb for creating a standalone package exporting the two newly-created policies .

    Is it correct or i'm missing something ?

    Thanks in advance

    Stefano

    :749
  • Back to the basics, Stefano. I think there might be a misunderstanding.

    Now I don't follow the order of the tasks necessary to protect and manage the clients but I'll start with the "target configuration" explaining some things and try to work backwards.

    In a running environment there are two "communication paths" from client to server

    1. Updating:
      -  you can either use SMB (shares) or http ("WebCID"). The contents are the same so you can simply publish the share on the web (it has been discussed already here) - you don't need an extra subscription for this
      - thus you need either port 445 (or the "older" NetBIOS ports) open into your domain or at least a port for http to the webserver
    2. Management (this is a crude description, I'll spare you the rather complex details), aka RMS
      - clients talk to the server using ports 8192-8194 on the server and the server either actively sends messages to the client using 8192-8194 on the client ("two-way" communication) or by sending them as "replies" when the client contacts the server.
      - minimum requirement is ports 8192-8194 to the server from "the Internet" (or better by using a message relay in the DMZ as described in article 14635, which in turn must have a communication path to the management server)

    What is the necessary configuration?

    1. Updating
      - in principle all you clients could use the same configuration. Specify the share as primary and the WebCID as secondary location. Outside clients will try SMB and as this fails they will fall back using the WebCID. Voilà.
      - to build the installer you need the sauconf.xml file as described 
    2. RMS
      - this is where mrinit.conf comes into play. By default it is set up that your clients will talk directly to the server
      - if you don't want this, you have two options
        a) use the message relay for all clients (inside and outside). It requires some careful setup for the management server and relay though
        b) use the direct path for inside and the relay for outside. You need two CIDs (or better: an additional distribution share) but still not an extra subscription.

    That's it for short. An unofficial addition: all this can be set up quite flexible so that clients can be "switched" from the message relay to the central server or v.v. without the need to touch them. 

    One more remark: try to use aliases for the servers/services wherever possible - otherwise your (especially the) outside clients might be left stranded in case of a server replacement

    Hope this helps. Feel free to ask (if you want using PM) if you need more information.

    Christian

    :759
  • Forgot - you might also want to look at article 50832 (eben if it's a little bit confusing at first).

    Christian

    :760