
Changing IP address on Sophos Enterprise Console 4.5?

Hi folks,

I run two Sophos Enterprise Consoles for a university department. One is a 3.0 console with a few hundred clients, while the other is a freshly installed 4.5 console with only a test client.

Due to the unique network security environment in this department (all computers are on a private network, as they are connected to scientific instruments and should not be connected to the outside world), only a single IP-based exception was made in the firewall so that the clients can communicate with the console (which is located outside of the private network). Presently, the 3.0 console uses the IP with the exception. Allowing a second outside IP address (e.g. the second console) to connect to the network is infeasible for numerous reasons. The server for the 3.0 console is also in dire need of replacement, so upgrading it to 4.5 in-place is not an option either.

My intention is to configure the 4.5 console with the same groups, policies, etc. as the 3.0 console, only on a separate computer with a different IP address, then replace the 3.0 console with the 4.5 console by changing their respective IP addresses. Naturally, any certificates needed to authenticate with clients would be copied over to the appropriate places on the 4.5 console so clients could communicate with the 4.5 console.

Unfortunately, when I did a dry run using virtual machines, the 4.5 console didn't like having its IP address changed. The management console GUI couldn't connect to the management service running on the same system. Unfortunately, I've found no information on this topic on the Sophos website, nor any information in the help files. The backend of the Enterprise Console seems to be a dark, mysterious place and it's not obvious how to make these changes.

Does anyone have any tips or tricks for making this transition work? I realize that my particular setup is not exactly a common task, but surely there's some mechanism to change a console's IP address without everything dying horribly.



  • Hello PeteS,

    Naturally, any certificates needed to authenticate with clients would be copied over to the appropriate places on the 4.5 console so clients could communicate with the 4.5 console.

    Did you export/import the Certification Manager registry keys before SEC4.5 install? This is necessary. Apart from that you have to replace mrinit.conf in the CIDs.

    Unfortunately, when I did a dry run using virtual machines, the 4.5 console didn't like having its IP address changed. The management console GUI couldn't connect to the management service running on the same system

    What is the exact error message you are getting? The GUI should "find" the local server (as it doesn't use an IP address and for "local" not even the server's name). Did you also change the server's name (in which case the database connection might fail)?

    Christian

  • Did you export/import the Certification Manager registry keys before SEC4.5 install? This is necessary. Apart from that you have to replace mrinit.conf in the CIDs.

    Yes.

    What is the exact error message you are getting? The GUI should "find" the local server (as it doesn't use an IP address and for "local" not even the server's name). Did you also change the server's name (in which case the database connection might fail)?

    I'm afraid I don't have it right here, but I believe it was that the GUI couldn't connect to the local console. Same type of error as if the management service wasn't running (it was).

    I didn't think about the server name change; I had changed the name as well as the IP address. It's likely that, as you suggest, the database connection is the one that's failing. Any ideas as to how one might fix that? I'm afraid I'm more of a *nix server guy who's been given the "manage our Sophos server" hat and am not terribly familiar with Windows SQL servers and their intricacies.

  • I had changed the name as well as the IP address

    Can't check as I don't have a test server available at the moment. I think that the Sophos Management Service will fail to start if the database connection is not available. If only the database connection is the problem you can correct it by editing the registry. The key HKEY_LOCAL_MACHINE\SOFTWARE\Sophos\EE\Management Tools (or ...\Wow6432Node\Sophos... on a 64-bit OS) contains the value DatabaseConnectionMS, which looks like: Provider=SQLOLEDB;Integrated Security=SSPI;Initial Catalog=SOPHOS45;Data Source=yourservername\SOPHOS;

    The server name is used in several places though and this article (for SEC4) just says: don't.

    Do you really need to change the IP or can you run 3.0 and 4.5 in parallel for a time (and keep the new name and address)? Thinking about it ... I think the clients' RMS will "find" the new server if it has the same address as the old one. They will of course not update as the "old" CIDs no longer exist. But they should then get the new updating policies from the new server ...

    Christian

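One way to check the registry value Christian describes after a server rename, as an added PowerShell example that is not from this thread or from Sophos: it reads DatabaseConnectionMS from whichever of the two key paths exists, parses the OLE DB connection string, and compares the Data Source host with the machine's current name. The $NewServerName parameter, the -Fix switch and the backup file location are this script's own assumptions.

```powershell
# Added example (not Sophos code): inspect the SEC management-service DB connection
# string and report whether its Data Source still names the old server after a rename.
# Assumptions: key paths and value name DatabaseConnectionMS as given in the thread;
# $NewServerName and -Fix are this script's own parameters.
param(
    [string]$NewServerName = $env:COMPUTERNAME,
    [switch]$Fix
)

# 32-bit and 64-bit (Wow6432Node) locations of the Management Tools key
$candidates = @(
    'HKLM:\SOFTWARE\Sophos\EE\Management Tools',
    'HKLM:\SOFTWARE\Wow6432Node\Sophos\EE\Management Tools'
)
$key = $candidates | Where-Object { Test-Path $_ } | Select-Object -First 1
if (-not $key) { throw 'Management Tools registry key not found on this host.' }

$conn = (Get-ItemProperty -Path $key -Name DatabaseConnectionMS).DatabaseConnectionMS

# Parse the OLE DB connection string into an ordered key/value table
$parts = [ordered]@{}
foreach ($pair in ($conn -split ';' | Where-Object { $_.Trim() })) {
    $k, $v = $pair -split '=', 2
    if ($null -eq $v) { continue }   # skip fragments without a value
    $parts[$k.Trim()] = $v.Trim()
}

# Data Source is "server\instance"; only the server half depends on the hostname
$server, $instance = $parts['Data Source'] -split '\\', 2
Write-Host "Key:         $key"
Write-Host "Catalog:     $($parts['Initial Catalog'])"
Write-Host "Data Source: $($parts['Data Source'])"

if ($server -ieq $NewServerName) {
    Write-Host 'Data Source already matches the server name; nothing to change.'
    return
}
Write-Warning "Data Source host '$server' differs from '$NewServerName'."

if ($Fix) {
    # Keep a copy of the original value before touching it
    $backup = Join-Path $env:TEMP "DatabaseConnectionMS.$(Get-Date -Format yyyyMMddHHmmss).txt"
    Set-Content -Path $backup -Value $conn
    $parts['Data Source'] = if ($instance) { "$NewServerName\$instance" } else { $NewServerName }
    $newConn = ($parts.GetEnumerator() | ForEach-Object { "$($_.Key)=$($_.Value)" }) -join ';'
    Set-ItemProperty -Path $key -Name DatabaseConnectionMS -Value "$newConn;"
    Write-Host "Updated. Original value saved to $backup. Restart the Sophos Management Service."
}
```

Run it without -Fix first from an elevated prompt; it only reports, and the -Fix path writes a backup of the original value before changing anything.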
  • The server name is used in several places though and this article (for SEC4) just says: don't.

    Indeed.

    I resolved the problem by configuring the new EC with the same name (but different IP address) as the old EC. When the time came, I turned off the old EC, turned on the new EC, and changed the new EC's IP address to that of the old one.

    I need to re-deploy the clients, but it's only a few hundred computers and I need to be there anyway to configure them to use WSUS (huzzah for higher-ups deciding against using Active Directory).

    So far, so good.

  • I need to re-deploy the clients

    This should not be necessary as the clients should "talk" to the management server and therefore - as I said - receive the new updating policies and upgrade automatically.

    Christian

  • Indeed. However, I ended up not copying the CertificationManager info onto the new console this time, so I think the clients aren't authenticating properly without being redeployed. So far, none of the non-redeployed clients are communicating with the console, while all of the redeployed ones (even ones that were troublesome with the old console) are working fine.
  • Hm, it's probably not the certificates as then re-deployment wouldn't let the clients communicate (unless you manually uninstall RMS first). I'd check the Network Communications Report and the router logs for the reason (but that's just because I'm lazy and wouldn't want to re-deploy ;-) ).

    Christian
