
Migrating EC v4 to new server - updates now fail

Good evening,

Recently moved an installation of Sophos EC v4 from our old server to the new live server. Followed the Sophos Migration guide to the letter (no number just dated June 2010).

Initially tried to move everything from v4 to v4.5 but that did not work. Doh should have engaged brain first, stupid.

Then installed v4.0 on the new server and the migration seemed to go ok. EC started up fine and all the computers were present.

Selected Update Manager and tried to force an update. This went away for a while and then failed. Might have a handle on this as I realised I did not clean out the Sophos Update share between versions (v4.5 and v4.0) so I have a plan on how to solve that issue.

Went to a client and tried to get it to update; it failed with 'Could not connect to server'. From memory it's running EP 9.0.

On checking the configuration of the update I noticed it uses SophosUpdateMgr as the user with a hidden password. Now my understanding is that the EC will create this user with a random password when it is installed if it does not already exist. Does this then get changed when I restore the registry / certificates / database, or do I have to invade the AD on the old server to find the password and then set it on the new and run the Sophos 'hide' it etc.?

If it's not that, can anyone please provide a pointer to the probable cause of the problem?

Regards

Gary

:5531


  • Hi,

    My understanding is that the passwords used by the Sophos Management Service are stored in the Windows Private store which is essentially the registry on the machine where the management service runs.

    When you run ExportPrivateStore.exe as part of the server migration, you are exporting these to XML format, so you can move them to another machine. The same account that wrote them to the private store needs to be used to export them. As the Sophos Management Service wrote them and runs as System, you need to run ExportPrivateStore.exe as System, and for this reason psexec is suggested as it is an easy way of running as this user. This is also true when importing them: you need to import them as System on the new machine so the Management Service can read them back out.

    They seem to be a pair, a key and a value, the password being the value and the key being a unique identifier.  This unique identifier string can be found in the policies table in the XML.  So I assume when the Management Service encounters this unique identifier and needs to convert it into the password it makes a lookup to the private store to obtain the password.

    Under the Management Service registry keys you can see the "private" key which lists all these values.  You can see the "Begin" and "End" secure ticket markers.  

    I assume these are the same on both machines and this stage of the migration all went ok?

    To check, if you still have the old server, I would suggest running:

    ExportPrivateStore -s -e old.xml

    and then run:

    ExportPrivateStore -s -e new.xml

    on the new server and compare the outputs, this would at least be a double check that this stage went to plan.  Remembering to run the commands as system.

    I hope this gives you something to check in this area.

    Thanks,

    Jak

    :5534
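One way to do the old.xml / new.xml comparison suggested above without putting stored credential values on screen, as an added example (not part of the original posts and not Sophos code). It is structure-agnostic because the export schema is not shown in this thread; the element names in the sample are constructed placeholders, and positions are compared in document order.

```python
import hashlib
import xml.etree.ElementTree as ET

# Constructed stand-ins for old.xml / new.xml; NOT the real export schema.
OLD = ('<store><item key="id-1">value-A</item><item key="id-2">value-B</item>'
       '<item key="id-3">value-C</item></store>')
NEW = '<store><item key="id-1">value-A</item><item key="id-2">value-X</item></store>'

def fingerprint(xml_text):
    """Map every attribute and text node to a SHA-256 digest, keyed by position."""
    out = {}

    def digest(value):
        return hashlib.sha256(value.encode("utf-8")).hexdigest()

    def walk(elem, path):
        for name, value in elem.attrib.items():
            out[f"{path}/@{name}"] = digest(value)
        text = (elem.text or "").strip()
        if text:
            out[f"{path}/text()"] = digest(text)
        seen = {}
        for child in elem:
            # Index siblings of the same tag so repeated entries stay distinct.
            seen[child.tag] = seen.get(child.tag, 0) + 1
            walk(child, f"{path}/{child.tag}[{seen[child.tag]}]")

    root = ET.fromstring(xml_text)
    walk(root, "/" + root.tag)
    return out

def compare_exports(old_xml, new_xml):
    """Report where two exports differ, by location only, never by value."""
    old, new = fingerprint(old_xml), fingerprint(new_xml)
    return {
        "only_old": sorted(old.keys() - new.keys()),
        "only_new": sorted(new.keys() - old.keys()),
        "changed": sorted(k for k in old.keys() & new.keys() if old[k] != new[k]),
    }
```

An empty result in all three lists means the two exports carry the same entries in the same order; the export files themselves should be deleted once the check is done.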
  • Good afternoon Jak,

    thank-you for the suggestions, I will check this on Friday when I am next at the School.

    From memory all the steps went as planned with no errors reported. Each command was performed while logged in as Administrator.

    One item I did notice when looking at the exported files (I have a copy on a memory stick with me now) was that the EC on the old server was installed on D: and C: on the new server. I cannot see how this would cause any problems.

    Regards

    Gary

    :5547
  • Still having problems here and not sure how to go forward.

    Checked the keys as you suggested and found them to be different. Took three attempts to install them and eventually they came through as the same. Did nothing different apart from running the second and third attempt with psexec -s.

    Still cannot get the clients to communicate with the server. Still receiving the 'Could not connect to server' message.

    When trying to update the server with EC, the system gets as far as 'Downloading Binaries' and then fails.

    I checked and the Warehouse is being populated, but the Working directory is empty and the CID directory is not even being created.

    Tried clearing the Working (empty anyway) and warehouse directories after deleting SUM_status.xml as instructed by the Sophos articles but that made no difference.

    Took a look at the log files and noticed the following package sync errors. Does anyone understand what is going on here?

    Package synchronisation started.
    2010-10-22 15:32:33 : Cmd-ALL << [I1012][8b53ecb8caaa96d152d45c855fcab71ex000.dat] Starting to synchronise file '8b53ecb8caaa96d152d45c855fcab71ex000.dat'...
    2010-10-22 15:32:33 : Error during package synchronisation: Cannot create stream http://sophos2.yhgfl.net/libraryv4//Warehouse/8b53ecb8caaa96d152d45c855fcab71ex000.dat
    2010-10-22 15:32:33 : Sync failure: Cannot create stream http://sophos2.yhgfl.net/libraryv4//Warehouse/8b53ecb8caaa96d152d45c855fcab71ex000.dat
    2010-10-22 15:32:33 : EventLog: 3758112769 1 Inserts:> "F26F7EC0-1302-4DA7-8B6B-A5383051D41A" "Cannot create stream http://sophos2.yhgfl.net/libraryv4//Warehouse/8b53ecb8caaa96d152d45c855fcab71ex000.dat" "RECOMMENDED" "http://sophos2.yhgfl.net/libraryv4//Warehouse"
    2010-10-22 15:32:33 : Cmd-ALL << [E4001][F26F7EC0-1302-4DA7-8B6B-A5383051D41A][Cannot create stream http://sophos2.yhgfl.net/libraryv4//Warehouse/8b53ecb8caaa96d152d45c855fcab71ex000.dat][RECOMMENDED][http://sophos2.yhgfl.net/libraryv4//Warehouse] Synchronise operation failed when synchronising payload 'F26F7EC0-1302-4DA7-8B6B-A5383051D41A'. Details: Cannot create stream http://sophos2.yhgfl.net/libraryv4//Warehouse/8b53ecb8caaa96d152d45c855fcab71ex000.dat
    2010-10-22 15:32:33 : EventLog: 3758112827 1 Inserts:> "7D48A012-0C64-4F21-BA27-A9CEDF442749" "Not attempted." "0.0.0" "http://sophos2.yhgfl.net/libraryv4//Warehouse"
    2010-10-22 15:32:33 : Cmd-ALL << [E403B][7D48A012-0C64-4F21-BA27-A9CEDF442749][Not attempted.][0.0.0][sophos2.yhgfl.net/.../Warehouse] Payload '7D48A012-0C64-4F21-BA27-A9CEDF442749' could not be synchronised because the synchronise operation failed due to an earlier error.
    2010-10-22 15:32:33 : EventLog: 3758112827 1 Inserts:> "A845A8B5-6532-4EF1-B19E-1DB2B3CB73D1" "Not attempted." "1.0.3.122" "http://sophos2.yhgfl.net/libraryv4//Warehouse"
    2010-10-22 15:32:33 : Cmd-ALL << [E403B][A845A8B5-6532-4EF1-B19E-1DB2B3CB73D1][Not attempted.][1.0.3.122][sophos2.yhgfl.net/.../Warehouse] Payload 'A845A8B5-6532-4EF1-B19E-1DB2B3CB73D1' could not be synchronised because the synchronise operation failed due to an earlier error.
    2010-10-22 15:32:33 : Cmd-ALL << [E400D][ActionSyncPrograms][DispatcherPrograms-2010-10-22T14-32-26-2] Action 'ActionSyncPrograms' with caller 'DispatcherPrograms-2010-10-22T14-32-26-2' failed!
    2010-10-22 15:32:33 : Cmd-ALL << [I1021][ActionGatherCurrencyData-Sub0][DispatcherPrograms-2010-10-22T14-32-26-2] Action 'ActionGatherCurrencyData-Sub0' with caller 'DispatcherPrograms-2010-10-22T14-32-26-2' started...
    2010-10-22 15:32:33 : Cmd-ALL << [E402D][DispatcherPrograms-2010-10-22T14-32-26-2][F26F7EC0-1302-4DA7-8B6B-A5383051D41A] Gather Currency Data operation invoked by dispatcherId 'DispatcherPrograms-2010-10-22T14-32-26-2' on product with rigid name 'F26F7EC0-1302-4DA7-8B6B-A5383051D41A' has been aborted because the data has not been synchronised correctly.
    2010-10-22 15:32:33 : Cmd-ALL << [E400D][ActionGatherCurrencyData-Sub0][DispatcherPrograms-2010-10-22T14-32-26-2] Action 'ActionGatherCurrencyData-Sub0' with caller 'DispatcherPrograms-2010-10-22T14-32-26-2' failed!
    2010-10-22 15:32:33 : Cmd-ALL << [I1021][ActionDecodeEverything-Sub0][DispatcherPrograms-2010-10-22T14-32-26-2] Action 'ActionDecodeEverything-Sub0' with caller 'DispatcherPrograms-2010-10-22T14-32-26-2' started...
    2010-10-22 15:32:33 : Cmd-ALL << [E402A][F26F7EC0-1302-4DA7-8B6B-A5383051D41A][RECOMMENDED] The decode of payload F26F7EC0-1302-4DA7-8B6B-A5383051D41A and requested version RECOMMENDED was aborted because the synchronise is marked as failed.
    2010-10-22 15:32:33 : Cmd-ALL << [E400D][ActionDecodeEverything-Sub0][DispatcherPrograms-2010-10-22T14-32-26-2] Action 'ActionDecodeEverything-Sub0' with caller 'DispatcherPrograms-2010-10-22T14-32-26-2' failed!

    Thank-you in advance for any help.

    Regards

    Gary

    :5683
  • Hi,

    As a quick test, in SEC I would create a new updating policy, call it test and choose the same subscription as the clients are using. I would then apply this config to one client (you might have to move one test client to a new group, to which the test updating policy is linked to).  I would wait until it said it complies with the updating policy then check the iconn.cfg file on the machine:

    Vista+ in: "\ProgramData\Sophos\AutoUpdate\Config\", otherwise: "\Program Files\Sophos\AutoUpdate\Config\"

    If other machines that are failing are using the same account as in the test policy I would suspect the password string and/or the update path to match in their iconn.cfg files. If they don't, this would at least explain why they are failing, as based on the information it's not clear to me from the 'Could not connect to server' message if this is due to:

    1. The path is just incorrect, i.e. the distribution point path the clients are using doesn't exist. Wrong Sxxx number for example.

    2. The password the clients are using is correct or not.

    3. There are no files in the CID path due to SUM not populating the distribution point.

    Or all of the above.

    I would also check that the paths in the bootstrap locations dialog in SEC are correct for the subscriptions and the clients are using the correct paths.

    From the logs you have, I would also suggest on the machine where SUM exists, browsing to:

    http://sophos2.yhgfl.net/libraryv4//Warehouse/

    for this example and check you can download the first file SUM says it cannot download.

    Hope this helps.

    Jak

    :5685
  • Hi

    Thank-you for the guidance. I have to agree that the client connection problems are probably caused by either a password error (hope that is now fixed) or more likely the fact that the CIDs are not present as I cannot actually do an update within SUM.

    I had a little time at the customer's site today and concentrated on the SUM update issues. I did a few update now operations and reviewed what was shown in the logs. Interestingly the file that always failed on update 8b53ecb8caaa96d152d45c855fcab71ex000.dat was in fact not present on the SOPHOS update server.

    Fortunately on one of the update runs some other files did manage to stream correctly, which I believe shows that any authentication in place is working correctly. It just appears to be that single update. 

    2010-11-02 15:55:20 : Cmd-ALL << [I1012][1da90b76a90390c59d2522165e3b2b2ax000.dat] Starting to synchronise file '1da90b76a90390c59d2522165e3b2b2ax000.dat'...
    2010-11-02 15:55:20 : Cmd-ALL << [I1013][1da90b76a90390c59d2522165e3b2b2ax000.dat] Finished synchronisation of file '1da90b76a90390c59d2522165e3b2b2ax000.dat'.
    2010-11-02 15:55:20 : Cmd-ALL << [I1012][61a5fb191ae2ae876db31dcce75e4183x000.dat] Starting to synchronise file '61a5fb191ae2ae876db31dcce75e4183x000.dat'...
    2010-11-02 15:55:24 : Cmd-ALL << [I1013][61a5fb191ae2ae876db31dcce75e4183x000.dat] Finished synchronisation of file '61a5fb191ae2ae876db31dcce75e4183x000.dat'.
    2010-11-02 15:55:24 : Cmd-ALL << [I1012][8b53ecb8caaa96d152d45c855fcab71ex000.dat] Starting to synchronise file '8b53ecb8caaa96d152d45c855fcab71ex000.dat'...
    2010-11-02 15:55:24 : Error during package synchronisation: Cannot create stream http://sophos.yhgfl.net/libraryv4//Warehouse/8b53ecb8caaa96d152d45c855fcab71ex000.dat
    2010-11-02 15:55:24 : Sync failure: Cannot create stream http://sophos.yhgfl.net/libraryv4//Warehouse/8b53ecb8caaa96d152d45c855fcab71ex000.dat
    2010-11-02 15:55:24 : EventLog: 3758112769 1 Inserts:> "F26F7EC0-1302-4DA7-8B6B-A5383051D41A" "Cannot create stream http://sophos.yhgfl.net/libraryv4//Warehouse/8b53ecb8caaa96d152d45c855fcab71ex000.dat" "RECOMMENDED" "http://sophos.yhgfl.net/libraryv4//Warehouse"
    2010-11-02 15:55:24 : Cmd-ALL << [E4001][F26F7EC0-1302-4DA7-8B6B-A5383051D41A][Cannot create stream http://sophos.yhgfl.net/libraryv4//Warehouse/8b53ecb8caaa96d152d45c855fcab71ex000.dat][RECOMMENDED][http://sophos.yhgfl.net/libraryv4//Warehouse] Synchronise operation failed when synchronising payload 'F26F7EC0-1302-4DA7-8B6B-A5383051D41A'. Details: Cannot create stream http://sophos.yhgfl.net/libraryv4//Warehouse/8b53ecb8caaa96d152d45c855fcab71ex000.dat
    2010-11-02 15:55:24 : EventLog: 3758112827 1 Inserts:> "7D48A012-0C64-4F21-BA27-A9CEDF442749" "Not attempted." "0.0.0" "http://sophos.yhgfl.net/libraryv4//Warehouse"
    2010-11-02 15:55:24 : Cmd-ALL << [E403B][7D48A012-0C64-4F21-BA27-A9CEDF442749][Not attempted.][0.0.0][sophos.yhgfl.net/.../Warehouse] Payload '7D48A012-0C64-4F21-BA27-A9CEDF442749' could not be synchronised because the synchronise operation failed due to an earlier error.

    Before doing these updates I stopped the SUM service, cleared out the Warehouse and deleted the SUM..xml file, then restarted the service as instructed for a 80040406 error by Sophos.

    Does anyone have any idea why this rogue update is still appearing even though I have cleared the Warehouse and SUM update status file? Is this error causing all the remaining updates to fail and thus the CIDs not to be generated?

    Regards

    Gary

    :5709
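A triage pass over SUM log lines of the shape pasted above, as an added example (not part of the original posts and not Sophos code): it lists the files that finished synchronising, the file that started but never finished, the first error, and the errors that only follow from it. Treating `E…` codes as errors and `I1012`/`I1013` as start/finish markers is an assumption read off the excerpts in this thread; the sample lines, file names, payload ids and host are constructed.

```python
import re

# Line shape taken from the SUM log excerpts in this thread:
#   <date> <time> : Cmd-ALL << [CODE][arg]...[arg] message
LINE = re.compile(
    r"^\s*(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) : Cmd-ALL << ((?:\[[^\]]*\])+)")

# Constructed sample (file names, payload ids and host are placeholders).
SAMPLE = """\
2010-11-02 15:55:20 : Cmd-ALL << [I1012][a1x000.dat] Starting to synchronise file 'a1x000.dat'...
2010-11-02 15:55:20 : Cmd-ALL << [I1013][a1x000.dat] Finished synchronisation of file 'a1x000.dat'.
2010-11-02 15:55:24 : Cmd-ALL << [I1012][b2x000.dat] Starting to synchronise file 'b2x000.dat'...
2010-11-02 15:55:24 : Sync failure: Cannot create stream http://updates.example.invalid/Warehouse/b2x000.dat
2010-11-02 15:55:24 : Cmd-ALL << [E4001][PAYLOAD-1][Cannot create stream http://updates.example.invalid/Warehouse/b2x000.dat][RECOMMENDED][http://updates.example.invalid/Warehouse] Synchronise operation failed.
2010-11-02 15:55:24 : Cmd-ALL << [E403B][PAYLOAD-2][Not attempted.][0.0.0][updates.example.invalid/.../Warehouse] Payload could not be synchronised because of an earlier error.
2010-11-02 15:55:24 : Cmd-ALL << [E400D][ActionSyncPrograms][Dispatcher-1] Action 'ActionSyncPrograms' failed!
2010-11-02 15:55:24 : Cmd-ALL << [E402A][PAYLOAD-1][RECOMMENDED] The decode was aborted because the synchronise is marked as failed.
"""

def triage(log_text):
    """Split a SUM log into synced files, the first error, and follow-on errors."""
    started, finished = [], set()
    root, cascaded = None, []
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # EventLog and free-text lines repeat the same facts
        ts, brackets = m.groups()
        code, *args = re.findall(r"\[([^\]]*)\]", brackets)
        if code == "I1012" and args:      # "Starting to synchronise file"
            started.append(args[0])
        elif code == "I1013" and args:    # "Finished synchronisation of file"
            finished.add(args[0])
        elif code.startswith("E"):
            if root is None:              # earliest error is the one to chase
                url = next((a.split()[-1] for a in args if "http" in a), None)
                root = {"time": ts, "code": code, "url": url}
            else:
                cascaded.append(code)
    return {
        "synced": [f for f in started if f in finished],
        "unfinished": [f for f in started if f not in finished],
        "root": root,
        "cascaded": cascaded,
    }
```

The `url` of the root error is the one to request by hand from the machine where SUM runs, as suggested earlier in the thread.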
  • Hello Gary,

    8b53ecb8caaa96d152d45c855fcab71ex000.dat is not on the server shown in the logs and also not in its filestore.dat. Checked one of my warehouses -  "my" filestore.dat does contain the 8b53... (and also has a different size) and the 8b53... is there. Can't say whether this is normal, might be an issue with the warehouse at yhgfl.net. I suggest you call Support with this info.

    Christian

    :5726
    Thanks, will have to talk to the YHGFL support as they supply Sophos to this school.

    On a related matter, could this be part of my problem?

    From the release notes for EC v4.0 :-

    (DEF 36019) If Sophos Endpoint Security and Control is not installed on the server running the Enterprise Console management server, endpoint computers show “Unknown” as their up-to-date status. Sophos Endpoint Security and Control must always be installed (although it does not have to be running) on the server running the Enterprise Console management server. Otherwise, Enterprise Console will not be able to manage endpoint computers correctly.

    Am I reading this right: if I don't install (but not necessarily execute) Endpoint Security on my server then I should not expect EC to manage my endpoints correctly?

    Has anyone not installed Endpoint Security and Control or used another package to protect their server? To be honest I have installed ESET on the server to protect the mail system and server files rather than SOPHOS. Will this be having a major effect?

    As the amount of mail coming in is very small I might risk removing the ESET software and seeing if it makes any difference and then as a second test installing the Endpoint Software on the server.

    Any thoughts?

    Thank-you in advance for your help and time.

    Regards

    Gary

    :5822