message relay changed to endpoint

Hello all

 

We have just set up our new Sophos Environment with 2 Servers.
1x SEC Server in LAN, 1x Message Relay Server in DMZ.
Everything worked fine but now we have a strange problem:

Our message relay Server changed into an endpoint.

Any ideas how we can revert this behaviour?

thx



  • Hello Tommy Rohner,

    is the MR also a SUM?
    You say changed - so it has been a relay for how long? If not a SUM, does it update from the correct CID (it should naturally do so even if it is a SUM but a SUM wouldn't reconfigure RMS)?

    Christian

  • Hi QC

    thx for your feedback.

    Yes the MR is also a SUM. both servers are SUM (SEC and MR).

    it has been a relay for about 1 week or even longer.

    i guess it changed back because we didn't place the mrinit.conf file in the rms subfolder.

    but how can we now change the endpoint to an MR again?

     

  • Hello Tommy Rohner,

    I assume you did correctly install the SUM (i.e. SUM first, then Endpoint) - in fact the SUM installer should prompt you to uninstall RMS if it's already installed. It used to ignore changes to mrinit.conf (i.e. ClientMRInit refused to run) but it seems the logic has changed somewhat - logs from the 10.6.4 upgrade suggest that ClientMRInit did run on the relays (but not on the SEC server). For whatever reason there are no ClientMRInit logs though.

    Is RMS listed in Control Panel\Programs and Features (it shouldn't be there)? Are there any install/uninstall logs with RMS or ClientMRInit in their name in %windir%\Temp?

    As the logic seems to have changed, putting the correct mrinit.conf into the (correct) \rms subdirectory (don't forget to run ConfigCID.exe) might indeed resolve the issue.

    Christian

  • Hi again

    yes, we installed sum before endpoint.
    no, rms is not listed in programs and features, there is only: SAV, SAU, SSP, SUM.
    unfortunately there are no rms or clientmrinit uninstall logs..

    we already made the changes in the mrinit.conf file again, and copied in the rms subfolder.
    after running configcid.exe there is no change.
    in reportdata.xml the routertype still shows endpoint instead of message relay.

    i could do a complete reinstall but i'm afraid the routertype will change back again...

  • Hello Tommy Rohner,

    "i'm afraid the routertype will change back again"
    that's why I've not yet suggested a "fix" as it might not persist.

    Well, I just did a test changing a few letters in the Parent's name (in \rms\mrinit.conf), with the next update a Sophos RMS Install log was created in %windir%\Temp\. I've found the following (not the complete log, a snippet with some lines shortened):

    Installation canceled - RMS will be managed only by the SUM installer.
    CopyPrerequisite(from=C:\ProgramData\Sophos\AutoUpdate\cache\rms\, ...
    Backing up `C:\Program Files (x86)\Sophos\Remote Management System\mrinit.conf`
    Copying from `C:\ProgramData\Sophos\AutoUpdate\cache\rms\mrinit.conf` ...
    Applying MrInit.conf settings: [ClientMRInit.exe] ...

    This suggests that ClientMRInit has been called and indeed the registry values have been changed. ReportData.xml though has not been updated - apparently the Router service has not been restarted. Did the obvious, restarted the service and the NetworkReport reflected the changes in mrinit.conf. Please restart the Sophos Message Router and check if it reconfigures.

    Christian

  • Hi Christian

    No, this won't help because I've already restarted the service after running configcid.
    I also restarted the server to see if it helps but unfortunately it doesn't.

  • Hello Tommy Rohner,

    the SEC server isn't involved. Is there an RMS Install log with contents similar to those I've posted? If not, could you try to change mrinit.conf (changing the case of one or more letters in one of the hostnames is safe and sufficient) and check if a log is created?

    Not a solution but a workaround is modifying the registry keys to match the values (near the end under Technical information) in configuring message relay computers.

    Christian

  • yeah i've found a log, but it's already a few days old:

    Install from:[C:\ProgramData\Sophos\AutoUpdate\cache\rms]
    Install to  :[(null)]
    RMS: Current product is not installed.
    TP: Successfully requested Sophos Endpoint Defense disable tamper protection of RMS.
    MsiPackagePath: [C:\ProgramData\Sophos\AutoUpdate\cache\rms\Sophos Remote Management System.msi].
    Result of loading C:\Program Files (x86)\Sophos\AutoUpdate\SAUConfigDLL.dll is: [71bf0000]
    Installation canceled - RMS will be managed only by the SUM installer.
    CopyPrerequisite(from=C:\ProgramData\Sophos\AutoUpdate\cache\rms\,                 to  =C:\Program Files (x86)\Sophos\Remote Management System,                 file=mrinit.conf)
    Missing source file `C:\ProgramData\Sophos\AutoUpdate\cache\rms\mrinit.conf`

    Restoring backup `C:\Program Files (x86)\Sophos\Remote Management System\mrinit.conf.orig`
    Applying MrInit.conf settings: [ClientMRInit.exe] [-logPath "C:\WINDOWS\Temp" -filePath "C:\Program Files (x86)\Sophos\Remote Management System"]
    TP: Successfully registered for tamper protection with Sophos Endpoint Defense.

  • Hello Tommy Rohner,

    was the server protected before you installed SUM? The mrinit.conf.orig is usually created when the CID an endpoint updates from is configured with a custom mrinit.conf. If later the endpoint updates from an unconfigured CID it falls back to the original mrinit.conf.

    Nevertheless, just modified mrinit.conf another time and the MR/SUM created a new RMS Install log. If yours doesn't, I wonder whether it is updating from the correct CID?

    Christian

  • yes, the Server was protected by our old Sophos Environment.

    I first uninstalled every Sophos product and then i installed the new SUM.

     

    after modifying mrinit.conf, no RMS Install.log has been created. i've just tested this 5 minutes ago. but as i mentioned before, rms is not installed on the Server.

    how can i check if the Server is updating from correct CID?

    we have 2 cids on each Server (total 4).

    Clients are updating from MR and MR is updating from SEC.

  • Hello Tommy Rohner,

    "how can i check"
    several ways (assuming you know which is the right CID :)): the console's Endpoints view, tab Update Details; the local Sophos GUI on the MR updating configuration; or (preferred) its Updating log which will show the location actually used.

    "MR is updating from SEC"
    please note that an endpoint running SUM has two distinct update processes: the regular AutoUpdate for the Endpoint software and SUM's product update. Also note that the contents of a CID are important, not where it's hosted. Normally a SUM/MR hosts the CIDs configured with an mrinit.conf that has the MR in the ParentRouterAddress. In order to recognize itself correctly as an MR the MR must update from such a CID.
    You can have both a (MR-)configured and an unconfigured CID on one or both servers. Why two CIDs - different subscriptions?

    Christian 

  • I'll try to explain a little bit better what our Scenario Looks like:

    We have 2 Servers.

    Server1 is SEC/SUM in LAN.
    Server2 is MR/SUM in DMZ.
    Server 2 has an internal and an external IP with Split DNS.
    SUM on Server 1 gets Updates from Sophos.
    SUM on Server 2 gets Updates from Server 1.

    MRInit.conf in CIDs on Server 1 contain:
    "MRParentAddress"="Server1"
    "ParentRouterAddress"="Server1"

    MRInit.conf in CIDs on Server 2 contain:
    "MRParentAddress"="Server1"
    "ParentRouterAddress"="Server2"

    we have 2 Update Policies:
    Default: for all Clients -> Primary update path: \\server2\SophosUpdate\...
    SOPH: for both Servers -> Primary update path: \\server1\SophosUpdate\...

    for Updates we use WebCID (http).

    we have 2 CIDs because we need previous recommended (for all Clients) and recommended (for test Clients) Software Updates.
    the 2 CIDs on Server 1 are identical with the 2 CIDs on Server 2, only the MRInit.conf files are different.
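
The thread states that an MR must update from a CID whose mrinit.conf names the MR itself in ParentRouterAddress. The following PowerShell is an added example, not part of the thread and not Sophos code; it checks that condition for the two mrinit.conf variants listed above and for the two file locations quoted from the RMS Install log. The function names, the `$me` name list and the handling of comma-separated values are assumptions.

```powershell
# Added example, not Sophos code. Key names and paths are those quoted in the thread.
function ConvertFrom-MrInit {
    param([string[]]$Lines)
    $settings = @{}
    foreach ($line in $Lines) {
        # Lines look like: "ParentRouterAddress"="Server2"
        if ($line -match '^\s*"([^"]+)"\s*=\s*"([^"]*)"') {
            $settings[$Matches[1]] = $Matches[2]
        }
    }
    return $settings
}

function Test-RelayConfig {
    param([hashtable]$Settings, [string[]]$LocalNames)
    # Assumption: the value may hold several comma-separated names or addresses.
    $parents = @($Settings['ParentRouterAddress'] -split ',' |
        ForEach-Object { $_.Trim() } | Where-Object { $_ })
    # -contains is case-insensitive, which suits host names.
    $hit = @($parents | Where-Object { $LocalNames -contains $_ })
    [pscustomobject]@{
        ParentRouterAddress = $parents -join ','
        MRParentAddress     = $Settings['MRParentAddress']
        NamesThisHost       = ($hit.Count -gt 0)
    }
}

# Constructed sample: the two mrinit.conf variants described in the thread.
$cidOnServer1 = '"MRParentAddress"="Server1"', '"ParentRouterAddress"="Server1"'
$cidOnServer2 = '"MRParentAddress"="Server1"', '"ParentRouterAddress"="Server2"'
$me = @('server2')   # on a real host: its NetBIOS name, FQDN and addresses

Test-RelayConfig (ConvertFrom-MrInit $cidOnServer1) $me
Test-RelayConfig (ConvertFrom-MrInit $cidOnServer2) $me

# Same check against the files named in the RMS Install log, if present.
$paths = 'C:\ProgramData\Sophos\AutoUpdate\cache\rms\mrinit.conf',
         'C:\Program Files (x86)\Sophos\Remote Management System\mrinit.conf'
foreach ($p in $paths) {
    if (Test-Path -LiteralPath $p) {
        Test-RelayConfig (ConvertFrom-MrInit (Get-Content -LiteralPath $p)) $me |
            Add-Member -NotePropertyName File -NotePropertyValue $p -PassThru
    } else {
        # Matches the "Missing source file" condition seen in the log.
        Write-Warning "Missing: $p"
    }
}
```

A file whose `NamesThisHost` is False does not name the local server as its own parent router, which is the condition the thread gives for a server recognizing itself as a message relay.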