
Remote endpoints not checking in

Hi

We have a few endpoints outside of the office.

I've opened up ports 8192 and 8194 TCP on an external IP, forwarded those to the Sophos box and set up a public DNS and an internal DNS, both the same, both pointing to the Sophos box.

I've edited MRINIT.CONF and then updated the packages using the packaging process from the KB.

However none of the external endpoints are checking in. I've checked that both ports are open and we get a response externally.

One thing I have seen is that the MRINIT.CONF file on the remote endpoints shows the .local name of the Sophos server, not the FQDN. However the correct settings are in the compressed savinst.exe file created by WinRAR during the packaging process.

My guess is that I've missed a setting on the Sophos server, which the endpoints are then pulling when they first check in.

I'm aware that we should have a box in the DMZ but for 2 machines (both on fixed IPs) I'm happy to suffer the slings and arrows of IP restricted port opening.

Any ideas what I've missed?

Olly



  • Hello Olly,

    in the compressed savinst.exe
    this is your own build, not created with the Deployment Packager, is it? With what parameters do you call setup.exe?

    As to mrinit.conf: Its contents depend on the environment (fixed IP or DHCP, result of reverse lookup) of the SEC server at install time. Usually you get IPv4, IPv6, FQDN, NetBIOS. An endpoint first tries port 8192 on all available addresses/names in succession until it gets an IOR in return. This will contain one or more hostnames/IPs and port (we expect 8194) for the server. As jak has said, if connection to port 8192 is successful you should find the IOR in the logs. It is possible that the endpoints can fetch the IOR but the IOR contains the server's local IP instead of the public one.
    What changes did you make to mrinit.conf when you edited it and where did you put it? Is the mrinit.conf on the endpoints the one you've edited or the one you see in the CIDs?

    Christian

  • The IOR returns the internal LAN IP rather than an FQDN.


    1. IIOP 1.2 192.168.18.22 8193 "....NUP...!........RootPOA.RouterPersistent.........MessageRouter"
                TAG_ORB_TYPE 0x54414f00
                TAG_CODE_SETS char native code set: ISO-8859-1
                              char conversion code set: UTF-8
                              wchar native code set: UTF-16
                              wchar conversion code set: 
                
                TAG_SSL_SEC_TRANS port = 8194 supports = 166 requires = 134


    The mrinit.conf file includes:

    "MRParentAddress"="sophos.mydomain.co.uk,SOPHOS"
    "ParentRouterAddress"="sophos.mydomain.co.uk,SOPHOS"


    Is there a way I can tell the server aspects of the new FQDN that they should be broadcasting without having to reinstall it again?

    Olly
  • Hello Olly,

    please see Using Sophos message relays in a public WAN - applies to any router (thus also the management server).

    Christian
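Christian's description of the port 8192/IOR exchange and Olly's decoded IOR suggest the check below. It is an added example, not code from the thread or from Sophos: it parses the mrinit.conf entries and the decoded IOR text in the form Olly pasted, and flags an IOR that advertises an address the WAN endpoints cannot use. The sample values are constructed from the thread, and the regexes assume the TAO-style decoded IOR layout shown above.

```python
import ipaddress
import re

# Constructed sample input, modelled on what Olly pasted: the two mrinit.conf
# entries the endpoint carries, and the decoded IOR the server returned on 8192.
MRINIT_CONF = '''
"MRParentAddress"="sophos.mydomain.co.uk,SOPHOS"
"ParentRouterAddress"="sophos.mydomain.co.uk,SOPHOS"
'''
DECODED_IOR = '''
1. IIOP 1.2 192.168.18.22 8193 "....NUP...!........RootPOA.RouterPersistent"
            TAG_SSL_SEC_TRANS port = 8194 supports = 166 requires = 134
'''

def parse_mrinit(text):
    """Map each quoted key to its comma-separated list of addresses."""
    conf = {}
    for key, value in re.findall(r'^"(\w+)"="([^"]*)"', text, re.M):
        conf[key] = [a.strip() for a in value.split(",") if a.strip()]
    return conf

def parse_ior(text):
    """Return (host, iiop_port, ssl_port) from the first profile of a decoded IOR."""
    prof = re.search(r'IIOP\s+\d\.\d\s+(\S+)\s+(\d+)', text)
    ssl = re.search(r'TAG_SSL_SEC_TRANS port = (\d+)', text)
    if not prof:
        raise ValueError("no IIOP profile found in IOR")
    return prof.group(1), int(prof.group(2)), int(ssl.group(1)) if ssl else None

def is_private_ip(host):
    """True only for an IP literal in private (RFC 1918 / ULA) space."""
    try:
        return ipaddress.ip_address(host).is_private
    except ValueError:
        return False   # a hostname, not an IP literal

def ior_findings(mrinit_text, ior_text):
    """List the mismatches a WAN endpoint would trip over after fetching the IOR."""
    conf = parse_mrinit(mrinit_text)
    expected = {a for k in ("MRParentAddress", "ParentRouterAddress") for a in conf.get(k, [])}
    host, _, ssl_port = parse_ior(ior_text)
    findings = []
    if host not in expected:
        findings.append(f"IOR advertises {host}, which is not in mrinit.conf {sorted(expected)}")
    if is_private_ip(host):
        findings.append(f"{host} is a private address and is unreachable from the WAN")
    if ssl_port != 8194:
        findings.append(f"expected SSL port 8194 in the IOR, found {ssl_port}")
    return findings

if __name__ == "__main__":
    for line in ior_findings(MRINIT_CONF, DECODED_IOR):
        print(line)
```

Run against the values from the thread it reports the two mismatches Olly observed: the advertised host is not one of the mrinit.conf names, and it is a private LAN address.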
