
Newly installed XP clients disappear from EM 3.0 console

Hello,

I'm having a strange problem. For a few days now, my newly deployed XP clients have been disappearing from my EM 3.0 console when I comply them with the group policy.

Situation.

We are upgrading our clients from W2K to XP with a pre-configured image. Sophos is already installed in this image. The client appears in the EM console when it joins the domain.

The status shown in EM is "differs from policy" and "waiting for response from computer". After the "comply with group policy" action the client disappears from the EM console.

The client reappears again after a reboot and has the same status as mentioned above.

Does anyone have an idea?

Regards,

Peter

  • Hi,

    this happens because Sophos RMS assigns an ID at installation, and cloning computers with this ID causes EC to handle them all as one entity. You will only see the last machine that connected to the server; it overwrites the object's content.

    I remember a KB article that explained the procedure to reissue a new ID and a new certificate to the RMS service of each client, but I can't find it right now; instead there is an article about preparation before imaging.

    If the problem concerns just a few PCs, uninstall RMS and reinstall it. If the problem concerns large volumes, contact support for advice.

    Best regards,

    Detlev

  • Hi,

    The strange thing is that this is happening since a few days. We installed 10 other clients with the same image and they didn't have the problem.

    I must say the group with the problem is using only a changed updating policy, the other policies are on default. Could this be the problem?

  • Hello Peter,

    can't say I know exactly what's going on. Maybe this helps a little:

    Most of our clients are not under the IT department's control (but nevertheless, when they install Sophos they report to SEC and are managed). I found out that literally hundreds of clients had been installed from one of three images, and in SEC computers disappeared, reappeared in the Unassigned group, changed names, showed tons of alerts, seemed to change policies at will and the like. With SEC 4.0 and SAV 9.0 I noticed that they started to get "individual" identities when they upgraded (I guess due to changes in the RMS component they re-registered when upgrading the client RMS). Over time most of them got their own identity.

    In order to identify which client is a clone I checked the database using osql/sqlcmd. A very interesting value is in column MessageSystemAddress of table ComputersAndDeletedComputers, as it is a "high priority" value for determining a client's identity. So if you just change a computer's name, it remains the same from SEC's point of view. I said "high priority" because SEC tries very hard to recognize an already known computer: if you uninstall and reinstall RMS, it gets a different identity. So now you have two computers with the same name. Are both valid? If name and domain/workgroup are the same, then probably only one is valid (as you would otherwise have problems with Windows networking). But what if they are the same but the computers are on different LANs? So SEC applies some logic (which changes from version to version) to address these questions.

    I used this query (I prefer sqlcmd because it has better formatting options) while dealing with the "clones":

    sqlcmd -E -S .\SOPHOS -d SOPHOS3 -Y 30 -Q "SELECT Name,Deleted,MessageSystemAddress FROM ComputersAndDeletedComputers WHERE some-selection-criterion"

    some-selection-criterion is for example: Name='CLONE01' or MessageSystemAddress LIKE 'Router$Image0%'

    Normally the computer's name is part of MessageSystemAddress, but if its name has been changed after it was installed from an image where Sophos had already been installed, then it is not. Here's some sample output:

    Name                           Deleted MessageSystemAddress
    ------------------------------ ------- ------------------------------
    JORGOS1                              0 Router$itsc195:747094
    VIFO021                              1 Router$itsc196:18046
    PSYCH21                              0 Router$itsc196:81061

    Shortly afterwards the same query gives:

    Name                           Deleted MessageSystemAddress
    ------------------------------ ------- ------------------------------
    CENTRAL                              0 Router$itsc195:747094
    VIFO021                              1 Router$itsc196:18046
    PSYCH21                              0 Router$itsc196:81061

    Obviously JORGOS1 and CENTRAL have been installed from the same image. In SEC, CENTRAL would suddenly appear instead of JORGOS1. It's even more complex: if CENTRAL were newly installed, but a deleted computer (i.e. not visible in SEC) with the same name and workgroup already existed in the database, CENTRAL could suddenly appear in a different console group (perhaps Unassigned), and if JORGOS1 then reports to SEC again, it will remain there.

    This is not a complete description but I hope it's of some use.

    Christian

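    As an added example (this is my own T-SQL, not from Christian's post and not a Sophos-supplied tool), the following script turns the one-off sqlcmd query above into a repeatable clone check. Christian's point is that a clone does not show up as two rows: the same MessageSystemAddress row is simply overwritten with whichever machine reported last, so a single query can only ever see the current winner. The script therefore snapshots (address, name) pairs into a history table on each run and then lists every RMS identity that has been seen under more than one name, plus the "name not embedded in the address" heuristic he describes. The table and column names (ComputersAndDeletedComputers, Name, Deleted, MessageSystemAddress) and the SOPHOS3 database are taken from his post; the history table dbo.RmsIdentityHistory and its column types are my assumptions, and the table layout may differ in other console versions.

    ```sql
    -- Added example, not part of the original thread or of Sophos' tooling.
    -- Run repeatedly (e.g. hourly while the suspect group is being imaged):
    --   sqlcmd -E -S .\SOPHOS -i rms_clones.sql
    -- Database and source table/column names are from the post above; the
    -- history table name and column types are assumptions.
    USE SOPHOS3;
    GO

    -- Step 1: record what the console currently believes, with a timestamp.
    IF OBJECT_ID('dbo.RmsIdentityHistory') IS NULL
        CREATE TABLE dbo.RmsIdentityHistory (
            SeenAt               datetime      NOT NULL,
            MessageSystemAddress nvarchar(255) NOT NULL,
            Name                 nvarchar(255) NOT NULL,
            Deleted              bit           NOT NULL
        );
    GO

    INSERT INTO dbo.RmsIdentityHistory (SeenAt, MessageSystemAddress, Name, Deleted)
    SELECT GETDATE(), MessageSystemAddress, Name, Deleted
    FROM dbo.ComputersAndDeletedComputers;
    GO

    -- Step 2: one RMS identity seen under two or more names across snapshots
    -- means several physical machines share that identity (JORGOS1/CENTRAL
    -- in the sample output). A single snapshot cannot show this, because the
    -- last reporter overwrites the row.
    SELECT h.MessageSystemAddress,
           h.Name,
           MIN(h.SeenAt) AS FirstSeen,
           MAX(h.SeenAt) AS LastSeen
    FROM dbo.RmsIdentityHistory AS h
    WHERE h.MessageSystemAddress IN (
            SELECT MessageSystemAddress
            FROM dbo.RmsIdentityHistory
            GROUP BY MessageSystemAddress
            HAVING COUNT(DISTINCT Name) > 1)
    GROUP BY h.MessageSystemAddress, h.Name
    ORDER BY h.MessageSystemAddress, FirstSeen;
    GO

    -- Step 3: heuristic from the post: a live row whose computer name is not
    -- embedded in its MessageSystemAddress was probably renamed after RMS was
    -- installed, i.e. it came from an image that already contained Sophos.
    -- CHARINDEX is used instead of LIKE so that '%' or '_' in a name cannot
    -- act as wildcards; matching is case-insensitive under the usual
    -- SQL Server collations.
    SELECT Name, Deleted, MessageSystemAddress
    FROM dbo.ComputersAndDeletedComputers
    WHERE Deleted = 0
      AND CHARINDEX(Name, MessageSystemAddress) = 0
    ORDER BY MessageSystemAddress;
    GO
    ```

    Step 2 only becomes useful after at least two snapshots taken while the clones are still reporting, so keep the history table around for the duration of the rollout; step 3 works on a single snapshot but, as the sample output above shows, it flags every row whose address does not contain the name, so treat it as a list of candidates to verify rather than proof of cloning.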
  • Sorry, forgot to mention that the EM console is a newly installed one on a W2K3 server using an MS SQL 2005 DB installed on a separate server. This is a new configuration which we are going to use.

    So the re-installed clients with the "old" names and IP addresses are registered on a completely new system and have nothing to do with the old EM console and DB. That one will be removed when all the clients have been renewed with the new image.

    Hope this additional info helps

    Thankz

  • Hm, I must admit that I'm a little bit confused. Let's see ...

    So you did a fresh install of SEC 3.0 (why not SEC 4.0?), built the image using the new CID(s), and did not transfer the database? Then the client appears in the EM console when it joins the domain; it should do so "immediately" (unless it can't reach the server before it's in the domain). Which policy differs? Updating? If so, what's the difference (if you can spot it)? The consoles are not on DCs, are they?

    Guess we need some more details. And what does the Network Communications Report on the client say?

    Christian

  • Transfer of DB: We wanted to start over with a clean DB. In the old DB there are a lot of entries which are no longer valid (clients were renamed, removed from the domain, etc.) and the system was never updated with this info. So there are a lot of old entries there.

    The clients appear immediately in SEC with the warnings "Differs from policy" for Antivirus and HIPS and for application control policy. The updating policy says: same as policy.

    Can't spot the differences in the policies. The old console was on a DC but was demoted to member server (W2K). The new one is on a different member server (W2K3).

    The report says there are no problems. I created a new group with policies and will create a new member with the same image, put that member in the new group and see if the problem persists.

    Peter

  • Update,

    We changed the image. We prepared Sophos according to the procedure I found on this site. Everything is working OK now.

    Thankz all for the possible solutions.

    Greetzz

    edit:

    article: Sophos Anti-Virus for Windows 2000+: incorporating Sophos Anti-Virus current versions in a disk image, including for use with cloned virtual machines
