
Client not reporting to the Management console

Hi All,

 

Not sure if this is the right place to post this, but I'm sure someone can advise or move it to the correct place if not.

At first it wasn't showing in the Management console at all.

So I went through everything I can think of and all the guides given on the Sophos community. My first check was of the ReportData.xml file in C:\ProgramData\Sophos\Remote Management System\3\Router\NetworkReport\ and made sure the IPs were correct (which they are).

I then reset the Sophos Message Router service and found it then started showing in the Sophos Enterprise Console on the Management server, but now it is greyed out. I did the usual and made sure it was assigned to a group, which it is, and it isn't forcing the policy onto the client. I have tried 3 Administrator accounts which are all connected through the domain the client is on.

I know the firewalls are all correct and everything has been set correctly; this is a new project I have recently taken on, as it has been an issue for a year. But the thing is, the Endpoint client is updating perfectly fine.

So I tried a reinstallation from the share folder (but I didn't use the SophosUpdateMgr account which is set up in SUM, because whoever set it up previously did not save the details of this account in the register we use for this particular infrastructure). Could this be the issue? If not, what could it be? There is the error message "The installation credentials you entered in the "Protect Computers Wizard" are either incorrect or do not give administrator access to the computer over the network", which I know they do because these are all connected to the domain.

So I am now at a loss as to what this can be.

  • Hello SecureIA Ltd,

    it was a simple issue until your last paragraph :-). Protect works with an account that has both administrator rights on the endpoint and at least read access to the install share (which is either the primary location or the Initial Install Share from the policy). Instead of Protect you could run the CID's setup.exe from the endpoint.

    What does (or did) the Network Report say for the actual parent?

    Updating and RMS are independent (well, the latter is needed to report the status of the former but each can work without the other).

    Christian

  • Hi QC,


    I did do both Protect and the CID's setup from the share folder (on the endpoint client). I don't really understand it, to be honest, because it is fully updating with every other client on the management console; it just basically isn't telling Sophos Enterprise Console.

    The senior engineers are currently rolling out a password change through SUM (because my change has stopped everything from updating now, oops), so I will see if this then changes anything.

    If this doesn't start it reporting to the Sophos Console, what could this then be? Would it be something to do with the RMS?


    Kind Regards,

    James

  • Hello James,

    reporting is (part of) RMS.

    Start with the Network Report: is it recent, does it say there is a parent (not just a bunch of parent addresses)? Is there a connection to the server's port 8194?

    Christian

  • Hi QC,


    So in the ReportData.xml file it says for ports:

    </router_name>
    <IOR_port>8192</IOR_port>
    <SSLIOP_port>8194</SSLIOP_port>

    For the parent address it has 1 IP and the server name twice, and for actual parent it has the same IP as "Parent Addresses" - unfortunately, for security reasons, I can't post the IP addresses online.


    Kind Regards,

    James

  • Hello James,

    "for security reasons" - that's ok; it suffices that you say there is one and it's the expected one.
    If the report is recent then AFAIK this suggests that the endpoint was able to contact the server (on port 8192), obtain the IOR, and connect to 8194 (netstat on the endpoint should show this connection). If its status in the console is still "grey" (I suppose it's disconnected, red cross on the computer icon) then you're perhaps not looking at the correct computer object.

    You can check that it's indeed reporting to SEC by inspecting the Router log - starting from the top you should see the endpoint's IOR, the server's IOR and later lines that say Sent message ... to Router$<yourserver>..

    Christian
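One way to verify the two things asked for in the reply above (the ports the network report declares, and a live connection from the endpoint to the parent on the SSLIOP port), as an added example that is not part of the original thread and not Sophos tooling. It only relies on the three element names the thread shows in ReportData.xml (`router_name`, `IOR_port`, `SSLIOP_port`); the wrapping `<report>` element, the netstat text and the 192.0.2.0/24 addresses are constructed for the example, and the parent address is passed in as a parameter because the element names that hold the parent addresses are not shown in the thread.

```python
"""Check that an endpoint's RMS router has a live connection to its parent.

Added example, not Sophos code or the poster's own script. Reads the two port
elements the thread shows in ReportData.xml (<IOR_port>, <SSLIOP_port>), then
looks in `netstat -ano` output for an ESTABLISHED TCP connection from this host
to the parent on the SSLIOP port. All input below is constructed; addresses are
from the 192.0.2.0/24 documentation range, and the wrapping <report> element is
an assumption (only the three inner element names come from the thread).
"""
import xml.etree.ElementTree as ET

SAMPLE_REPORT = """<report>
  <router_name>Router$MTZ1MA01</router_name>
  <IOR_port>8192</IOR_port>
  <SSLIOP_port>8194</SSLIOP_port>
</report>"""

# Constructed in the column layout `netstat -ano` prints on Windows.
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:8192           0.0.0.0:0              LISTENING       1488
  TCP    0.0.0.0:8194           0.0.0.0:0              LISTENING       1488
  TCP    192.0.2.20:49713       192.0.2.10:8194        ESTABLISHED     1488
  TCP    192.0.2.20:49801       192.0.2.30:445         ESTABLISHED     4
  UDP    0.0.0.0:123            *:*                                    1012
"""


def rms_ports(report_xml: str) -> dict:
    """Return the IOR and SSLIOP ports declared in the network report."""
    root = ET.fromstring(report_xml)
    ports = {}
    for name in ("IOR_port", "SSLIOP_port"):
        node = root.find(f".//{name}")
        text = (node.text or "").strip() if node is not None else ""
        if not text.isdigit():
            raise ValueError(f"{name} missing or not numeric in network report")
        ports[name] = int(text)
    return ports


def _split_addr(addr: str):
    """'192.0.2.10:8194' -> ('192.0.2.10', 8194); bracketed IPv6 handled too."""
    host, _, port = addr.rpartition(":")
    return host.strip("[]"), (int(port) if port.isdigit() else None)


def parse_netstat(text: str) -> list:
    """Parse the TCP rows of `netstat -ano` into dicts; other rows are skipped."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5 or parts[0] != "TCP":
            continue
        _, local, foreign, state, pid = parts
        lhost, lport = _split_addr(local)
        fhost, fport = _split_addr(foreign)
        rows.append({"local_host": lhost, "local_port": lport,
                     "foreign_host": fhost, "foreign_port": fport,
                     "state": state, "pid": int(pid)})
    return rows


def check_rms_connectivity(report_xml: str, netstat_text: str, parent_ip: str) -> dict:
    """Combine both views: ports from the report, connection state from netstat."""
    ports = rms_ports(report_xml)
    rows = parse_netstat(netstat_text)
    ssliop = ports["SSLIOP_port"]
    # The endpoint's own router should be listening on both ports ...
    listening = {r["local_port"] for r in rows if r["state"] == "LISTENING"}
    # ... and hold an established session to the parent on the SSLIOP port.
    to_parent = [r for r in rows
                 if r["foreign_host"] == parent_ip
                 and r["foreign_port"] == ssliop
                 and r["state"] == "ESTABLISHED"]
    return {
        "ports": ports,
        "router_listening": ports["IOR_port"] in listening and ssliop in listening,
        "connected_to_parent": bool(to_parent),
        "parent_pid": to_parent[0]["pid"] if to_parent else None,
    }


if __name__ == "__main__":
    print(check_rms_connectivity(SAMPLE_REPORT, SAMPLE_NETSTAT, "192.0.2.10"))
```

On a real endpoint, feed it the output of `netstat -ano` and the actual parent address; `parent_pid` should belong to the Sophos Message Router process, which you can confirm with `tasklist /fi "PID eq <pid>"`. If `connected_to_parent` is false while the report is recent, the problem is between the endpoint and port 8194, not in the console's computer object.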

  • Hi QC,


    So here are today's log files; I have taken the IP addresses out but I do


    29.09.2017 07:16:35 00E0 I RouterSystemCheck::onInfoPortsUsed() - number of user ports 15, max number of user ports 15360
    29.09.2017 08:12:58 1090 I Calling parent with heartbeat...
    29.09.2017 08:12:58 1090 I Heartbeat to parent succeeded.
    29.09.2017 08:16:35 00E0 I RouterSystemCheck::onInfoPortsUsed() - number of user ports 15, max number of user ports 15360
    29.09.2017 08:47:14 00FC I SSL handshake done, local IP address = 0.0.0.0
    29.09.2017 08:47:14 00FC E GetterWorker: Caught CORBA system exception, ID 'IDL:omg.org/CORBA/OBJECT_NOT_EXIST:1.0'
    OMG minor code (2), described as '*unknown description*', completed = NO

    29.09.2017 08:47:14 00FC E Failed to get messages, logging Router$MTZ1MA01 off
    29.09.2017 08:47:44 1090 I RouterTableEntry::LogonToParentRouter() - logging on as active consumer
    29.09.2017 08:47:44 1090 I RouterTableEntry state (router, logging on): Router$MTZ1MA01 is passive consumer, passive supplier
    29.09.2017 08:47:44 1090 I Logged on to parent router as Router$CRER14A:504085
    29.09.2017 08:47:44 1090 I This computer is part of the domain CRUSO
    29.09.2017 08:47:44 079C I SSL handshake done, local IP address = 0.0.0.0
    29.09.2017 09:16:35 00E0 I RouterSystemCheck::onInfoPortsUsed() - number of user ports 15, max number of user ports 15360
    29.09.2017 09:55:45 00FC I SSL handshake done, local IP address = 0.0.0.0
    29.09.2017 09:55:45 00FC E GetterWorker: Caught CORBA system exception, ID 'IDL:omg.org/CORBA/OBJECT_NOT_EXIST:1.0'
    OMG minor code (2), described as '*unknown description*', completed = NO

    29.09.2017 09:55:45 00FC E Failed to get messages, logging Router$MTZ1MA01 off
    29.09.2017 09:56:15 1090 I RouterTableEntry::LogonToParentRouter() - logging on as active consumer
    29.09.2017 09:56:16 1090 I RouterTableEntry state (router, logging on): Router$MTZ1MA01 is passive consumer, passive supplier
    29.09.2017 09:56:16 1090 I Logged on to parent router as Router$CRER14A:504085
    29.09.2017 09:56:16 1090 I This computer is part of the domain CRUSO
    29.09.2017 09:56:42 079C I SSL handshake done, local IP address = 0.0.0.0
    29.09.2017 10:16:35 00E0 I RouterSystemCheck::onInfoPortsUsed() - number of user ports 15, max number of user ports 15360
    29.09.2017 11:16:36 00E0 I RouterSystemCheck::onInfoPortsUsed() - number of user ports 15, max number of user ports 15360
    29.09.2017 12:16:36 00E0 I RouterSystemCheck::onInfoPortsUsed() - number of user ports 15, max number of user ports 15360
    29.09.2017 12:50:16 1090 I Calling parent with heartbeat...
    29.09.2017 12:55:17 1090 I Heartbeat to parent succeeded.
    29.09.2017 13:16:36 00E0 I RouterSystemCheck::onInfoPortsUsed() - number of user ports 15, max number of user ports 15360
    29.09.2017 14:16:36 00E0 I RouterSystemCheck::onInfoPortsUsed() - number of user ports 15, max number of user ports 15360

    We use Sophos Enterprise Console 5.3.1

    Regards,

    James

  • Hello James,

    thanks (NetBIOS names are still there), you haven't otherwise pruned the log, have you?
    The log covers 7 hours but there's no message routed or sent; I'd expect at least one AV update during this time. Please trigger an event (e.g. a "virus" detection using EICAR) that should cause a message to be sent and check in the Router log what happens with it.

    Christian
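The check Christian describes here (a log that shows heartbeats and logons but no message ever sent to the parent) can be automated over the Router log. The following is an added example, not Sophos tooling and not the poster's script: it parses the line shape visible in the posted log (dd.mm.yyyy HH:MM:SS, four-hex-digit thread id, level letter, message, with untimestamped continuation lines), counts heartbeats, parent logons and CORBA exceptions, and reports whether anything was sent in the covered period. The sample is a constructed subset of the posted log; the one "Sent message ... to Router$<name>" line is constructed with wording taken from the earlier reply and is an assumption about the exact text.

```python
"""Triage a Sophos RMS Router log for the 'connected but silent' case.

Added example, not Sophos tooling or the poster's script. Parses the format
visible in the thread and decides between three states: the endpoint sent
messages to its parent ("reporting"), it logged on and heartbeats but never
sent anything ("connected but silent", the case in this thread), or it never
reached the parent at all ("not connected").
"""
import re
from collections import Counter
from datetime import datetime

LINE_RE = re.compile(
    r"^(\d{2}\.\d{2}\.\d{4} \d{2}:\d{2}:\d{2}) ([0-9A-Fa-f]{4}) ([A-Z]) (.*)$")
CORBA_RE = re.compile(r"Caught CORBA system exception, ID '([^']+)'")
SENT_RE = re.compile(r"Sent message .*?to (Router\$[\w.-]+)")  # assumed wording

# Constructed subset of the log posted in this thread.
SAMPLE_LOG_SILENT = """\
29.09.2017 08:12:58 1090 I Calling parent with heartbeat...
29.09.2017 08:12:58 1090 I Heartbeat to parent succeeded.
29.09.2017 08:47:14 00FC I SSL handshake done, local IP address = 0.0.0.0
29.09.2017 08:47:14 00FC E GetterWorker: Caught CORBA system exception, ID 'IDL:omg.org/CORBA/OBJECT_NOT_EXIST:1.0'
OMG minor code (2), described as '*unknown description*', completed = NO
29.09.2017 08:47:14 00FC E Failed to get messages, logging Router$MTZ1MA01 off
29.09.2017 08:47:44 1090 I RouterTableEntry::LogonToParentRouter() - logging on as active consumer
29.09.2017 08:47:44 1090 I Logged on to parent router as Router$CRER14A:504085
29.09.2017 12:50:16 1090 I Calling parent with heartbeat...
29.09.2017 12:55:17 1090 I Heartbeat to parent succeeded.
29.09.2017 14:16:36 00E0 I RouterSystemCheck::onInfoPortsUsed() - number of user ports 15, max number of user ports 15360
"""
# Same log plus one constructed "sent" line (assumed wording) for the healthy case.
SAMPLE_LOG_REPORTING = SAMPLE_LOG_SILENT + (
    "29.09.2017 14:20:00 1090 I Sent message 7 to Router$CRER14A\n")


def parse_router_log(text: str) -> list:
    """One dict per entry; lines without a timestamp are folded into the previous entry."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if m:
            entries.append({
                "time": datetime.strptime(m.group(1), "%d.%m.%Y %H:%M:%S"),
                "thread": m.group(2), "level": m.group(3), "text": m.group(4)})
        elif entries:
            entries[-1]["text"] += " " + line
    return entries


def summarise(entries: list) -> dict:
    """Count the events that decide whether the endpoint actually reports."""
    heartbeats_ok = logons = 0
    corba = Counter()
    sent_to = Counter()
    for e in entries:
        t = e["text"]
        if "Heartbeat to parent succeeded" in t:
            heartbeats_ok += 1
        elif "Logged on to parent router" in t:
            logons += 1
        m = CORBA_RE.search(t)
        if m:
            corba[m.group(1)] += 1
        m = SENT_RE.search(t)
        if m:
            sent_to[m.group(1)] += 1
    span_hours = ((entries[-1]["time"] - entries[0]["time"]).total_seconds() / 3600
                  if entries else 0.0)
    messages_sent = sum(sent_to.values())
    if messages_sent:
        verdict = "reporting"
    elif heartbeats_ok or logons:
        verdict = "connected but silent"
    else:
        verdict = "not connected"
    return {"span_hours": span_hours, "heartbeats_ok": heartbeats_ok,
            "logons": logons, "corba_errors": dict(corba),
            "messages_sent": messages_sent, "sent_to": dict(sent_to),
            "verdict": verdict}


if __name__ == "__main__":
    for name, log in (("silent", SAMPLE_LOG_SILENT), ("reporting", SAMPLE_LOG_REPORTING)):
        print(name, summarise(parse_router_log(log)))
```

Run it against the full Router log after triggering a detection: the verdict should move from "connected but silent" to "reporting" once a "Sent message" line appears. Repeated OBJECT_NOT_EXIST exceptions followed by a fresh logon, as in the posted log, mean the parent dropped the session and the endpoint re-registered, which is worth noting but is not by itself the reason no messages are sent.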

  • Hi QC,


    Just done this; it took me a while because my own Sophos on my laptop kept deleting it! But I have copied the strings over to a text document, renamed it and scanned it, and it was then quarantined. I am currently waiting for the logs to update (seems to be taking a while though).

    In Sophos Endpoint Security and Control, the update log does say the server needs to be restarted for updates to take effect; could this possibly sort this out? I will need to organise this as it's a live file transfer server so I can't just reboot it, although I will be checking traffic this weekend and if I don't see any I will reboot it then.

    Once the logs have updated though I will post them up.

    James

    EDIT: The Endpoint has never reported this to its updating log before until I started working on it!
