
SEC Migration -> missing services on new server

We've been moving Sophos Enterprise Console 5.5.1 from a W2008R2 over to a W2016, using the Sophos server to server migration guide. All seemed to be well until we tried to redirect the endpoints to the new SUM. In the SEC all clients look offline, meaning they do not report their status.

Comparing the old and the new SEC551 installation, we found out that the old server has more services running than the new one.

e.g. a port scan shows:

new SEC:

Host is up (0.00036s latency).
Not shown: 992 filtered ports
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
1801/tcp open  msmq
2103/tcp open  zephyr-clt
2105/tcp open  eklogin
2107/tcp open  msmq-mgmt
3389/tcp open  ms-wbt-server
MAC Address: 00:50:56:8D:91:12 (VMware)

old SEC:

Host is up (0.00065s latency).
Not shown: 984 filtered ports
PORT      STATE SERVICE
80/tcp    open  http
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
445/tcp   open  microsoft-ds
631/tcp   open  ipp
1801/tcp  open  msmq
2103/tcp  open  zephyr-clt
2105/tcp  open  eklogin
2107/tcp  open  msmq-mgmt
3389/tcp  open  ms-wbt-server
5666/tcp  open  nrpe
8192/tcp  open  sophos
8193/tcp  open  sophos
8194/tcp  open  sophos
10000/tcp open  snet-sensor-mgmt
49155/tcp open  unknown

So what is the reason for this difference and how can we solve the problem?



  • Hello KaMo,

    it's the Sophos Message Router service that should listen on these ports. Please check if it is shown under Services and started. If it is not present then the SEC install did not completely succeed. If it's there but stopped there should be events in the Windows Event Log. You can also try to start it and note the error.

    The logs for the Agent and the Router in the respective folders under %ProgramData%\Sophos\Remote Management System\3\ might have additional information.

    Christian

  • Sophos Message Router is running, but the Agent.log shows:

     

    31.10.2018 14:10:06 0B0C I SOF: C:\ProgramData/Sophos/Remote Management System/3/Agent/Logs/Agent-20181031-131006.log
    31.10.2018 14:10:06 0B0C I Sophos Management Agent 4.1.1.127 starting...
    31.10.2018 14:10:06 0B0C I Starting AdapterManager ...
    31.10.2018 14:10:06 0B94 I Starting AdapterMonitor thread ...
    31.10.2018 14:10:06 0B94 I Loading new adapters: 1 registered adapters; 0 loaded adapters.
    31.10.2018 14:10:06 0B94 I Detected new adapter SDDM.
    31.10.2018 14:10:06 0B94 I Loading adapter SDDM ...
    31.10.2018 14:10:07 0B94 I SDDMA: Using host 127.0.0.1 and port 51234.
    31.10.2018 14:10:07 0C14 I SDDMA: Connecting to SDDM...
    31.10.2018 14:10:07 0C14 I SDDMA: An uninitialized socket was created.
    31.10.2018 14:10:07 0B94 I Adapter SDDM has been loaded successfully.
    31.10.2018 14:10:08 0C14 I SDDMA: Failed to connect to the SUM host: connection was refused
    31.10.2018 14:10:08 0C14 I SDDMA: The socket 820 was shut down.
    31.10.2018 14:10:08 0C14 I SDDMA: The socket 820 was closed.
    31.10.2018 14:10:08 0C14 W SDDMA: failed to connect to SDDM: Failed to connect to the SUM host: connection was refused
    31.10.2018 14:10:08 0B0C I InitialiseClientLibraryLocal Agent, SOFTWARE\Sophos\Remote Management System\ManagementAgent\Private, , 1,  ...
    31.10.2018 14:10:09 0D8C W MSClient::Connect: failed to get router's IOR from supplied address and port.
    31.10.2018 14:10:09 0D8C W NoRouterIORException: Caught MSClient::Connect: failed to get router's IOR from supplied address and port.
    ClientConnection::Reconnect()
    31.10.2018 14:10:14 0D8C I Initializing ...
    31.10.2018 14:10:14 0D8C I Running certificate verification...
    31.10.2018 14:10:14 0D8C I Compliant certificate hashing algorithm.
    31.10.2018 14:10:15 0D90 I Connected to router...
    31.10.2018 14:10:15 10D8 I Running SetAdapterStatusJob for adapter SDDM
    31.10.2018 14:10:15 10D8 I SDDMA: Connecting to SDDM...
    31.10.2018 14:10:15 10D8 I SDDMA: An uninitialized socket was created.
    31.10.2018 14:10:15 10D8 I SDDMA: Connection to SDDM successful.
    31.10.2018 14:10:15 10D8 I SDDMA: Logon key written successfully.
    31.10.2018 14:10:15 10D8 I SDDMA: Logon key sent.
    31.10.2018 14:10:15 10D8 I SDDMA: Socket connection authenticated.
    31.10.2018 14:10:15 0C10 I SDDMA: IndicationsProcessor::ConnectionCallback() called.
    31.10.2018 14:10:15 0C0C I SDDMA: The adapter is connected to SDDM.
    31.10.2018 14:10:15 0C0C I SDDMA: Sending a Status Report upstream (forced)...
    31.10.2018 14:10:18 0C0C I SDDM state observer notified that SDDM is running
    ...

    a Firewall issue on the local machine?

  • Hello KaMo,

    apparently a transient error, likely SUM was not yet up. Is the Agent running, are there repeated NoRouterIORException messages in the log?
    What's in the Router log?

    Christian

  • Hi Christian,

    snippet from router.log with many entries like:

    31.10.2018 14:12:35 09D8 I Routing to Router$client1:162025: id=13D83A4D, origin=Router$servername.EM, dest=Router$client1:162025.Agent, type=EM-SetConfiguration
    31.10.2018 14:12:35 09D8 I Routing to Router$client2:243045: id=15D83A4D, origin=Router$servername.EM, dest=Router$client2:243045.Agent, type=EM-SetConfiguration

    ..

    31.10.2018 14:15:16 13DC I Client::LogonPushPush() successfully called back to client
    31.10.2018 14:15:16 13DC I Writing router table file
    31.10.2018 14:15:16 0D4C I Sent message (id=03D9AA49) to Agent
    31.10.2018 14:15:16 13DC I Logged on Agent as a client
    31.10.2018 14:15:16 09D8 I Routing to Agent: id=01D9AAE4, origin=Router$servername, dest=Router$hg-as07.Agent, type=EM-ClientLogon
    31.10.2018 14:15:16 0D4C I Sent message (id=01D9AA52) to Agent
    31.10.2018 14:15:16 0D4C I Sent message (id=01D9AAE4) to Agent
    31.10.2018 14:15:36 09D8 I Routing to EM: id=01D9AAF8, origin=Router$servername.Agent, dest=EM, type=EM-GetStatus-Reply
    31.10.2018 14:15:36 0FB8 I Sent message (id=01D9AAF8) to EM
    31.10.2018 14:22:00 09D8 I Routing to EM: id=01D9AC78, origin=Router$servername.Agent, dest=EM, type=EM-GetStatus-Reply
    31.10.2018 14:22:00 0A08 I Sent message (id=01D9AC78) to EM
    31.10.2018 14:24:03 09D8 I Routing to EM: id=01D9ACF3, origin=Router$servername.Agent, dest=EM, type=EM-GetStatus-Reply
    31.10.2018 14:24:03 16A8 I Sent message (id=01D9ACF3) to EM
    31.10.2018 14:34:27 09D8 I Routing to EM: id=01D9AF63, origin=Router$servername.Agent, dest=EM, type=EM-GetStatus-Reply
    31.10.2018 14:34:27 0FD8 I Sent message (id=01D9AF63) to EM

     

    The UpdateManager in the SEC is online, no alerts, no Errors, last updated and download status is current date/time.

  • Hello KaMo,

    everything seems fine - except that there is no communication to and from the "outside". A local netstat shows the RouterNT.exe listening on 0.0.0.0 ports 8192-8194 I assume.

    The scan that doesn't show these ports was done from remote, wasn't it? Indeed it looks like the firewall. Permit TCP 8192-8194 IN for RouterNT.exe - or an equivalent less or more restrictive rule.

    Christian
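
The program-scoped rule Christian suggests, plus the local listen check and a remote port check, written out for the Windows Server 2016 host. This is an added example, not code from the thread or from Sophos; the RouterNT.exe install path, the Domain firewall profile and the host name 'sec-server' are assumptions to adjust for your environment.

```powershell
# Added example: inbound rule limited to RouterNT.exe and TCP 8192-8194 only
# (least privilege: no blanket inbound allow for the whole server).
# Assumption: install path of RouterNT.exe - verify on the SEC server first.
$routerExe = 'C:\Program Files (x86)\Sophos\Remote Management System\RouterNT.exe'

if (-not (Test-Path $routerExe)) {
    throw "RouterNT.exe not found at $routerExe - fix the path before creating a program-scoped rule."
}

# Assumption: the server NIC is on the Domain profile; use -Profile Any if it is not.
New-NetFirewallRule -DisplayName 'Sophos RMS Router (RouterNT.exe) TCP 8192-8194 in' `
    -Direction Inbound -Action Allow -Profile Domain `
    -Protocol TCP -LocalPort '8192-8194' `
    -Program $routerExe | Out-Null

# Check 1 (local, the netstat question from the thread): is RouterNT.exe itself
# listening on 8192-8194? A rule is useless if the service is not bound to the ports.
$routerPid = (Get-Process -Name RouterNT -ErrorAction Stop).Id
Get-NetTCPConnection -State Listen -OwningProcess $routerPid |
    Where-Object { $_.LocalPort -in 8192..8194 } |
    Select-Object LocalAddress, LocalPort, OwningProcess

# Check 2 (run from an endpoint or management station, not on the server):
# the ports must now be reachable; TcpTestSucceeded = False means the firewall
# or the network path is still blocking them. 'sec-server' is a placeholder.
8192..8194 | ForEach-Object {
    Test-NetConnection -ComputerName 'sec-server' -Port $_ |
        Select-Object ComputerName, RemotePort, TcpTestSucceeded
}
```

Check 1 should list the three ports bound to 0.0.0.0 (or the server's address) before you trust check 2; if it lists nothing, the Sophos Message Router service, not the firewall, is the problem.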

  • Hello Christian,

    yes it was an external nmap-scan. Now (after allowing routernt.exe) it shows:

    Host is up (0.00035s latency).
    Not shown: 989 filtered ports
    PORT     STATE SERVICE
    135/tcp  open  msrpc
    139/tcp  open  netbios-ssn
    445/tcp  open  microsoft-ds
    1801/tcp open  msmq
    2103/tcp open  zephyr-clt
    2105/tcp open  eklogin
    2107/tcp open  msmq-mgmt
    3389/tcp open  ms-wbt-server
    8192/tcp open  sophos
    8193/tcp open  sophos
    8194/tcp open  sophos

     

    ...and 3 clients are now online and <policy compliance> changes from "awaiting policy transfer" to "awaiting policy from console". I will give it a try and check tomorrow.

     

  • Hello Christian,

    are there any other services/ports which should be manually added to the firewall exceptions?

  • Hello KaMo,

    requirements haven't changed for 5.5.1. Other than the RMS ports a rule is normally only required when you use remote consoles.

    Christian