How to use Update Manager and Message Relay in the same agent group?

 Dear friends

 

I have a client with 10,500 machines using Sophos agents installed in the SEC.

We have seen a high bandwidth consumption on the SEC Server.

Today we have 120 update managers configured; even then we have great bandwidth consumption in the SEC.

I installed a Message Relay on a separate server.

When I set up policy in update, I have the option to put the update manager or the message relay.

How do I use the two settings together?

I need the update manager to continue working and I need Message Relay as well.

Thank you.


  • Hello Marcio Sousa,

    high bandwidth
    can you perhaps verify that it is traffic on TCP port 8194? Unless they are plagued by constant detections or events endpoints should be rather reticent, traffic coming most notably from the status messages after detections data updates - some kB every few hours. Usually it's the number of connections that causes problems. But even updating shouldn't result in high bandwidth, I have 3000+ endpoints checking for updates every 10 minutes. Unless endpoints are updating directly from the SEC server you have just over 100.
    As an aside - you have, if I read the numbers correctly, more SUMs than average endpoints/SUM.

    Anyway, with more than 10.000 endpoints relays are a good idea. You can't configure relays directly, the information is contained in the CID.

    Using a server both as SUM and Message Relay (MR) is common. Unfortunately the configuration as MR must be done with the installation of SUM. The recommended way in your case is to uninstall SUM (which should also uninstall RMS), configure the CIDs as needed, re-install SUM using the desired mrinit.conf.
    Quite arduous with 120 SUMs/MRs - though the major work is configuring the CIDs (editing mrinit.conf, putting it in the applicable subfolders, and running ConfigCID). I think (haven't tested lately) the CID-configuration is necessary to redirect existing endpoints to the MR.
    Of course you could change some other available servers into MRs - CID configuration would still be required though and it might result in an obscure topology.

    Christian
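
The reply above suggests checking whether the load is on TCP port 8194 and notes that the number of connections is usually the problem. The PowerShell below is an added example, not part of the original thread or of any Sophos tooling: it summarises connections on that port per remote host. The function name `Get-PortConnectionSummary` and the sample rows are hypothetical and constructed for illustration.

```powershell
# Added example (not from the thread). Port 8194 is the port named in the reply;
# the function name and the sample rows below are constructed for illustration.
function Get-PortConnectionSummary {
    param(
        [Parameter(Mandatory)] [AllowEmptyCollection()] [object[]] $Connections,
        [int] $Port = 8194,
        [int] $Top  = 5
    )
    # Keep only sockets whose local end is the port of interest.
    $onPort = @($Connections | Where-Object { $_.LocalPort -eq $Port })
    # One group per remote address, busiest first.
    $byHost = @($onPort | Group-Object RemoteAddress | Sort-Object Count -Descending)

    [pscustomobject]@{
        Port         = $Port
        Total        = $onPort.Count
        Established  = @($onPort | Where-Object { "$($_.State)" -eq 'Established' }).Count
        UniqueRemote = $byHost.Count
        # A host holding several connections at once deserves a closer look.
        TopRemote    = @($byHost | Select-Object -First $Top -Property Name, Count)
    }
}

# Constructed sample rows shaped like Get-NetTCPConnection output.
$sample = @(
    [pscustomobject]@{ LocalPort = 8194; RemoteAddress = '10.0.1.15'; State = 'Established' }
    [pscustomobject]@{ LocalPort = 8194; RemoteAddress = '10.0.1.15'; State = 'Established' }
    [pscustomobject]@{ LocalPort = 8194; RemoteAddress = '10.0.2.40'; State = 'TimeWait' }
    [pscustomobject]@{ LocalPort = 8194; RemoteAddress = '10.0.3.7';  State = 'Established' }
    [pscustomobject]@{ LocalPort = 445;  RemoteAddress = '10.0.3.7';  State = 'Established' }
)
$summary = Get-PortConnectionSummary -Connections $sample
$summary | Format-List Port, Total, Established, UniqueRemote
$summary.TopRemote | Format-Table -AutoSize

# On the server itself (Windows Server 2012 or later), feed it live data:
# $live = @(Get-NetTCPConnection -LocalPort 8194 -ErrorAction SilentlyContinue)
# Get-PortConnectionSummary -Connections $live
```

This counts connections only; it does not measure bytes transferred, so pair it with a per-port traffic capture if the connection count looks normal.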
