
SEC 5.2.1 air gap configuration question

Hi all.


I am just getting started with Enterprise Console 5.2.1 and Endpoint Security and Control 10.2 and I hope someone can give me some advice.


I need to deploy to a number of air gapped networks and have been following the Sophos article 64899 to set this up. The non air gapped server (internet facing) works as expected and can manage a test endpoint computer successfully and deploy software packages, policies and updates to it.


I then copied the contents of the above server's warehouse folder to CD and transferred the data to the appropriate share on the test air gapped server as per article 64899. The enterprise console on this server was successfully able to deploy the required packages and updates to its test endpoint computer. The endpoint PC is successfully retrieving updates from the air gapped server. Great! I thought...

However, this PC is trying to send its status/feedback messages to the original non air gapped server instead of its "parent" on the air gapped network; I established this by looking at the endpoint PC's router logs. As a result the air gapped server console shows the endpoint PC as unmanaged even though it was the server used to deploy the packages to the endpoint PC in the first place.


I assume that this has happened because some of the warehouse files copied from the original server contain references to the host name/IP address of that server, not the one on the air gapped LAN. Is this assumption correct?


Am I missing something? My requirement is to manage the air gapped endpoints from the enterprise console server on their own LAN. The original non air gapped server is purely used to download the software packages and definition updates from the Sophos website and write them to CD for transfer to the air gapped server; after the testing phase it will probably never be required to manage any LAN connected endpoints of its own. The endpoints to be managed will always be on the air gapped networks with their own respective enterprise consoles.
Any advice would be gratefully received!

Regards


Jon

  • Hello Jon,

    the Warehouse does not contain a reference to the management server. 

    How did you deploy the test endpoint?   How did you set up the air gapped server? What besides the Warehouse did you copy from the original server?

    Christian

  • Sounds like you may have copied over the CIDs folder too.  If not, and in any case, if you check the MRInit.conf file in the package folder on the air gapped server it'll probably have the internet-facing configuration in it.  How it got there may be a mystery but it's there now.

    No biggie.  On the air gapped server:

    1. Go to the CIDs folder (C:\ProgramData\Sophos\Update Manager\Update Manager\CIDs).
    2. Go into the right subscription folder for the computers you deployed to (Check 'View' | 'Bootstrap Locations' in the console if you're not sure).  Folder is Sxxx (e.g, S000 or S123).
    3. Go into the package folder (for example SAVSCPXP for Windows computers).
    4. Open the MRInit.conf file with notepad.
    5. Check/edit the 'ParentRouterAddress' line (last one).  Probably says internet-server-ip, internet-server-hostname, internet-server-FQDN.  Change so the only server mentioned is the air gapped.
    6. Save and close the file.
    7. Copy the file into the RMS sub folder (for example: C:\ProgramData\Sophos\Update Manager\Update Manager\CIDs\S000\SAVSCFXP\rms\).
    8. Run configCID.exe on the CID. See article 13112 for more information.
    9. Run an update on the endpoint computer (or wait for it to check in).  It'll reconfigure the ParentAddress (HKLM\SOFTWARE\[Wow6432Node\Sophos\Message System\Router\ STRING | ParentAddress) with the value from the MRInit.conf file.

    The client should now report.  Search the air gapped server for any other MRInit.conf files (like C:\Program Files (x86)\Sophos\Enterprise Console) as you may (just guessing) have copied something over from the internet-facing server.  If you don't get all the MRInit.conf files synced up with the right addresses any new CIDs you create/ SUM creates could pick up and use a bogus setting.


     - - - - - - - - - - - -

    Communities Moderator, SOPHOS
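    To check steps 4 and 5 across every CID at once rather than one file at a time, here is an added PowerShell audit script (not from the thread or from Sophos). It assumes MRInit.conf holds plain `Key=Value` lines with the key `ParentRouterAddress` as named above, uses the default CID and SEC paths quoted in the post, and the allowed-server list and registry path are placeholders/assumptions to adjust for your own air gapped server.

    ```powershell
    # Added example: audit (and optionally rewrite) ParentRouterAddress in every
    # MRInit.conf under the SUM CIDs tree and the SEC install folder on the
    # air gapped server. Run in an elevated PowerShell session on that server.
    param(
        # Placeholder names/addresses of the air gapped management server.
        [string[]]$AllowedParents = @('airgap-sec', 'airgap-sec.example.local', '10.10.0.5'),
        [switch]$Fix   # rewrite offending files instead of only reporting them
    )

    $roots = @(
        'C:\ProgramData\Sophos\Update Manager\Update Manager\CIDs',
        'C:\Program Files (x86)\Sophos\Enterprise Console'
    )
    $files = Get-ChildItem -Path $roots -Filter 'MRInit.conf' -Recurse -File -ErrorAction SilentlyContinue

    foreach ($f in $files) {
        $lines = @(Get-Content -Path $f.FullName)
        $idx = -1
        for ($i = 0; $i -lt $lines.Count; $i++) {
            # Assumption: the line looks like "ParentRouterAddress=name,fqdn,ip"
            if ($lines[$i] -match '^\s*ParentRouterAddress\s*=') { $idx = $i; break }
        }
        if ($idx -lt 0) { Write-Warning "$($f.FullName): no ParentRouterAddress line"; continue }

        $current = ($lines[$idx] -split '=', 2)[1].Trim()
        $entries = $current -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ }
        $bad     = $entries | Where-Object { $AllowedParents -notcontains $_ }

        if (-not $bad) { Write-Host "OK    $($f.FullName) -> $current"; continue }
        Write-Host "STALE $($f.FullName) -> $current (unexpected: $($bad -join ', '))"

        if ($Fix) {
            Copy-Item -Path $f.FullName -Destination "$($f.FullName).bak" -Force
            $lines[$idx] = 'ParentRouterAddress=' + ($AllowedParents -join ',')
            Set-Content -Path $f.FullName -Value $lines
            Write-Host "      rewritten; copy into the rms sub folder and run ConfigCID.exe on this CID"
        }
    }

    # Endpoint side check: the value the client actually uses after its next update.
    # Path as quoted in the post (Wow6432Node on 64-bit Windows); assumed, verify on your build.
    foreach ($rp in 'HKLM:\SOFTWARE\Wow6432Node\Sophos\Message System\Router',
                    'HKLM:\SOFTWARE\Sophos\Message System\Router') {
        if (Test-Path $rp) {
            $pa = (Get-ItemProperty -Path $rp -ErrorAction SilentlyContinue).ParentAddress
            Write-Host "Endpoint ParentAddress ($rp): $pa"
        }
    }
    ```

    Run it once without -Fix to see which CIDs still carry the internet-facing server, then with -Fix and finish with the ConfigCID step so the rewritten file is picked up by endpoints.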

  • Hi Christian.

    It was a pretty standard installation on the air gapped server, the only thing I changed was the default installation drive for the software and the location/share to pick up the updates from. I may have had the CID folder on there as well at one stage, but I removed it when I realised it wasn't required. Perhaps that caused it. I will investigate.

    Thanks

    Jon

  • Thanks for the suggestion Ruckus, I will investigate and report back.

    Cheers.

    Jon

  • Can the enterprise console in the air gapped network have a different version number from the enterprise console on the non-air gapped network?

    or

    Do they both need to have the same version number, e.g. both 5.2.2?

  • Hello lampie,

    guess the SUM version is the primary criterion (if both consoles have Recommended configured this shouldn't be a problem). I assume (but that's just an assumption) that the SECs are "compatible" as long as they use the same database version (which is the case for 5.2.1 to 5.3.0) but ideally they should run the same version. BTW - SESC 10.6 which is coming soon introduces a new feature for which AFAIK SEC 5.3 is required.

    Christian 
