
Sophos Message Relay

Hello,

I have configured Message Relay in the DMZ and, as I found in the instructions, set it to work as Message Relay and Distribution Point for updates. After that I'm not able to download updates while only ports 8192 and 8194 are open. When I open all ports I'm able to download updates for the client. Is it planned that the Sophos client be able to download updates through those two ports?

Also, is it possible to configure Sophos Message Relay only to work as a message relay, not as an update distribution point?

I read all the articles that I could find on the Internet (mainly on community.sophos.com) but was not able to find the answers.

Any help would be useful.

Thanks.



  • Hello Nemanja Ilic [you're not the handball or the football player, are you?],

    it's not necessary to install an update manager (SUM) in order to use a server as Message Relay. Or is Distribution Point just a share on the server which is (or should be) updated from your central server?

    As you mention DMZ: Is the MR for the endpoints (e.g. laptops) not on the LAN so that they are able to communicate with the SEC? Where do (or should) they update from? Guess it's not \\SECserver\SophosUpdate - do you have a WebCID or should they update from Sophos directly?

    only ports 8192 and 8194 [...] I'm not able to download updates
    from where to where, DMZ ↔ LAN (SECserver)?
    Who is I - the message relay? Please note that ports 8192 and 8194 are for management communication (RMS) only. Updates require either NetBIOS (445 or the legacy 13x ports) or HTTP.

    Christian
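As an added example (not part of Christian's reply and not a Sophos tool), here is a PowerShell check a roaming laptop can run to tell the two channels apart that the reply distinguishes: management traffic to the relay on 8192/8194 (RMS) and updating on 80 (WebCID over HTTP) or 445 (UNC share). The relay name is an assumption; adjust it to the DMZ relay's public name.

```powershell
# Added example, not from the thread: probe the management (RMS) and
# updating channels to the DMZ relay separately, since opening only the
# RMS ports lets an endpoint report in but not fetch updates.
$relay = 'sophosmessagerelay.somedomain.com'   # assumed public name of the DMZ relay

$checks = @(
    @{ Port = 8192; Channel = 'RMS IOR/management (plain)' },
    @{ Port = 8194; Channel = 'RMS management (SSL)' },
    @{ Port = 80;   Channel = 'Updating via WebCID (HTTP)' },
    @{ Port = 445;  Channel = 'Updating via UNC share (SMB)' }
)

# Test-NetConnection ships with Windows 8 / Server 2012 and later.
$results = foreach ($c in $checks) {
    $open = (Test-NetConnection -ComputerName $relay -Port $c.Port -WarningAction SilentlyContinue).TcpTestSucceeded
    [pscustomobject]@{ Port = $c.Port; Channel = $c.Channel; Open = $open }
}
$results | Format-Table -AutoSize

# RMS needs both of its ports; updating needs at least one of its ports.
$rmsOk    = ($results | Where-Object { $_.Port -in 8192, 8194 } | ForEach-Object Open) -notcontains $false
$updateOk = ($results | Where-Object { $_.Port -in 80, 445 }    | ForEach-Object Open) -contains $true

if ($rmsOk -and -not $updateOk) {
    "RMS reachable, no update path: the endpoint reports in, but the console will show it as not up to date and it will log 'could not find a source for update package'."
} elseif (-not $rmsOk -and $updateOk) {
    "Update path open, RMS blocked: the endpoint updates locally but shows as disconnected in the console."
} elseif ($rmsOk -and $updateOk) {
    "Both channels reachable."
} else {
    "Neither channel reachable from here."
}
```

The two summary lines at the end map onto the two symptoms discussed later in this thread (a machine that is up to date but shows as disconnected, and a machine that is connected but cannot update); run the check from the laptop on the outside network where the symptom appears.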

  • Thank you, Christian, for the fast response [not a football or handball player :)]

    My plan was to use the MR server in the DMZ for laptops when they are outside my LAN, so that they can communicate with the Sophos management console (for reporting and ...) and are able to update from that MR server. The secondary update server in the update policy is SOPHOS.

    First I installed MR on a workgroup server (Windows 2012 R2), but there were some problems, so I installed it on a domain server (Win 2012 R2). Is it a problem for the server to be in a workgroup (it is better for security and because it is in the DMZ)?

    Now I understand that I have to open port 445 or HTTP from outside for updates. I'm not sure if that would be allowed in my network.

    So, what is the procedure to set MR to work only as Message Relay? How can I change mrinit.conf? (I found that file when I updated the distribution point, and all the folders mentioned in the instructions I found on the share for the DP.) And how do I update clients in that case to use the MR server as Message Relay when in the update policy I put the Sophos management console as update server (how would the client find the correct mrinit file)?

    Nemanja

  • Hello Nemanja,

    let's start with the outside endpoints. They could use Sophos as Secondary and communicate via a message relay. This has a drawback though: they can't update RMS from Sophos (and will report updating errors because of this). This might or might not be acceptable, but they should regularly come in and stay on the LAN long enough for an update.

    If you create a WebCID (webserver or proxy in the DMZ) then updating RMS wouldn't be an issue.

    DP: Your main server by default deploys to \\Server\SophosUpdate\CIDs\S000\SAVSCFXP. You can add another UNC location; there you'd edit mrinit.conf as described and put it in the \rms subdirectory. In the console create one or more groups (and move the endpoints in question and the MR into them), an updating policy pointing to this additional DP, and assign the new policies to these groups (thus the endpoints "find" the mrinit.conf through their updating policy).

    With a SUM+MR in the DMZ (you have to follow this procedure to install it) it'd perhaps be less complicated: the CID on the DMZ SUM would be the "other" DP (published as WebCID). You'd need just one updating policy containing the UNC path to the main server as Primary and the WebCID as Secondary. LAN endpoints update from UNC, outside endpoints from the WebCID (which also tells them to use the MR). The drawback is you'll see updating errors for the outside clients telling you they couldn't update via UNC. This might or might not be acceptable though.

    All this is not as complicated as it sounds once you've familiarized yourself with the concepts. And - there's more than one way to skin a cat.

    Christian 

  • Hello Christian,

    One more question. Is it normal that the mrinit.conf file in location \\ServerMR\SophosUpdate\CIDs\S000\SAVSCFXP changes back after a while to the old data (the same data that is in "MRParentAddress")? In the \rms folder, mrinit.conf points to the SophosMR server. Is that OK, or didn't I set something up correctly?

    I'll configure my SophosMR in the DMZ as MR and update DP for outside users through port 80 and let you know how it is working.

    Thank you for the assistance.

    Nemanja

  • Hello Nemanja,

    mrinit.conf [...] changing after while to old data
    yes, this is the expected behaviour (and one reason that you have to put it into the \rms subdirectory).

    Christian

  • Christian,

    Is there any combination of settings that lets me see on my management console whether my outside computers are up to date?

    In my test network I configured endpoints that update from the Sophos MR in the DMZ (this server is SUM and MR). Ports 80, 8192 and 8194 are open. Updating from the Sophos MR is working, but on the management console there is a message that this computer is not up to date. On my other computer I blocked port 80 and it is not able to update from the MR, and there is the same message, not up to date, but there is also the message: Error: could not find a source for update package... (which is OK).

    How do endpoints communicate with the management console through the MR? I thought that the MR is used to collect information about endpoints and send it to the Sophos server.

    Nemanja

  • Hello Nemanja,

    not up to date [...] couldn't not find a source
    in the console please open the Computer Details for an outside endpoint. Note the Last message received from computer: is it more recent than Time next package became available? Is there a date for Time installed package became available? Also in the Update managers view please check the Last updated for your MR/SUM and whether there is an alert or error.
    Other than the not up to date - are there updating errors shown for the endpoints? Their Primary update location is HTTP from the MR, isn't it?

    Christian

  • Hello Christian,

    Computer COMP1, which is in the network with port 80 open, is updating from the MR by HTTP. That computer is in red status (not connected), but it is online and updating regularly, yet there is no information about that. Its Last message received from computer is 1/30/2017 and next package will be available is also 1/30/2017.

    Computer COMP2, which is in the network with port 80 closed, is not updating (which is expected); it has update errors: couldn't find a source for update package (also expected), and in its computer details Last message received from computer is 2/1/2017 but next package will be available is 1/30/2017, which is a little strange to me. This computer is green (connected to the management console). It is also updating from the MR through HTTP and there is a message that it's not up to date (also on the client side, which is expected because port 80 is closed).

    Why is COMP1 showing that it is not up to date and that no message was received from the computer by the server, when it is up to date? The client is correctly updated. Why is this computer not connected?

    Why is COMP2 showing that it is connected to the Sophos server console but is not updated?

    These are some things I don't understand about how the Sophos MR works, and whether there is any configuration that lets me see which computer is correctly up to date while it is updating through the MR.

    Thanks,

    Nemanja

  • Hello Nemanja,

    did you install the SUM/MR with the new mrinit.conf as per Deploying a message relay and SUM installation via the SUM bootstrap executable setup.exe? Endpoints will only reconfigure RMS if mrinit.conf is placed in the \rms subdirectory. Please see also this thread on how to check if your MR is indeed a message relay.

    If the outside endpoints are updating from the correct CID they'll want to use the "child" SUM as message relay. Thus if the SUM/MR doesn't (know that it should) act as relay, SEC won't know about the endpoints' status.

    The Next package ... (it's Next, not Last, and in this context package means a specific combination of software, detection data, and additional IDEs) is what determines the Not since .... To emphasize: updating and reporting are distinct channels.

    Christian

  • Christian,

    to install SophosMR I used articles 14635 and 50832 and the video https://www.youtube.com/watch?v=9lMVMlaknEs (not the one about via the SUM bootstrap). mrinit.conf is placed in the \rms subdirectory. When I check the MR it says: RMS router type is message relay. I set up the endpoints to update from the MR. And for the test the MR is the only update location (the secondary location in the policy is empty).

    Nemanja

  • Hello Nemanja,

    to make sure I understand the status correctly let's call the endpoints Inside and Outside1 and Outside2.
    Inside is updating from your SEC server, status in SEC is connected (green), and up to date
    Outside1 is updating from SUM/MR, status disconnected, update Not since, but locally updated
    Outside2 is blocked from updating, status connected, update Not since (as expected)

    Is this correct?
    Anyway, please check the Network Communications Report on the endpoints (those outside should have the MR as parent) 

    Christian

  • Hello,

    I configured my laptop client to update from the Sophos server when it is in the LAN, and from Sophos when it is out. I configured mrinit.conf to point to SophosMR, which is in the DMZ. When my laptop is on the Internet it always tries to connect to the SophosMR private address (10.x.x.x). The DNS record with the public address for SophosMR is set correctly. When I ping SophosMR it gives me the public address (188.x.x.x).

    How can I force the Sophos client to resolve the public address? Why doesn't it use DNS to look up the IP address?

    Thanks

    Nemanja

  • I assume that the computer (when roaming) is connecting OK to TCP port 8192 of the external-facing relay. The value in ParentAddress on the client is OK for this.

    However, the client router is probably getting back, from the IOR string, the internal IP of the external relay, which of course isn't routable to the client. Unless of course your roaming computer is part of a network with the same IP range! Then you'd get some interesting routing if the computers are all managed under the same SEC infrastructure.

    To fix this you need to override the IP in the IOR such that the client can resolve it.  When doing so you also need to make sure the relay itself can "use" this overridden address as the local agent service will also be reading this IOR.  You can use an entry in the hosts file if needed or use DNS.

    My graphic in this post should help:
    https://community.sophos.com/products/endpoint-security-control/f/sophos-endpoint-software/3154/configure-endpoint-server-10-with-rms-behind-a-firewall-nat-don-t-want-to-use-message-relay/8546

    Regards,

  • Hello,

    I'm not able to change the RMS router type from "endpoint" to "Message Relay" on a WORKGROUP server. Are there any specific settings? With the server in the domain, Message Relay works fine.

    Regards,

  • Hello Nemanja,

    how do you try to change RMS router type? What's in your mrinit.conf and the IOR?

    Christian

  • Hello QC,

    it is a new server (in the DMZ). Everything is set up correctly, as I did with the server in the domain. But the server doesn't change RMS router type to "Message Relay" (it is working like an endpoint).

    In mrinit.conf I set:   parent address: sophosmessaterouter.somedomain.com

    ior: iiop://:8193/ssl_port=8194&hostname_in_ior=sophosmessagerelay.somedomain.com

    As I understand it, the only thing left is for the server to realise that it is the message relay for itself (when it updates from itself and reads mrinit.conf) and to change router type from endpoint to message relay. But because its computer name is:

    sophosmessagerelay (not in the domain), are mrinit and ior set correctly?

    Regards

  • Hello Nemanja,

    at least one of the server's IP addresses must reverse-resolve to sophosmessagerelay.somedomain.com (of course when the outside clients resolve this name they must get the public IP of the relay). If the server can't resolve it via DNS then you should add an appropriate entry in %windir%\System32\drivers\etc\hosts (the file has no extension).

    Christian
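As an added example (not code from the thread, from Sophos, or from either poster), here is a PowerShell script that checks both halves of the advice given above: that the name carried in hostname_in_ior resolves to a public address for a roaming client (the IOR override QC describes), and that one of the relay's own addresses reverse-resolves to that same name (Christian's check). The key names MRParentAddress, ParentRouterAddress and ServiceArgs are the standard mrinit.conf keys; the sample file contents, host names and addresses are constructed for illustration.

```powershell
# Added example, not from the thread: validate the name a DMZ relay advertises
# in its IOR from the client side (forward lookup, must be public) and from
# the relay side (reverse lookup, must map back to the advertised name).

# Constructed sample of the relevant lines of an mrinit.conf, as an endpoint
# would read them from the \rms subdirectory of its CID.
$sample = @'
[Config]
"ProjectName"="Sophos Messaging System"
"MRParentAddress"="secserver.somedomain.local,10.0.0.5,secserver"
"ParentRouterAddress"="sophosmessagerelay.somedomain.com,sophosmessagerelay"
"ServiceArgs"="-ORBListenEndpoints iiop://:8193/ssl_port=8194&hostname_in_ior=sophosmessagerelay.somedomain.com"
'@

function Get-MrInitSettings {
    param([string]$Text)
    $cfg = @{}
    foreach ($line in ($Text -split "`r?`n")) {
        if ($line -match '^"(?<k>[^"]+)"="(?<v>.*)"$') { $cfg[$Matches.k] = $Matches.v }
    }
    $hostInIor = if ($cfg['ServiceArgs'] -match 'hostname_in_ior=(?<h>[^&\s]+)') { $Matches.h } else { $null }
    [pscustomobject]@{
        ManagementServer = ($cfg['MRParentAddress']    -split ',')[0]  # where the relay itself reports to
        RelayName        = ($cfg['ParentRouterAddress'] -split ',')[0]  # name endpoints connect to on 8192
        HostnameInIor    = $hostInIor                                   # name the relay tells them to call back on
    }
}

# RFC 1918 ranges: an IOR pointing here is unroutable from the Internet.
function Test-PrivateIPv4 {
    param([System.Net.IPAddress]$Ip)
    $b = $Ip.GetAddressBytes()
    ($b[0] -eq 10) -or ($b[0] -eq 172 -and $b[1] -ge 16 -and $b[1] -le 31) -or ($b[0] -eq 192 -and $b[1] -eq 168)
}

$s = Get-MrInitSettings -Text $sample
if (-not $s.HostnameInIor) { throw 'ServiceArgs has no hostname_in_ior: clients will be handed the relay''s own DMZ address.' }
if ($s.HostnameInIor -ne $s.RelayName) {
    Write-Warning "ParentRouterAddress ($($s.RelayName)) and hostname_in_ior ($($s.HostnameInIor)) differ."
}

# Client-side view: resolve the advertised name the way a roaming laptop would.
try {
    $ips = [System.Net.Dns]::GetHostAddresses($s.HostnameInIor) | Where-Object { $_.AddressFamily -eq 'InterNetwork' }
    foreach ($ip in $ips) {
        if (Test-PrivateIPv4 $ip) { Write-Warning "$($s.HostnameInIor) -> $ip is private; a roaming client cannot route to it." }
        else                     { "$($s.HostnameInIor) -> $ip (public)" }
    }
} catch { Write-Warning "Cannot resolve $($s.HostnameInIor) from this machine: $($_.Exception.Message)" }

# Relay-side view (run this part on the relay): one of its own IPv4 addresses
# must reverse-resolve to the advertised name, via DNS or the hosts file.
$own = Get-NetIPAddress -AddressFamily IPv4 | Where-Object { $_.IPAddress -ne '127.0.0.1' }
$matched = $false
foreach ($a in $own) {
    try {
        $ptr = [System.Net.Dns]::GetHostEntry([System.Net.IPAddress]$a.IPAddress).HostName
        "$($a.IPAddress) reverse-resolves to $ptr"
        if ($ptr -ieq $s.HostnameInIor) { $matched = $true }
    } catch { "$($a.IPAddress) has no reverse record" }
}
if (-not $matched) {
    "No local address reverse-resolves to $($s.HostnameInIor). Add a line to %windir%\System32\drivers\etc\hosts, e.g.:"
    "  $($own[0].IPAddress)`t$($s.HostnameInIor)"
}
```

Replace the here-string with `Get-Content` of the real mrinit.conf from the CID's \rms subdirectory to check a deployed file. The forward-lookup half is meaningful only from outside the LAN (inside, split DNS may legitimately return the private address); the reverse-lookup half must be run on the relay itself, where the hosts file entry Christian mentions would live.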

  • Hi,

    I created the hosts file entry already. I added a DNS suffix to the computer name (because it is a workgroup) so that the full computer name is: sophosmessagerelay.somedomain.com.

    The IP address reverse-resolves to the full computer name.

    But the server is not a Message Relay yet.

    In regedit the parent address is correct: sophosmessagerelay.somedomain.com

    Regards,

  • Hello Nemanja,

    is this MR also a SUM? BTW: The Parent should be the management server.

    Christian

  • Christian,

    The MR is a SUM only for itself.

    I found an error: A file in rmsnt had an invalid signature. After I deleted the SUM and updated the Sophos DP again (recreated the SUM) and restarted, the server became a Message Relay. Now I have to test whether everything works as I expected.

    Thanks for the support, Christian.

    Regards,