
Sophos Message Relay

Hello,

I have configured Message Relay in the DMZ and, as I found in the instructions, set it to work as Message Relay and Distribution Point for Updates. After that I'm not able to download updates while opening only ports 8192 and 8194. When I open all ports I'm able to download updates for the client. Is it planned that the Sophos Client be able to download updates through those two ports?

Also, is it possible to configure Sophos Message Relay only to work as message relay, not as an update distribution point?

I read all the articles that I could find on the Internet (mainly on community.sophos.com) but was not able to find any answers.

Any help would be useful.

Thanks.



  • Hello Nemanja Ilic [you're not the handball or the football player, are you?],

    it's not necessary to install an update manager (SUM) in order to use a server as Message Relay. Or is Distribution Point just a share on the server which is (or should be) updated from your central server?

    As you mention DMZ: Is the MR for the endpoints (e.g. laptops) not on the LAN so that they are able to communicate with the SEC? Where do (or should) they update from? Guess it's not \\SECserver\SophosUpdate - do you have a WebCID or should they update from Sophos directly?

    only ports 8192 and 8194 [...] I'm not able to download updates
    from where to where, DMZ ↔ LAN (SECserver)?
    Who is I - the message relay? Please note that ports 8192 and 8194 are for management communication (RMS) only. Updates require either NetBIOS (445 or the legacy 13x ports) or HTTP.

    Christian

  • Thank You Christian for the fast response, [not football and handball player :)]

    My plan was to use the MR server in the DMZ for laptops when they are outside my LAN network, so that they can communicate with the Sophos management console (for reporting and ...) and be able to update from that MR server. The secondary update server in the update policy is SOPHOS.

    First I installed MR on a workgroup server Windows 2012 R2, but there were some problems so I installed it on a domain server Win 2012 R2. Is it a problem for the server to be in a workgroup (it is better for security and because it is in the DMZ)?

    Now, I understand that I have to open port 445 or HTTP from outside for updates. I'm not sure if it would be allowed in my network.

    So, what is the procedure to set MR only to work as Message Relay? How can I change mrinit.conf? (I found that file when I updated the distribution point, and all the folders mentioned in the instructions I found on the share for the DP). And how do I update clients in that case to use the MR server for Message Relay when in the update policy I put the Sophos management console as the update server (how would the client find the correct mrinit file)?

    Nemanja

  • Hello Nemanja,

    to make sure I understand the status correctly let's call the endpoints Inside, Outside1 and Outside2.
    Inside is updating from your SEC server, status in SEC is connected (green), and up to date
    Outside1 is updating from SUM/MR, status disconnected, update Not since, but locally updated
    Outside2 is blocked from updating, status connected, update Not since (as expected)

    Is this correct?
    Anyway, please check the Network Communications Report on the endpoints (those outside should have the MR as parent).

    Christian

  • Hello,

    I configured my laptop client to update from the Sophos Server when it is in the LAN, and from Sophos when it is out. Configured mrinit.conf to point to SophosMR which is in the DMZ. When my laptop is on the Internet it always tries to connect to the SophosMR private address (10.x.x.x). The DNS record on the public address for SophosMR is set correctly. When I ping SophosMR it gives me the public address (188.x.x.x).

    How can I force the Sophos client to resolve the public address? Why doesn't it use DNS to look up the IP address?

    Thanks

    Nemanja

  • I assume that the computer (when roaming) is connecting OK to TCP port 8192 of the external-facing relay. The value in ParentAddress on the client is OK for this.

    However the client router is probably getting back, from the IOR string, the internal IP of the external relay, which of course isn't routable to the client. Unless of course your roaming computer is part of a network with the same IP range! Then you'd get some interesting routing if the computers are all managed under the same SEC infrastructure.

    To fix this you need to override the IP in the IOR such that the client can resolve it.  When doing so you also need to make sure the relay itself can "use" this overridden address as the local agent service will also be reading this IOR.  You can use an entry in the hosts file if needed or use DNS.

    My graphic in this post should help:
    https://community.sophos.com/products/endpoint-security-control/f/sophos-endpoint-software/3154/configure-endpoint-server-10-with-rms-behind-a-firewall-nat-don-t-want-to-use-message-relay/8546

    Regards,

  • Hello,

    I'm not able to change the RMS router type from "endpoint" to "Message Relay" on a WORKGROUP server. Are there any specific settings? With the server in the domain, Message Relay works fine.

    Regards,

  • Hello Nemanja,

    how do you try to change RMS router type? What's in your mrinit.conf and the IOR?

    Christian

  • Hello QC,

    it is a new server (in the DMZ). Everything is set up correctly, like I did with the server in the domain. But the server doesn't change RMS router type to "Message Relay" (it is working like an endpoint).

    mrinit.conf is set:   parent address: sophosmessaterouter.somedomain.com

    ior: iiop://:8193/ssl_port=8194&hostname_in_ior=sophosmessagerelay.somedomain.com

    As I understand it, the only thing left is for the server to realise that it is the message relay for itself (when it updates from itself and reads mrinit.conf) and to change the router type from endpoint to message relay. But, because its computer name is:

    sophosmessagerelay (not in domain), are mrinit and ior set correctly?

    Regards

  • Hello Nemanja,

    at least one of the server's IP addresses must reverse-resolve to sophosmessagerelay.somedomain.com (of course when the outside clients resolve this name they must get the public IP of the relay). If the server can't resolve it via DNS then you should add an appropriate entry in %windir%\System32\drivers\etc\host (the file has no extension).

    Christian
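    The two checks raised in this thread (the IOR must carry a name that roaming clients resolve to the relay's public address, not its 10.x.x.x interface, and the relay itself must reverse-resolve one of its own addresses to that name, with ParentAddress naming the management server) can be run mechanically before touching the firewall. The Python below is an added example and is not code from the thread or from Sophos. It assumes a simplified "key: value" layout for mrinit.conf that mirrors how the poster quoted it (the real file's syntax is not reproduced), an IOR string shaped like the one quoted (iiop://:8193/ssl_port=8194&hostname_in_ior=<name>), and resolver answers passed in as dictionaries so it runs offline; the management-server name and all IP addresses are constructed.

```python
import ipaddress
import re
from typing import Dict, List

# Constructed sample in the simplified 'key: value' layout the poster used.
# The management-server name is an assumption; the relay name is from the thread.
SAMPLE_MRINIT = """\
parent address: sophosmanagement.somedomain.com
ior: iiop://:8193/ssl_port=8194&hostname_in_ior=sophosmessagerelay.somedomain.com
"""

# Address blocks a roaming client on the Internet can never route to
# (RFC 1918, loopback, link-local): exactly the 10.x.x.x problem in the thread.
NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16")]

# Assumed shape of the IOR string: iiop://<host>:<port>/<opt>=<val>&<opt>=<val>
IOR_RE = re.compile(r"^iiop://(?P<host>[^:/]*):(?P<port>\d+)/(?P<opts>.*)$")


def parse_mrinit(text: str) -> Dict[str, str]:
    """Return the file as a dict; keys are lower-cased with spaces removed,
    so 'parent address' becomes 'parentaddress'."""
    conf: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        key, _, value = line.partition(":")
        conf[key.strip().lower().replace(" ", "")] = value.strip()
    return conf


def parse_ior(ior: str) -> Dict[str, str]:
    """Split an IOR string into host, port and its '&'-separated options."""
    m = IOR_RE.match(ior.strip())
    if not m:
        raise ValueError(f"unrecognised IOR string: {ior!r}")
    fields = {"host": m.group("host"), "port": m.group("port")}
    for item in m.group("opts").split("&"):
        if "=" in item:
            k, v = item.split("=", 1)
            fields[k.strip()] = v.strip()
    return fields


def is_non_routable(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in NON_ROUTABLE)


def check_relay(conf: Dict[str, str],
                client_dns: Dict[str, str],
                relay_reverse: Dict[str, str]) -> List[str]:
    """Return a list of findings; an empty list means the relay config passes.

    client_dns    : name -> IP as a roaming client on the Internet resolves it
    relay_reverse : IP -> name as the relay reverse-resolves its own interfaces
                    (via DNS or its hosts file)
    """
    findings: List[str] = []
    ior = parse_ior(conf["ior"])
    name = (ior.get("hostname_in_ior") or ior["host"]).lower()
    if not name:
        findings.append("IOR carries no hostname: clients receive the relay's "
                        "internal address and roaming ones cannot route to it")
        return findings
    addr = client_dns.get(name)
    if addr is None:
        findings.append(f"{name} does not resolve for roaming clients")
    elif is_non_routable(addr):
        findings.append(f"{name} resolves to non-routable {addr} for roaming "
                        "clients; publish the public IP instead")
    if name not in (n.lower() for n in relay_reverse.values()):
        findings.append(f"no relay interface reverse-resolves to {name}; "
                        "add a hosts-file or PTR entry on the relay")
    if conf.get("parentaddress", "").lower() == name:
        findings.append("ParentAddress points at the relay itself; on a relay "
                        "it must name the management server")
    return findings


if __name__ == "__main__":
    conf = parse_mrinit(SAMPLE_MRINIT)
    broken = {"sophosmessagerelay.somedomain.com": "10.0.0.5"}     # constructed
    fixed = {"sophosmessagerelay.somedomain.com": "203.0.113.10"}  # constructed (TEST-NET-3)
    relay_view = {"10.0.0.5": "sophosmessagerelay.somedomain.com"}
    for label, dns in (("before", broken), ("after", fixed)):
        print(label, check_relay(conf, dns, relay_view) or ["OK"])
```

    Feed check_relay() the answers a roaming client actually gets (for example from nslookup on a laptop outside the LAN) and the relay's own reverse lookups; a finding on the first check is the symptom described earlier in this thread (client chasing a 10.x.x.x address), the second is the reverse-resolution requirement above, and the third is the ParentAddress mistake raised in the following replies.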

  • Hi,

    I created the hosts file entry already. Added the DNS suffix to the computer name (because it is a workgroup) so the full computer name is: sophosmessagerelay.somedomain.com.

    The IP address reverse-resolves to the full computer name.

    But the server is not a Message Relay yet.

    In regedit the parent address is correct:  sophosmessagerelay.somedomain.com

    Regards,

  • Hello Nemanja,

    is this MR also a SUM? BTW: The Parent should be the management server.

    Christian

  • Christian,

    MR is SUM only for itself.

    I found an error: A file in rmsnt had an invalid signature. After I deleted SUM and updated sophosDP again (recreated SUM), and restarted, the server became a Message Relay. Now I have to test if everything works as I expected.

    Thanks for the support Christian.

    Regards,