Sophos Message Relay

Hello,

I have configured Message Relay in DMZ and, as I found in the instructions, set it to work as Message Relay and Distribution Point for Updates. After that I'm not able to download updates while only ports 8192 and 8194 are open. When I open all ports I'm able to download updates for the client. Is it planned that Sophos Client be able to download updates through those two ports?

Also, is it possible to configure Sophos Message Relay only to work as message relay, not as an update distribution point?

I read all articles that I could find on the Internet (mainly on community.sophos.com) but was not able to find the answers.

Any help would be useful.

Thanks.
  • Hello Nemanja,

    to make sure I understand the status correctly, let's call the endpoints Inside, Outside1 and Outside2.
    Inside is updating from your SEC server, status in SEC is connected (green), and up to date
    Outside1 is updating from SUM/MR, status disconnected, update Not since, but locally updated
    Outside2 is blocked from updating, status connected, update Not since (as expected)

    Is this correct?
    Anyway, please check the Network Communications Report on the endpoints (those outside should have the MR as parent) 

    Christian

  • Hello,
    I configured my laptop client to update from the Sophos server when it is in the LAN, and from Sophos when it is out. Configured mrinit.conf to point to SophosMR which is in DMZ. When my laptop is on the Internet it always tries to connect to the SophosMR private address (10.x.x.x). The DNS record on the public address for SophosMR is set correctly. When I ping SophosMR it gives me the public address (188.x.x.x).

    How can I force the Sophos client to resolve the public address? Why doesn't it use DNS to look up the IP address?

    Thanks

    Nemanja

  • I assume that the computer (when roaming) is connecting to TCP port 8192 OK of the external facing relay. The value in ParentAddress on the client is OK for this.

    However the client router is probably getting back, from the IOR string the internal IP of the external relay which of course isn't routable to the client.  Unless of course your roaming computer is part of a network with the same IP range!  Then you'd get some interesting routing if the computers are all managed under the same SEC infrastructure.

    To fix this you need to override the IP in the IOR such that the client can resolve it.  When doing so you also need to make sure the relay itself can "use" this overridden address as the local agent service will also be reading this IOR.  You can use an entry in the hosts file if needed or use DNS.

    My graphic in this post should help:
    https://community.sophos.com/products/endpoint-security-control/f/sophos-endpoint-software/3154/configure-endpoint-server-10-with-rms-behind-a-firewall-nat-don-t-want-to-use-message-relay/8546

    Regards,

  • Hello,

    I'm not able to change the RMS router type from "endpoint" to "Message Relay" on a WORKGROUP server. Are there any specific settings? With a server in the domain, Message Relay works fine.

    Regards,

  • Hello Nemanja,

    how do you try to change the RMS router type? What's in your mrinit.conf and the IOR?

    Christian

  • Hello QC,

    it is a new server (in DMZ). Everything is set up correctly, like I did with the server in the domain. But the server doesn't change the RMS router type to "Message Relay" (it is working like an endpoint).

    mrinit.conf is set:   parent address: sophosmessaterouter.somedomain.com

    ior: iiop://:8193/ssl_port=8194&hostname_in_ior=sophosmessagerelay.somedomain.com

    As I understand it, all that is left is for the server to realise that it is the message relay for itself (when it updates from itself and reads mrinit.conf) and to change the router type from endpoint to message relay. But, because its computer name is:

    sophosmessagerelay (not in domain), are mrinit and ior set correctly?

    Regards

  • Hello Nemanja,

    at least one of the server's IP addresses must reverse-resolve to sophosmessagerelay.somedomain.com (of course, when the outside clients resolve this name they must get the public IP of the relay). If the server can't resolve it via DNS then you should add an appropriate entry in %windir%\System32\drivers\etc\host (the file has no extension).

    Christian
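    An added check (not code from this thread or from Sophos) for the IOR handling described in the earlier replies: it parses an mrinit.conf IOR template of the form quoted above, reads hostname_in_ior, and, using injected resolvers so it runs offline, flags the two failure cases discussed: the name resolving to an RFC 1918 address from the roaming client's side, and the relay itself not resolving the overridden name to one of its own addresses. The relay name and all addresses are constructed placeholders.

```python
import ipaddress
import re
from typing import Callable, Iterable

# Constructed sample IOR line in the mrinit.conf form shown in this thread (placeholder name).
SAMPLE_IOR_LINE = "iiop://:8193/ssl_port=8194&hostname_in_ior=sophosmessagerelay.somedomain.com"

# RFC 1918 ranges: an IOR that advertises one of these is not routable from the Internet.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

IOR_RE = re.compile(r"^iiop://(?P<host>[^:/]*):(?P<port>\d+)/(?P<params>.*)$")


def parse_ior(line: str) -> dict:
    """Split an iiop:// IOR template into host, port and its key=value parameters."""
    m = IOR_RE.match(line.strip())
    if not m:
        raise ValueError(f"not an iiop IOR template: {line!r}")
    params = {}
    for kv in m.group("params").split("&"):
        if kv:
            key, _, value = kv.partition("=")
            params[key] = value
    return {"host": m.group("host"), "port": int(m.group("port")), "params": params}


def advertised_name(ior: dict) -> str:
    """Name written into the IOR: hostname_in_ior if set, otherwise the URL host part."""
    return ior["params"].get("hostname_in_ior") or ior["host"]


def check_ior(line: str, client_resolve: Callable[[str], str],
              relay_resolve: Callable[[str], str], relay_addrs: Iterable[str]) -> list:
    """Return the problems a roaming client or the relay's own agent would hit with this IOR.
    Resolvers map a name to a dotted IP as seen from each vantage point (injected for offline
    use); relay_addrs are the relay's own interface addresses."""
    ior = parse_ior(line)
    name = advertised_name(ior)
    if not name:
        return ["IOR names no host: clients receive the relay's internal interface address"]
    problems = []
    seen_by_client = ipaddress.ip_address(client_resolve(name))
    if any(seen_by_client in net for net in RFC1918):
        problems.append(f"{name} resolves to private {seen_by_client} from the client side")
    seen_by_relay = relay_resolve(name)
    if seen_by_relay not in set(relay_addrs):
        problems.append(f"{name} resolves to {seen_by_relay} on the relay, not one of its own addresses")
    return problems
```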

  • Hi,

    I created the hosts file already. Added the DNS extension to the computer name (because it is a workgroup) so the full computer name is: sophosmessagerelay.somedomain.com.

    The IP address reverse-resolves to the full computer name.

    But the server is not a Message Relay yet.

    In regedit the parent address is correct:  sophosmessagerelay.somedomain.com

    Regards,

  • Hello Nemanja,

    is this MR also a SUM? BTW: The Parent should be the management server.

    Christian