Can I set up Sophos message relays on the same management + console server?

Hi Sophos expert

I have questions about managing Endpoint clients that aren't on the corporate network (like the warehouse network).

 1. I've learned that Sophos message relays can help, but can I set them up on the same management + console server, which uses a public routable IP?

 2. How can I manually add Endpoint clients that are on the warehouse network to the management + console server located on the corporate network?

  • Hello Phutapong Suanyim,

    on same management + console server that using a public routable IP
    I'm not sure if I understand you correctly, if your management server has a public IP you don't need a relay at all. Otherwise please see Using Sophos message relays in a public WAN.

    manually add Endpoint client [...] into management
    an endpoint registers with the management server when the Endpoint software is installed, either from a CID or from an appropriate package. As one doesn't open NetBIOS/SMB to the WAN, the former is not possible (unless you install the warehouse computers while they are on the corporate network), so you have to use something like the Deployment Packager.

    The question you did not ask is from where do the warehouse endpoints get their updates? One option is to publish the updates with a web server, another is to install an additional SUM at the warehouse site (which can also be configured as a message relay).

    Christian

  • Hello Christian

    thank you for the quick reply

    You understand correctly that my enterprise server has a public IP address, and it is also set up as a web server for the update CID.

    The warehouse endpoints can get their updates via HTTP directly through the public IP to the enterprise server.

    The warehouse endpoints were set up manually from the escw_107_sa_sfx.exe file downloaded from the Sophos website.

    I have the following further questions:

     1. If I want to manage the warehouse endpoints on the console, do they need to be uninstalled and reinstalled?

     2. Do I really need to set up Sophos message relays on the server, given that all warehouse endpoints can update via HTTP directly through the public IP to the enterprise server?

  • Hello Phutapong Suanyim,

    escw_107_sa
    that's the stand-alone (unmanaged) package; even if you configure them locally to update from the WebCID they wouldn't install the RMS component required for communication. Thus you'd have to install a managed package you build with the Deployment Packager.

    uninstall and reinstall again
    is AFAIK not necessary. It should suffice that you install your custom package over the existing installation.

    message relays setup on server
    a relay is always an additional computer/server. BTW: From the management server's POV there are no dedicated message relays (if you're interested I can explain in detail).

    public IP to the enterprise server
    guess the server has an additional private address on the corporate network. Both corporate and warehouse endpoints must be able to connect to it. They first try to connect to port 8192 (it must be open/forwarded for the public IP) on any of the addresses (IP or name) in mrinit.conf. The server returns an IOR string. You have to make sure (following How to change the message relay to make it return an FQDN in the IOR string in the public WAN article - in your case no relay is involved and it applies to the management server) that the address in the IOR (IP or name) can be reached by all endpoints. An FQDN is normally used in such a scenario, for both corporate and warehouse endpoints it must resolve to an IP they can reach.

    Christian

  • Hi Christian

    After I reinstalled Sophos Endpoint on the warehouse endpoints using the Deployment Packager, they still do not register with the Enterprise Console.

    I also grabbed some RMS logs from a warehouse endpoint; you may know the reason for the issue. Can you please check below?

    C:\ProgramData\Sophos\Remote Management System\3\Router\Logs\Router-20170918-050750.log

    18.09.2017 12:57:52 0AE0 I Getting parent router IOR from SEC.YYY.ZZZ:8192
    18.09.2017 12:57:52 0AE0 E ACE_INET_Addr::ACE_INET_Addr: SEC.YYY.ZZZ: Valid name, no data record for type
    18.09.2017 12:57:52 0AE0 W Parent address unknown: Valid name, no data record for type (11004)
    18.09.2017 12:57:52 0AE0 I Getting parent router IOR from SEC:8192
    18.09.2017 12:57:53 0AE0 E ACE_INET_Addr::ACE_INET_Addr: SEC: Valid name, no data record for type
    18.09.2017 12:57:53 0AE0 W Parent address unknown: Valid name, no data record for type (11004)
    18.09.2017 12:57:53 0AE0 E Failed to get parent router IOR
    18.09.2017 12:57:53 0AE0 W Failed to get certificate, retrying in 600 seconds

  • Hello Phutapong Suanyim,

    Valid name [SEC.YYY.ZZZ and SEC], no data record for type
    means that the endpoint can't resolve the ParentRouterAddress names (FQDN and NetBIOS) in mrinit.conf. That the unqualified name can't be resolved is normal for an external endpoint; SEC.YYY.ZZZ should resolve to the management server's public IP though. No data record suggests it doesn't resolve at all.

    Christian

  • Hello Christian

    Thank you, and now it can be resolved.

    After that the warehouse endpoint tries to get a new router certificate but fails, as the log shows below. What is the issue? Can you please advise?

    18.09.2017 13:56:24 0E50 I SOF: C:\ProgramData/Sophos/Remote Management System/3/Router/Logs/Router-20170918-065624.log
    18.09.2017 13:56:24 0E50 I Sophos Messaging Router 4.1.1.127 starting...
    18.09.2017 13:56:24 0E50 I Setting ACE_FD_SETSIZE to 138
    18.09.2017 13:56:24 0E50 I Initializing CORBA...
    18.09.2017 13:56:24 0E50 I Connection cache limit is 10
    18.09.2017 13:56:25 0E50 I Router::ConfigureSslContext: keeping legacy compatibility of TLS 1 and TLS 1.1.
    18.09.2017 13:56:25 0E50 I Creating ORB runner with 4 threads
    18.09.2017 13:56:25 0E50 W No public key certificate found in the store. Requesting a new certificate.
    18.09.2017 13:56:25 0E50 I Getting parent router IOR from SEC.YYY.ZZZ:8192
    18.09.2017 13:56:25 0E50 I This computer is part of the domain YYY.ZZZ
    18.09.2017 13:56:25 0E50 I Getting a new router certificate...
    18.09.2017 13:57:07 0E50 E Router::GetCertificate: Caught CORBA system exception, ID 'IDL:omg.org/CORBA/TRANSIENT:1.0'
    OMG minor code (2), described as '*unknown description*', completed = NO

    18.09.2017 13:57:07 0E50 W Failed to get certificate, retrying in 600 seconds

  • Hello Phutapong Suanyim,

    if there's a line with Received parent router's IOR: in the log please parse the IOR here. If it isn't in the log, telnet SEC.YYY.ZZZ 8192 from the warehouse endpoint; this will return the IOR. Check the host(s)/hostname(s) in the parsed output - is it (or at least one of them) SEC.YYY.ZZZ or the public IP that can be reached by the warehouse endpoints?

    Christian

  • Hi Christian

    There's no line with Received parent router's IOR, but when I telnet SEC.YYY.ZZZ 8192 from the warehouse endpoint, it returns the IOR.

    After I parsed the IOR, it returned the following:

    object key is <#14#01#0F#00NUP#00#00#00!#00#00#00#00#01#00#00#00RootPOA#00RouterPersistent#00#03#00#00#00#01#00#00#00MessageRouter>;
    no trustworthy most-specific-type info; unrecognized ORB type;
    reachable with IIOP 1.2 at host "172.19.8.186", port 8193

    The host is "172.19.8.186" because the Enterprise server is a VPC instance on AWS that has only one network adapter and uses an Elastic IP as the public IP.

    Should I create a network adapter for the public IP on the Enterprise server?
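What "parse the IOR" shows, as an added example that is not part of this thread and not Sophos code: a small Python decoder for the CORBA IOR string the router returns on TCP 8192, followed by the check that explains the symptom above, namely that the advertised host is a private address (172.19.8.186) which an endpoint outside the corporate network cannot connect to, or a name that every endpoint must be able to resolve. The IOR it decodes is constructed with the encoder in the same block; the type id "IDL:MessageRouter:1.0", the object key, the little-endian byte order and the IIOP 1.2 version are assumptions modelled on the parsed output in the post above, not a capture from a real router. The private-range check generalises the thread's diagnosis to any RFC 1918 address, not just the one quoted.

```python
# Added example, not Sophos code: decode the IOR served on TCP 8192, flag unreachable hosts.
import ipaddress
import struct

TAG_INTERNET_IOP = 0  # IIOP profile tag from the CORBA specification


class CdrWriter:  # minimal little-endian CDR encoder; alignment is relative to the buffer start
    def __init__(self):
        self.buf = bytearray()

    def octet(self, value):
        self.buf.append(value)

    def num(self, code, value):  # "H" = ushort, "I" = ulong; each is aligned to its own size
        size = struct.calcsize("<" + code)
        self.buf += b"\x00" * ((-len(self.buf)) % size) + struct.pack("<" + code, value)

    def octets(self, data):  # sequence<octet>: ulong length, then the raw bytes
        self.num("I", len(data))
        self.buf += data

    def string(self, text):  # CDR string: the length counts the trailing NUL
        self.octets(text.encode("ascii") + b"\x00")


class CdrReader:  # CDR decoder; the buffer's first octet is the byte-order flag (1 = little-endian)
    def __init__(self, data):
        self.data, self.pos, self.little = data, 1, bool(data[0])

    def octet(self):
        self.pos += 1
        return self.data[self.pos - 1]

    def num(self, code):
        size = struct.calcsize("<" + code)
        self.pos += (-self.pos) % size  # CDR pads a primitive to its own size
        (value,) = struct.unpack_from(("<" if self.little else ">") + code, self.data, self.pos)
        self.pos += size
        return value

    def octets(self):
        n = self.num("I")
        self.pos += n
        return bytes(self.data[self.pos - n:self.pos])

    def string(self):
        return self.octets()[:-1].decode("ascii")


def build_iiop_ior(type_id, host, port, object_key):
    """Encode an IOR with one IIOP 1.2 profile, shaped like the one returned on port 8192."""
    profile = CdrWriter()
    profile.octet(1)                  # byte order of the profile encapsulation
    profile.octet(1)                  # IIOP major version
    profile.octet(2)                  # IIOP minor version
    profile.string(host)
    profile.num("H", port)
    profile.octets(object_key)
    profile.num("I", 0)               # no tagged components
    outer = CdrWriter()
    outer.octet(1)                    # byte order of the outer encapsulation
    outer.string(type_id)
    outer.num("I", 1)                 # one profile follows
    outer.num("I", TAG_INTERNET_IOP)
    outer.octets(bytes(profile.buf))  # the profile is itself an encapsulation
    return "IOR:" + outer.buf.hex()


def parse_ior(ior_text):
    """Return type id, IIOP version, host, port and object key of the first IIOP profile (None if absent)."""
    if not ior_text.startswith("IOR:"):
        raise ValueError("not an IOR string")
    outer = CdrReader(bytes.fromhex(ior_text[4:].strip()))
    type_id = outer.string()
    for _ in range(outer.num("I")):
        tag = outer.num("I")
        body = outer.octets()         # alignment restarts inside the encapsulated profile
        if tag != TAG_INTERNET_IOP:
            continue
        prof = CdrReader(body)
        return {"type_id": type_id, "iiop": f"{prof.octet()}.{prof.octet()}", "host": prof.string(),
                "port": prof.num("H"), "object_key": prof.octets()}


def classify_host(host):
    """Say whether endpoints outside the corporate network can use the advertised host."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return "hostname: every endpoint must resolve it to an address it can reach"
    if addr.is_private:
        return "private address: unreachable from outside the corporate network"
    return "public address: reachable if the port is open or forwarded"


if __name__ == "__main__":  # constructed sample; type id and object key are assumptions modelled on the thread
    for host, port in (("172.19.8.186", 8193), ("SEC.YYY.ZZZ", 55032)):
        info = parse_ior(build_iiop_ior("IDL:MessageRouter:1.0", host, port, b"RootPOA\x00MessageRouter"))
        print(f'IIOP {info["iiop"]} at "{info["host"]}", port {info["port"]}: {classify_host(host)}')
```

To use it on a real capture, paste the IOR: string obtained with telnet to port 8192 into parse_ior. The host it prints is the one the endpoint will try to connect to for the certificate request; if classify_host reports a private address, that is the condition the registry change for the FQDN corrects, and if it reports a hostname, resolve that name from the warehouse side to confirm it points at the public IP.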

  • Hello Phutapong Suanyim,

    so you have to make sure the server returns its name instead of the private IP in the IOR. Please see Using Sophos message relays in a public WAN, scroll down to How to change the message relay to make it return an FQDN in the IOR string and change the registry keys accordingly.

    Christian

  • Hi Christian

    Now it returns an FQDN in the IOR string, but the port number is not 8193. Is this correct?

    object key is <#14#01#0F#00NUP#00#00#00!#00#00#00#00#01#00#00#00RootPOA#00RouterPersistent#00#03#00#00#00#01#00#00#00MessageRouter>;
    no trustworthy most-specific-type info; unrecognized ORB type;
    reachable with IIOP 1.2 at host "SEC.YYY.ZZZ", port 55032