
Can I set up Sophos message relays on the same management + console server?

Hi Sophos expert,

I have questions about managing endpoint clients that are not on the corporate network (for example a warehouse network).

 1. I've learned that Sophos message relays can help, but can I set one up on the same management + console server, which uses a publicly routable IP?

 2. How can I manually add endpoint clients on the warehouse network to the management + console server located on the corporate network?



  • Hello Phutapong Suanyim,

    on same management + console server that using a public routable IP
    I'm not sure if I understand you correctly, if your management server has a public IP you don't need a relay at all. Otherwise please see Using Sophos message relays in a public WAN.

    manually add Endpoint client [...] into management
    an endpoint registers with the management server when the Endpoint software is installed either from a CID or from an appropriate package. As one doesn't open NetBIOS/SMB to the WAN the former is not possible (unless you install the warehouse computers while they are on the corporate network) so you have to use something like the Deployment Packager.

    The question you did not ask is from where do the warehouse endpoints get their updates? One option is to publish the updates with a web server, another is to install an additional SUM at the warehouse site (which can also be configured as a message relay).

    Christian

  • Hello Christian,

    thank you for the quick reply.

    You understood correctly: my enterprise server has a public IP address, and it also has a web server set up for the update CID.

    The warehouse endpoints can get their updates via HTTP directly through the public IP to the enterprise server.

    The warehouse endpoints were set up manually from the escw_107_sa_sfx.exe file downloaded from the Sophos website.

    I have the following further questions:

     1. If I want to manage the warehouse endpoints in the console, do they need to be uninstalled and reinstalled?

     2. Do I really need to set up Sophos message relays on the server, given that all warehouse endpoints can update via HTTP directly through the public IP to the enterprise server?

  • Hello Phutapong Suanyim,

    escw_107_sa
    that's the stand-alone (unmanaged) package; even if you configure them locally to update from the WebCID they wouldn't install the RMS component required for communication. Thus you'd have to install a managed package you build with the Deployment Packager.

    uninstall and reinstall again
    is AFAIK not necessary. Should suffice that you install with your custom package over the existing installation.

    message relays setup on server
    a relay is always an additional computer/server. BTW: From the management server's POV there are no dedicated message relays (if you're interested I can explain in detail).

    public IP to the enterprise server
    guess the server has an additional private address on the corporate network. Both corporate and warehouse endpoints must be able to connect to it. They first try to connect to port 8192 (it must be open/forwarded for the public IP) on any of the addresses (IP or name) in mrinit.conf. The server returns an IOR string. You have to make sure (following How to change the message relay to make it return an FQDN in the IOR string in the public WAN article - in your case no relay is involved and it applies to the management server) that the address in the IOR (IP or name) can be reached by all endpoints. An FQDN is normally used in such a scenario, for both corporate and warehouse endpoints it must resolve to an IP they can reach.

    Christian

  • Hi Christian,

    After I reinstalled the Sophos endpoint on the warehouse endpoints using the Deployment Packager, they still do not register with the Enterprise Console.

    I also grabbed some RMS logs from a warehouse endpoint; you may know the reason for the issue. Can you please check below?

    C:\ProgramData\Sophos\Remote Management System\3\Router\Logs\Router-20170918-050750.log

    18.09.2017 12:57:52 0AE0 I Getting parent router IOR from SEC.YYY.ZZZ:8192
    18.09.2017 12:57:52 0AE0 E ACE_INET_Addr::ACE_INET_Addr: SEC.YYY.ZZZ: Valid name, no data record for type
    18.09.2017 12:57:52 0AE0 W Parent address unknown: Valid name, no data record for type (11004)
    18.09.2017 12:57:52 0AE0 I Getting parent router IOR from SEC:8192
    18.09.2017 12:57:53 0AE0 E ACE_INET_Addr::ACE_INET_Addr: SEC: Valid name, no data record for type
    18.09.2017 12:57:53 0AE0 W Parent address unknown: Valid name, no data record for type (11004)
    18.09.2017 12:57:53 0AE0 E Failed to get parent router IOR
    18.09.2017 12:57:53 0AE0 W Failed to get certificate, retrying in 600 seconds

  • Hello Phutapong Suanyim,

    Valid name [SEC.YYY.ZZZ and SEC], no data record for type
    means that the endpoint can't resolve the ParentRouterAddress names (FQDN and NetBIOS) in mrinit.conf. That the unqualified name can't be resolved is normal for an external endpoint; SEC.YYY.ZZZ should resolve to the management server's public IP though - no data record suggests it doesn't resolve at all.

    Christian

  • Hello Christian,

    Thank you, and now it can be resolved.

    After that the warehouse endpoint tries to get a new router certificate but fails, as shown in the log below. What is the issue? Can you please advise?

    18.09.2017 13:56:24 0E50 I SOF: C:\ProgramData/Sophos/Remote Management System/3/Router/Logs/Router-20170918-065624.log
    18.09.2017 13:56:24 0E50 I Sophos Messaging Router 4.1.1.127 starting...
    18.09.2017 13:56:24 0E50 I Setting ACE_FD_SETSIZE to 138
    18.09.2017 13:56:24 0E50 I Initializing CORBA...
    18.09.2017 13:56:24 0E50 I Connection cache limit is 10
    18.09.2017 13:56:25 0E50 I Router::ConfigureSslContext: keeping legacy compatibility of TLS 1 and TLS 1.1.
    18.09.2017 13:56:25 0E50 I Creating ORB runner with 4 threads
    18.09.2017 13:56:25 0E50 W No public key certificate found in the store. Requesting a new certificate.
    18.09.2017 13:56:25 0E50 I Getting parent router IOR from SEC.YYY.ZZZ:8192
    18.09.2017 13:56:25 0E50 I This computer is part of the domain YYY.ZZZ
    18.09.2017 13:56:25 0E50 I Getting a new router certificate...
    18.09.2017 13:57:07 0E50 E Router::GetCertificate: Caught CORBA system exception, ID 'IDL:omg.org/CORBA/TRANSIENT:1.0'
    OMG minor code (2), described as '*unknown description*', completed = NO

    18.09.2017 13:57:07 0E50 W Failed to get certificate, retrying in 600 seconds

  • Hello Phutapong Suanyim,

    if there's a line with Received parent router's IOR: in the log please parse the IOR here. If it isn't in the log, telnet SEC.YYY.ZZZ 8192 from the warehouse endpoint; this will return the IOR. Check the host(s)/hostname(s) in the parsed output - is it (or at least one of them) SEC.YYY.ZZZ or the public IP that can be reached by the warehouse endpoints?

    Christian

  • Hi Christian,

    There's no line with Received parent router's IOR, but when I telnet SEC.YYY.ZZZ 8192 from the warehouse endpoint it does return the IOR.

    After I parsed the IOR, it returned the following:

    object key is <#14#01#0F#00NUP#00#00#00!#00#00#00#00#01#00#00#00RootPOA#00RouterPersistent#00#03#00#00#00#01#00#00#00MessageRouter>;
    no trustworthy most-specific-type info; unrecognized ORB type;
    reachable with IIOP 1.2 at host "172.19.8.186", port 8193

    The host is "172.19.8.186" because the Enterprise server is a VPC instance on AWS that has only one network adapter and uses an Elastic IP as the public IP.

    Should I create a network adapter for the public IP on the Enterprise server?
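    As an added illustration (not code from the thread or from Sophos), the following Python script decodes a stringified IOR such as the one returned on port 8192 and flags the two faults this thread runs into: an IIOP profile whose host is a private IP that external endpoints cannot reach, and a port other than 8193. The sample IOR is constructed by hand; its type id and object key are placeholders, not Sophos' real values.

```python
import ipaddress, struct

EXPECTED_PORT = 8193   # the router's IIOP port as used throughout the thread

class Cdr:
    """Minimal CDR reader for one encapsulation; alignment is relative to its start."""
    def __init__(self, data):
        self.d, self.p = data, 1
        self.fmt = '<' if data[0] == 1 else '>'      # first octet is the byte-order flag
    def num(self, code):                            # aligned fixed-size integer (B, H, I)
        size = struct.calcsize(code); self.p += (-self.p) % size + size
        return struct.unpack_from(self.fmt + code, self.d, self.p - size)[0]
    def string(self):                               # ulong length (incl. NUL) + chars + NUL
        n = self.num('I'); self.p += n
        return self.d[self.p - n:self.p - 1].decode('latin-1')
    def octets(self):                               # sequence<octet>: ulong length + bytes
        n = self.num('I'); self.p += n
        return self.d[self.p - n:self.p]

def parse_ior(ior):
    """Return (type_id, [IIOP profiles]) from a stringified 'IOR:<hex>' reference."""
    if not ior.startswith('IOR:'):
        raise ValueError('not a stringified IOR')
    r = Cdr(bytes.fromhex(ior[4:].strip()))
    type_id, profiles = r.string(), []
    for _ in range(r.num('I')):
        tag, body = r.num('I'), r.octets()
        if tag == 0:                                # TAG_INTERNET_IOP
            p = Cdr(body)
            version = f"{p.num('B')}.{p.num('B')}"
            host, port, key = p.string(), p.num('H'), p.octets()
            profiles.append({'version': version, 'host': host, 'port': port, 'object_key': key})
    return type_id, profiles

def diagnose(profile):
    """Flag the two faults seen in the thread: a private IP in the IOR, or a port other than 8193."""
    issues = []
    try:
        if ipaddress.ip_address(profile['host']).is_private:
            issues.append('host is a private IP; warehouse endpoints cannot reach it (set hostname_in_ior)')
    except ValueError:
        pass                                        # not an IP literal, so an FQDN: fine
    if profile['port'] != EXPECTED_PORT:
        issues.append(f"port {profile['port']} is not {EXPECTED_PORT}; check -ORBListenEndpoints")
    return issues

# Constructed sample: big-endian CDR, one IIOP 1.2 profile carrying the private AWS address from
# the thread. Type id and object key are placeholders, not Sophos' real values.
SAMPLE_IOR = 'IOR:' + (
    '00' '000000' '00000016' + 'IDL:MessageRouter:1.0'.encode().hex() + '00' '0000'
    '00000001' '00000000' '00000030'
    '00' '01' '02' '00' '0000000d' + '172.19.8.186'.encode().hex() + '00' '00' '2001'
    '0000000d' + 'MessageRouter'.encode().hex() + '000000' '00000000')
```

    Paste the IOR string obtained via telnet into parse_ior and run diagnose on each profile; an empty list means the host is a name and the port is 8193, as in the working result later in the thread.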

  • Hello Phutapong Suanyim,

    so you have to make sure the server returns its name instead of the private IP in the IOR. Please see Using Sophos message relays in a public WAN, scroll down to How to change the message relay to make it return an FQDN in the IOR string and change the registry keys accordingly.

    Christian

  • Hi Christian,

    now it returns an FQDN in the IOR string, but the port number is not 8193. Is this correct?

    object key is <#14#01#0F#00NUP#00#00#00!#00#00#00#00#01#00#00#00RootPOA#00RouterPersistent#00#03#00#00#00#01#00#00#00MessageRouter>;
     no trustworthy most-specific-type info; unrecognized ORB type;
     reachable with IIOP 1.2 at host "SEC.YYY.ZZZ", port 55032
  • Hello Phutapong Suanyim,

    definitely not, should still be 8193. You've changed both keys?
    Please check on the server on which ports the RouterNT.exe is listening. The Router log from after the restart of the service also contains the server's IOR, you might want to check if it's the same that the endpoint receives.
    Does the port change when you restart the Message Router service?

    Christian

  • Hi Christian,

    I didn't touch the keys or change the default port.

    The endpoint still receives the same IOR key as the server.

    Yes, the port changes when I restart the Message Router service.


    Protocol LocalAddress LocalPort RemoteAddress RemotePort State ProcessName PID
    -------- ------------ --------- ------------- ---------- ----- ----------- ---
    TCP 0.0.0.0 8192 0.0.0.0 0 LISTENING RouterNT 9912
    TCP 0.0.0.0 55449 0.0.0.0 0 LISTENING RouterNT 9912
    TCP 0.0.0.0 55450 0.0.0.0 0 LISTENING RouterNT 9912
    TCP 127.0.0.1 55447 127.0.0.1 55448 ESTABLISHED RouterNT 9912
    TCP 127.0.0.1 55448 127.0.0.1 55447 ESTABLISHED RouterNT 9912
    TCP 127.0.0.1 55460 127.0.0.1 55459 ESTABLISHED RouterNT 9912
    TCP 127.0.0.1 55472 127.0.0.1 55471 ESTABLISHED RouterNT 9912
    TCP 127.0.0.1 55507 127.0.0.1 55506 ESTABLISHED RouterNT 9912
    TCP 172.19.8.186 55450 172.19.8.186 55457 ESTABLISHED RouterNT 9912
    TCP 172.19.8.186 55450 172.19.8.186 55469 ESTABLISHED RouterNT 9912
    TCP 172.19.8.186 55450 172.19.8.186 55504 ESTABLISHED RouterNT 9912

  • Hello Phutapong Suanyim,

    didn't touch keys
    and what did you do that it now returns the FQDN in the IOR?
    I notice it's not listening on 8193 and 8194, as if the -ORBListenEndpoints isn't there.

    Christian

  • Hi Christian,

    At the enterprise server, I followed the instruction "How to change the message relay to make it return an FQDN in the IOR string:" from here

     

     

    To immediately affect the service: 

    1. Modify the key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sophos Message Router\ImagePat
      to the following (all one line):

      "C:\Program Files\Sophos\Remote Management System\RouterNT.exe" -service -name Router -ORBDottedDecimalAddresses 0 -ORBListenEndpoints iiop://:8193/ssl_port=8194&hostname_in_ior=SEC.XXX.YYY
    2. Restart the Message Router service on the message relay.
  • Hi Christian,

    I'm so sorry, it was my mistake: I had modified the wrong registry key at the enterprise server. Now the registry key is correct and I get the following result when I parse the IOR:

    object key is <#14#01#0F#00NUP#00#00#00!#00#00#00#00#01#00#00#00RootPOA#00RouterPersistent#00#03#00#00#00#01#00#00#00MessageRouter>;
     no trustworthy most-specific-type info; unrecognized ORB type;
     reachable with IIOP 1.2 at host "SEC.XXX.YYY", port 8193
  • Hello Phutapong Suanyim,

    looks ok now. Does the warehouse endpoint communicate?

    Christian

  • Hi Christian,

    Yes, now the warehouse endpoint communicates with the Enterprise server and it can be managed.

    What about the existing warehouse endpoints? Can we just change mrinit.conf without reinstalling the package?

  • Hello Phutapong Suanyim,

    just change mrinit.conf?
    if I understood correctly the warehouse endpoints have been set up with the SA (the unmanaged stand-alone) version. Normally you have to reinstall the managed version.
    I've never given it much thought and I've never heard that upgrading an SA version to a managed one was ever taken into consideration. The following untested procedure might(!) work (and note it's definitely unsupported): Stop the AutoUpdate service, replace (keep a backup or rename it first) %ProgramData%\Sophos\AutoUpdate\Config\iupd.cfg with the one from the already managed warehouse endpoint. You could also specify the SEC group where the endpoint should "appear" (if you try it do not re-start the Agent service at this point). As said, I haven't tested it and don't know whether the RMS install (normally scheduled by setup.exe) has prerequisites. Start the AutoUpdate service - if it works RMS will be installed on the next update check. If not (I hope it doesn't break anything) your only option is to install a managed package.

    Christian