Can I set up Sophos message relays on the same management + console server?

Hi Sophos expert

I have questions about managing endpoint clients that aren't on the corporate network (like a warehouse network).

 1. I've learned that Sophos message relays can help, but can I set one up on the same management + console server, which uses a publicly routable IP?

 2. How can I manually add endpoint clients that are on the warehouse network to the management + console server located on the corporate network?



This thread was automatically locked due to age.
  • Hello Phutapong Suanyim,

    definitely not, should still be 8193. You've changed both keys?
    Please check on the server on which ports the RouterNT.exe is listening. The Router log from after the restart of the service also contains the server's IOR, you might want to check if it's the same that the endpoint receives.
    Does the port change when you restart the Message Router service?

    Christian 

  • Hi Christian

    I didn't touch the keys or change the default port.

    The endpoint still receives the same IOR key as the server.

    Yes, the port changed when I restarted the Message Router service.


    Protocol LocalAddress LocalPort RemoteAddress RemotePort State ProcessName PID
    -------- ------------ --------- ------------- ---------- ----- ----------- ---
    TCP 0.0.0.0 8192 0.0.0.0 0 LISTENING RouterNT 9912
    TCP 0.0.0.0 55449 0.0.0.0 0 LISTENING RouterNT 9912
    TCP 0.0.0.0 55450 0.0.0.0 0 LISTENING RouterNT 9912
    TCP 127.0.0.1 55447 127.0.0.1 55448 ESTABLISHED RouterNT 9912
    TCP 127.0.0.1 55448 127.0.0.1 55447 ESTABLISHED RouterNT 9912
    TCP 127.0.0.1 55460 127.0.0.1 55459 ESTABLISHED RouterNT 9912
    TCP 127.0.0.1 55472 127.0.0.1 55471 ESTABLISHED RouterNT 9912
    TCP 127.0.0.1 55507 127.0.0.1 55506 ESTABLISHED RouterNT 9912
    TCP 172.19.8.186 55450 172.19.8.186 55457 ESTABLISHED RouterNT 9912
    TCP 172.19.8.186 55450 172.19.8.186 55469 ESTABLISHED RouterNT 9912
    TCP 172.19.8.186 55450 172.19.8.186 55504 ESTABLISHED RouterNT 9912

  • Hello Phutapong Suanyim,

    didn't touch keys
    and what did you do that it now returns the FQDN in the IOR?
    I notice it's not listening on 8193 and 8194, as if the -ORBListenEndpoints isn't there.

    Christian

  • Hi Christian


    On the enterprise server, I followed the instruction "How to change the message relay to make it return an FQDN in the IOR string:" from here

    To immediately affect the service:

    1. Modify the key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sophos Message Router\ImagePat
      to the following (all one line):

      "C:\Program Files\Sophos\Remote Management System\RouterNT.exe" -service -name Router -ORBDottedDecimalAddresses 0 -ORBListenEndpoints iiop://:8193/ssl_port=8194&hostname_in_ior=SEC.XXX.YYY
    2. Restart the Message Router service on the message relay.
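
A check for the symptom discussed above, as an added example that is not part of the original thread or of Sophos tooling: it reads the port, ssl_port and hostname_in_ior out of the -ORBListenEndpoints argument quoted in the post and compares them with the RouterNT listener rows pasted earlier in the thread. The function names are assumptions made for this example, and the sample rows are a subset of the thread's table.

```python
import re

# Sample rows copied from the connection table posted earlier in the thread.
LISTENERS = """\
TCP 0.0.0.0 8192 0.0.0.0 0 LISTENING RouterNT 9912
TCP 0.0.0.0 55449 0.0.0.0 0 LISTENING RouterNT 9912
TCP 0.0.0.0 55450 0.0.0.0 0 LISTENING RouterNT 9912
TCP 127.0.0.1 55447 127.0.0.1 55448 ESTABLISHED RouterNT 9912
"""

# Service command line as quoted in the post above.
IMAGE_PATH = ('"C:\\Program Files\\Sophos\\Remote Management System\\RouterNT.exe" '
              '-service -name Router -ORBDottedDecimalAddresses 0 '
              '-ORBListenEndpoints iiop://:8193/ssl_port=8194&hostname_in_ior=SEC.XXX.YYY')

def expected_endpoint(command_line):
    """Return (iiop_port, ssl_port, hostname_in_ior) from -ORBListenEndpoints, or None."""
    m = re.search(r'-ORBListenEndpoints\s+iiop://[^:/\s]*:(\d+)(?:/(\S*))?', command_line)
    if not m:
        return None
    opts = dict(kv.split('=', 1) for kv in (m.group(2) or '').split('&') if '=' in kv)
    ssl = opts.get('ssl_port')
    return int(m.group(1)), int(ssl) if ssl else None, opts.get('hostname_in_ior')

def listening_ports(table, process='RouterNT'):
    """Collect the local ports in LISTENING state owned by `process`."""
    ports = set()
    for line in table.splitlines():
        f = line.split()
        if len(f) == 8 and f[0] == 'TCP' and f[5] == 'LISTENING' and f[6] == process:
            ports.add(int(f[2]))
    return ports

def check(command_line, table):
    """Return the configured ports the router is not listening on."""
    ep = expected_endpoint(command_line)
    if ep is None:
        return None  # -ORBListenEndpoints is absent from the command line
    wanted = {p for p in ep[:2] if p is not None}
    return sorted(wanted - listening_ports(table))

if __name__ == '__main__':
    print('endpoint:', expected_endpoint(IMAGE_PATH))
    print('not listening:', check(IMAGE_PATH, LISTENERS))
```

A `None` result means the option never reached the service command line; a non-empty list means it is configured but the service is not bound to those ports.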

  • Hi Christian

    I'm so sorry, it was my mistake: I modified the registry key incorrectly on the enterprise server, but now the registry key is correct and I get this result when parsing the IOR, as shown below:


    object key is <#14#01#0F#00NUP#00#00#00!#00#00#00#00#01#00#00#00RootPOA#00RouterPersistent#00#03#00#00#00#01#00#00#00MessageRouter>;
     no trustworthy most-specific-type info; unrecognized ORB type;
     reachable with IIOP 1.2 at host "SEC.XXX.YYY", port 8193

  • Hello Phutapong Suanyim,

    looks ok now. Does the warehouse endpoint communicate?

    Christian

  • Hi Christian

    Yes, now the warehouse endpoint communicates with the Enterprise server and it can be managed.

    What about the existing warehouse endpoint? Can we just change mrinit.conf without reinstalling the package?

  • Hello Phutapong Suanyim,

    just change mrinit.conf?
    if I understood correctly the warehouse endpoints have been set up with the SA (the unmanaged stand-alone) version. Normally you have to reinstall the managed version.
    I've never given it much thought and I've never heard that upgrading an SA version to a managed one was ever taken into consideration. The following untested procedure might(!) work (and note it's definitely unsupported): Stop the AutoUpdate service, replace (keep a backup or rename it first) %ProgramData%\Sophos\AutoUpdate\Config\iupd.cfg with the one from the already managed warehouse endpoint. You could also specify the SEC group where the endpoint should "appear" (if you try it do not re-start the Agent service at this point). As said, I haven't tested it and don't know whether the RMS install (normally scheduled by setup.exe) has prerequisites. Start the AutoUpdate service - if it works RMS will be installed on the next update check. If not (I hope it doesn't break anything) your only option is to install a managed package.

    Christian