We've noticed some of our clients trying to communicate with other clients across our LANs on TCP 8194, which is a Sophos RMS port.
Is this normal behavior? I would expect it to communicate with the server on TCP 8194 (which it does), but I'm not sure whether clients should be trying to communicate with each other on this port.
Endpoints will communicate to the Enterprise console using 8194. Could you please post the RMS logs where it shows that it tries to connect to other endpoints?
In reply to Shweta:
Can you give me an idea of where these logs are? Windows 10 client.
In reply to Louis-M:
You can find the logs under location C:\ProgramData\Sophos\Remote Management System\3\Agent\Logs.
Hello Louis-M and Shweta,
the Agent communicates only internally, it's the Router speaking to the outside, thus the interesting logs should be in Remote Management System\3\Router\Logs\, shouldn't they?
In reply to QC:
Yes, the router logs would be helpful to trace the communication.
There are many reasons why one endpoint will attempt RMS comm to another one.
The most common is that one of the endpoints is configured as a Message Relay which means it is the communication hub for a segment of endpoints out of a CID. In this case, you would see a lot of comm going to and from that machine.
Another is if you have "Allow location roaming" enabled in your update policy - that will mean endpoints will ask other endpoints for where their update location is.
I hope this answers your questions.
In reply to RichardP:
Location roaming information isn't obtained over RMS so I don't think that's it. If a client is connecting to another client, rather than say, a message relay or management server, then the IOR it is reading from port 8192 of its parent must have the IP address of the other client in it.
If you find a client that is connecting to another client on port 8194 and not the expected parent, check the router log of the client. Specifically check the IOR it read from the parent from port 8192 and what IP address or IP addresses were encoded in it. You can use catior.org to decode an IOR to the IPs within it.
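Added example (not from this thread or from Sophos): a small Python decoder for a stringified IOR, doing in code what the catior step above does, so the host and port of each IIOP profile can be read straight out of the IOR a client pulled from its parent on port 8192. The type id, addresses and object key in the sample are constructed; a real one is taken from the client's router log.

```python
import struct

class CDRReader:
    """Minimal CDR reader for the types an IOR uses; alignment is relative to the encapsulation start."""
    def __init__(self, data):
        self.data, self.pos, self.fmt = data, 0, ">"
    def u8(self):
        self.pos += 1
        return self.data[self.pos - 1]
    def num(self, code, size):                  # aligned unsigned integer of `size` bytes
        self.pos += (-self.pos) % size + size
        return struct.unpack_from(self.fmt + code, self.data, self.pos - size)[0]
    def octets(self):                           # sequence<octet>: u32 length, then raw bytes
        n = self.num("I", 4)
        self.pos += n
        return self.data[self.pos - n:self.pos]
    def string(self):                           # CDR string: octets including a trailing NUL
        return self.octets()[:-1].decode("latin-1")
    def byte_order(self):                       # first byte of an encapsulation: 1 = little-endian
        self.fmt = "<" if self.u8() else ">"

def decode_ior(ior):
    """Return (type_id, [(host, port), ...]) for every IIOP profile in a stringified IOR."""
    if not ior.startswith("IOR:"):
        raise ValueError("not a stringified IOR")
    r = CDRReader(bytes.fromhex(ior[4:]))
    r.byte_order()
    type_id, endpoints = r.string(), []
    for _ in range(r.num("I", 4)):
        tag, body = r.num("I", 4), r.octets()   # each profile body is its own encapsulation
        if tag != 0:                            # 0 = TAG_INTERNET_IOP; other profile tags are skipped
            continue
        p = CDRReader(body)
        p.byte_order()
        p.u8(); p.u8()                          # IIOP version major, minor
        host = p.string()
        endpoints.append((host, p.num("H", 2)))  # object key and any components follow; not needed
    return type_id, endpoints

def build_ior(type_id, endpoints, key=b"key"):
    """Constructed sample input only: big-endian IOR with one IIOP 1.0 profile per (host, port)."""
    def put(buf, code, v):                      # append an aligned big-endian integer
        buf += b"\0" * ((-len(buf)) % struct.calcsize(">" + code)) + struct.pack(">" + code, v)
    def seq(buf, b):                            # sequence<octet>; strings pass their NUL-terminated bytes
        put(buf, "I", len(b)); buf += b
    w = bytearray([0]); seq(w, type_id.encode() + b"\0"); put(w, "I", len(endpoints))
    for host, port in endpoints:
        p = bytearray([0, 1, 0]); seq(p, host.encode() + b"\0"); put(p, "H", port); seq(p, key)
        put(w, "I", 0); seq(w, bytes(p))
    return "IOR:" + w.hex()
```

If a decoded profile names another client's address instead of the expected parent, that is the misdirection the post above describes, and the parent's configuration is the place to look next.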