This discussion has been locked.

Sophos Sub Child SUM

Hi,

I am managing a multiple cSUM setup in our company; however, we have one branch office that does not have direct connectivity to our parent SEC/SUM. But that branch office has connectivity to one cSUM which directly reports to our parent SUM/SEC.

Here's the setup:

Branch A (reports and has connectivity to parent console)

Branch B (doesn't have connectivity to parent console but can connect to Branch A)

Can I create a sub cSUM in Branch B to Branch A for the Branch B computers to be managed and to report?

I can't create a cSUM in Branch B since it doesn't have connectivity to the parent SEC.

Thanks in advance.



This thread was automatically locked due to age.
  • Hello Ted,

    actually there are two points to consider:

    1. The message routing to the console
    2. The update location(s) for Branch B

    The former can again be split:

    1. SUM's communication with the management server
    2. Client communication with the management server

    I have not tested the following - you might want to check with Support (unless some other member can confirm that it works as I assume)

    Obviously Branch B should have its own SUM. I assume you have the Branch A SUM set up as a message relay for the Branch A clients - is this the case? Now in order to have the Branch B SUM report to the management server you'd have to install from Branch A's SUM by running setup.exe from its %ProgramData%\Sophos\Update Manager\Install\ directory - in other words either copy the contents of this directory on A to B or connect from B to A (note that by default this directory is on a child SUM not shared as SUMInstallSet like on the management server). As far as I can see the mrinit.conf is correctly set up for relaying. After install you should see the new (Branch B) SUM in SEC.

    The second step would be to set up the SUM B as chained message relay (i.e. configure the CID it and its clients update from). Couldn't find an article how to do it - I can just guess. As mrinit.conf has just two (unordered) fields - MRParentAddress and ParentRouterAddress - the MRParent likely has to be set to the Branch A relay and the ParentRouter to the cSUM. As said, please check with Support (unless you are willing to experiment on your own).

    HTH

    Christian

  • Hi,

    I am using the same approach for the child SUM. We are using HTTP updating for the child SUM; I wanted to know how the clients can be updated by the cSUM in the same network, e.g. HTTP updating, CIFS, NFS etc.? Do you have a document available to configure a child SUM as a chained relay for clients?

    Thanks :)

    vg

     

  • Hello vg,

    a SUM provides Windows shares for its endpoints, by default updating is via a UNC path (SMB). If you want your endpoints to use HTTP you have to (install and) configure a web server as needed. 

    If you also want to use the SUM as relay please see Deploying a message relay and SUM installation ... and configuring message relay computers

    Christian

  • Thanks for replying Christian,

    I have Linux clients and we are not using SMB shares; we are updating clients with a local child SUM using HTTP, which gets its updates from the parent SUM on SEC in a different network using HTTP.

    I have configured IIS on both the SUMs and created separate HTTP update policies for both SUMs in SEC, but I don't see the child SUM and clients getting updated. Please suggest if the child SUM needs any kind of privilege on the parent share.

    Thanks,

    VG

  • I am getting the error "Software delivery failed" for both SUMs in SEC.

  • Hello VG,

    the delivery message doesn't tell the exact error, the SUMTrace log should have more information.

    I'm a little bit confused as the subject says Sub Child (which I'd understand as a SUM updating from a SUM that updates from the master). Also you mention the parent share.
    You publish the SophosUpdate share with IIS, the SUMs are configured to use this web folder as update source - correct? Other than the credentials that permit reading from the web folder (configured in the Sources tab) no privileges are required. In the console's Update managers view, what is the Last updated status for the children - Never? If so, the endpoints naturally don't have a CID to update from so I'd disregard them for the moment.

    Christian