
Configure Endpoint Server 10 with RMS behind a firewall/NAT (Don't want to use message relay)

Everywhere I look it appears Sophos really wants you to use a message relay to accomplish this. Has anyone been able to get this working with a registry hack or some other work around?

:20965


This thread was automatically locked due to age.
  • Hi,
    You don't need to use a relay if the SEC server is as accessible to the clients as the relay would be.
    As long as the clients can find the server on 8192 using the parentaddress they have, they will read the IOR from 8192 and connect back to the address encoded in that. Note: you can use http://www2.parc.com/istl/projects/ILU/parseIOR/ to parse an IOR to examine the contents.
    The problem comes when the IOR contains within it a non-routable address for the client to connect back on. It's for that reason you have to use the hostname_in_ior switch (as per http://www.sophos.com/support/knowledgebase/article/50832.html ) to override the parent IOR such that the client gets an IP address it can connect to.

    As an example:

     
    This diagram shows a client which has a ParentAddress (HKEY_LOCAL_MACHINE\SOFTWARE\[Wow6432Node]\Sophos\Messaging System\Router ) of sec.domain.com.  
    Using DNS this resolves to the IP 78.65.32.22.  This device forwards the connection to port 8192 on to the SEC server at 192.168.1.1.  The IOR has been overridden such that the address given back to the client is not the default of 192.168.1.1:8194 but sec.domain.com:8194.  So the remote client can resolve back to 78.65.32.22, which will forward on to 192.168.1.1:8194 and make the connection.
    Note: The local agents on the SEC server will also be talking to the router and will be reading the IOR, so they need to know that sec.domain.com is the local machine.  For that reason I've shown the hosts file.
    I hope this helps with your understanding on how it works and what you might need to do.
    Regards,
    Jak
    :20971
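
Added example, not part of the original posts and not Sophos code: a minimal offline decoder for a stringified CORBA IOR that extracts the host and port of each IIOP profile, so you can check whether the address a client would connect back to is a private one. The `sample_ior` helper and its type id are constructed test data; the decoder assumes the endpoint is carried in the IIOP profile body and does not decode tagged components.

```python
import ipaddress
import struct

class Cdr:
    """Minimal CDR reader; octet 0 of an encapsulation is the byte-order flag."""
    def __init__(self, data):
        self.data, self.pos = data, 1
        self.end = "<" if data[0] & 1 else ">"
    def num(self, fmt, size):
        self.pos += -self.pos % size  # primitives are aligned to their own size
        (value,) = struct.unpack_from(self.end + fmt, self.data, self.pos)
        self.pos += size
        return value
    def octets(self):
        n = self.num("I", 4)
        self.pos += n
        return self.data[self.pos - n:self.pos]
    def string(self):
        return self.octets().rstrip(b"\0").decode("ascii")

def iiop_endpoints(ior):
    """Return (type_id, [(host, port), ...]) for the IIOP profiles in an IOR string."""
    if ior[:4].upper() != "IOR:":
        raise ValueError("not a stringified IOR")
    r = Cdr(bytes.fromhex(ior[4:].strip()))
    type_id, found = r.string(), []
    for _ in range(r.num("I", 4)):
        tag, body = r.num("I", 4), r.octets()
        if tag == 0:  # TAG_INTERNET_IOP
            p = Cdr(body)
            p.pos += 2  # skip IIOP version (major, minor)
            found.append((p.string(), p.num("H", 2)))
    return type_id, found

def is_private_ip(host):
    """True for an IP literal in a private range; False for a DNS name."""
    try:
        return ipaddress.ip_address(host).is_private
    except ValueError:
        return False

def sample_ior(host, port):
    """Constructed big-endian IOR with one IIOP 1.0 profile (test data only)."""
    h, t = host.encode() + b"\0", b"IDL:Example:1.0\0"
    prof = b"\0\1\0\0" + struct.pack(">I", len(h)) + h
    prof += b"\0" * (-len(prof) % 2) + struct.pack(">H", port)
    prof += b"\0" * (-len(prof) % 4) + struct.pack(">I", 3) + b"key"
    body = b"\0\0\0\0" + struct.pack(">I", len(t)) + t  # 24 bytes, already aligned
    body += struct.pack(">III", 1, 0, len(prof)) + prof
    return "IOR:" + body.hex()
```

Running `iiop_endpoints` on the IOR read from the server before and after the hostname override shows whether remote clients are still being handed an internal address.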
  • Hi Jak,

    I'm unable to see the image here. Please help.

    :56797
  • Hi,

    The file was hosted here:

    http://i.imgur.com/5umje.png

    Maybe you have something blocking that site.

    I've also attached it.

    Regards,

    Jak

    :56799
  • Perfect. Thank you so much Jak!

    :56804