Message Relay/SUM - Behind NAT

Hi,

I'm setting up a Message Relay/SUM in a public WAN, using NAT. According to https://community.sophos.com/kb/en-us/50832, 'ParentRouterAddress' in mrinit.conf should contain the publicly accessible FQDN (eg. mr.company.com).

If I do this, and the MR/SUM also updates from this distribution point, the 'ParentAddress' value under 'HKLM\Software\WOW6432Node\Sophos\Messaging System\Router' eventually ends up pointing to 'mr.company.com'. This then takes the MR offline and the network report shows it's no longer a 'message relay' but an 'endpoint'.

Is this the expected behavior? Does an MR/SUM need to update from a different distribution point, perhaps one that has the 'ParentRouterAddress' configured simply as 'IP,FQDN,NETBIOS' of itself?

Additionally, the 'ServiceArgs' value in the same registry location seems to revert back to the default. Will this cause any issues?

Thanks for any help.

Hello warnox,

to explain how an endpoint determines its role:

• if its IP, NetBIOS name, or FQDN (obtained with a reverse lookup) matches one of the MRParentAddress values, it considers itself the management server
• if its IP, NetBIOS name, or FQDN matches one of the ParentRouterAddress values, it configures itself as a message relay
• if there is no match, it's an endpoint

The MR should update from a distribution point its (that is, the one sending through the relay) endpoints update from. If the registry key reverts and mrinit.conf contains just the FQDN, then there's no reverse lookup (note it needs to reverse-resolve its actual IP to the mr.domain.com, which would otherwise point to the NATted address).

Christian

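A small model of the role-determination rules in Christian's reply, added here as an example and not Sophos's own code: the relay's private address 10.0.0.5, its NetBIOS name MR01, the reverse-resolved name mr01.corp.internal and the management server name are constructed. It shows why a relay behind NAT whose mrinit.conf lists only the public FQDN classifies itself as an endpoint, while listing IP,FQDN,NETBIOS of itself keeps it a message relay.

```python
"""Model of the endpoint role-determination logic described in the thread.

Constructed example: it mimics the matching rules as explained in the reply
(not Sophos's implementation) and shows why a NATted Message Relay that only
lists its public FQDN in mrinit.conf demotes itself to 'endpoint'.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class HostIdentity:
    ip: str            # the host's actual (inside-NAT) interface address
    netbios: str       # NetBIOS name
    reverse_fqdn: str  # FQDN returned by a PTR lookup of `ip` ('' if none)


def parse_addresses(value: str) -> set[str]:
    """Split a comma-separated mrinit.conf value such as 'IP,FQDN,NETBIOS'
    into a set of case-folded, whitespace-stripped tokens."""
    return {tok.strip().lower() for tok in value.split(",") if tok.strip()}


def determine_role(host: HostIdentity, mr_parent: str, parent_router: str) -> str:
    """Return 'management server', 'message relay' or 'endpoint', checking the
    MRParentAddress values before the ParentRouterAddress values."""
    own = {host.ip.lower(), host.netbios.lower(), host.reverse_fqdn.lower()} - {""}
    if own & parse_addresses(mr_parent):
        return "management server"
    if own & parse_addresses(parent_router):
        return "message relay"
    return "endpoint"


# Constructed scenario: relay behind NAT. The public name mr.company.com
# resolves to the NAT address, so a PTR lookup of the relay's private IP
# returns the internal name, which never equals the public FQDN.
RELAY = HostIdentity(ip="10.0.0.5", netbios="MR01", reverse_fqdn="mr01.corp.internal")
MANAGEMENT = "sophos-mgmt.corp.internal"  # constructed MRParentAddress value


def role_with_public_fqdn_only() -> str:
    # ParentRouterAddress holding only the public FQDN, as in the question
    return determine_role(RELAY, MANAGEMENT, "mr.company.com")  # returns "endpoint"


def role_with_self_identifiers() -> str:
    # ParentRouterAddress holding IP,FQDN,NETBIOS of the relay itself
    return determine_role(RELAY, MANAGEMENT, "10.0.0.5,mr.company.com,MR01")  # returns "message relay"


if __name__ == "__main__":
    print("public FQDN only      :", role_with_public_fqdn_only())
    print("IP,FQDN,NETBIOS listed:", role_with_self_identifiers())
```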