Problem with protecting clients in SEC

Hello,

I have a problem with protecting clients in our network. The employees work from home and are connected via VPN.

In the Enterprise Console I click on Protect, but nothing happens.

How can I protect these laptops?


Primary server is my server and secondary is Sophos.

  • Hello Marvin Harms,

    Protect requires that the management server can "find" the computer - i.e. it must be able to resolve the names (that you have probably imported by some means) with Windows networking or DNS. Nothing at all happening would be strange - at least you should get an error message.

    Who has administrative rights on these laptops? It might be simpler to install with a package.

    Christian

  • Hello Christian,

    thanks for your fast reply. I imported the clients from the Active Directory.

    The error is 0000002E (or more "0"s :D )

    I think all of them have administrative rights; we are all external consultants and work from home or on projects.

    I tried it with the standalone installer. The client is protected but not shown as protected in the Enterprise Console.

    Marvin

  • Hello Marvin,

    so the install has succeeded. The server answers on port 8192 - is 192.168.158.139 the IP you have used for telnet? - and the response on 8194 is the expected one. If so, please check the Router log in %ProgramData%\Sophos\Remote Management System\3\Router\Logs\. This should tell why the endpoint can't communicate with the server.

    Christian

  • Hello Christian,

    09.03.2018 10:48:27 1C8C I SOF: C:\ProgramData/Sophos/Remote Management System/3/Router/Logs/Router-20180309-094827.log
    09.03.2018 10:48:27 1C8C I Sophos Messaging Router 4.1.1.127 starting...
    09.03.2018 10:48:27 1C8C I Setting ACE_FD_SETSIZE to 138
    09.03.2018 10:48:27 1C8C I Initializing CORBA...
    09.03.2018 10:48:27 1C8C I Connection cache limit is 10
    09.03.2018 10:48:28 1C8C I Router::ConfigureSslContext: keeping legacy compatibility of TLS 1 and TLS 1.1.
    09.03.2018 10:48:28 1C8C I Creating ORB runner with 4 threads
    09.03.2018 10:48:28 1C8C W No public key certificate found in the store. Requesting a new certificate.
    09.03.2018 10:48:28 1C8C I Getting parent router IOR from 192.168.158.139:8192
    09.03.2018 10:48:28 1C8C I This computer is part of the domain PARADOX
    09.03.2018 10:48:49 1C8C I This computer is part of the domain PARADOX
    09.03.2018 10:48:49 1C8C I Getting parent router IOR from fe80::bc28:431e:a704:4f2:8192
    09.03.2018 10:48:49 1C8C E ACE_INET_Addr::ACE_INET_Addr: fe80::bc28:431e:a704:4f2: Authoritive: Host not found
    09.03.2018 10:48:49 1C8C W Parent address unknown: Authoritive: Host not found (11001)
    09.03.2018 10:48:49 1C8C I Getting parent router IOR from PXNPAPP07.paradox.local:8192
    09.03.2018 10:49:10 1C8C I Getting parent router IOR from PXNPAPP07:8192
    09.03.2018 10:49:32 1C8C I This computer is part of the domain PARADOX
    09.03.2018 10:49:32 1C8C E Failed to get parent router IOR
    09.03.2018 10:49:32 1C8C W Failed to get certificate, retrying in 600 seconds
    09.03.2018 10:59:33 1C8C I Getting parent router IOR from 192.168.158.139:8192
    09.03.2018 10:59:54 1C8C I Getting parent router IOR from fe80::bc28:431e:a704:4f2:8192
    09.03.2018 10:59:54 1C8C E ACE_INET_Addr::ACE_INET_Addr: fe80::bc28:431e:a704:4f2: Authoritive: Host not found
    09.03.2018 10:59:54 1C8C W Parent address unknown: Authoritive: Host not found (11001)
    09.03.2018 10:59:54 1C8C I Getting parent router IOR from PXNPAPP07.paradox.local:8192
    09.03.2018 11:00:15 1C8C I Getting parent router IOR from PXNPAPP07:8192
    09.03.2018 11:00:36 1C8C E Failed to get parent router IOR
    09.03.2018 11:00:36 1C8C W Failed to get certificate, retrying in 600 seconds
    09.03.2018 11:08:32 1C8C E Router::Start: Caught Router stopped before certificate obtained

    This is the log file... The only entry is from 09.03?

    Do you have an idea? I am so desperate....

    Marvin

  • This log file is from the endpoint; or do you need the log from the server?

  • Hello Marvin,

    the logs are removed upon a reinstall.
    Now that you have shown that telnet to 192.168.158.139 responds with the expected IOR, the logs indicate that RMS' connection attempt to the IPv6 address fails immediately, whereas the requests with the IP and the names time out (you can see the 20+ second gaps in the timestamps). The question is, why does RouterNT.exe not get a response but telnet does?

    Christian
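
    As an added illustration (not code from the thread or from Sophos), a small parser for the Router log lines posted above: for each "Getting parent router IOR" attempt it measures how long the router waited before the next attempt or error, which makes the immediate IPv6 resolution failure and the 20+ second connect timeouts Christian describes visible at a glance. The sample is an excerpt of the log posted in the thread.

```python
import re
from datetime import datetime

# Line shape of the RMS Router log as posted above:
# "09.03.2018 10:48:28 1C8C I Getting parent router IOR from 192.168.158.139:8192"
LINE_RE = re.compile(r"^(\d\d\.\d\d\.\d{4} \d\d:\d\d:\d\d) ([0-9A-F]+) ([IWE]) (.*)$")
ATTEMPT_RE = re.compile(r"^Getting parent router IOR from (.+)$")

# Excerpt of the first retry cycle from the log posted in the thread.
SAMPLE_LOG = """\
09.03.2018 10:48:28 1C8C I Getting parent router IOR from 192.168.158.139:8192
09.03.2018 10:48:28 1C8C I This computer is part of the domain PARADOX
09.03.2018 10:48:49 1C8C I This computer is part of the domain PARADOX
09.03.2018 10:48:49 1C8C I Getting parent router IOR from fe80::bc28:431e:a704:4f2:8192
09.03.2018 10:48:49 1C8C E ACE_INET_Addr::ACE_INET_Addr: fe80::bc28:431e:a704:4f2: Authoritive: Host not found
09.03.2018 10:48:49 1C8C W Parent address unknown: Authoritive: Host not found (11001)
09.03.2018 10:48:49 1C8C I Getting parent router IOR from PXNPAPP07.paradox.local:8192
09.03.2018 10:49:10 1C8C I Getting parent router IOR from PXNPAPP07:8192
09.03.2018 10:49:32 1C8C E Failed to get parent router IOR
""".splitlines()

def parse(lines):
    """Yield (timestamp, level, message) for each well-formed log line."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            yield datetime.strptime(m[1], "%d.%m.%Y %H:%M:%S"), m[3], m[4]

def classify_attempts(lines, timeout_s=20):
    """Label each IOR attempt: it ends at the next attempt or the next W/E entry.
    An error within 2 s is an immediate failure (here: IPv6 name resolution);
    a gap of timeout_s or more means the TCP connect to 8192 was never answered."""
    events = list(parse(lines))
    ends = [i for i, (_, lvl, msg) in enumerate(events)
            if lvl in "WE" or ATTEMPT_RE.match(msg)]
    results = []
    for i, (ts, _, msg) in enumerate(events):
        m = ATTEMPT_RE.match(msg)
        if not m:
            continue
        nxt = next((j for j in ends if j > i), None)
        if nxt is None:
            results.append((m[1], None, "unfinished"))
            continue
        gap = (events[nxt][0] - ts).total_seconds()
        lvl = events[nxt][1]
        verdict = ("immediate failure" if lvl == "E" and gap < 2
                   else "timeout" if gap >= timeout_s else "answered")
        results.append((m[1], gap, verdict))
    return results
```

    Run against the full Router log, a run of "timeout" verdicts for the IPv4 address and both host names, with no "answered" entry, points at the endpoint-side path to port 8192 rather than at name resolution.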

  • Hello Christian,

    Ah okay. Do you have an idea? Sorry, but I am a total beginner with Sophos...

    I would not even know how to continue with this topic..

    Marvin

  • Hello Marvin,

    does the firewall generally permit outbound connections? Or did you have to explicitly allow telnet? If not, then it would be surprising that one process gets a response and another does not - but anyway it suggests some local problem.
    My preferred approach is to run Wireshark to see what goes out and comes or doesn't come in.

    Christian

  • Hello Christian,

    I could not see anything in wireshark, at least not with the ports.

    This cannot be true...

    Marvin

  • Hello Marvin,

    using just port 8192 or port 8194 as capture filter you should see at least something (i.e. the SYNs) when you (re-)start the Sophos Message Router service. To make sure Wireshark works as it should also telnet to port 8192.

    Christian

  • Hello Christian,

    this is Telnet 8192 in CMD on my client to the server:

    From the server, for the same, this here:

    The connection from the client to the server has apparently worked, right? And on the server side the message says that the network is overloaded, right?

    Marvin

  • Hello Marvin,

    I wouldn't concentrate on the server side (and the screenshot is too small for my bad eyesight [:D]).
    Seriously, the telnet screenshot shows just endpoint → server 8192 ... but where's the response that you apparently get? The IOR you get with telnet should also show in the packets (though the window title doesn't suggest an additional filter). So first we'd need the complete traffic for telnet and then compare it to the one initiated by the router. Looks like (in the 2nd) that the server can't SYN to the endpoint - but why does telnet work then?

    Christian
