Sophos Enterprise Console - Secondary Update Server

Hi All,

 

Currently having an issue where we have the Primary and Secondary Update servers listed on the SEC.

The primary, which is our on-prem server, shows up on client machines but the secondary does not (this is linked to the account username and licensing key).

Is there a reason the secondary is not showing up?

 

All help appreciated.

 

Kind Regards

Stephen

  • Hi Stephen,

    Are there any other client machines connected to SEC and do they show up under client machines as connected? Can the secondary update server connect to SEC on ports 8192/8194 and the SEC server to the secondary update server? You can test this by installing telnet client or using PuTTY via telnet.

  • Hi Stephen,

     

    Is this secondary SUM newly installed?

    Can you confirm that you applied the SUM to the applicable machines AutoUpdate policy?

    Please see the following article on configuring policies to use a secondary update location for failover purposes. The article does specify using Sophos, but you can use whichever update location you choose: https://community.sophos.com/kb/en-us/12354

     Let me know if this helps.

    Thanks,

  • In reply to ZGV:

    SUM already existed 

     

    Client machines do not see it, but the installed client on the server sees the secondary location???

    All client machines have the message awaiting transfer policy

  • In reply to Cashfac IT:

    Hello Stephen,

    it's not clear what you mean by machines do not see it. As you mention Awaiting policy transfer - are you perhaps talking about the Update Details view in the Console and the Secondary location is blank? If so, and if the (most, the ones that are running) endpoints show as Connected (the green icon) select them, right-click Comply with → Group updating policy.

    Christian

  • In reply to QC:

    Hi Christian,

     

    All machines have a cross through them and have the Awaiting policy transfer apart from the client software installed on the SEC server itself

     

    Kind Regards

    Stephen

  • In reply to Cashfac IT:

    Hello Stephen,

    you did reprotect them and they did connect after install, i.e. the down-arrow and the hourglass disappeared from the computer icon and there are no error messages?
    You can in addition check from the Computer Details view, column Last message time.

    Christian

  • In reply to QC:

    Hi Christian,

    I reprotected them, got the hourglass, then they went back to a cross next to the machine

     

     

    Above is what I am currently seeing

     

    Kind Regards

    Stephen

  • In reply to Cashfac IT:

    Hello Stephen,

    guess the errors reported are install errors, could you check the Alert and Error Details view? The Update errors column is on the far right. Or double-click a computer to view its details.

    Could it be that a firewall (network or server-local, unlikely on the endpoints) is blocking the connection? Simple test is to try to telnet to port 8192 on the management server from an endpoint.

    Christian

  • In reply to QC:

    Hi Christian,

     

    I get the following on the install error section on most of the endpoints.

     

    Kind Regards

    Stephen

  • In reply to Cashfac IT:

    There's also nothing blocking ports as far as I can see

  • In reply to Cashfac IT:

    Hello Stephen,

    the "could not be started" can have several reasons, but it seems the install has run on those not yet managed. This usually means that the install task has been run but the endpoint has not yet "called back".
    Can you confirm that a telnet connection from one of these endpoints to the server's 8192 succeeds?

    Christian

  • In reply to QC:

    Hi Christian,

     

    I have tested this and it is not getting blocked

     

    Kind Regards

    Stephen

  • In reply to Cashfac IT:

    Hello Stephen,

    so you do get back a string that starts with IOR: followed by quite a number of hex digits?

    Christian

  • In reply to QC:

    IOR:010000002600000049444c3a536f70686f734d6573736167696e672f4d657373616765526f757465723a312e300000000100000000000000a4000000010102000e0000003139322e3136382e312e3134310001204100000014010f004e5550000000210000000001000000526f6f74504f4100526f7574657250657273697374656e740003000000010000004d657373616765526f757465720000000300000000000000080000000100fc00004f415401000000180000000100fc00010001000100000001000105090101000000000014000000080000000100a60086000220

    Connection to host lost.

  • In reply to Cashfac IT:

    Hello Stephen,

    guess I don't disclose any secret information here. The IOR advertises 192.168.1.141 as the management server's IP, is this the correct address?
    If so, and if this endpoint does not appear connected please restart the Sophos Message Router service on the endpoint and then check the latest Router-202001....log in %ProgramData%\Sophos\Remote Management System\3\Router\Logs. It should help to determine why the endpoints don't talk to the server.

    Christian
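
The last reply reads the management server's address out of the IOR string returned on port 8192. As an added example (not part of the thread and not Sophos code), the Python below decodes that string using the standard CORBA IOR / IIOP profile layout and returns the advertised host, port and SSL port so they can be compared with the server's real address; the names `CDR`, `parse_ior` and `THREAD_IOR` are illustrative.

```python
import struct
# IOR string exactly as posted in the thread (telnet to port 8192 on the management server).
THREAD_IOR = ("IOR:010000002600000049444c3a536f70686f734d6573736167696e672f4d657373616765526f757465723a312e300000000100000000000000a4000000010102000e0000003139322e3136382e312e313431000120"
              "4100000014010f004e5550000000210000000001000000526f6f74504f4100526f7574657250657273697374656e740003000000010000004d657373616765526f75746572"
              "0000000300000000000000080000000100fc00004f415401000000180000000100fc00010001000100000001000105090101000000000014000000080000000100a60086000220")

class CDR:
    """Minimal reader for one CDR encapsulation (octet 0 is the byte-order flag)."""
    def __init__(self, data):
        self.data, self.pos = data, 1
        self.fmt = "<" if data[0] & 1 else ">"

    def _read(self, code, size):
        self.pos += -self.pos % size           # CDR aligns each primitive to its own size
        (val,) = struct.unpack_from(self.fmt + code, self.data, self.pos)
        self.pos += size
        return val

    def ulong(self): return self._read("I", 4)
    def ushort(self): return self._read("H", 2)
    def octet(self): return self._read("B", 1)
    def octets(self):                          # sequence<octet>: ulong length, then bytes
        n = self.ulong()
        self.pos += n
        return self.data[self.pos - n:self.pos]

    def string(self):                          # length-prefixed, NUL-terminated
        return self.octets().rstrip(b"\0").decode("latin-1")

def parse_ior(text):
    """Return type id, host, port and (if advertised) SSL port of the IIOP profile."""
    if not text.strip().upper().startswith("IOR:"):
        raise ValueError("not a stringified IOR")
    ior = CDR(bytes.fromhex(text.strip()[4:]))
    info = {"type_id": ior.string()}
    for _ in range(ior.ulong()):               # sequence of tagged profiles
        tag, body = ior.ulong(), ior.octets()
        if tag != 0:                           # 0 = TAG_INTERNET_IOP
            continue
        p = CDR(body)
        version = (p.octet(), p.octet())
        info["host"], info["port"] = p.string(), p.ushort()
        p.octets()                             # object key, not needed here
        ncomp = p.ulong() if version >= (1, 1) else 0   # components exist from IIOP 1.1
        for _ in range(ncomp):
            ctag, cbody = p.ulong(), p.octets()
            if ctag == 20:                     # TAG_SSL_SEC_TRANS: supports, requires, port
                ssl = CDR(cbody)
                info["ssl_port"] = (ssl.ushort(), ssl.ushort(), ssl.ushort())[2]
    return info
```

For the string posted in the thread, `parse_ior(THREAD_IOR)` returns host 192.168.1.141 with port 8193 in the IIOP profile and 8194 in the SSL component. Pass only the `IOR:` line, not the "Connection to host lost." line that telnet prints after it.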