
Message Relay Clarification

Background/Goal:

Note: Due to personnel changes, I am assuming responsibility for our Sophos infrastructure, and I am in no way a SME on this.

My organization recently acquired a new company's infrastructure, in a remote location, on a separate domain. We are using Sophos Enterprise Console 5.5.1 for our internal assets, and the goal is to install Sophos on their devices, and manage them from our internal management server.  It's worth noting we will only be managing a very small handful of their devices -- roughly 10-20.

I was led to believe that creating a message relay which is publicly accessible for their domain, within our DMZ, is the correct way to accomplish this task - as illustrated in the following KB (https://community.sophos.com/kb/en-us/50832):

Questions/Issues:

I've created a Windows 2012 R2 message relay and installed Sophos Endpoint Security and Control on it.  After reading through this KB on creating the message relay, and this KB on using the ConfigCID.exe, I am a little fuzzy on the following details:

  • Section 1.1 on the Message Relay instructions states "You must create a new distribution point" to set up a new update location for the message relay.  The instructions state to create this new update location, but don't necessarily clarify what that is, or how to go about this.  I assume the distribution point/update location is where the message relay pulls policies, updates, etc.  If that's the case, can I just use my existing management server as the distribution point/update location?  If so, does this require any additional package creation, or do I just use my existing S000\SAVSCFXP location?
  • If I can use my main management server as the update location/distribution point, my next question is after I drop the mrinit.conf file into the "rms" subfolder located in "\\[Management Server]\SophosUpdate\CIDs\S000\SAVSCFXP" and insert my message relay [IP-address],[FQDN-address],[NETBIOS-address] into the ParentRouterAddress field -- where do I run the ConfigCID.exe?  The KB mentions to run this "On the server with the Sophos Management Service" so I would assume my management server, but then mentions to enter "configcid \\[servername]\SophosUpdate\CIDs\S000\SAVSCFXP\" with the "path to the distribution folder".  If I use my management server as the distribution point, would that just be my management server path?  -- \\[Management Server]\SophosUpdate\CIDs\S000\SAVSCFXP

TL;DR -- Can I use my existing management server as the distribution point/update location, and if so, do I run ConfigCID.exe from the management server with configcid \\[Management Server]\SophosUpdate\CIDs\S000\SAVSCFXP as the command?

Specifications:

Sophos Enterprise Console 5.5.1 on Windows Server 2012 R2

Message Relay is Windows Server 2012 R2

  • Hi  

    Distribution point should be the message relay server as the outside client will only be able to receive the update from Message relay, not from the Management Server.

    For config CID, please run the command on management server with configcid \\messagerelay server\SophosUpdate\CIDs\Sxxx\SAVSCFXP.

    You can refer to this video for your configuration.

    Regards,

    Jasmin
    Community Support Engineer | Sophos Support

    Sophos Support Videos | Knowledge Base | @SophosSupport | Sign up for SMS Alerts |
    If a post solves your question use the 'This helped me' link

  • Hello Jasmin,

    That video was extremely helpful, and I was able to create the Message Relay, create the Distribution Point shared folder, add it to Distribution from [Management Server], and successfully run ConfigCID.exe.  Everything in the video worked.

    My only question/issue is the very last section of that video -- after creating the Message Relay group, and Message Relay policy to that group, then adding the [Message Relay] server into the group.

    Our issue is that we are using AD Synchronization, and our [Message Relay] is obviously in one of our OU containers -- since it's domain-joined and needs to talk to our [Management Server] -- so, when I go to move the [Message Relay] into the newly created Message Relay group I created, it can't be moved since it's part of a synchronized group.  From what I see, any machine in a synchronized group cannot be moved.

    So, I guess my question(s) are:

    1. Would I need to move this [Message Relay] into its own OU, where I can then apply the Message Relay policy (so I don't affect our other machines)? 
    2. If that's the case, and it is still in our domain, how will I add this newly acquired company's devices (that are in a separate remote domain), to our management server, and manage them/point them to the [Message Relay]?  I'd assume I'd just create a new group outside of our synchronized group, and apply the Message Relay policy to that group -- then they will all point to the [Message Relay] server for updates.
    3. I guess ultimately, my big question is, once this [Message Relay] server is publicly accessible to the public WAN, how exactly do these remote machines talk to it if the mrinit.conf file has internal private IP addresses?
  • Hi  

    Please refer to the below answers for your questions:

    1. If you move the server to a different OU of its own, that is good, because we need to apply the policy to make it work as a Message Relay.

    2. Please refer to this KB; I think you have already referred to it before as well. You need to choose the scenario which you are going to implement. Also, I'd like to know whether the computers in the other company are going to use a VPN to connect to your network or not. You can deploy the protection to external clients through the deployment packager as well, but first you need to make sure the MR is working in the DMZ.

    For the group, you can create a group out of your AD sync for those new endpoints. 

    3. If you use scenario 2 in the above-mentioned KB, then you need to configure the mrinit.conf as below. MR.domain.com should be resolvable on the internet, as mentioned in the above KB.
      "MRParentAddress"="192.168.0.3,[Console-FQDN],[Console-HOSTNAME]"
      "ParentRouterAddress"="MR.domain.com"

      

    Regards,

    Jasmin
    Community Support Engineer | Sophos Support

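A small check for the point in answer 3 above, added here as an example and not taken from the thread or from Sophos: the ParentRouterAddress handed to external clients must be something they can actually reach, so an mrinit.conf still carrying the relay's internal IP, .local name or NetBIOS name will fail for them. The sample values are constructed (console.corp.example stands in for the console FQDN); only the two quoted keys are parsed.

```python
import ipaddress
import re
from typing import Dict, List

# Constructed sample matching the two lines quoted in the reply above
# (scenario 2: console reachable internally, relay published externally).
SAMPLE_MRINIT = '''
"MRParentAddress"="192.168.0.3,console.corp.example,CONSOLE01"
"ParentRouterAddress"="MR.domain.com"
'''

# Constructed counter-example: relay list still carries internal-only
# addresses, which a client on the public WAN can never reach.
BAD_MRINIT = '''
"MRParentAddress"="192.168.0.3,console.corp.example,CONSOLE01"
"ParentRouterAddress"="10.10.20.5,mr01.corp.local,MR01"
'''

# mrinit.conf lines quoted above have the form "Key"="value,value,..."
LINE_RE = re.compile(r'^\s*"([^"]+)"\s*=\s*"([^"]*)"\s*$')


def parse_mrinit(text: str) -> Dict[str, List[str]]:
    """Map each key to its comma-separated list of addresses."""
    entries: Dict[str, List[str]] = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            key, value = m.groups()
            entries[key] = [v.strip() for v in value.split(",") if v.strip()]
    return entries


def is_internal_only(addr: str) -> bool:
    """RFC1918/loopback/link-local IPs, .local names and single-label
    (NetBIOS) names cannot be reached or resolved from the internet."""
    try:
        ip = ipaddress.ip_address(addr)
        return ip.is_private or ip.is_loopback or ip.is_link_local
    except ValueError:
        lowered = addr.lower()
        return "." not in lowered or lowered.endswith(".local")


def check_external_mrinit(text: str) -> List[str]:
    """Return findings for an mrinit.conf meant for clients outside the LAN."""
    findings: List[str] = []
    entries = parse_mrinit(text)
    if "MRParentAddress" not in entries:
        findings.append("MRParentAddress missing: relay cannot find its console")
    routers = entries.get("ParentRouterAddress", [])
    if not routers:
        findings.append("ParentRouterAddress missing: clients cannot find the relay")
    for addr in routers:
        if is_internal_only(addr):
            findings.append(f"ParentRouterAddress '{addr}' is not reachable from the internet")
    return findings
```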
