
AV Deployed Using Sophos Deployment Packer Show Greyed in SEC

Built a custom AV installer using the Sophos Deployment Packer from the SEC server.

Have a clean Windows 7 PC.

The custom installer works and even contacts the SEC and gets all of the updates, but the PC won't register with the SEC.

The PC is in a managed AD OU.

Support currently has me chasing my trail on this issue with no real answer to this issue.

If I push from the SEC to the PC all works correctly.

The only thing that has changed is we had to change the IP address of the SEC.

We followed all of the steps for doing this from support.  Plus we only used the host name of the SEC server for everything we did.

Can anybody point me in the direction to get this resolved?

  • I would suggest the following:

    1. Following install, check the ParentAddress value in the registry on the client.  
    This is under the "Router" key (hklm\software\wow6432node\sophos\messaging system\).  I assume Support have referenced this.
    The value should be a comma-separated list of addresses the router will try to connect to.  
    The client router will try each in turn, timing out as it goes.  
    An un-routable/non-contactable address may just slow down the router logon process, but it should still work providing there is a valid address in the list.
    This value is added to the registry during the install of RMS by clientmrinit.exe, which reads cac.pem and mrinit.conf from the RMS program files directory.  Those files are not read again apart from an upgrade to RMS.

    2.  Assuming the FQDN/NetBIOS is resolvable to the management server or upstream message relay.
    The client router will connect to port 8192 (TCP) of the server router and read the IOR string.  
    This string informs the client which IP and Port to connect back to on the secure port.  By default 8194 TCP.

    It's for this reason the client needs to be able to connect to TCP port 8192 and 8194 of the server.

    You can parse the string to check what's in it using either:
    http://www2.parc.com/istl/projects/ILU/parseIOR/
    or
    http://catior.org/

    3. If the client router doesn't have a certificate then it will need to get one.
    This is a one time event but needs to happen before the computer can be managed.
    Note: Ensure that the Certification Manager service on the server is started.

    Good checks to prove that the router has a certificate are:
    1. Can you telnet to ports 8192 and 8194 of the client router?  Until the client router has a cert it will not listen on those ports locally.
    2. Does the router have pkc and pkp registry values under the router's Private key?  That is another easy one.

    4. Assuming the router has a certificate, the local Sophos Agent will also need one.  Up until the router gets one, it will be constantly trying to connect to port 8192 of the local router which will not be listening.

    There is also a pkc and pkp value under the Management Agent private key when the agent gets a certificate.

    5. To make downstream messages more timely, it is worth opening TCP port 8194 on the client.  This will ensure that the server router can inform the client when a new message is waiting for it.  The client polls for messages every 15 mins +-50% otherwise so it should still work even if the router on the server can't notify on port 8194 of the client.

    The Router and Agent logs on the client will hold all this information on state of the system. \programdata\sophos\remote management system\3\.... Feel free to attach them if needed.

    Regards,
    Jak
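    The two checks in steps 2 and 3 above (read the IOR the server router publishes on port 8192 to see which address and port it tells clients to call back on, then confirm those ports actually accept a TCP connection) can be scripted instead of using the online IOR parsers and telnet. The block below is an added example written for this thread; it is not code from the thread or from Sophos. It assumes the IOR follows the standard CORBA/GIOP layout (an "IOR:" prefix, hex-encoded CDR with a byte-order flag, a type id, and one or more tagged profiles, where a TAG_INTERNET_IOP profile carries host, port and object key). The type id, host name, port and object key in the sample are constructed placeholders, not values taken from a real SEC; `check_tcp` is a stdlib stand-in for the telnet test. Comparing the host the IOR advertises with the name clients were given is the useful check after an address change like the one described at the top of the thread: if the advertised endpoint is not reachable from the client, management traffic cannot come back.

```python
import socket
import struct

TAG_INTERNET_IOP = 0  # standard GIOP profile tag for an IIOP endpoint


class CDRReader:
    """Decode CDR primitives from one encapsulation.

    The first octet of an encapsulation is the byte-order flag (0 = big-endian,
    1 = little-endian) and every alignment is relative to that octet, which is
    why each nested encapsulation (the IOR body, then each profile) gets its
    own reader rather than sharing one offset.
    """

    def __init__(self, data: bytes):
        self.data = data
        self.endian = "<" if data[0] == 1 else ">"
        self.pos = 1

    def _align(self, n: int) -> None:
        self.pos = (self.pos + n - 1) // n * n

    def octet(self) -> int:
        v = self.data[self.pos]
        self.pos += 1
        return v

    def ushort(self) -> int:
        self._align(2)
        v = struct.unpack_from(self.endian + "H", self.data, self.pos)[0]
        self.pos += 2
        return v

    def ulong(self) -> int:
        self._align(4)
        v = struct.unpack_from(self.endian + "I", self.data, self.pos)[0]
        self.pos += 4
        return v

    def octets(self) -> bytes:
        n = self.ulong()
        v = self.data[self.pos:self.pos + n]
        self.pos += n
        return v

    def string(self) -> str:
        return self.octets()[:-1].decode("ascii")  # length counts the trailing NUL


def parse_ior(ior: str) -> dict:
    """Return the type id and the host/port of every IIOP profile in an IOR string."""
    if not ior.startswith("IOR:"):
        raise ValueError("not an IOR string")
    r = CDRReader(bytes.fromhex(ior[4:]))
    result = {"type_id": r.string(), "profiles": []}
    for _ in range(r.ulong()):
        tag, body = r.ulong(), r.octets()
        if tag != TAG_INTERNET_IOP:
            result["profiles"].append({"tag": tag, "raw": body})
            continue
        p = CDRReader(body)  # profile body is its own encapsulation
        major, minor = p.octet(), p.octet()
        profile = {"tag": tag, "version": f"{major}.{minor}",
                   "host": p.string(), "port": p.ushort(), "object_key": p.octets()}
        if (major, minor) >= (1, 1):  # IIOP 1.1+ appends tagged components; skip them
            for _ in range(p.ulong()):
                p.ulong()
                p.octets()
        result["profiles"].append(profile)
    return result


class CDRWriter:
    """Big-endian CDR encoder, used here only to build the constructed sample IOR."""

    def __init__(self):
        self.buf = bytearray([0])  # byte-order flag: 0 = big-endian

    def _align(self, n: int) -> None:
        while len(self.buf) % n:
            self.buf.append(0)

    def octet(self, v: int) -> None:
        self.buf.append(v)

    def ushort(self, v: int) -> None:
        self._align(2)
        self.buf += struct.pack(">H", v)

    def ulong(self, v: int) -> None:
        self._align(4)
        self.buf += struct.pack(">I", v)

    def octets(self, b: bytes) -> None:
        self.ulong(len(b))
        self.buf += b

    def string(self, s: str) -> None:
        self.octets(s.encode("ascii") + b"\0")


def build_ior(type_id: str, host: str, port: int, object_key: bytes) -> str:
    """Build an IIOP 1.0 IOR with a single profile (constructed sample data only)."""
    prof = CDRWriter()
    prof.octet(1)
    prof.octet(0)  # IIOP version 1.0
    prof.string(host)
    prof.ushort(port)
    prof.octets(object_key)
    w = CDRWriter()
    w.string(type_id)
    w.ulong(1)  # one profile
    w.ulong(TAG_INTERNET_IOP)
    w.octets(bytes(prof.buf))
    return "IOR:" + bytes(w.buf).hex()


def check_tcp(host: str, port: int, timeout: float = 3.0) -> bool:
    """Stdlib equivalent of the telnet test: can a TCP handshake complete?"""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


if __name__ == "__main__":
    # Constructed sample: placeholder type id, host, port and key, not real Sophos values.
    sample = build_ior("IDL:Example/Router:1.0", "secserver.example.local", 8194, b"router-key")
    info = parse_ior(sample)
    for prof in info["profiles"]:
        print(f"IIOP {prof['version']} endpoint {prof['host']}:{prof['port']}")
        # Compare the advertised host with the name clients were given, then probe it.
        print("reachable:", check_tcp(prof["host"], prof["port"]))
```

    In practice you would paste the IOR string read from the server's port 8192 into `parse_ior` instead of the constructed sample, and point `check_tcp` at the advertised host on 8192 and 8194 from the affected client; a host name in the IOR that the client cannot resolve, or an address that no longer answers, is exactly the condition step 2 warns about.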



  • There is no (hklm\software\wow6432node\sophos\messaging system\).  The folder messaging system is missing.

    All ports are open.

    Cert services is running.

    When building the custom installer, do I need to check the RMS box?

  • Yes, the generated setup.vbs (use something like 7-zip to extract the contents of the SFX) will have the parameter:

    -mng yes

    meaning enable management.  I.e. install Sophos Remote Management System which is how the component appears in Programs and Features.

    Regards,

    Jak

  • I built a new custom package and selected RMS.

    Selected "Configure AutoUpdate to Download Components" This allowed me to fill in the "Primary Update Location"

    Still no luck.  Test PC will download updates but won't register with SEC.

    The only way to get a Workstation/Server to register is to push from SEC.

  • Do you have a router log on the client now that RMS is installed?  I assume it's installed now it's configured to be installed.

    The router logs are here:

    \programdata\sophos\remote management system\3\router\logs\

    What does that contain?

    Regards,

    Jak