Sophos Client not Connecting to the Safeguard Server, Every Option Known to Sophos Support Engineers Not Helpful

Hello,

So I am currently past being on my last limb with Sophos Safeguard. Every time there is an issue that I fix, another one arises.

So here is the situation. I was given multiple old end user machines and was instructed to get Safeguard off of them. The problem is, I am obviously not able to simply decrypt/uninstall without doing the following:

a. Adding the machine in question to the ".Decrypt Computer" and/or ".Uninstall SafeGuard" group via our Safeguard Management Center.

Easy, right?

When checking the Computer in question, I see that the last time the machine communicated with the server was all the way back in 2016 (must've been sitting in the back room for a while or something).

Now I know what you're probably thinking here; "Right click the safeguard icon and click on synchronize". I did so. I also know the next think that you are thinking; "Make sure that the certificate is still valid by checking it within the MMC". I did so, the cert is still valid.

Next, for the heck of it, I checked IIS > Start Page > Server Name > Sites > Click on Bindings > select port 443 and click edit. I see that the same non-expired cert is binded.

"Okay.." I thought to myself. Let's check that "SGNSCC (Or whatever name it's called) that shows me the connection status, pingability to the server, etc...I realized this is from 2016.. The version of Sophos that this has (Sophos 7) does not even have that function to direct me in the right direction as to where to go from here. 

I tried one more thing... I uninstalled the configuration package from the workstation, and created a new configuration package within the Management Center. I thought that maybe this configuration package was made with a new SSL Certificate (Not sure if that has anything to do with it, but like said, I am completely at my wits end).

Seeing that Safeguard 7 is not supported anymore, I was hoping that anyone here might know of other options.

  • Hi  

    I am feeling that in this case there is an issue probably with SSL certificate because of which client is not able to communicate with the server.

    I'd also like to the Safeguard Enterprise version currently you have, however, Safeguard client v7.0 should be able to sync with the any of the Safeguard Enterprise version till 8.30.

    I'd also suggest you refer to this document which has been documented a way back but is very useful to diagnose the issue of communication.

  • Hi Philip - I would create a configuration package WITH the policy assigned to it.

    This is not normally best practice - especially with an encryption policy. You want the machine to verify it CAN communicate with the server BEFORE it starts to encrypt. Encrypting by policy before the communication has taken place means that potentially a machine could encrypt without having stored the recovery key.

    However - in this case I would include the decrypt policy WITHIN the configuration. I've had a few machines that have refused to accept the "new" configuration and allow decryption. 

     

     

    Give me a shout if you're still having issues - Don't worry we can resolve this!