
Message Router/Relay

I'm hoping someone out there can help me untangle my brain on Message Routers and Relays.

(Question 1 - are Routers and Relays the same thing?  What's the difference?)

I have a case where I need to set up another update manager.  We would like all traffic for the endpoints assigned to that location to go through that Update manager and not directly to the server with the Enterprise console on it.

Getting the updates to pull from the new Update Manager is easy enough - I followed the instructions from the documentation on adding a new UM and all is well.  After I created a new Update policy to point to the new UM, updates were being pulled from the new UM.  Great!

But, it appears that the RMS traffic is heading right back to our main server.  After some reading, I figure I need to make that UM a Message Relay as well.  I used this KB article to edit the mrinit.conf, use ConfigCID.exe, etc. without errors or problems.

BUT - one bit of confusion.  The doc isn't clear WHICH server you should edit and run ConfigCID on - the server with the Console or the new Update Manager server.  I figured I should run this on the master server with the Console, but I didn't see the new mrinit.conf file propagate down.

So, which server do I update?

Also - if I make the change for a client to point to this new server for updates, will it also use it for Message Routing/relaying?  OR would I need to reprotect for that?

(Thanks in Advance)

  • Hi,

    In the Sophos Remote Management System (RMS) world a "Message Router" or just "Router" is the name given for the RouterNT.exe process or "Sophos Message Router" service.

    A "Message Relay" or "Message Relay Router", is a router which is configured to relay messages.  So you can have:

    [SEC+Router] <-> [Message Relay] <-> [Client+Router]

    or even:

    [SEC+Router] <-> [Message Relay] <-> [Message Relay] <-> [Message Relay] <-> [Client+Router]
    if you want to go mad.

    What turns a regular router into a relay is really down to its configuration.  Mainly due to its ability to handle more traffic.

    A Router is turned into a relay due to the configuration with mrinit.conf as per: http://www.sophos.com/en-us/support/knowledgebase/14635.aspx.

    So essentially wherever the router gets its updating from (CID\Distribution point) should be configured with a custom mrinit.conf.

    So there are a couple of ways to set this up but this is the most common:

    1. Install SEC (Server A)

    2. Install SUM (Server B)  (Usually just run the setup.exe from the SUMInstallSet share)

    3. Get the SUM at Server B to create its local distribution points (configure subscriptions etc) by configuring them in SEC once the computer appears in SEC.

    4. Deploy the endpoint software on Server B  from the local CID.

    At this point the SUM at Server B is just a regular RMS client reporting into Server A directly.  To turn it into a relay you would edit the distribution point Server B is using. i.e. copy the mrinit.conf file from the root of the distribution point and copy it into the "rms" sub directory.  You then edit the file, specifying the addresses of Server B as the "ParentRouterAddress" value.  Save the file, and then run configCID.exe against this location in order to update the catalog file in the CID, so the client(s) will pull down the change.  You need to run configCID.exe on the management server machine in the later version of SUM.  If it's not possible to address the distribution point on server B from server A http://www.sophos.com/en-us/support/knowledgebase/13112.aspx has a workaround of copying a registry key over.

    5.  On the next update on Server B, AutoUpdate will see the new mrinit.conf, pull it down as part of the RMS package, RMS will then re-install on the machine, clientmrinit.exe will run, see that the parentRouterAddress is "this" machine and convert it to a relay.  You can confirm this has happened by checking the registry keys are as those in the 14635 article.  E.g. ConnectionCache has gone from a client value of 10 to 20512.

    6.  All clients at the site of Server B should also update from the same distribution point (or another configured with mrinit.conf in the same way).  Evidence that they are configured is they will point at ServerB as their "parentaddress" (HKEY_LOCAL_MACHINE\SOFTWARE\[Wow6432Node]\Sophos\Messaging System\Router\)

    Hope it helps.

    Regards,

    Jak

  • jak - thank you for the detailed response.

    I think I'm missing one point - the directions all seem to put the CID/Distribution point on Server 1. I want mine on Server2, with the relay.

    I updated the CID on server1 and now when I point to it from the update policy those endpoints are successfully using server2 as a relay.  

    But, I want that CID on server2.  I have a subscription for the update manager on server2, and that CID is being created there.  I had assumed that it would be copied from server1 (which is its source in the update manager config) but that doesn't seem to work that way.

    Would I need to update the mrinit.conf on server2 and then run configcid there?  Would that CID get overwritten if the same CID on server1 gets updated?  OR do these CIDs on different servers just share the same CID number, but are really unique?

    (As a side note, a feature request would be to put this message relay stuff in the interface so we don't have to deal with it.)

    thanks for your help!

  • Hi,

    You should be running configcid against the "CID" on "ServerB" I.e. on the relay.

    So if I have 2 computers SECServer and SUMRelayServer.

    Install SEC on SECServer

    This will create local CIDs, etc..

    E.g. \\SECServer\sophosupdate\CIDs\S000\SAVSCFXP

    Install SUM on SUMRelayServer.

    Configure the SUM on SUMRelayServer using SEC to subscribe to packages.

    Once downloaded you will have a CID on SUMRelayServer.

    E.g. \\SUMRelayServer\sophosupdate\CIDs\S000\SAVSCFXP


    Edit the CID on SUMRelayServer with the custom mrinit.conf.

    Run ConfigCID against it, e.g.

    Configcid.exe \\SUMRelayServer\sophosupdate\CIDs\S000\SAVSCFXP

    (you should see that \rms\mrinit.conf is added to the checksum file)

    Configcid.exe is run from the management server SECServer computer as it needs access to a registry key on SECServer.

    If this is a problem you can use the configcid.exe on SUMRelayServer but you will need to copy over the registry key as mentioned in the article.

    Install SAV on SUMRelayServer by running setup.exe from:

    \\SUMRelayServer\sophosupdate\CIDs\S000\SAVSCFXP\

    It will then be a relay once RMS completes.

    Install the other computers at the site from:

    \\SUMRelayServer\sophosupdate\CIDs\S000\SAVSCFXP

    and they will message and update from SUMRelayServer.

    Regards,

    Jak

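As an added example (not code from the thread, from Jak, or from Sophos), the script below automates the manual steps from both of Jak's posts: copying mrinit.conf into the CID's "rms" sub directory, setting ParentRouterAddress to the relay, running ConfigCID.exe against the CID, checking that the checksum file now lists rms\mrinit.conf, and later confirming on the relay that ConnectionCache has moved from 10 to 20512. The CID path, host name, registry key and the ConnectionCache values are the ones given in the thread; the key/value line style inside mrinit.conf, the location of ConfigCID.exe, the exact name of the checksum file and the registry value name `ParentAddress` (the thread writes "parentaddress") are assumptions, and the function names are mine.

```powershell
# Added example, not from the thread or from Sophos. Assumptions are marked inline.

function Set-RelayMrinit {
    param(
        [Parameter(Mandatory)] [string]$Cid,          # e.g. \\SUMRelayServer\sophosupdate\CIDs\S000\SAVSCFXP (from the thread)
        [Parameter(Mandatory)] [string]$RelayHost,    # e.g. SUMRelayServer (from the thread)
        [Parameter(Mandatory)] [string]$ConfigCidExe  # path to ConfigCID.exe on the management server (location assumed)
    )
    $src    = Join-Path $Cid 'mrinit.conf'
    $rmsDir = Join-Path $Cid 'rms'
    $dst    = Join-Path $rmsDir 'mrinit.conf'
    if (-not (Test-Path $src))    { throw "No mrinit.conf at the CID root: $src" }
    if (-not (Test-Path $rmsDir)) { New-Item -ItemType Directory -Path $rmsDir | Out-Null }

    # Step A: the relay's copy lives in <CID>\rms\mrinit.conf (thread step 4 / KB 14635).
    Copy-Item -Path $src -Destination $dst -Force

    # Step B: rewrite only the ParentRouterAddress line. The regex accepts both a
    # "Key"="Value" style and a bare Key=Value style, because the exact style is an assumption here.
    $found = $false
    $out = foreach ($line in Get-Content -Path $dst) {
        if ($line -match '^\s*"?ParentRouterAddress"?\s*=') {
            $found = $true
            if ($line.TrimStart().StartsWith('"')) { "`"ParentRouterAddress`"=`"$RelayHost`"" }
            else                                   { "ParentRouterAddress=$RelayHost" }
        } else { $line }
    }
    if (-not $found) { throw "ParentRouterAddress not present in $dst; compare the layout with KB 14635" }
    Set-Content -Path $dst -Value $out

    # Step C: refresh the CID catalog so AutoUpdate clients pull the changed file. Run this on the
    # management server; it needs a registry key that exists there (KB 13112 covers the workaround).
    & $ConfigCidExe $Cid
    if ($LASTEXITCODE -ne 0) { throw "ConfigCID.exe exited with code $LASTEXITCODE" }

    # Step D: evidence of success per the thread: some checksum/catalog file at the CID root
    # now references rms\mrinit.conf. Which file that is is not named in the thread, so scan them all.
    $hit = Get-ChildItem -Path $Cid -File |
           Select-String -Pattern 'rms\mrinit.conf' -SimpleMatch -List
    return [bool]$hit
}

function Test-RelayRouter {
    # Run on the relay after its next AutoUpdate. Per KB 14635 as quoted in the thread,
    # ConnectionCache moves from the client value 10 to 20512 once the router is a relay.
    $keys = 'HKLM:\SOFTWARE\Wow6432Node\Sophos\Messaging System\Router',
            'HKLM:\SOFTWARE\Sophos\Messaging System\Router'
    $key = $keys | Where-Object { Test-Path $_ } | Select-Object -First 1
    if (-not $key) { throw 'Sophos Message Router registry key not found' }
    $r = Get-ItemProperty -Path $key
    [pscustomobject]@{
        RegistryKey     = $key
        ParentAddress   = $r.ParentAddress       # value name assumed from the thread's "parentaddress"
        ConnectionCache = $r.ConnectionCache
        IsRelay         = ($r.ConnectionCache -eq 20512)
    }
}

# Usage (values from the thread; the ConfigCID.exe path is a placeholder):
# Set-RelayMrinit -Cid '\\SUMRelayServer\sophosupdate\CIDs\S000\SAVSCFXP' -RelayHost 'SUMRelayServer' -ConfigCidExe 'C:\PATH-TO\ConfigCID.exe'
# Test-RelayRouter   # on SUMRelayServer, once RMS has re-installed
```

Run Set-RelayMrinit from the management server (SECServer in Jak's naming) because ConfigCID.exe needs the registry key there; run Test-RelayRouter on the relay itself and on a client at that site, where ParentAddress should name the relay, as step 6 of Jak's first post describes.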
  • Hi,

    Sorry to dig up an old thread but I think this applies to myself as well.

    Just want to see if I understand what was trying to be accomplished here.

    [attachment: Sophos_Design_0001.png]

    Is my bad diagram sort of what was trying to be accomplished here?

    We are currently in the midst of redoing our Sophos servers (starting all over from scratch) and I want to try and take the best approach. We have a setup similar to this.

    I was reading the "Sophos Enterprise Console Advanced Startup Guide" Section 5.2 "Additional update manager installed on separate server".

    I was then reading this KB mentioned earlier in this post.

    Both I think accomplish different things if I am not mistaken?

    I think we want to try and combine the two as it would be nice to have the clients talking and updating to their respective servers.

    @jak does your last post more or less lay out the steps we would need to take?

    Thank you,

    Cheers

  • Hello toddh,

    usually one would combine a SUM and a Message Relay.

    It's not rocket science, Jak's description is complete as far as I can see. There's one more thing I want to mention, namely using aliases. I've touched on them in some threads.

    Christian

  • Hi QC,

    Thanks for your response.

    I will look into aliases to see what they are and how they apply.

    In jak's description, am I correct in assuming that up until the part where he says "Install SAV on SUMRelayServer by running setup.exe from...", is prepping the server to strictly be a secondary SUM. Then everything after is getting the secondary server ready to be a relay server?

    Cheers

  • Hello toddh,

    Install SAV on SUMRelayServer

    this refers to the endpoint (AV) software. To install SUM: 2. Install SUM (Server B)  (Usually just run the setup.exe from the SUMInstallSet share).

    As I'm still on SEC 5.2.1 I can't say though whether there are any significant changes with RMS 4.0, in particular regarding the placement of mrinit.conf. But I guess it works as before, as otherwise there'd be a reference in the articles.

    Christian

  • Hi QC,

    Thanks for your response.

    I guess I will have to stumble through it to figure out exactly how to set it up properly.

    Cheers

  • Hi,

    I went on a hunt through the forums trying to find some references to aliases.

    And you were right QC, that they are mentioned quite often.

    I found this post in particular which I thought was interesting and you had also posted some links to some interesting KBs - link

    And then there was also this link which was also very interesting.

    Please correct me if I am wrong but the aliases are actually DNS names for the servers? So instead of using the default names that are placed into the mrinit file we would replace them with an alternate name and then create a DNS entry for that new name? This way if the server needs to change we just modify the DNS record?

    Thank you,

    Cheers

  • Hello toddh,

    we just modify the DNS record

    this should work - at least it's working here. Just make sure that the management server and relays correctly "recognize themselves". To make aliases work with UNC paths for download you might have to tweak the server's (networking security) settings. 

    Christian
