
Need to point SUMs at new server.

Hi there

I have a problem that I'm hoping someone can help me with.

We have built a new server running SEC 5.2.1.197 to replace our old one running 4.7.0.13. We had to do this because the upgrade kept failing and the old server wasn't that well organised anyway. So starting fresh seemed like the better option. This was agreed upon with our Sophos Technical Specialist (who is on leave now so I can't get him to help...)

Anyway, the new server is great and we have tidied up our policies but the one thing that I am having problems with is the SUMs.

We are a retail business and we have about 400 stores across 2 countries. Each store has its own SUM to cut down WAN traffic. I can't find a way to tell those SUMs to point to the new server.

The only way I've been able to do this is to VNC to the remote machine with SUM installed, uninstall Sophos Remote Management, uninstall SUM then reinstall SUM with the setup files from the new server. It only takes about 5 minutes but doing that over several hundred SUMs is going to kill me.

Is there an easier way to change the remote SUM configuration to point to a new server?

Thanks

Andrew

:46389


  • Hello Andrew,

    I don't actually know if they are also Message Relays

    As MRs don't appear from nowhere and can't be installed by accident, you should know (unless someone else did the initial install and didn't tell you). Please see Enterprise Console: configuring message relay computers as a start. For further articles search Support for 'message relay'; there are also some threads on this board (e.g. Questions regarding the Relay Message Computer(s)).

     How I get them to point to the new server

    A little bit about SUMs:

    They find out where to get their updates from as SUM (Sources) the same way they learn about the update location for the endpoint - the management server passes the settings (here Configuration and Policy for Endpoint) via RMS. Thus you could change their configuration from the old server - the same way you could change the Updating policy for all clients.

    Even though SUM and all the endpoints would then download from the new location(s) they'd still see the old server as their management server. Now you can't install a SUM from SEC (and also not reinstall). But once SUM is installed it shares the RMS component with the Endpoint software. Thus reprotecting (i.e. reinstalling the Endpoint component from the console) a SUM should redirect it to the new server. It should also tell the new server that it is a SUM (although IIRC it doesn't send its configuration upstream). 

    In order to move over the clients you'd also have to reprotect them - this requires that SEC can discover them or that you can otherwise import them or that you can deploy an appropriate script to reinstall. Another way is a reinit script which reconfigures just the RMS component.

    These are the recommended ways. Not documented is yet another option which requires that the new server has been built with the old server's certificates (if you're not sure check the keys are the same in mrinit.conf in an old and a new CID). You could then use the method from the configuring message relay computers, namely putting an appropriate mrinit.conf (please see here for a brief explanation of the Addresses) into the new CIDs. As the customization of the \rms subdirectory is not propagated you'd have to configure several hundred CIDs though.

    Permit me some general thoughts: that you can "recycle" a SUM in 5 minutes suggests that WAN speed isn't a concern - is it the volume you want to cut down? Unless I overlooked something an endpoint reprotect should be your best option - of course provided it is possible. Dunno what your Sophos Technical Specialist thinks should be the best way. Personally I'd consider a full replacement of the old server - i.e. using the same name and if necessary IP as for the old one. You'd have to "roll back" the changed SUMs and also to redo anything you've put into the new database (see Changing domain name, computer name, or network type when the Enterprise Console is installed) though - but as you have access to an STS preserving the database might be an option. If you can seal off your new server and build it up to the point where it can take over the "switch" should take only minutes (but there'd be still enough work left as the SUMs need to be configured).

    Christian

    :46635
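
The mrinit.conf key comparison mentioned in the reply above, as an added example (not part of the original post and not Sophos code). It assumes mrinit.conf holds registry-style `"Name"="value"` lines, that certificate identity entries have names ending in `Key` and parent addresses names ending in `Address`; the entry names and all values in the samples are constructed.

```python
import re

# Matches entries such as "Name"="value" or "Name"=dword:00002001
ENTRY = re.compile(r'^\s*"(?P<name>[^"]+)"\s*=\s*(?P<value>.*?)\s*$')

def parse_mrinit(text):
    """Return {name: value} for each "name"=value line; other lines are skipped."""
    entries = {}
    for line in text.splitlines():
        m = ENTRY.match(line)
        if m:
            entries[m.group("name")] = m.group("value").strip('"')
    return entries

def compare_cids(old_text, new_text):
    """Compare the *Key entries and collect the *Address entries of two files."""
    old, new = parse_mrinit(old_text), parse_mrinit(new_text)
    names = sorted(set(old) | set(new))
    key_names = [n for n in names if n.endswith("Key")]
    # A key missing on one side counts as a mismatch, not as a match.
    mismatched = [n for n in key_names if old.get(n) != new.get(n)]
    addresses = {n: (old.get(n), new.get(n)) for n in names if n.endswith("Address")}
    return {"same_keys": bool(key_names) and not mismatched,
            "mismatched": mismatched, "addresses": addresses}

# Constructed sample content standing in for mrinit.conf from an old and a new CID.
OLD_CID = '''[Config]
"ClientIIOPPort"=dword:00002001
"ManagedAppCertIdentityKey"="constructed-key-A"
"RouterCertIdentityKey"="constructed-key-B"
"MRParentAddress"="192.0.2.10,oldsec.example.test,OLDSEC"
"ParentRouterAddress"="192.0.2.10,oldsec.example.test,OLDSEC"
'''
# New server built with the old server's certificates: keys equal, addresses differ.
NEW_SAME_CERTS = OLD_CID.replace("192.0.2.10", "192.0.2.20").replace("oldsec", "newsec").replace("OLDSEC", "NEWSEC")
# New server built with fresh certificates: one key differs.
NEW_OTHER_CERTS = NEW_SAME_CERTS.replace("constructed-key-B", "constructed-key-Z")

if __name__ == "__main__":
    for label, text in (("same certs", NEW_SAME_CERTS), ("other certs", NEW_OTHER_CERTS)):
        result = compare_cids(OLD_CID, text)
        print(label, "->", "keys match" if result["same_keys"] else
              "keys differ: " + ", ".join(result["mismatched"]))
```

If the keys differ, endpoints initialised from the old CID will not trust the new server's RMS certificates, so the reprotect or reinit routes described in the reply are the ones that apply.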