Thread Info
  • State Not Answered
  • Locked Locked
  • Replies 6 replies
  • Subscribers 1 subscriber
  • Views 2353 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Enterprise console4/client9 - all PCs greyed out and won't report back

alanterrill

I recently upgraded my servers to Server 2008 r2 and was surprised to find that Sophos wouldn't run on it, so I ended up having to setup a windows 2003 virtual drive specifically for Sophos. However, this was 6 weeks agao and Sophos has not worked since. I did a backup and restore according to the instruction sheet, but although my main site was OK, communication to our second site was lost. All the pcs at the remote site showed up but showed 'awaiting  policy transfer' on every single PC. After four weeks of calls to Sophos, they couldn't resolve it, so I installed a PC at the remote site and loaded a second copy of Enterprise console there which then worked, although I can no longer see the whole domain from the main site.

Some PCs were still not reporting back at the main site either, so following a tech sheet I removed the console from the main site, cleared all the files and registry settings out and did a clean reinstall. I then imported all the pcs again and did a reprotect. Result? All pcs remain greyed out and report "fffffd -This computer is not yet managed. The computer is protected but has not yet reported back". I've phoned Sophos almost every day for 6 weeks now and they still can't come up with a solution. I'm getting very frustrated with them -has anyone else ahd this problem?  (It occurs on both XP and Windows 7 PCs).

:2937


This thread was automatically locked due to age.
  • 0

    Wow, that is truly a sad place to be.

    I suggest you contact your Sophos account manager. The account manager will go to bat for you in cases were the process to correct something is taking longer then you require. If you do not know who your account manager is call Sophos tech support to get the information.

    I have had very good results when working with my account manager to get things done. He has brought all the right people together each time to resolve difficult issues.

    :2943
  • 0

    Thanks -I was wondering who I could contact to get things moving, but I didn't know I had an account manager -I must find out who they are if I have this sort of trouble again.

    As it happens i did get a call from them this afternoon -from third or fourth level support and the guy solved the matter very quickly. In essence what was wrong was this: Sophos uses certificates to enforce some sort of security between the console and clients. This seems to be a string of text which hides in the mrinit.conf file. Now when I reinstalled the console it assigned itself a new certificate which was different to all the certificates on the existing clients. For reasons I don't understand when I reprotected the clients from the new console it didn't automatically dish out a new certificate. The clients got the update but couldn't report back as their certificates didn't match. Once we'd established that, it was only a matter of copying the mrinit.conf to a folder then running the configCID.exe from a command prompt, then reprotecting all the clients. For some reason all the tech sheets I was sent didn't mention this.

    So, my case is resolved but I'm not impressed with the length of time its taken them to solve it -I've sent log files from both server and client three times during this, and I'm also surprised that they won't log in remotely to have a look themselves. This would save them loads of time and all the other companies i deal with do this routinely now through programs like logmein.

    :2946
  • 0

    yeah your right, me too not impressed, theyre too slow, I was handling a project where I am to install 1200 machines all went good for the 1050 machines and got some problems with the remaining, for two weeks I have been working it side by sid with them, before they can give me a solution I have already did it, until now still im stuck with remaining computers. OMG.

    :2952
  • 0

    Hi alanterrill

    I'm getting the same error with clients not reporting back.

    "The clients got the update but couldn't report back as their certificates didn't match. Once we'd established that, it was only a matter of copying the mrinit.conf to a folder then running the configCID.exe from a command prompt, then reprotecting all the clients."

    Where did you copy the mrinit.conf file to? And where is the ConfigCID.exe file?  All this is done on the server side I presume?

    :8531
  • 0

    Hello j7m8o,

    Just to make sure this is really the cause of the clients not reporting back - the certificate problem should only arise if you re-installed SEC without exporting and importing them.  The error will be logged in the ...\Sophos\Remote Management System\3\Router\Logs\> on the client.

    You copy the mrinit.conf  from the ...\CIDs\S00n\SAVSCFXP\ folder to the rms\ subfolder. Configcid.exe is in the ...\Sophos\Enterprise Console\SUM\ folder.

    Christian

    :8535
  • 0

    HI,

    As a quick test the following should align between server and client:

    Server:

    HKEY_LOCAL_MACHINE\SOFTWARE\Sophos\Certification Manager\CertAuthStore\RouterKey

    Client:

    HKEY_LOCAL_MACHINE\SOFTWARE\[Wow6432Node]\Sophos\Messaging System\CertificationIdentityKeys\CertificationIdentityKey

    Server:

    HKEY_LOCAL_MACHINE\SOFTWARE\Sophos\Certification Manager\CertAuthStore\ManagedAppKey

    Client:

    HKEY_LOCAL_MACHINE\SOFTWARE\[Wow6432Node]\Sophos\Remote Management System\CertificationIdentityKeys\ManagedApplication

    Server:

    HKEY_LOCAL_MACHINE\SOFTWARE\Sophos\Certification Manager\CertAuthStore\DelegatedManagerKey

    Client:

    HKEY_LOCAL_MACHINE\SOFTWARE\[Wow6432Node]\Sophos\Remote Management System\ManagementAgent\Private\CertificationIdentityKey

    Server:

    HKEY_LOCAL_MACHINE\SOFTWARE\Sophos\Certification Manager\CertAuthStore\cac

    Client:

    HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Sophos\Messaging System\cac

    These strings are transferred to the client in the files: Mrinit.conf and cac.pem by setup.exe and added to the clients registry by the executable: "C:\Program Files [(x86)]\Sophos\Remote Management System\ClientMRInit.exe".  This exe is run by the RMS MSI at install.  It expects to find the files cac.pem and mrinit.conf in the same directory. 

    I put some more information about RMS on this thread also:

    if anyone fancies a read.

    Regards,

    Jak

    :8563