Enterprise console4.5/client9.5 - all PCs greyed out and won't report back, Help please!!

I had to reinstall the console and it assigned itself a new certificate which was different to all the certificates on the existing clients (I was unable to back up). When I reprotected the clients from the new console it does not automatically dish out a new certificate.

How do I distribute the new certificate?

Note: We have far too many computers to reinstall Sophos on. Plus many remote users :(

Cheers

This thread was automatically locked due to age.
  • Hi,

    Well I've put together a little VBScript.  Well it started out as little but as you go on there seems to be more things to check.  

    It will exit if it detects the following key to be anything other than 10:

    HKEY_LOCAL_MACHINE\SOFTWARE\[Wow6432Node]\Sophos\Messaging System\Router\ConnectionCache.

    This should ensure that it only takes action on "client" routers, so it will not re-init the server or message relays should it be run on them by mistake.  I would advise against running on anything other than clients that are currently not working due to certificate issues.  

    It doesn't check that the client is already working so it will take the same steps regardless.  

    It will only run once on a client if ClientMRInit.exe returns success so as not to keep running on a machine if it's set as a start-up script for example.  It does this by creating a marker key:


    HKEY_LOCAL_MACHINE\SOFTWARE\[Wow6432Node]\Sophos\ReInit = 1

    If this is a 1 when the script runs it will exit.

    To configure you just need to set the variables:

    strLogPath                  = "C:\windows\temp\RMSReInit.log"
    This is the path of the log file the script creates.

    strMRInitLog                = "C:\windows\temp"  ' no trailing backslash
    This is the path where ClientMrinit.exe will log to.

    strFilePathMrInit           = "\\server\SophosUpdate\CIDs\S000\SAVSCFXP\mrinit.conf"
    This is the location of the new correct mrinit.conf.

    strFilePathCac              = "\\server\SophosUpdate\CIDs\S000\SAVSCFXP\cac.pem"
    This is the location of the new and correct cac.pem.

    The paths to the correct mrinit.conf and cac.pem can be local paths or UNC paths so the correct new files can be placed anywhere accessible to the script. 

    Please try it on a couple of machines, ideally some 32 and 64 bit.  I've added a function in the script to adjust all registry and file paths to cope with that I hope.  To do that it reads:

    "HARDWARE\DESCRIPTION\System\CentralProcessor\0\identifier"

    and just looks for 32 or 64 in that value, this function could be updated if it proves unreliable.

    Other than that, the functions could be made a little more robust but I think it should be OK as is.  Hopefully there aren't too many wrinkles.  I've only run it once on a 64-bit Windows 7 machine (Note had to run as Administrator with UAC on)

    Next post has the code as it's too big to add to this one; just copy into Notepad and save as "RMSReinit.vbs" or some such name.

    Regards,

    Jak

    UPDATE: I've updated the script to include the ability to add the config files mrinit.conf and cac.pem inline in the script by setting them as variables.  To do this, set the variable:


    blInline = true

    Then update the variables strCac and strMrinit with your cac.pem and mrinit.conf strings. I've left mine in as an example as adding them inline is a bit of a pain with all of the quote marks. Leaving them in should be a guide as to where you need to edit and paste your strings. Note, you will need to edit these variables if you set blInline, my examples will not work for you.

    UPDATE: Added a -force switch to skip checks.

    E.g. 

    RMSReinit.vbs -force

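A read-only pre-flight check for the guards described in the post above, as an added example that is not Jak's script or part of the original thread. It assumes `ConnectionCache` and `ReInit` are registry values under the keys he names and that `-force` skips both guards; it probes both registry paths instead of using his CPU-identifier test, and the function names are hypothetical.

```powershell
# Read-only pre-flight: reports what the guards described in the post would decide.
# Assumptions: ConnectionCache and ReInit are registry values under the keys named
# in the post, and -Force skips both guards. Function names are hypothetical.
function Get-RmsReinitDecision {
    param(
        [Nullable[int]]$ConnectionCache,  # Router\ConnectionCache, $null if absent
        [Nullable[int]]$ReInitMarker,     # Sophos\ReInit, $null if absent
        [switch]$Force
    )
    if ($Force)                     { return 'run: checks skipped (-force)' }
    if ($null -eq $ConnectionCache) { return 'skip: no ConnectionCache value found' }
    if ($ConnectionCache -ne 10)    { return "skip: ConnectionCache=$ConnectionCache, not a client router" }
    if ($ReInitMarker -eq 1)        { return 'skip: ReInit marker already set' }
    return 'run: client router, no ReInit marker'
}

function Get-RegValue([string]$Key, [string]$Name) {
    $item = Get-ItemProperty -LiteralPath $Key -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { return $item.$Name }
    return $null
}

# Probe the Wow6432Node path (64-bit Windows), then the plain path (32-bit Windows).
# This existence check stands in for the post's CPU-identifier test.
$roots = 'HKLM:\SOFTWARE\Wow6432Node\Sophos', 'HKLM:\SOFTWARE\Sophos'
$root  = $roots | Where-Object { Test-Path -LiteralPath "$_\Messaging System\Router" } |
         Select-Object -First 1

$cc = $null; $marker = $null
if ($root) {
    $cc     = Get-RegValue "$root\Messaging System\Router" 'ConnectionCache'
    $marker = Get-RegValue $root 'ReInit'
}

# Source paths are the post's example values; replace \\server with your own share.
$sources = '\\server\SophosUpdate\CIDs\S000\SAVSCFXP\mrinit.conf',
           '\\server\SophosUpdate\CIDs\S000\SAVSCFXP\cac.pem'

[pscustomobject]@{
    Computer        = $env:COMPUTERNAME
    SophosKey       = $root
    ConnectionCache = $cc
    ReInitMarker    = $marker
    Decision        = Get-RmsReinitDecision -ConnectionCache $cc -ReInitMarker $marker
    MissingSources  = @($sources | Where-Object { -not (Test-Path -LiteralPath $_) }) -join '; '
}
```

Running it on a management server or message relay before any rollout confirms that the `ConnectionCache` guard reports `skip` there.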