
client connection status

Hi,

the SEC manual says that computers with a red cross are not reachable over the network.

So far so good. Anyhow, I found some computers with a red cross which are reachable (ping) over the network.

We use SEC with Endpoint Data Protection Suite.

How about a symbol which implies "not managed but connected to the network", or in general a new column, let's say "Network", telling whether the computer is connected or not. That would help me out very much.

Regards

Marcus


  • Hi,

    I can provide a little more detail about a computer's "connected" state and what it represents.

    To explain this I will use an example using the terms "Server Router" and "Client Router", which relates to the "Sophos Message Router" service (RouterNT.exe).  I'll assume the Server router is always running and is able to communicate to the Sophos Management Service in order to update the database and therefore what you see in the console.

    When a client starts up, the "Client Router" logs on to the "Server Router".  This act of logging on generates an EM-RouterLogon message, which finds its way from the client to the server and, when processed by the management service, marks the computer as connected. The Server and Client router are now connected, RouterNT.exe to RouterNT.exe.

    The client polls the server, effectively checking if the server has any messages for it, every 15 minutes give or take some plus/minus time. This is the GetterInterval of the client.

    If the client computer shuts down, the Sophos Message Router service stops and issues an EM-RouterLogoff message, which is passed up to the server, and the management service shows the computer as disconnected.

    Now, as computers don't always shut down cleanly and can drop connections, the logoff message isn't always sent/received.  So as not to report an incorrect status and affect the dashboard/filters for connected clients, there needs to be a timeout.  There are a couple in the system in different places.

    1. The Server Router keeps a check on whether the client routers are checking in on their getter interval.  If a client misses 2 getter intervals, which is a maximum of 30 minutes, the server router will log the client off and send a message to the management service to tell it to log the client off in the database/console.  You can see this timeout in the router logs of the server.

    2. As a second method, the management service runs a purge task every 24 hours.  As part of this purge task, if the LastMessageTime from a client is older than 24 hours, it will also disconnect the client.

    Note: It is expected that a client will send a status message within a day, as each ide update generates a status message.  An Entity event (i.e. an alert) also updates the LastMessageTime.  If there are roughly 6 ides a day, you'd expect a status message every 4 hours or more.

    I hope this explains what you might be seeing.

    Regards,

    Jak

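The two timeouts Jak describes are easy to get wrong in the head, so here is a small model of them. This is an added illustration, not Sophos code: the message names (EM-RouterLogon, EM-RouterLogoff), the 15-minute GetterInterval, the "two missed polls" rule and the 24-hour purge on LastMessageTime are taken from the post above; the class and field names, the tick granularity, the assumption that a logon also stamps LastMessageTime, and the four constructed client histories are this example's own.

```python
"""Model of how a console derives a client's "connected" flag from router
messages plus the two timeouts described in the post above.
Added example, not Sophos code. Names and the event stream are constructed."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

GETTER_INTERVAL = timedelta(minutes=15)   # client poll period (from the post)
MISSED_POLLS_LIMIT = 2                    # server router logs off after 2 missed polls
PURGE_AGE = timedelta(hours=24)           # management service purge threshold


@dataclass
class ClientState:
    connected: bool = False
    last_poll: Optional[datetime] = None            # tracked by the server router
    last_message_time: Optional[datetime] = None    # LastMessageTime in the database
    reason: str = "never connected"


class ConsoleModel:
    def __init__(self) -> None:
        self.clients: Dict[str, ClientState] = {}

    def _get(self, name: str) -> ClientState:
        return self.clients.setdefault(name, ClientState())

    def on_message(self, name: str, kind: str, when: datetime) -> None:
        c = self._get(name)
        if kind == "EM-RouterLogon":
            c.connected = True
            c.last_poll = when
            c.last_message_time = when   # assumption: the logon itself counts as a message
            c.reason = "router logon"
        elif kind == "EM-RouterLogoff":
            c.connected = False
            c.reason = "router logoff"
        elif kind == "Poll":
            c.last_poll = when           # a poll satisfies the router check only,
                                         # it does not touch LastMessageTime
        elif kind in ("Status", "Event"):
            c.last_message_time = when   # ide-update status or entity event
        else:
            raise ValueError(f"unknown message kind {kind!r}")

    def server_router_check(self, now: datetime) -> None:
        """Method 1: the server router logs off clients that missed two polls."""
        for c in self.clients.values():
            if c.connected and now - c.last_poll > GETTER_INTERVAL * MISSED_POLLS_LIMIT:
                c.connected = False
                c.reason = "router timeout (missed polls)"

    def purge_task(self, now: datetime) -> None:
        """Method 2: the daily purge disconnects clients with a stale LastMessageTime."""
        for c in self.clients.values():
            if c.connected and now - c.last_message_time > PURGE_AGE:
                c.connected = False
                c.reason = "purged (LastMessageTime stale)"

    def status(self) -> Dict[str, Tuple[bool, str]]:
        return {n: (c.connected, c.reason) for n, c in self.clients.items()}


def run_example() -> Dict[str, Tuple[bool, str]]:
    """Constructed 25-hour history for four clients:
    pc-a crashes after one poll, pc-b polls but never sends a status message,
    pc-c polls and sends one status message, pc-d shuts down cleanly."""
    t0 = datetime(2024, 1, 1, 8, 0)
    events: List[Tuple[datetime, str, str]] = []
    for name in ("pc-a", "pc-b", "pc-c", "pc-d"):
        events.append((t0, name, "EM-RouterLogon"))
    events.append((t0 + GETTER_INTERVAL, "pc-a", "Poll"))          # then silence
    for k in range(1, 101):                                          # 25 hours of polls
        for name in ("pc-b", "pc-c"):
            events.append((t0 + k * GETTER_INTERVAL, name, "Poll"))
    events.append((t0 + timedelta(hours=20), "pc-c", "Status"))
    events.append((t0 + timedelta(hours=1), "pc-d", "EM-RouterLogoff"))
    events.sort(key=lambda e: e[0])

    model = ConsoleModel()
    end = t0 + timedelta(hours=25)
    tick, i = t0, 0
    while tick <= end:                       # server router check every 5 minutes
        while i < len(events) and events[i][0] <= tick:
            when, name, kind = events[i]
            model.on_message(name, kind, when)
            i += 1
        model.server_router_check(tick)
        tick += timedelta(minutes=5)
    model.purge_task(end)                    # the daily purge fires once at the end
    return model.status()


if __name__ == "__main__":
    for host, (up, why) in run_example().items():
        print(f"{host}: {'connected' if up else 'disconnected'} ({why})")
```

The point to take from the model is the one Marcus raised: every one of these transitions is driven by RMS traffic, so "disconnected" in the console says nothing about whether the host answers on the network. Note also that pc-b, which keeps polling but never sends a status message, is still disconnected by the purge.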
  • Hi Jak,

    thanks for your detailed description. This is useful information. So now I understand how the connected status is processed for Sophos Endpoint Clients. But as far as I understand the "not connected, red cross" status only implies that the Sophos Endpoint is not connected to the Sophos Management and not the computer itself is disconnected from the network.

    I think it might be very useful information to know if the Sophos Endpoint is not connected (which might indicate a problem with the Endpoint installation, the message router service on the client might be stopped...) plus whether the computer is connected (reachable by ping for example) or is disconnected from the network.

    This information would make my work a whole lot easier:).

    Regards

    Marcus

  • Hello Marcus,

    connected (reachable by ping for example) [to] the network

    "connected to the network" has no unconditional meaning - and that you use an example suggests you are to some extent aware of this. Thus you'd have to define the meaning of "network connected" in relation to "Sophos Endpoints".

    If you think this is finicky consider the following:

    • ICMP could be blocked anywhere on the path (including the client)
    • the client could be behind a router (or a virtual client) and thus not be reachable from the server
    • the client might be "outside" but using a message relay

    In these cases you will never be able to see the client as network connected unless it is RMS connected. In most cases you won't be able to use Protect computers if this is what you want to know. But you can't determine whether the client is disconnected because of some issue with RMS, some network issue or simply because it is turned off (as an aside - there is an extra piece of information which is not indicated by SEC, namely the fact that the client's RMS has contacted the server but the connection hasn't been established because of some error).

    Likewise a computer with for example Intel's AMT might respond to a ping (and also listen and respond to HTTP requests) even when no OS is loaded.

    There is no "natural" definition of network connected and consequently such a feature would not only have to be configurable to be of use but also come with an additional set of requirements - and even then there'd be significant limitations. Furthermore, having a "potentially meaningless" column (to avoid this you'd have to be able to reliably discern the cases "connectivity issue" vs. "information not available") might violate SEC's design principles.

    Christian

  • Hi Christian,

    thanks for your personal opinion.

    Being a network engineer I know what I am talking about.

    In our environment every single client, no matter if it is a physical or a virtual client, is reachable by ping. Even behind routers. It is compulsory that our clients are pingable. Ping is an essential network connectivity test.

    Anyway, there might be more possibilities to check network connectivity.

    For me it is quite painful to figure out which clients are network connected and which clients are shown as disconnected in the SEC but are connected/reachable by network. We have to do this manually (installation with 6000 clients).

    Regards

    Marcus

  • Hello Marcus,

    Being a network engineer I know what I am talking about

    I didn't doubt this.

    In our environment every single client [...] is reachable by ping

    Thought as much, as you mentioned ping. But then your devices likely don't respond if they are "off", do they?

    Anyway there might be more possibilities to check network connectivity

    Definitely there are - as said, the problem is a general, meaningful and reliable implementation of such a feature. Apart from this - do you have an estimate of how many clients this would apply to? You said "some" (out of 6000) - of course you can't tell from SEC. Thinking about it - you could query the database for disconnected computers and feed them to a simple script.

    Christian

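One way to act on Christian's closing suggestion, as an added example that is not part of the thread and not Sophos code: take the list of computers the console shows as disconnected (assumed here to be exported from the console or its database as one hostname per line; no SEC schema is assumed) and sort them into "disconnected in SEC but answering ping" and "not reachable". The `ping_once` wrapper and the bucket names are this script's own design, and, as Christian points out above, a ping reply only proves that something at that address answers ICMP (a firmware management controller such as Intel AMT can do that with no OS loaded), so the first bucket is a work list, not a verdict.

```python
"""Reconcile SEC's "disconnected" list against network reachability.
Added example, not Sophos code. Input: hostnames, one per line, on stdin."""
import platform
import subprocess
import sys
from concurrent.futures import ThreadPoolExecutor
from typing import Callable, Dict, Iterable, List


def ping_once(host: str, timeout_s: int = 1) -> bool:
    """Send one ICMP echo via the OS ping binary; True if a reply came back."""
    if platform.system().lower() == "windows":
        cmd = ["ping", "-n", "1", "-w", str(timeout_s * 1000), host]
    else:
        cmd = ["ping", "-c", "1", "-W", str(timeout_s), host]
    try:
        proc = subprocess.run(cmd, stdout=subprocess.DEVNULL,
                              stderr=subprocess.DEVNULL, timeout=timeout_s + 2)
        return proc.returncode == 0
    except (subprocess.TimeoutExpired, FileNotFoundError):
        return False


def reconcile(disconnected: Iterable[str],
              is_reachable: Callable[[str], bool] = ping_once,
              workers: int = 64) -> Dict[str, List[str]]:
    """Split the console's disconnected hosts by whether they answer on the network.
    `is_reachable` is injectable so the logic can be tested without a network."""
    hosts = sorted({h.strip() for h in disconnected if h.strip()})   # dedupe, drop blanks
    with ThreadPoolExecutor(max_workers=workers) as pool:            # 6000 hosts in parallel
        results = list(pool.map(is_reachable, hosts))
    buckets: Dict[str, List[str]] = {"reachable_but_not_rms_connected": [],
                                     "unreachable": []}
    for host, up in zip(hosts, results):
        buckets["reachable_but_not_rms_connected" if up else "unreachable"].append(host)
    return buckets


if __name__ == "__main__":
    out = reconcile(sys.stdin.read().splitlines())
    # Hosts in the first bucket are the ones worth looking at: the machine answers
    # but its RMS is not talking to the server (service stopped, broken install, ...).
    for host in out["reachable_but_not_rms_connected"]:
        print(f"CHECK-RMS  {host}")
    for host in out["unreachable"]:
        print(f"OFFLINE    {host}")
```

Run it as `python reconcile.py < disconnected.txt` from a machine that has the same ICMP reachability to the clients as the one Marcus would ping from; the `is_reachable` parameter is there so a different probe (a TCP connect to the RMS port, for instance) can be dropped in where ICMP is filtered.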