
client connection status

Hi,

the manual of the SEC says that computers with the red cross are not reachable over the network.

So far so good. Anyhow I found some computers with a red cross which are reachable (ping) over the network.

We use SEC with Endpoint Dataprotection Suite.

How about a symbol which implies not managed but connected to the network or in general a new column let's say "Network" telling the computer is connected or not. That would help me out very much.

Regards

Marcus

:34735


This thread was automatically locked due to age.
  • Hi,

    I can provide a little more detail about a computer's "connected" state and what it represents.

    To explain this I will use an example using the terms "Server Router" and "Client Router", which relates to the "Sophos Message Router" service (RouterNT.exe).  I'll assume the Server router is always running and is able to communicate to the Sophos Management Service in order to update the database and therefore what you see in the console.

    When a client starts up, the "Client Router" logs on to the "Server Router". This act of logging on generates an EM-RouterLogon message; this finds its way from the client to the server and, when processed by the management service, marks the computer as connected. The Server and Client router are now connected, RouterNT.exe to RouterNT.exe.

    The client polls the server, effectively checking if the server has any messages for it every 15 minutes give or take a + and - time. This is the GetterInterval of the client.  

    If the client computer shuts down, the Sophos Message Router service stops and issues an EM-RouterLogoff message; this is passed up to the server and the management service shows the computer as disconnected.

    Now, as computers don't always shut down cleanly and can drop connections, the logoff message isn't always sent/received. So as not to report the incorrect status and affect the dashboard/filters for connected clients, there needs to be a timeout. There are a couple in the system in different places.

    1. The Server Router keeps a check on if the client routers are checking in on their getter interval.  If the clients miss 2 getterintervals, which is a maximum of 30 minutes, the server router will log the client off and send a message to the management service to tell it to log them off in the database/console.  You can see this timeout in the router logs of the server.

    2. As a second method, the management service runs a purge task every 24 hours. As part of this purge task, if the LastMessageTime from a client is older than 24 hours, it will also disconnect the client.

    Note: It is expected that a client will send a status message within a day, as each ide update generates a status message.  An Entity event (i.e. an alert) also updates the lastmessagetime.  If there are roughly 6 ides a day, you'd expect a status message every 4 hours or more.

    I hope this explains what you might be seeing.

    Regards,

    Jak

    :34743
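
The logon, logoff and timeout rules described in the reply above, replayed as a small model (an added example, not part of the original post and not Sophos code). It shows why the console can keep a crashed client "connected" for up to two getter intervals. Assumptions of this model: the event labels are invented, polls do not update LastMessageTime, a logon does, the purge threshold is checked at query time rather than on its 24-hour schedule, and only a new logon reconnects a timed-out client.

```python
from datetime import datetime, timedelta

GETTER_INTERVAL = timedelta(minutes=15)  # client poll period stated in the post
MISSED_POLLS = 2                         # server router logs the client off after 2 misses
PURGE_AGE = timedelta(hours=24)          # purge task threshold on LastMessageTime

def _timeout(last_poll, last_message, at):
    """Return the timeout that has fired by `at`, or None."""
    if at - last_poll > GETTER_INTERVAL * MISSED_POLLS:
        return "server router timeout (2 getter intervals missed)"
    if at - last_message > PURGE_AGE:
        return "purge task (LastMessageTime older than 24 hours)"
    return None

def console_state(events, now):
    """Replay (time, kind) events for one client; return (state, reason) at `now`.
    kind is 'logon', 'logoff', 'poll' or 'status' (labels invented for this model)."""
    connected, last_poll, last_message = False, None, None
    reason = "no EM-RouterLogon processed"
    timeline = sorted(e for e in events if e[0] <= now) + [(now, "query")]
    for ts, kind in timeline:
        # A timeout may have fired between the previous event and this one.
        fired = _timeout(last_poll, last_message, ts) if connected else None
        if fired:
            connected, reason = False, fired
        if kind == "logon":
            connected, last_poll, last_message = True, ts, ts
            reason = "EM-RouterLogon processed"
        elif kind == "logoff":
            connected, reason = False, "EM-RouterLogoff processed"
        elif connected and kind == "poll":
            last_poll = ts
        elif connected and kind == "status":
            last_message = ts
    return ("connected" if connected else "disconnected"), reason

# Constructed timeline: logon at 08:00, one poll at 08:15, then the machine
# loses power, so no EM-RouterLogoff is ever sent.
T0 = datetime(2024, 1, 1, 8, 0)
CRASH = [(T0, "logon"), (T0 + timedelta(minutes=15), "poll")]

if __name__ == "__main__":
    for minutes in (20, 40, 50):
        print(minutes, console_state(CRASH, T0 + timedelta(minutes=minutes)))
```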