Enterprise Console 5 Server migration problems

Hi,

The configure updating policy error is due to a mismatched SQL collation.  The collation of the database needs to be the same on both servers.  I suspect, that the collation is different maybe because the locale has changed from server to server.  

You will need to uninstall the SQL instance on the new server and ensure that the SQL instance is created with the same collation.

I would suggest it is probably easier to start again on the new server and check the collation on the original server first.  This command will do:

sqlcmd -E -S .\sophos -Q "SELECT DATABASEPROPERTYEX('SOPHOS50', 'Collation') SQLCollation;" > 1.txt

or install SQL server Management Studio on a machine and connect to the instance to check it.

Then on the new server, manually run the installer of SQL Express, you may as well install SQL 2008 R2 Express, you can then choose the same collation during install.  You can get it from here:
http://www.microsoft.com/download/en/details.aspx?displaylang=en&id=3743
Maybe create the same named SQL instance (the default is SOPHOS). 

As for the account problem, I assume the account specified in the logon tab of the services can logon to the machine?  Maybe come back to this after retrying the migration.

Regards,

Jak

I ran that command on the old server.

Here is the contents of 1.txt

SQLCollation 

------SQL_Latin1_General_CP1_CI_AS     

(1 rows affected)

Now what?

You need to: uninstall the management software off the new server including the Sophos SQL instance.  This can all be done from "Programs and Features"/"Add or Remove Programs".   I'd probably suggest rebooting the computer once done.

I would then check that the locale of the machine is as you require as I suspect the locale of this machine is different from that of the original server which has led to the collation change.

Once rebooted I would manually install a new SOPHOS named SQL instance of SQL Server 2008 R2 Express (may as well use the latest version of SQL rather than SQL 2008 SP2 that comes with the installer) and choose explicitly the collation  "SQL_Latin1_General_CP1_CI_AS " during the install, this way both instances, new and old should be the same.  You can then pretty much follow the migration as before.

Hope it helps.

Regards,

Jak

Thank you Jak. 

You were right about the collation problem and your advice sorted out the issue. I was also able to start the sophos services after I reset the local passwords for each service.

Unfortunately I now have a different issue.  I've completed the migration steps and set up the updating policy which is running correctly.  I attempted to redirect one of the endpoints to the new EC and right clicked it and chose protect.  The sophos software reinstalled on the endpoint and I can see that the primary updating location has changed to reflect the new server.  However the listing in enterprise console has not updated.  There is a yellow down arrow beside the endpoint name and when I look at computer details the primary update server is the old enterprise console servername and the last message received date indicates that the information has not been updated since I shut down the old enterprise console.

I took a look at some of the log files

 The router log file contains the following (cor-it-jm is the endpoint COR-SVR-PRNT is the server with Enterprise Console installed)

24.04.2012 14:31:45 0650 I Routing to Router$cor-it-jm:27006: id=0396AB41, origin=Router$COR-SVR-PRNT.EM, dest=Router$cor-it-jm:27006.Agent, type=EM-SetConfiguration

There are lots of msg files in the envelopes folder

The sophos-management-services log file contains the following extract

{Sophos.Management.Services.Sddma.AuthoritativeServerSelector.RefreshCandidateAuthoritativeServers} ==> Begin loading update hierarchy.
2012-04-24 14:38:16,212 [7] INFO  {Sophos.Management.Services.Sddma.AuthoritativeServerSelector.RefreshCandidateAuthoritativeServers} ==> End loading update hierarchy. Took 0ms.
2012-04-24 14:38:16,212 [7] INFO  {Sophos.Management.Services.Sddma.StatusMonitor.HandleStatus} ==> Accepting currency data as server is top-level.
2012-04-24 14:38:16,227 [7] INFO  {Sophos.Management.Services.Sddma.StatusMonitor.ExtractCurrencyData} ==> Found currency entity for SAVEEXP 10.0.3 VDL4.76G.
2012-04-24 14:38:16,243 [7] INFO  {Sophos.Management.Services.Sddma.ServerFailureHandler.ClearOutstandingErrors} ==> Clearing outstanding updating errors for server COR-SVR-PRNT.
2012-04-24 14:38:16,243 [7] INFO  {Sophos.Management.Services.Sddma.StatusMonitor.IsServerRebootPending} ==> Checking if a reboot required alert is pending against the update manager on COR-SVR-PRNT.
2012-04-24 14:38:16,243 [7] INFO  {Sophos.Management.Services.Sddma.StatusMonitor.IsServerRebootPending} ==> There is no reboot request pending against the update manager on COR-SVR-PRNT.
2012-04-24 14:38:16,243 [7] INFO  {Sophos.Management.Services.Sddma.StatusMonitor.HandleStatus} ==> Migration is not enabled
2012-04-24 14:38:16,243 [7] INFO  {Sophos.Management.Services.Patch.MessageReceiver.StatusChanged} ==> Received null status from Router$COR-SVR-PRNT
2012-04-24 14:38:20,502 [13] INFO  {Sophos.Management.Services.Sddma.ServerDataProvider.GetData} ==> Processing request for server data.
2012-04-24 14:38:20,502 [13] INFO  {Sophos.Management.Services.Sddma.ServerDataProvider.GetData} ==> Returning server data string 134 chars long.
2012-04-24 14:38:47,880 [14] INFO  {Sophos.Management.Services.ClientServicesCore.Initialise} ==> First use of this service core - initializing
2012-04-24 14:45:58,036 [15] INFO  {Sophos.Management.Services.ClientServicesCore.Initialise} ==> First use of this service core - initializing
2012-04-24 14:47:26,176 [15] INFO  {Sophos.Management.Services.ClientServicesCore.Initialise} ==> First use of this service core - initializing

And finally an extract from the

ProgramData\Sophos\Sophos Endpoint Management\5\log\Msgn-20120424-120306.log

24.04.2012 15:01:53 0154 I MessagingSystemClientLib::EnvelopeReceiver::Receive: Processed message 93762129.
24.04.2012 15:01:53 0154 I MessagingSystemClientLib::EnvelopeReceiver::Receive: Received message 127316561 of type EM-RouterLogoff from Router$COR-SVR-PRNT.
24.04.2012 15:01:53 0154 I MessagingSystemClientLib::EnvelopeReceiver::Receive: Processed message 127316561.
24.04.2012 15:01:53 0154 I MessagingSystemClientLib::EnvelopeReceiver::Receive: Received message 160870993 of type EM-RouterLogoff from Router$COR-SVR-PRNT.
24.04.2012 15:01:53 0154 I MessagingSystemClientLib::EnvelopeReceiver::Receive: Processed message 160870993.
24.04.2012 15:01:53 0154 I MessagingSystemClientLib::EnvelopeReceiver::Receive: Received message 194425425 of type EM-RouterLogoff from Router$COR-SVR-PRNT.
24.04.2012 15:01:53 0154 I MessagingSystemClientLib::EnvelopeReceiver::Receive: Processed message 194425425.
24.04.2012 15:01:53 0154 I MessagingSystemClientLib::EnvelopeReceiver::Receive: Received message 227979857 of type EM-RouterLogoff from Router$COR-SVR-PRNT.
24.04.2012 15:01:53 0154 I MessagingSystemClientLib::EnvelopeReceiver::Receive: Processed message 227979857.

Any ideas?

Hi,

Glad to hear you got the error out of the way,

Is the Sophos Message Router on the failing client pointing at the new server?  To check on the client, take a look at the value:
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Sophos\Messaging System\Router \ParentAddress

Look right?

I would suggest creating a VBS file using this tool mentioned here:

http://www.sophos.com/support/knowledgebase/article/116737.html

Essentially you choose the cac.pem and mrinit.conf files from the new server in the tool and it will create you a vbs file.  If you run this on the client (as an admin), it will "reset" the machine interms of RMS.  it will stick in the correct SEC group so you don't have to worry about doing anything on the server.

I assume that re-protecting new clients from the new server works, it's just re-protecting clients that were talking to the old server that isn't working?  Out of interest, do these client have a "mrinit.conf.orig" file in the "\proigram files [(x86)]\sophos\remote management system\" directory as that could be the cause?

Regards,

Jak 

Thanks Jak

I had a look at those and all settings look correct.

Yesterday I found that by switching off windows firewall on my 64bit server with Enterprise console 5 installed everything started to work as it should. 

The firewall appears to blocking messages between the client machines and the server. Obviously I don't want to leave it off so I need to add exceptions to the firewall so that Sophos can work.

Could you advise what exceptions should be added to the firewall?

Hello corkdood,

please see Summary of port configurations in Sophos applications and related articles (and in case you have to justify the exceptions Explanation of Sophos Endpoint Security and Control exceptions required for PCI compliance). Feel free to ask if you have further questions.

Christian

Thanks Christian

I found a useful batchfile on another forum to add exceptions to Windows firewall for Sophos Enterprise Console.  Its fixed my problems anyway so other users may benefit too.

http://www.edugeek.net/forums/internet-related-filtering-firewall/93858-sophos-enterprise-console-being-blocked-windows-firewall-server.html

Thanks for all of your assistance. Sophos is fully functional now