
Sophos Message Relay function

Hi All,

As per the subject above, I'd appreciate it if someone can guide me or give an explanation regarding message relay, e.g. how frequently the message relay updates or how it relays an endpoint message once received.

The reason is that the customer informed us that the console status didn't tally / wasn't reported back to the console. For example, we tried to perform a device exemption on the console once a user plugged in a USB device and it was blocked; however, the console didn't receive the message.

Restarting the services below also didn't have any effect when trying to exempt the device as mentioned above. Thanks

-----------------------------------------

Stop the "Agent" service
Stop the "Sophos Message Router" service

C:\ProgramData\Sophos\Remote Management System\3\Router\Envelopes
Delete all msg files present

C:\ProgramData\Sophos\Remote Management System\3\Router
Delete 'table_router.txt'

Start the "Agent" service
Start the "Sophos Message Router" service

---------------------------------------------------------

Console:

Windows Win2008

Sophos Enterprise Console v5

MSSQL 2008 R2

Ports 8192, 8193, 8194 open

Relay server:

Windows 2003

Ports 8192, 8193, 8194 open

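The service-and-envelope reset from the post above, as an added PowerShell example (not code from the thread or from Sophos). It keeps a copy of the queued envelopes instead of deleting them, since emptying the folder discards any unsent messages; the service display names "Sophos Agent" and "Sophos Message Router" and the paths are assumptions taken from the post's wording.

```powershell
# Added example: reset the RMS router queue on an endpoint, keeping the envelopes.
# Assumptions: service display names as on a Sophos install (the post says just "Agent"),
# folder paths as given in the post. Run from an elevated PowerShell prompt.

$routerDir   = 'C:\ProgramData\Sophos\Remote Management System\3\Router'
$envelopeDir = Join-Path $routerDir 'Envelopes'
$backupDir   = Join-Path $env:TEMP ('RmsEnvelopes-' + (Get-Date -Format 'yyyyMMdd-HHmmss'))
$services    = @('Sophos Agent', 'Sophos Message Router')   # display names (assumed)

function Set-RmsServices([string]$State) {
    # Same order as the post: Agent first, then Message Router, for both stop and start
    foreach ($name in $services) {
        $svc = Get-Service -DisplayName $name -ErrorAction Stop
        if ($State -eq 'Stopped') { Stop-Service -InputObject $svc -Force }
        else                      { Start-Service -InputObject $svc }
        $svc.WaitForStatus($State, (New-TimeSpan -Seconds 60))
        Write-Host "$name is now $State"
    }
}

Set-RmsServices 'Stopped'

# Move any queued .msg envelopes aside instead of deleting them, so a stuck
# message can still be inspected after the reset
$pending = @(Get-ChildItem -Path $envelopeDir -Filter '*.msg' -File -ErrorAction SilentlyContinue)
if ($pending.Count -gt 0) {
    New-Item -ItemType Directory -Path $backupDir | Out-Null
    $pending | Move-Item -Destination $backupDir
    Write-Host "Moved $($pending.Count) envelope(s) to $backupDir"
} else {
    Write-Host "Envelopes folder is already empty"
}

# The post's procedure removes the router's cached routing table file
$table = Join-Path $routerDir 'table_router.txt'
if (Test-Path $table) {
    Remove-Item $table -Force
    Write-Host "Removed table_router.txt"
}

Set-RmsServices 'Running'
```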


  • Hello Azwan,

    does it affect only one client or are there issues with all clients "behind" the relay?

    As it is not clear where the problem could be located (and what's working and what not) I'll try to outline what to check:

    Is the Last message time (under Computer Details) of the relay current? You could check that reports are received immediately by triggering an alert on the relay using EICAR

    If the alert isn't displayed after a few seconds then the problem is the relay communicating with SEC

    If the above works as expected do the same for the client. If you see the alert then it's probably the downstream path which doesn't work (SEC should be able to connect to the relay's 8194 and the relay in turn to the client's 8194 port)

    If the upstream communication fails please view the Network Communications Report (on both the relay and the client) whether it displays the correct upstream parent.

    Christian

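A way to check the downstream path the reply describes (SEC to the relay's 8194, then the relay to the client's 8194), as an added PowerShell example that is not from the thread. It uses System.Net.Sockets.TcpClient so it also runs on the Windows 2003/2008 hosts in this thread; the host names are placeholders and the ports are the ones listed in the question.

```powershell
# Added example: test whether each hop of the RMS path accepts TCP connections.
# Run on the console with the relay as the target, then on the relay with the
# client as the target. Host names below are placeholders, not real systems.

function Test-RmsPort {
    param([string]$ComputerName, [int]$Port, [int]$TimeoutMs = 3000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($ComputerName, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) {
            return 'timeout'        # nothing answered: filtered or host down
        }
        $client.EndConnect($async)  # throws if the connection was refused
        return 'open'
    } catch {
        return 'refused'            # reset or unreachable
    } finally {
        $client.Close()
    }
}

# Next hop from where this script runs: the relay when run on the console,
# the client when run on the relay (placeholder name, replace before use)
$nextHop = 'NEXT-HOP-PLACEHOLDER'
$ports   = 8192, 8193, 8194         # 8194 is the port the reply names for the downstream path

foreach ($p in $ports) {
    $state = Test-RmsPort -ComputerName $nextHop -Port $p
    '{0,-24} {1,5}  {2}' -f $nextHop, $p, $state
}
```

A 'timeout' on 8194 between two hops points at a firewall between them; 'refused' means the host answered but nothing is listening, so check the Message Router service on that hop.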

  • This issue affects a few PCs and I also suspect the message was stuck at the relay server; however, as I mentioned, C:\ProgramData\Sophos\Remote Management System\3\Router\Envelopes is empty and the PC was logged to the parent server @console when viewed from the router logs. Thanks

  • Hello Azwan,

    PC was log to parent server @console if view from router logs

    so PC refers to one of the clients which should use the relay - does the Network Communications Report show the console as parent?

    Christian

  • Hi Christian,

    The Endpoint Communication report shows the relay server as parent. Thanks

  • Good. Before combing the logs I'd verify that an alert created on the client is passed to the console in a timely manner and that a request similarly travels in the opposite direction. My favourite - assuming the client complies with the AV policy - is turning on-access scanning off using the local GUI. This should be reflected in the console shortly after. If not, there's a delay in the upstream communication. Once you see Differs from policy, request compliance with AV policy - it shouldn't take too long until the effect is seen on the client and within a short time in the console (the interval depends on the traffic but should usually be less than a minute). If this doesn't work as described - at which point does it fail (e.g. a few minutes after requesting policy compliance the client still hasn't turned on-access scanning on)?

    Christian

  • Hi Christian,

    I suppose the issue is related to an upstream delay in communication. I have tried the steps as suggested before and found no problem; as mentioned, the process only took less than a minute to comply. Thanks

  • Hello Azwan,

    if I didn't forget something then, inferring from these results, device control events should also be forwarded to the console. Note that a message can be delayed at any point and is kept for some time when it can't be passed on (which might also be on the management server, which could have received it via RMS from the relay but not yet passed it on to the EM) - but if you clear the envelopes folder the unsent messages are lost (it is store-and-forward, not end-to-end) and you'd have to recreate the event to work on it.

    Christian

  • Hi Christian,

    Noted...

    "(which might also be on the management server which could have received it via RMS from the relay but not yet passed it on the EM)"

    Does this process involve the DB, and how long does it take to process the message once received from the relay server?

    Assuming that I didn't do anything or any troubleshooting and the endpoint message was successfully relayed from the relay server?

    Thanks

  • Hello Azwan,

    process involved with DB

    as the last step in the communication the message has to be processed and written to the appropriate table(s) in the database. Normally you shouldn't notice a delay here unless there is significant database activity. In this case you'd likely experience additional symptoms like a high number of clients out of date, parts of the console (computer list, opening a client's details, event viewer) slow or unresponsive and/or a long delay when trying to start the console.  

    How many clients does the console manage?

    Christian

  • Hi Christian,

    Total managed is 5000+
