
Protected computers still showing as greyed out in Enterprise console

Hi

I'm having a problem whereby computers I have protected through the Enterprise Console are not showing as protected, even though the Sophos client installed correctly and updates without problems.

Basically, the same computers were protected and showed fine when installed with Win XP. I have recently upgraded all the desktops to Win 7 and protected them from the console, but they do not show as protected.

On some of the computers I had to manually run the Sophos install from Task Scheduler. The machines have the same SID from when they had XP installed, and Sophos is gathering information from AD. The server is a domain controller running Win 2k8 R2 SP1 and Enterprise Console 4.5.

I would really appreciate some help on this. Thanks
  • Hi,

    So the machine was managed fine in SEC as XP; it was upgraded to Windows 7 and it still has the same computer name?


    The computer record must still exist in SEC for the machine. Are you saying that the details for the record are those of the old XP machine and haven't been updated to reflect the Win 7 machine's details, e.g. OS, SAV details, etc.?

    As a quick check that will not cause any problems, on one of the clients try the following:

    1. Stop the Sophos Message Router service

    2. Stop the Sophos Management Agent service

    3. Open Regedit and navigate to:
    HKEY_LOCAL_MACHINE\SOFTWARE\[Wow6432Node]\Sophos\Messaging System\Router\ParentAddress
    Does the parent address value reflect the management server OK?
    I was thinking that maybe the mrinit.conf file the machine was reprotected from could have been incorrect.
    If so, leave it as is.

    4. Still in Regedit, navigate to:
    HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Sophos\Messaging System\Router\Private
    and delete the pkc and pkp values.

    5. Also delete the pkc and pkp values under:
    HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Sophos\Remote Management System\ManagementAgent\Private

    These values are the certificates of the router and the agent.

    Note: If they don't already exist that is your problem.

    6. Ensure that port 8194 TCP incoming is open on the client firewall. If you're using Sophos Client Firewall, that will automatically let the traffic through.

    7. Ensure that on the management server the services:
    Sophos Message Router
    Sophos Certification Manager
    Sophos Management Service
    are started; also ensure all other Sophos services are running, but those above are the most significant.

    8. On the client, start the Sophos Message Router service.
    Within a couple of seconds you should see the pkc and pkp values return under:
    HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Sophos\Messaging System\Router\Private

    This is evidence that the router has obtained its certificate.

    9. Still on the client, once the router has its certificate, start the Sophos Management Agent service.
    In a few seconds, you should see the pkc and pkp values return under:
    HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Sophos\Remote Management System\ManagementAgent\Private

    This is the agent getting its certificate. At this point the client should be able to message the server and should then send a status message.

    Does that help? If not, which stages did or didn't work?

    If you're still not getting information about the products, i.e. SAV, SCF, AutoUpdate, on the client, check the key:
    HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Sophos\Remote Management System\ManagementAgent\Adapters
    Under this key there should be a key for each product, and within it a path to the DLL that talks to each component on behalf of the Sophos Agent service.

    Regards,

    Jak

  • Hi Jak, thank you for the detailed reply.

    8. On the client start the Sophos Message Router Service.
    Within a couple of seconds you should see the pkc and pkp value return under:
    HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Sophos\Messaging System\Router\Private

    The above entry in the registry does not exist, nor is it created when I start the Sophos client services. I have set up a group policy allowing traffic on TCP 8192-8194 as per http://www.sophos.com/support/knowledgebase/article/111180.html

    I also disabled the Windows firewall on the client machine, and this still did not create any entry in the registry for pkc and pkp.

    Could the problem have started when I protected the machines? I deleted the machines from the Enterprise Console after I upgraded, because the entry in the console was showing them as still protected and did not recognise them as clean installs.

    Also, on the client machine I am not seeing any service called "Sophos Management Agent", the closest being "Sophos Agent".

    Open Regedit and navigate to:
    HKEY_LOCAL_MACHINE\SOFTWARE\[Wow6432Node]\Sophos\Messaging System\Router\ParentAddress
    Does the parent address value reflect the management server ok?

    It picks up the correct management server, and the client also updates from the server fine.

    Thanks in advance for your help

  • Hello SN,

    Sophos Agent is the name.

    Take a look at the router logs in %ProgramData%\Sophos\Remote Management System\3\Router\Logs. From what you said, you should see the client unsuccessfully attempting to register with the server (I can't tell what exactly you'll see, as this depends on the underlying problem). Please post a snippet here.

    Christian

  • Hi Christian, thanks for the reply

    In the log I get the same error repeated, which is as follows (omitted data in **):

    21.04.2011 13:35:07 0A24 I Getting parent router IOR from *server IP*
    21.04.2011 13:35:30 0A24 I Getting parent router IOR from *server MAC*
    21.04.2011 13:35:30 0A24 E ACE_INET_Addr::ACE_INET_Addr: *server MAC*: The requested name is valid, but no data of the requested type was found.
    21.04.2011 13:35:30 0A24 W Parent address unknown: The requested name is valid, but no data of the requested type was found.  (11004)
    21.04.2011 13:35:30 0A24 I Getting parent router IOR from *server.domain: port*
    21.04.2011 13:35:53 0A24 I Getting parent router IOR from *server: port*
    21.04.2011 13:36:16 0A24 E Failed to get parent router IOR
    21.04.2011 13:36:16 0A24 E Failed to get certificate, retrying in 600 seconds

  • Figured it out: the firewall on the server was preventing the response from the clients. As soon as I disabled the firewall, the client machines received their pkc and pkp values in the registry.

    Thanks for all your help

  • Thanks for your final results :smileyhappy:

    Some comments in case someone else stumbles over this thread:

    Getting parent router IOR from *server MAC*

    It's not a MAC but the IPv6 address. The four "Getting parent router IOR ..." lines show that the client's RMS is attempting to connect to the server's port 8192 to get the IOR (and subsequently the certificate), using, in this order, IPv4, IPv6, FQDN and NetBIOS name to locate the server. This corresponds to the values in mrinit.conf (note that not all are required; for more details please see Remote Management System: significant files and registry entries on the client computer).

    As you saw, the client wasn't getting any response from the server. Of course this doesn't tell you the precise cause, but it should put you on the right path. If you telnet to the server's port 8192 (using the same address(es)/name(s) as RMS), it should return the IOR string and close the connection. This can help in determining the exact cause.

    Christian

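    An added example, not from this thread or from Sophos, that scripts the telnet check Christian describes: it tries each address form in the order RMS uses (IPv4, IPv6, FQDN, NetBIOS) against port 8192 and reports which ones answer with an IOR string and close the connection. The port number comes from the thread; fake_router is a constructed stand-in for the server's router so the script runs offline.

```python
import socket
import threading

RMS_ROUTER_PORT = 8192  # port the thread names for the IOR request


def fetch_ior(host, port=RMS_ROUTER_PORT, timeout=3.0):
    """Connect to host:port and read until the far end closes the socket.
    Returns (True, ior) when the reply is an IOR string, else (False, reason)."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            chunks = []
            while True:
                data = sock.recv(4096)
                if not data:          # a healthy router sends the IOR, then closes
                    break
                chunks.append(data)
    except socket.gaierror as exc:    # name resolved to nothing usable (cf. 11004 in the log)
        return False, "name lookup failed: %s" % exc
    except OSError as exc:            # refused, filtered (timeout) or unreachable
        return False, "no response: %s" % exc
    reply = b"".join(chunks).decode("ascii", "replace").strip()
    if reply.startswith("IOR:"):
        return True, reply
    return False, "unexpected reply: %r" % reply[:40]


def probe_all(candidates, port=RMS_ROUTER_PORT):
    """candidates: the IPv4, IPv6, FQDN and NetBIOS values, in the order RMS tries them."""
    return {host: fetch_ior(host, port) for host in candidates}


def fake_router(ior=b"IOR:0000c0ffee"):
    """Constructed stand-in for the server's router (not real RMS): listens once on
    127.0.0.1, sends the IOR, closes. Returns the ephemeral port it listens on."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def serve():
        conn, _ = srv.accept()
        conn.sendall(ior)
        conn.close()
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


if __name__ == "__main__":
    port = fake_router()
    # 127.0.0.1 answers; ::1 has nothing listening, so it reports "no response"
    for host, result in probe_all(["127.0.0.1", "::1"], port).items():
        print(host, result)
```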
  • I wanted to add to this thread because I had the same symptoms, but the fix was slightly different.

    We have always opened the ports in the firewall of 2008 servers by using the following batch file:

    netsh firewall add portopening TCP 8192 "Sophos Management"
    netsh firewall add portopening TCP 8193 "Sophos Management"
    netsh firewall add portopening TCP 8194 "Sophos Management"
    netsh firewall add portopening TCP 8081 "Sophos quarantine digest"

    I recently did a migration from SBS 2003 to SBS 2011. When I ran the above commands on the SBS 2011, it mentioned that the 'netsh firewall' command has been deprecated and to use the 'netsh advfirewall firewall' command instead. However, it said the commands completed successfully, so I didn't give it much thought. Everything looked fine in the Sophos console.

    A couple of days go by and I check back on the server, and all clients are shown as disconnected. D'oh!

    Long story short, after much troubleshooting, including the steps in this thread, I took another look at the batch file we used to open the firewall. Here is the correct batch file for the newer firewall commands:

    netsh advfirewall firewall add rule name="Sophos Management 1" dir=in action=allow protocol=TCP localport=8192
    netsh advfirewall firewall add rule name="Sophos Management 2" dir=in action=allow protocol=TCP localport=8193
    netsh advfirewall firewall add rule name="Sophos Management 3" dir=in action=allow protocol=TCP localport=8194
    netsh advfirewall firewall add rule name="Sophos Quarantine Digest" dir=in action=allow protocol=TCP localport=8081

    I deleted the existing Sophos rules in the firewall and ran the newer batch file. The console came to life almost immediately.

    Hope this helps someone else down the road!
