
Non-domain computers reporting to SEC

We have several endpoints which are not part of our domain, but do exist on another part of our network. We would like to have them update from our main Sophos server ("sophserv") as well as be managed by same. (Yes, all references will be sanitized lol.)

The other network is NAT'd to external addresses, and uses an external DNS. We have addressed this issue by adding in appropriate DNS entries. So, when on the other network, you can now ping the SEC by the name "sophserv.mycollege.edu". 

I have done some reading on the forums about this issue. I believe our issue is with the mrinit.conf file which is being handed out by the "sophserv" server. When the server was initially set up, it wrote the following lines into mrinit.conf:

"MRParentAddress"="internal.non-routable.address,sophserv.internal.dns,sophserv"
"ParentRouterAddress"="internal.non-routable.address,sophserv.internal.dns,sophserv"

Unfortunately, none of those addresses will resolve externally from the "external" network. I've read about editing the registry on the client to use the -ORBDottedDecimalAddresses 0 and &hostname_in_ior=sophserv.mycollege.edu but it did not work.

I've also read:


I guess what I need to do is to set up a custom CID so I can have a testing area WITHOUT affecting production. (Actually, if this were the best approach, I'm good with these machines having their own "space".) Am I on the right track? I've been looking on how to create a custom CID (rights, etc) but haven't found a good article. Next, what would the steps be? For example:

1) create custom CID w/custom mrinit

2) create package referencing custom CID in #1

3) deploy package to test systems

4) test

I hope this was clear enough - if you have any questions or need clarification, please let me know.



  • Hello Michelle,

    update from our main Sophos server

    using UNC or HTTP? Either way you're probably using an updating policy with the "internal" names.

    editing the registry on the client

    it's for the relay (if you use one) or the management server. Sophos recommends a relay (which usually also hosts a SUM where your external endpoints get their updates from). The key has no effect on an endpoint.

    Here's how it works:

    • an endpoint walks the ParentRouterAddresses trying to connect to port 8192
    • if the connection succeeds it expects an IOR as response (telnet to your server's port 8192 to see it)
    • the contents of the IOR (which are determined by the above key) direct the endpoint to one or more addresses (and the port, which is normally 8194) for the actual router

    If you are NATting the server you must make sure that at least one address/name returned in the IOR can be resolved and reached by your external endpoints. While it's likely possible (using the mentioned key) to return both an internal and external address it complicates things, degrades performance, and is prone to errors.  

    a custom CID

    is probably the easiest part. You can either add a share with the Distribution tab in Configure update manager, use an additional SUM, or add a subscription. The latter two inherit the rights from the ...\Update Manager\Update Manager\ folder, for the former you can simply add a folder under Update Manager (while this is not recommended it works - note that SEC will append \CIDs\Snnn\SAVSCFXP).

    Edit mrinit.conf and also put it in the RMS subdirectory.

    Christian

    P.S.: think now of any questions you could have - I won't be here the next three weeks ;-)

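The IOR exchange Christian describes, as an added example that is not part of the original thread: a Python decoder that takes the stringified IOR a server returns on port 8192 and lists the host/port pairs in its IIOP profiles, so you can check from the external network that at least one of them resolves. The layout follows the standard CORBA IOR encoding (byte-order flag, type id, tagged profiles with TAG_INTERNET_IOP = 0); the make_ior builder, its repository id and the object key are constructed test data, not a real Sophos IOR.

```python
import struct

def _unpack(buf, fmt, off, little):
    """Read one CDR primitive at `off`, honouring CDR alignment (relative to the encapsulation start)."""
    size = struct.calcsize(fmt)
    off = (off + size - 1) // size * size
    return struct.unpack_from(("<" if little else ">") + fmt, buf, off)[0], off + size

def _string(buf, off, little):
    """Read a CDR string: ulong length (including the trailing NUL) followed by the bytes."""
    n, off = _unpack(buf, "I", off, little)
    return buf[off:off + n - 1].decode("latin-1"), off + n

def iiop_endpoints(ior):
    """Return [(host, port), ...] from every TAG_INTERNET_IOP (tag 0) profile in a stringified IOR."""
    if not ior.startswith("IOR:"):
        raise ValueError("not a stringified IOR")
    buf = bytes.fromhex(ior[4:].strip())
    little = buf[0] == 1                      # byte-order flag of the outer encapsulation
    _, off = _string(buf, 1, little)          # type_id (repository id), not needed here
    nprof, off = _unpack(buf, "I", off, little)
    endpoints = []
    for _ in range(nprof):
        tag, off = _unpack(buf, "I", off, little)
        plen, off = _unpack(buf, "I", off, little)
        body, off = buf[off:off + plen], off + plen
        if tag != 0:
            continue                          # e.g. TAG_MULTIPLE_COMPONENTS carries no address
        blittle = body[0] == 1                # the profile body is its own encapsulation
        host, boff = _string(body, 3, blittle)   # bytes 1-2 are the IIOP major/minor version
        port, _ = _unpack(body, "H", boff, blittle)
        endpoints.append((host, port))
    return endpoints

def _cdr_string(s):
    s = s.encode("latin-1") + b"\0"
    return struct.pack(">I", len(s)) + s

def _pad(b, n):
    return b + b"\0" * (-len(b) % n)

def make_ior(type_id, host, port, object_key=b"key"):
    """Build a big-endian IOR with one IIOP 1.0 profile: constructed test data, not a real Sophos IOR."""
    body = _pad(b"\0\x01\x00", 4) + _cdr_string(host)         # order flag, version 1.0, host
    body = _pad(body, 2) + struct.pack(">H", port)
    body = _pad(body, 4) + struct.pack(">I", len(object_key)) + object_key
    outer = _pad(b"\0", 4) + _cdr_string(type_id)
    outer = _pad(outer, 4) + struct.pack(">III", 1, 0, len(body)) + body   # 1 profile, TAG_INTERNET_IOP
    return "IOR:" + outer.hex()
```

Paste the "IOR:..." string you see when you telnet to port 8192 into iiop_endpoints(); every host it prints must resolve and reach port 8194 from the NATted network, or the endpoint will never find the router.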