
EndPoints - how to update the Updating after Enterprise Console Reinstall

Hello,

I have just reinstalled Enterprise Console (now using 5.2.1) after I have had my license upgraded from Sophos Security Suite SBE to Sophos Endpoint Protection - Business.  I am running Windows Server 2012 VMs and a mix of Windows 7 and 8 clients.

As I recreated user accounts along recommended practices, my "Update Manager Account" is now <mydomain>\SophosUpdateMgr. However, my clients are still running Sophos AV with Updating details of the old (now deleted) account.

As a result they cannot update themselves, nor can I correct the credentials manually on the clients as the Configuration > Updating dialog box (Primary location) has the settings "greyed out".  Chicken and egg!

Q1) How should I get my Windows Clients to use the new Username/Password?

Q2) Should I just rerun the AV from \\myserver\SophosUpdate\CIDs\S000\SAVSCFXP\setup.exe ?

Q3) If so, will this include the new updating policy?

Thanks,

Chris

:42135


  • Are the clients showing up as connected/online and being managed through this new enterprise console?  If not, I'd assume either the Enterprise Console server is new, or the certificate changed, which is causing the clients to not check in.

    Path of least resistance may be to do a discovery of the machines, and then "protect" from the enterprise console itself.  This should basically do a re-install of all necessary components, including RMS, and have the machines appear in the new console.  After which, you can drag them to groups that have policies associated - if you don't install to these groups directly.

    :42167
  • Thanks drose23 for your reply.

    Are the clients showing up as connected/online and being managed through this new enterprise console?

    No, they did not show up as connected/online as the mismatch credentials meant they couldn't communicate in either direction.

    Path of least resistance may be to do a discovery of the machines, and then "protect" from the enterprise console itself.

    Tried that 100 (!) times but discovering wasn't a problem but "connecting" them was.

    I spoke to Technical Support and the solution was as follows:

    On each endpoint:

    1) Edit the file C:\ProgramData\Sophos\AutoUpdate\Config\iconn.cfg (admin UAC required)

    2) Change AllowLocalConfig = 0 to AllowLocalConfig = 1. This will make Configure > Updating editable

    3) In SAV, go to Configure > Updating editable and update the user account and password.  The user account will now also allow the EndPoint to communicate via AutoUpdate.

    4) Do an "Update Now" and all software updates, ides, policy will be reapplied.

    Thanks.

    :42169
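
Steps 1 and 2 of the Support procedure quoted above, as a PowerShell script. This is an added example, not part of the original posts and not Sophos tooling; it assumes iconn.cfg is plain text containing the `AllowLocalConfig = 0` line exactly as quoted, and the parameter names are made up here. `-AuditOnly` only reports the current value, which helps find endpoints where local configuration has been left enabled.

```powershell
#Requires -RunAsAdministrator
# Added example, not Sophos code. Assumes iconn.cfg is plain "Key = Value" text.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string]$Path = 'C:\ProgramData\Sophos\AutoUpdate\Config\iconn.cfg',
    [ValidateSet(0, 1)][int]$Value = 1,  # 1 = Updating dialog editable, 0 = locked
    [switch]$AuditOnly                   # report the current value, change nothing
)

# Matches e.g. "AllowLocalConfig = 0", keeping spacing and any trailing CR.
$pattern = '(?m)^(?<key>[ \t]*AllowLocalConfig[ \t]*=[ \t]*)(?<val>\d+)(?<eol>[ \t]*\r?)$'

# Read with BOM detection so the file is written back in the same encoding.
$reader = New-Object System.IO.StreamReader($Path, [System.Text.Encoding]::Default, $true)
try {
    $text = $reader.ReadToEnd()
    $encoding = $reader.CurrentEncoding
} finally {
    $reader.Dispose()
}

$found = [regex]::Matches($text, $pattern)
if ($found.Count -eq 0) { throw "No AllowLocalConfig line found in $Path" }

$current = @($found | ForEach-Object { [int]$_.Groups['val'].Value })
Write-Output ('{0}: AllowLocalConfig = {1}' -f $env:COMPUTERNAME, ($current -join ', '))

$needsChange = @($current | Where-Object { $_ -ne $Value }).Count -gt 0
if ($AuditOnly -or -not $needsChange) { return }

if ($PSCmdlet.ShouldProcess($Path, "Set AllowLocalConfig = $Value")) {
    # Keep a timestamped copy so the original file can be restored.
    $backup = '{0}.{1}.bak' -f $Path, (Get-Date -Format 'yyyyMMddHHmmss')
    Copy-Item -LiteralPath $Path -Destination $backup

    $replacement = '${key}' + $Value + '${eol}'
    $newText = [regex]::Replace($text, $pattern, $replacement)
    [System.IO.File]::WriteAllText($Path, $newText, $encoding)
    Write-Output "Updated $Path (backup: $backup)"
}
```

Running it with `-WhatIf` previews the change without writing; steps 3 and 4 are still carried out in the Sophos client as described.
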
  • Hi BloodBaz,

    Glad you got a resolution to your problem. And thanks for posting the response you got direct from Support. That's a big help to the community as a whole.

    Cheers,

    spike.

    :42207
  • Hello Chris,

    while your problem has been solved I have some reservations as IMO not all that has been said here is correct. To make sure - we are talking about Sophos Enterprise Console, right?

    they did not show up as connected/online as the mismatch credentials meant they couldn't communicate

    RMS (that's the "communication" component) is independent of the updating policy (and the credentials). RMS doesn't need an account to access the management server. That a client can't update (i.e. can't access the share on the server) does not mean it can't communicate - but maybe I'm misunderstanding you.

    You did not tell the details of the migration so the rest is based on guesswork.

    On each endpoint

    Works if you have only a few - consider an installation with several 1000 endpoints, more than just a pain, but anyway ...

    Do an "Update Now" and all software updates, ides, policy will be reapplied

    It will update but (unless you have put a policy in the CID - which is very unlikely) it will not (re-)apply the policies. If communication resumes the clients should show differs from policy (not because of location or credentials but because of AllowLocalConfig) - is this the case?

    If you did not change the server's identity (name, IP as well as its certificate) then the clients should have reported to the server and you should have been able to change the policy from there.

    discovering wasn't a problem but "connecting" them was

    If you are talking about being unable to successfully Protect computers - there are several pre-requisites (won't detail them here) but anyway, you have to explicitly enter the account to be used for the install in the wizard (and this is usually not SophosUpdateMgr). If it gets as far as doing the initial install of AutoUpdate it will set the credentials from the policy (and not use the ones that were in the client's config).

    If the server's identity has changed, then configuring updating on the clients will enable them to update but not to communicate (RMS) with the server.

    Christian

    :42243