
Windows XP non-domain computers not getting firewall policy or appearing in console

I am trying to deploy ESC to our Windows XP clients that are on other domains, not the same one as the Sophos server (we are in the process of converting from 11 domains to a single domain).  All the domain Windows 7 computers install from the script fine; the XP stations also install from the script fine, but then do not work because they never update the firewall policy or appear in the console.  I have tried disabling the firewall on the update server and on the XP station, but no luck.  We are running 9.7 and 4.7 on the console.

Any thoughts?

  • Hi,

    Things to check if the endpoint software is installed but the machine doesn't appear as managed are:

    1. The Sophos services on the server are all started, e.g. Certification Manager, Message Router, Management Agent.

    2. The Router and Agent of the client are started, RMS is installed.

    3. The parent address of the client machines that are unmanaged:
    HKEY_LOCAL_MACHINE\SOFTWARE\[Wow6432Node]\Sophos\Messaging System\Router\ParentAddress

    This needs to be an address that the client can use to find the management server.

    Note: If the management server has a static IP, it will be [ip], [fqdn], [netbios], and they are tried in order.  If the management server uses DHCP, it will just be [fqdn] and [netbios].

    4. The ports TCP 8192 and 8194 on the server are available to the client; you can test this with telnet:

    telnet [server] 8192

    telnet [server] 8194

    Note: both should connect, only 8192 will display a response.

    5. The port TCP 8194 is open on the client.  Not essential, but it will speed up downstream messages.

    With all that working, the client should receive 2 certificates, one for the agent and one for the router.  You can tell if they have them by the presence of the following keys on the client:

    Router:

    HKEY_LOCAL_MACHINE\SOFTWARE\[Wow6432Node]\Sophos\Messaging System\Router\Private\pkc

    HKEY_LOCAL_MACHINE\SOFTWARE\[Wow6432Node]\Sophos\Messaging System\Router\Private\pkp

    Agent:

    HKEY_LOCAL_MACHINE\SOFTWARE\[Wow6432Node]\Sophos\Remote Management System\ManagementAgent\Private\pkc

    HKEY_LOCAL_MACHINE\SOFTWARE\[Wow6432Node]\Sophos\Remote Management System\ManagementAgent\Private\pkp

    The client should get the router certificate first; once that has connected, the agent should follow.

    The Router logs on the client and router would then be the next place to look in order to trace the certificate requests from the client to the server and back again.

    Other things to check are that the identity keys are all in order, i.e. the values on the client and those on the server align, as they need to.  There is no reason they shouldn't, but if you wish to check, on the server side the important values regarding certification are held here:

    HKEY_LOCAL_MACHINE\SOFTWARE\[Wow6432Node]\Sophos\Certification Manager\CertAuthStore\cac

    HKEY_LOCAL_MACHINE\SOFTWARE\[Wow6432Node]\Sophos\Certification Manager\CertAuthStore\DelegatedManagerKey

    HKEY_LOCAL_MACHINE\SOFTWARE\[Wow6432Node]\Sophos\Certification Manager\CertAuthStore\ManagedAppKey

    HKEY_LOCAL_MACHINE\SOFTWARE\[Wow6432Node]\Sophos\Certification Manager\CertAuthStore\RouterKey

    All these values need to be the same on the clients (stored in different registry locations).   They are essentially passed to the clients in the files cac.pem (the cac value) and mrinit.conf (the 3 identity keys).  The clients download these files (setup.exe copies them over at install) from the distribution locations (CIDs); they are in the root of the deployment share, e.g. \\[server]\SophosUpdate\CIDs\S000\SAVSCFXP\cac.pem and mrinit.conf.  Note: All cac.pem files throughout the system should be the same, and all mrinit.conf files in the system should have the same 3 identity keys.

    When the RMS package on the client is installed, an application called ClientMRInit.exe runs, reads in the above files from the local client's copy (now in "\program files\sophos\remote management system\"), and puts the same values in the registry on the client in the following locations:

    HKEY_LOCAL_MACHINE\SOFTWARE\[Wow6432Node]\Sophos\Messaging System\cac

    HKEY_LOCAL_MACHINE\SOFTWARE\[Wow6432Node]\Sophos\Messaging System\CertificationIdentityKeys\CertificationIdentityKey

    This is the same as the "RouterKey" in the server's CertAuthStore.

    HKEY_LOCAL_MACHINE\SOFTWARE\[Wow6432Node]\Sophos\Remote Management System\CertificationIdentityKeys\ManagedApplication

    This is the same as the "ManagedAppKey" in the server's CertAuthStore.

    HKEY_LOCAL_MACHINE\SOFTWARE\[Wow6432Node]\Sophos\Remote Management System\ManagementAgent\Private\CertificationIdentityKey

    This is the same as the "DelegatedManagerKey" in the server's CertAuthStore.

    Hope this helps.

    Regards,

    Jak

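The checks in the reply above, collected into one client-side script, as an added example (this is not Sophos tooling and not code from the original post). It walks the items in the reply in order: Sophos services on the client, the Router's ParentAddress, TCP 8192/8194 to the server, the pkc/pkp values that show the Router and Agent certificates were issued, and the three identity keys plus cac compared against values copied from the server's CertAuthStore. Assumptions, labelled in the code: the server hostname is a placeholder; the script runs elevated on the endpoint; it matches services by a "Sophos*" display-name wildcard rather than by exact service names; and the server-side values are passed in by hand (read them on the server with Get-ItemProperty on the CertAuthStore key listed above). The registry base path is chosen at run time because 32-bit XP has no Wow6432Node.

```powershell
# Added example, not from the original post and not Sophos's own tooling.
# Run elevated on the endpoint. $Server is a placeholder; -ServerCertAuthStore takes the
# four values (cac, DelegatedManagerKey, ManagedAppKey, RouterKey) read on the server from
# HKLM\SOFTWARE\[Wow6432Node]\Sophos\Certification Manager\CertAuthStore.
param(
    [string]$Server = 'sophos-server.example.local',   # assumption: replace with your server
    [hashtable]$ServerCertAuthStore = @{}               # assumption: copied from the server by hand
)

# 32-bit XP has no Wow6432Node; 64-bit hosts keep the Sophos keys under it.
$base = 'HKLM:\SOFTWARE\Sophos'
if (Test-Path 'HKLM:\SOFTWARE\Wow6432Node\Sophos') { $base = 'HKLM:\SOFTWARE\Wow6432Node\Sophos' }

function Get-RegValue([string]$Path, [string]$Name) {
    if (-not (Test-Path $Path)) { return $null }
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($item -eq $null) { return $null }
    return $item.$Name
}

# REG_BINARY values come back as byte[]; render both sides as hex so -eq compares content.
function ConvertTo-Comparable($Value) {
    if ($Value -eq $null) { return $null }
    if ($Value -is [byte[]]) { return [BitConverter]::ToString($Value) }
    return [string]$Value
}

# Same check as "telnet [server] 8192", with a timeout instead of hanging on a filtered port.
function Test-TcpPort([string]$HostName, [int]$Port, [int]$TimeoutMs = 3000) {
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $ar = $client.BeginConnect($HostName, $Port, $null, $null)
        if (-not $ar.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($ar)
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

$results = @()
function Add-Result([string]$Check, [bool]$Ok, [string]$Detail) {
    $script:results += New-Object PSObject -Property @{ Check = $Check; OK = $Ok; Detail = $Detail }
}

# 2. Router and Agent services on the client (assumption: matched by display-name wildcard).
foreach ($svc in Get-Service | Where-Object { $_.DisplayName -like 'Sophos*' }) {
    Add-Result "Service: $($svc.DisplayName)" ($svc.Status -eq 'Running') "$($svc.Status)"
}

# 3. ParentAddress: the address list the client uses to find the management server.
$parent = Get-RegValue "$base\Messaging System\Router" 'ParentAddress'
Add-Result 'Router ParentAddress set' ($parent -ne $null) "$parent"

# 4. TCP 8192 and 8194 on the server reachable from this client.
foreach ($port in 8192, 8194) {
    Add-Result "TCP $port to $Server" (Test-TcpPort $Server $port) ''
}

# Certificates issued: pkc/pkp appear for the Router first, then the Agent.
$certKeys = @{
    'Router' = "$base\Messaging System\Router\Private"
    'Agent'  = "$base\Remote Management System\ManagementAgent\Private"
}
foreach ($name in $certKeys.Keys) {
    foreach ($v in 'pkc', 'pkp') {
        Add-Result "$name certificate ($v)" ((Get-RegValue $certKeys[$name] $v) -ne $null) ''
    }
}

# Identity keys: client registry location -> value name in the server's CertAuthStore.
$identityMap = @(
    @{ Path = "$base\Messaging System";                                   Name = 'cac';                      Server = 'cac' },
    @{ Path = "$base\Messaging System\CertificationIdentityKeys";         Name = 'CertificationIdentityKey'; Server = 'RouterKey' },
    @{ Path = "$base\Remote Management System\CertificationIdentityKeys"; Name = 'ManagedApplication';       Server = 'ManagedAppKey' },
    @{ Path = "$base\Remote Management System\ManagementAgent\Private";   Name = 'CertificationIdentityKey'; Server = 'DelegatedManagerKey' }
)
foreach ($m in $identityMap) {
    $clientVal = ConvertTo-Comparable (Get-RegValue $m.Path $m.Name)
    if ($ServerCertAuthStore.ContainsKey($m.Server)) {
        $serverVal = ConvertTo-Comparable $ServerCertAuthStore[$m.Server]
        Add-Result "Identity $($m.Server) matches client" ($clientVal -ne $null -and $clientVal -eq $serverVal) $m.Name
    } else {
        Add-Result "Identity $($m.Name) present" ($clientVal -ne $null) 'no server value supplied'
    }
}

$results | Format-Table Check, OK, Detail -AutoSize
```

Two caveats. Item 5 in the reply (TCP 8194 open on the client) is an inbound check and has to be run from the server side, so it is not covered here. And a port that connects but never answers will still show OK above, because only 8192 returns a banner; the telnet test in the reply makes the same distinction, so a clean connect on 8194 with no response is expected.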