Thread Info
  • State Not Answered
  • Locked Locked
  • Replies 11 replies
  • Subscribers 1 subscriber
  • Views 20900 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Problem reinstalling Sophos Management Server...

Terry_S

Hi,

I had a few issues recently during a sophos migration from one server to another. Long story short, I've uninstalled the Sophos Management Server portion as per a KB Article and when I go to reinstall the component, I get prompted to import the Existing master security officer certificate. We've never actually used Safeguard (which I assume this is for), and I don't get a prompt beforehand to choose whether to use encryption like before. I assume there is a settings or registry key that thinks safeguard is installed, any ideas where I can find this ?

Thanks

Terry

:46691


This thread was automatically locked due to age.
  • 0

    Hello Terry,

    I get prompted to import the Existing MSO certificate

    and the installer doesn't let you proceed, right?

    I don't get a prompt beforehand to choose whether to use encryption like before

    You replied with Do not manage encryption then? I don't think so.

    While I didn't recreate the reinstall scenario I've tried to find out (don't say I have too much time on my hands) what Setup.exe might check and how it behaves. Consider a full migration - you install the database first, then import some keys (not related to encryption) and then run the Server and Console installs. Chapter 9 is a little bit vague in saying a) Accept the defaults wherever possible and e) If you have the license and been using Sophos Encryption [...] you will be prompted  for the master security officer certificate. You indeed get the prompt because the defaults assume Encryption/Existing installations. But - you get two prompts before that. As far as I could find out you do not get the prompt when they key HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\7FE6997C4C29E1E499172405689E2B61 exists. If it's indeed there then why it is left behind after an uninstall I don't know.     

    Christian

    :46699
  • 0

    Hi Christian

    Thanks for your reply. In answer to your questions.

    I get prompted to import the Existing MSO certificate

    and the installer doesn't let you proceed, right?

    Exactly

    I don't get a prompt beforehand to choose whether to use encryption like before

    You replied with Do not manage encryption then? I don't think so.

    No, there's no prompt.

    I think when it was originally installed, I clicked use encryption, then realised I didn't have that and went back a screen and changed it to don’’’’t use encryption.

    I checked for that registry key, but it wasn’’’’t there. Any more ideas ?

    Thanks

    Terry

    :46715
  • 0

    Hello Terry,

    should have asked which SEC version you're using. Seems to be 5.1which as far as I can see doesn't check for this key. Looks like the Manage prompt depends on the absence of 65125127BEA575F429E31D53290F1A5D (same path as before). The issue you encounter might explain the additional check in 5.2.

    HTH

    Christian

    :46723
  • 0

    Hi Christian,

    I'm using 5.21r2. I checked for that reg key but didn't find anything. I also searched the registry for any 'safeguard' and found about another 4 which I cleared. I'm still getting the prompt unfortunately. Could it be something in the Sophos Database indicating Safeguard is installed ?

    Thanks

    Terry

    :46777
  • 0

    Hello Terry,

    sorry that I could be of no help so far. Perhaps instead of fooling around I should have suggested that you call Support. 

    Could it be something in the Sophos Database

    I don't know but I don't think so - otherwise you wouldn't get the Manage prompt for a server to server migration (where you import the databases before installing the management server). Well, I've one more suggestion - start Process Monitor before running Setup.exe, Filter: Include process is Setup.exe, Include Path contains Encryption. The 10th line or so should be HKCR\Installer\Features\F3D6639E90DE1D24ABFFE12F3EFBA873\Encryption and setup will display the Welcome screen.  Stop capturing and highlight the HKCR line, from the Filter/Filter... dialog uncheck Path contains encryption. It should look like this: Enc.gif

    It extracts the compressed list (Darwin Descriptors) of Components from the Features\Encryption key and then looks for the Component keys. As far as I could see any NAME NOT FOUND will terminate the check and result in the Manage prompt to be presented later when you proceed with the setup.

    Otherwise I have run out of ideas :smileysad:

    Christian

    :46799
  • 0

    Hi Christian,

    No problem at all, you've been far more help than Sophos Support (Australia). I tried running process monitor, but I don't get any encryption values come up on the search. I've doubled checked the settings in case it was an error at my end, but that was all fine. I've attached a file showing the result (excluding the encryption filter because nothing comes up), and including a filter for HKCR\installer

    Thanks,

    Terry

    :46863
  • 0

    Hello Terry,

    it would have been a surprise if any key with encryption would have come up - as far as the modify/upgrade logic seems to go you are directly taken to the import page only when all the keys are present. I've tested with the management server installed and apparently setup.exe takes a slightly different path when installing (dunno if makes yet another difference if any of the other components is already there). I'll see if I can get one of the servers cloned so that I can uninstall the management server (BTW did this remove SUM as well, look like?). I wonder if there's a hint in the bootstrapper log (in %ProgramData%\Sophos\Management Installer\) - could you perhaps post it (after editing sensitive information)?

    Christian

    :46891
  • 0

    Hi Christian,

    I've attached the bootstrapper log file. I uninstalled everything Sophos tonight and attempted to remigrate it (i had all the original backup files), I've installed and imported the database first - which works fine -, but on the next installer I get the same prompt for encryption cert. After having a look through the bootstrapper I can see the encryption section is entering migration mode.

    Thanks for your help

    Terry

    :46907
  • 0

    Hello Terry,

    you left the computername in the log :smileywink:

    Just curious - has it to be a DC, no "other" server available?

    Unfortunately the installer doesn't tell us why it thinks it has to enter the migration page (at least I didn't spot anything that would give a clue). The clone is not yet ready so I don't have any news right now. Just to make sure - the installation you are migrating from is also 5.2R2 and you have exported/imported the database and keys?

    Christian

    :46909
  • 0

    Hello Terry,

    got the clone.

    To make it short - the Manage prompt is bypassed and the certificate is requested when the Encryption database has been "seeded", i.e. when the certificates have been created on a previous run. It looks like this applies also to an imported database so the run might be long past and done on the old server.

    Anyway, as you don't need the database it should be safe to reinit just the SOPHOSENC52 database. There's a script InstallEncryptionDB.bat  in C:\sec_521r2\ServerInstaller\DB\Encryption\. Run it from an elevated cmd window. Usual disclaimers apply.

    HTH

    Christian

    :46937