
Enterprise Console on XP SP3 in workgroup want to manage computers in workgroup and domain

Hello,

Our customer has installed Sophos Enterprise Console 5.1.0.1839 on a Windows XP SP3 Pro machine. The machine is in a workgroup. The Windows firewall is turned off. There is also installed Endpoint Security and Control 10.0.

Everything works fine, but...

We want to manage computers in the same workgroup and in a domain too. The endpoint is installed fine on the computers and they can download the updates. They are also XP SP3 Professionals. On the Windows firewall TCP ports 8192, 8193 and 8194 are open. Simple file sharing is off. Everything is set fine. The clients can telnet to the console computer and the console can telnet to the clients.

The only problem is that they can't report back to the console. For a few hours there is a yellow down-arrow, and then it says that the computer is protected but has not yet reported back.

There is a computer in the same workgroup as the management console (previously it was in a domain, but was removed). The Windows firewall is turned off on both computers and no Sophos firewall is installed. Still the client doesn't report back, but every setting is set as it should be. We have been trying for days now but can't get it to work. We reinstalled the client from the console multiple times but still nothing.

Can someone please help?

:28977


  • Hi,

    The indication that a client has what it needs to communicate are the certificates it obtains from the server.  On the client the local agent service "Sophos Agent" and router service "Sophos Message Router" request them from the server.

    The router gets its own first and then gets the agent's.

    The router certs are:

    HKEY_LOCAL_MACHINE\SOFTWARE\[Wow6432Node]\Sophos\Messaging System\Router\Private\pkc

    HKEY_LOCAL_MACHINE\SOFTWARE\[Wow6432Node]\Sophos\Messaging System\Router\Private\pkp

    The agent certs are:

    HKEY_LOCAL_MACHINE\SOFTWARE\[Wow6432Node]\Sophos\Remote Management System\ManagementAgent\Private\pkc

    HKEY_LOCAL_MACHINE\SOFTWARE\[Wow6432Node]\Sophos\Remote Management System\ManagementAgent\Private\pkp

    So on an unmanaged client, do any of the above exist?

    Another thing to check on the client is the ParentAddress registry value:

    HKEY_LOCAL_MACHINE\SOFTWARE\[Wow6432Node]\Sophos\Messaging System\Router\ParentAddress

    Can the client resolve the management server using these values? It tries them all in turn.

    Can you telnet port 8192 and 8194 of the management server using the parent address value?

    Maybe if you can paste here the lines from a Router log on the client that would also help.

    Regards,

    Jak

    :28983
  • Hi jak,

    Thank you for replying!

    The mentioned registry keys exist on the unmanaged client, except for HKEY_LOCAL_MACHINE\SOFTWARE\Sophos\Remote Management System\ManagementAgent\Private\pkc, this key does not exist.
    The client can resolve the management server.

    "Can you telnet port 8192 and 8194 of the management server using the parent address value?"

    When I telnet 8192 then I get back the IOR. But with 8194 I only get a "blank screen".

    Now I checked the HKEY_LOCAL_MACHINE\SOFTWARE\Sophos\Messaging System\Router\ParentAddress registry key on the server and it was empty. Is this normal? I entered the same values that are on the client ("localhost,servername"), but still nothing.

    The following Router log entry is repeated every 30 seconds:

    31.08.2012 15:21:36 0E8C I Getting parent router IOR from localhost:8192
    31.08.2012 15:21:36 0E8C I Received parent router's IOR:
    IOR:010000002600000049444c3a536f70686f734d6573736167696e672f4d657373616765526f757465723a312e300000000100000000000000a0000000010102000d00000031302e362e3138302e313937000001204100000014010f004e5550000000210000000001000000526f6f74504f4100526f7574657250657273697374656e740003000000010000004d657373616765526f7574657200000003000000000000000800000001da8e00004f4154010000001400000001da8e0001000100000000000901010000000000140000000800000001daa60086000220
    31.08.2012 15:21:36 0E8C I Successfully validated parent router's IOR
    31.08.2012 15:21:36 0E8C I Accessing parent
    31.08.2012 15:21:36 0E8C E ParentLogon::RegisterParent: Caught CORBA system exception, ID 'IDL:omg.org/CORBA/NO_PERMISSION:1.0'
    Unknown vendor minor code id (0), minor code = 0, completed = NO

    Thanks for your help!

    :29023
  • Hi,

    The server parentaddress value should be empty as the router on the server has no parent, it's the end of the line if you like.

    So that suggests the router has its PKC and PKP, but the agent doesn't.  It is the agent on the client that needs to obtain its certificate.  The router requests this.

    "When I telnet 8192 then I get back the IOR. But with 8194 I only get a "blank screen"."

    That is expected, only 8192 gives you output.

    31.08.2012 15:21:36 0E8C I Getting parent router IOR from localhost:8192
    31.08.2012 15:21:36 0E8C I Received parent router's IOR:
    IOR:010000002600000049444c3a536f70686f734d6573736167696e672f4d657373616765526f757465723a312e300000000100000000000000a0000000010102000d00000031302e362e3138302e313937000001204100000014010f004e5550000000210000000001000000526f6f74504f4100526f7574657250657273697374656e740003000000010000004d657373616765526f7574657200000003000000000000000800000001da8e00004f4154010000001400000001da8e0001000100000000000901010000000000140000000800000001daa60086000220
    31.08.2012 15:21:36 0E8C I Successfully validated parent router's IOR
    31.08.2012 15:21:36 0E8C I Accessing parent

     Is a bit odd, 

    I Getting parent router IOR from localhost:8192

    I don't understand why that would be in a router log on the client.  It should have:

     I Getting parent router IOR from [SECSERVERADDRESS]:8192

    Was this router log from the client, if so, what is in the key:

    HKEY_LOCAL_MACHINE\SOFTWARE\Sophos\Messaging System\Router\ParentAddress ?

    on a client, it should be:

    serverip, fqdn, netbios

    if the server has a static IP

    or just

    fqdn, netbios

    if it is DHCP.

    Regards,

    Jak

    :29027
  • The router log is from the client. The HKEY_LOCAL_MACHINE\SOFTWARE\Sophos\Messaging System\Router\ParentAddress key's value is: "localhost,CZCN7415N01" (that's the name of the "server", which is an XP).
    It seems that somehow this registry key was installed badly?

    :29029
  • Hi,

    When the server component (management server) is installed, it creates a file called mrinit.conf in Enterprise Console directory.  Within it should be the configuration settings that all the routers will eventually get.  This file gets copied into CIDs and a number of places on the server.

    I suspect when the installer exe ran as part of the installer on the server it resolved the computer name to localhost and added that in as the FQDN to that file.

    I would suggest you locate all mrinit.conf files on the SEC server, there will be a few (depends on the number of subscriptions/CIDs you have), and change them to have the correct values for MRParentAddress and ParentRouterAddress.  The values for these 2 lines should be the same when you're not using message relays.

    So if your SEC server has a static IP, they should read

    IP,FQDN,NetBIOS

    If it is DHCP

    FQDN,NetBIOS

    This is essentially the addresses that get put into the parentaddress field on all the clients, as during the install of the client it pulls down mrinit.conf from the CID.

    Once you have updated the files, if you re-protect the failing computer, hopefully you should see the updated mrinit.conf get copied to the client in the \program files\Remote management system\ directory.  ClientMRInit.exe on the client will run as part of the RMS installer and the registry key will be corrected.

    For any clients in this state, you could just correct the mrinit.conf file in the program files directory on the client and set the registry.  The file is used if RMS updates, so it is necessary to do this, even though the registry is the only value used at runtime.

    Regards,

    Jak

    :29033
  • Yay! Thank you, correcting the mrinit.conf file solved the problem! You are the best! :)

    :29035
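
The mrinit.conf check described in the reply above, as an added example that is not part of the original thread or any Sophos tooling: it parses the MRParentAddress and ParentRouterAddress lines of every mrinit.conf under a directory and flags loopback entries such as the `localhost` seen in this thread, plus a mismatch between the two lines when no message relays are used. The `"Key"="value"` line syntax, UTF-8-readable file content, and the sample IP and FQDN are assumptions.

```python
import os
import re

KEYS = ("MRParentAddress", "ParentRouterAddress")   # the two lines named in the thread
LOOPBACK = {"localhost", "127.0.0.1", "::1"}
# Assumed line syntax: "Key"="a,b,c" (quotes optional); all other lines are ignored.
LINE_RE = re.compile(r'^\s*"?(\w+)"?\s*=\s*"?([^"\r\n]*)"?\s*$')

def parse_mrinit(text):
    """Return {key: [address, ...]} for the parent-address keys found in text."""
    found = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m and m.group(1) in KEYS:
            found[m.group(1)] = [a.strip() for a in m.group(2).split(",") if a.strip()]
    return found

def audit_mrinit(text, uses_message_relays=False):
    """Return a list of findings; an empty list means nothing suspicious."""
    addrs = parse_mrinit(text)
    findings = []
    for key in KEYS:
        if not addrs.get(key):
            findings.append(f"{key}: missing or empty")
            continue
        loop = [a for a in addrs[key] if a.lower() in LOOPBACK]
        if loop:
            findings.append(f"{key}: loopback entry {loop[0]!r} makes a client its own parent")
    if not uses_message_relays and len(addrs) == 2 and addrs[KEYS[0]] != addrs[KEYS[1]]:
        findings.append("MRParentAddress and ParentRouterAddress differ")
    return findings

def audit_tree(root):
    """Audit every mrinit.conf under root; return {path: findings} for flagged files."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower() == "mrinit.conf":
                path = os.path.join(dirpath, name)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    findings = audit_mrinit(fh.read())
                if findings:
                    report[path] = findings
    return report

# Constructed samples: BROKEN uses the value quoted in the thread; FIXED uses placeholders.
_TEMPLATE = '"MRParentAddress"="{0}"\n"ParentRouterAddress"="{0}"\n'
BROKEN = _TEMPLATE.format("localhost,CZCN7415N01")
FIXED = _TEMPLATE.format("192.0.2.10,czcn7415n01.example.test,CZCN7415N01")
```

Run `audit_tree()` against the Enterprise Console and CID directories on the server before re-protecting clients; an empty result means no file carries a loopback parent address.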