Message Relays on a DMZ

Scenario:

Currently have a Sophos Update Manager on the DMZ that all the DMZ servers get their updates from

The situation is that I need all the DMZ servers to report back to the Sophos Enterprise Console for reporting

The ports are open on the DMZ for 8192 and 8194 back to the Sophos Update Manager on the DMZ server, but it needs to report back internally to the Sophos Enterprise Console in our internal network

My thoughts are that we need to create the Sophos Update Manager on the DMZ server as a Message Relay Server so it can report back to the Sophos Enterprise Console. From the DMZ server back to the Sophos Enterprise Console server the ports are already open for 8192 and 8194

Do I need to create a message relay server on the SUM DMZ server? If so, how do I do that?

After that, I believe we need to change the registry values, if we need to create a message relay server on the DMZ

Change registry values on the message relay

From reading the Sophos article below, I need to change the registry values on the Message Relay server

Article 50832

Message relay server (DMZ) = 10.x.x.x; WORKGROUP and on the DMZ

Sophos Internal Management Server - IP Address = 172.16.xx.xx; Computer Name = SophosMgmtServer; a part of the domain.

Example from the Sophos Website of the registry

a) To immediately affect the service:

  1. Modify the key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sophos Message Router\ImagePath
     to the following (all one line):

     "C:\Program Files\Sophos\Remote Management System\RouterNT.exe" -service -name Router -ORBDottedDecimalAddresses 0 -ORBListenEndpoints iiop://:8193/ssl_port=8194&hostname_in_ior=MR.domain.com
  2. Restart the Message Router service on the message relay.

b) To make the change persistent when an RMS update/reinstall occurs:

  • Modify the key HKEY_LOCAL_MACHINE\SOFTWARE\Sophos\Messaging System\Router\ServiceArgs to the following (all one line):
    -ORBDottedDecimalAddresses 0 -ORBListenEndpoints iiop://:8193/ssl_port=8194&hostname_in_ior=MR.domain.com

Not really sure what the values mean. If I could get some help to enter the values in red:

This is what I think may need to be changed, but not really sure? If anyone could confirm?

-ORBDottedDecimalAddresses 0

&hostname_in_ior=SophosMgmtServer

Change the mrinit.conf on the DMZ servers

Example on the Sophos website:

"MRParentAddress"="192.168.0.3,[Console-FQDN],[Console-HOSTNAME]"
"ParentRouterAddress"="MR.domain.com"

Example of what I think needs to be done in my environment

"MRParentAddress"="172.16.x.x,[Console-FQDN],[Console-HOSTNAME]"
"ParentRouterAddress"="10.x.x.x"

If anyone could help out that would be great - thanks

  • Hi slee,

    If you already have a SUM in the DMZ (10.X.X.X) and ports 8192 & 8194 are opened towards the internal network (172.16.x.x), you should be able to see the Update Managers list in the Update Managers List View. Are you able to see it?

    Did you install the SUM via the \\SEC-Server\SumInstallSet ?

    In my opinion, after an installation of SUM from the above-mentioned directory, the SUM is shown in your SEC. After right-clicking and updating the SUM so that it populates the CIDs, you edit the corresponding mrinit.conf as explained in 1.2, 14635.


    As you're going with the second scenario in 50832, &hostname_in_ior=MR.domain.com: as the IP address is a private IP and not routable over the internet, we will need to specify the FQDN, which can be resolved by both the external clients (needs to be forwarded by the firewall towards the DMZ) and internal clients.

    MR.domain.com - FQDN of your Message Relay Server, e.g. Test-Relay.ACME.com

    Any further comments from fellow members here are utmost welcome.


    -Vikas

  • I've checked the update manager on the Enterprise Console and found that the DMZ SUM server received the following error message: Software delivery failed. Under the sources it's pointing to the primary SUM server, but under the username and password it still has the domain username and password. Would I need to change it to the DMZ SUM username and password, as the DMZ SUM server is in a workgroup and not a part of the domain? I assume after I get these working it should report back correctly?

  • Hello slee,

    Software delivery failed

    belongs to the SUM component, which you manage from the Update managers view - do not confuse it with the Endpoint component managed from the Endpoints view with a group Updating policy.

    The Sources tab tells SUM where to get the "raw" updates from, potentially different versions and for different platforms. The Source could be any valid source but usually it's either your main SUM or Sophos. Thus in your case the credentials must be valid for accessing the primary SUM.

    Software delivery failed

    can have a number of causes. If it doesn't magically resolve itself start with the Update managers view, right-click and select View Update Manager Details. This should describe the error in more detail. Perhaps this is not sufficient and the next step would be checking the logs with Logviewer (while the 80040401 article does not apply it should give you an idea how to do this).

    Christian
  • The first place to check what exactly the problem is while the DMZ SUM is updating from internal SEC would be SUM Trace Logs. You can find them in DMZ's \ProgramData\Sophos\Update Manager\Logs

    Check for any error codes and then subsequently any KB articles relating to it.

    Also, the username and password which you mention must be able to access the main share. You can manually try to access \\SEC-Server\SophosUpdate (or whatever UNC path has been mentioned in the Primary Update Location)

    Please post your results after checking on your end. 

  • Hello slee and Vikas,

    \\SEC-Server\SumInstallSet

    please note that there have been changes with RMS on a SUM and the applicable "base" article is Deploying a message relay and SUM installation via the SUM bootstrap executable setup.exe. RMS does not reconfigure itself when on a SUM - perhaps the rationale is that you do not inadvertently lose the ability to manage the SUM.

    If I understand correctly you don't have to go through the steps in 50832 - 50832 applies to a setup where you relay external endpoints through the DMZ, i.e. WAN endpoint -> DMZ relay -> SEC. Your setup is "all-internal", the endpoints (servers) know your soon-to-be-relay SUM by name and address, the SUM in turn knows how to reach the management server. IMO no need to fiddle with these registry keys.

    There's a catch though - as said, you can't reconfigure RMS. Thus you'd have to reinstall SUM per the article above; the SUM installer refuses to do its work when it finds RMS installed, so ... There might be a way to turn it into a relay on the fly, but it's unofficial and thus I'd rather not post it here. You can PM me (make sure you turn on PM).

    Christian

  • Hi Christian,

    Ah yes. 

    According to slee, the DMZ SUM is only used to update the DMZ Servers. He wants to see those servers on his SEC. 

    So, I think relays are out of the question. You might not need to configure a relay after all. Those servers can directly talk to SEC if the routing between DMZ and Internal network is allowed. 

    1. Creation of a Group which includes DMZ SUM Server and all the Servers which will update from it. 

    2. Creating an updating policy which includes the Distribution Point (\\DMZ-SUM\SophosUpdate\)

    3. A re-protection of a server, maybe to check if it's reporting correctly.

    Please correct wherever I might be wrong. 

  • Just more background to the scenario

    When the SUM server for the DMZ was built, it was built on the domain, then taken out as a workgroup machine back out to the DMZ

    When you try to update the DMZ SUM server, you get the following error message:

    Error - Failed to check update source status: 'Could not add connection to server \\server\sophosupdate\ with username 'domain\accountname'. The error code is 53. The password would be correct, but because the DMZ SUM is in a workgroup and the SEC Management server is on the domain, I would assume that's why we can't get it working?

    I've turned on my private message to

  • Hello slee,

    do I understand you correctly that the SUM stopped updating after it was moved to the DMZ and unjoined from the domain? Was/is the SophosUpdateMgr account a local account?

    Anyway, try to browse to the \\server\sophosupdate\ share using the domain\accountname credentials. With the standard security settings in the domain this normally works. If it doesn't the firewall would be the prime suspect (when you opened 8192 and 8194 did you also open the ports for SMB?).

    Once updating works you should edit and place mrinit.conf as needed (personally I'd not use just the IP; note that all values are tried but it's sufficient that one matches). Please see also Using ConfigCID.exe to implement XML configuration file changes

    Christian 

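The checks Christian suggests (does the SEC host resolve from the workgroup DMZ box, did the firewall rule also pass SMB alongside 8192/8194, can the share be opened with the domain credentials) can be run in one go from the DMZ SUM. The script below is an added example, not part of the thread or of Sophos' tooling; the SEC host name, share name and account are placeholders taken from or modelled on the thread and should be replaced with your own values.

```powershell
# Added example: pre-flight checks run on a workgroup DMZ SUM that must pull
# updates from an internal SEC share and report back over RMS.
# All default values below are placeholders, not values from a real deployment.
param(
    [string]$SecServer  = 'SophosMgmtServer',        # SEC host name used in the thread
    [string]$ShareName  = 'SophosUpdate',            # share behind the Primary Update Location
    [string]$UpdateUser = 'DOMAIN\SophosUpdateMgr',  # placeholder domain account
    [int[]] $RmsPorts   = @(8192, 8194),             # RMS ports opened per the thread
    [int]   $SmbPort    = 445                        # SMB, required for the UNC share
)

$results = [ordered]@{}

# 1. Name resolution. A workgroup host has no domain DNS suffix, so the bare
#    host name in the UNC path or in mrinit.conf may simply not resolve.
try {
    $a = Resolve-DnsName -Name $SecServer -ErrorAction Stop |
         Where-Object { $_.Type -eq 'A' } | Select-Object -First 1
    $results['DNS'] = "$SecServer -> $($a.IPAddress)"
} catch {
    $results['DNS'] = "FAILED: $($_.Exception.Message)"
}

# 2. TCP reachability: RMS ports for reporting, SMB for the update share.
#    Error 53 ("network path not found") with a correct password usually
#    means SMB never reached the server, not that the credentials are wrong.
foreach ($port in ($RmsPorts + $SmbPort)) {
    $ok = (Test-NetConnection -ComputerName $SecServer -Port $port `
               -WarningAction SilentlyContinue).TcpTestSucceeded
    $results["TCP/$port"] = if ($ok) { 'open' } else { 'blocked - check DMZ firewall rule' }
}

# 3. Share access with explicit domain credentials, as a workgroup machine
#    cannot use its own machine context against the domain share.
$unc  = "\\$SecServer\$ShareName"
$cred = Get-Credential -UserName $UpdateUser -Message "Password for $UpdateUser"
try {
    New-PSDrive -Name SUMCHK -PSProvider FileSystem -Root $unc `
                -Credential $cred -ErrorAction Stop | Out-Null
    $count = (Get-ChildItem -Path 'SUMCHK:\' | Measure-Object).Count
    $results['Share'] = "$unc reachable, $count entries visible"
    Remove-PSDrive -Name SUMCHK
} catch {
    $results['Share'] = "FAILED: $($_.Exception.Message)"
}

$results.GetEnumerator() | Format-Table -AutoSize
```

Run it from an elevated PowerShell session on the DMZ SUM; a DNS or TCP/445 failure points at the firewall or name resolution rather than at the SUM credentials.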
  • Thanks QC - It has been resolved
