Thread Info
  • State Not Answered
  • Locked Locked
  • Replies 5 replies
  • Subscribers 1 subscriber
  • Views 4075 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Managing computers from SEC remotely

constantin3

Hi there,

I was wondering if there is a way to manage remote computers that are not part of a domain in SEC? I have set up a sophor-mr server for remote clients to access updates which works fine. What I'd like to see in the EC is the list of remote computers so we can verify they are up to date.

Although I have searched the forums, I haven't found a definite guide (though that might just be me not reading correctly).

Using server 5.0 and client 10.0.

Any help would be appreciated,

Stephen

:23401


This thread was automatically locked due to age.
  • 0

    Hello Stephen,

    a guide can be found in Enterprise Console: configuring message relay computers.

    You don't need a message relay if the clients can access ports 8192 and 8194 on the server (and ideally the server 8194 on the clients) but it general a message rely is the better solution. For this you have to configure the CID on the sophos-mr server accordingly.

    Note that the "new" features (Patch Assessment, Web Control and - soon to come - Encryption) require port 80 (or some other port) on the server to be reachable (see FAQs and Why is port 80 required ...).

    HTH

    Christian

    :23403
  • 0

    Hi Christian,

    Thanks for that.

    We have created a NAT rule on our firewall so that the clients can contact the sophos-mr server to aquire updates. Its just in relataion to the management through the enterprise console that is the tricky part I'm finding.

    The sophos-mr server has been set up with a share for distributing updates from the main sophos management server. Do I need to set up the sophos-mr server as an update manager? I'm just thinking in relation to the editing of the mrinit.conf, does that need to happen on the sophos management server or the sophos-mr server?

    Thanks for your help,

    Stephen

    :23405
  • 0

    Hello Stephen,

    personally I'd set up a SUM instead of "just" hosting a share but it is not necessary that a message relay is also a SUM.

    Each CID ("distribution point") can be configured individually. Your current configuration contains at least two shares one being \\sophos-mr\SophosUpdate (or whatever name you use). You'd place the modified mrinit.conf there (...\CIDs\S000\SAVSCFXP), run ConfigCID.exe and reprotect sophos-mr. Clients should pick up the changes with the next update and reconfigure themselves to use sophos-mr as realy to the management server.  Of course the clients must be able to connect to ports 8192 and 8194 on sophos-mr (which in turn ideally can connect to the clients' port 8194).

    Do you have different updating policies for your remote clients (i.e. do they specify \\sophos-mr instead of the management server)? 

    It just looks tricky on the first glance :smileyhappy:

    Christian

    :23407
  • 0

    Hi Christian,

    We only want the remote clients (not on the network or in the domain) to use the sophos-mr server - from what you're saying, that would work yes?

    Also, just following the guide you gave me earlier, when I add the sophos-mr server to the Enterprise Console, it stays greyed out with the yellow arrow beside it - even though the client installs fine on the box. Any idea why it doesn't display as managed?

    :23409
  • 0
    Hello Stephen,

    make sure sophos-mr can connect to 8192 and 8194 on the server, that's what RMS needs to report to the console. And the oppisite directoon should also be available - while this is not a requirement it enables a "push" from the server (e.g. changed policies or a scan request). You did not manage sophos-mr yet?

    You need an updating policy which states sophos-mr as update location (all other policies would use - say - sophos-sec) assigned to one or more groups. Configure the CID and make sure sophos-mr is correctly set up. All clients updating from this location will use the relay and subsequently appear in SEC. You then move them to the appropriate group.

    Christian
    :23413