
How long does it take to comply with policy?

System reports "Differs from policy" since it was offline when changes happened. When you right-click a system and tell it to comply with one or all policies, how long should this take? The system is online, connectivity is fine, etc. I feel like this gets queued up when other systems are always "Awaiting policy transfer".

  • As Christian says, it should be quick.  

    The message should be sent instantly if the client router is logged on to the parent router.  The agent applies the new config to the component in question, e.g. SAV, SCF, SAU, which may take maybe 2 seconds; the Sophos Agent (ManagementAgentNT.exe) then waits 20 seconds before sending back a status with the policy compliance state.  With no queue on the server router (to hinder either outgoing or incoming messages), this message should be passed on to the management service, into the database and reflected in SEC.  So when all is well, a "set config state to same as policy" should take 30 seconds max.

    As a bit of background information which may be relevant: the client's message router (RouterNT.exe) always initiates the logon to the parent message router; once the connection is established, provided the client can be accessed on port 8194 by the server, the server should be able to push messages to the client.  If the message router on the server can't connect to port 8194 on the client, then message delivery to the client will be delayed by up to 15 mins, as this is the polling interval for new messages.

    The other thing to bear in mind is that if you send a message to an offline machine, the message will be queued on the server in the envelopes directory.  SetConfig and Do-action messages have a time to live (TTL) of 4 days, so if the client hasn't picked up the message in 4 days, the message will be removed from the envelopes directory on the server.  This saves a massive build-up of messages over time.

    If you don't feel that is sufficient, these TTLs can be modified with registry keys on the management server; they are:

    HKLM\SOFTWARE\[Wow6432Node]\Sophos\EE\Management Tools\MessagingDoActionTimeout

    HKLM\SOFTWARE\[Wow6432Node]\Sophos\EE\Management Tools\MessagingSetConfigurationTimeout

    These two DWORD values are read by the management service when it attempts to create the messages but don't exist by default.

    They appear to override the default TTL for a message.  So to change the default TTL on a set-config message you could create the above MessagingSetConfigurationTimeout DWORD value; the value is in seconds.  The downside is that the envelopes directory is more likely to fill if you perform set configurations to machines that are unable to receive the message, as the TTL value is higher.

    Hope that helps.

    Jak

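To check or change those two TTL overrides without hand-editing the registry, here is a PowerShell script added as an example; it is not from the thread or from Sophos. It assumes the key path and value names exactly as Jak quotes them (checking both the native and Wow6432Node locations) and the 4-day default he gives; the function names and the DWORD range guard are my own. Run it in an elevated prompt on the management server.

```powershell
# Added example, not from the thread or from Sophos.
# Assumptions: key path and value names as quoted in the post; 4-day default when the
# value is absent (also per the post). Function names are my own.

$ValueNames        = @('MessagingDoActionTimeout', 'MessagingSetConfigurationTimeout')
$DefaultTtlSeconds = 4 * 24 * 3600    # 4 days, the post's stated default

# The post writes the path as HKLM\SOFTWARE\[Wow6432Node]\...; look at both variants.
$KeyPaths = @(
    'HKLM:\SOFTWARE\Sophos\EE\Management Tools',
    'HKLM:\SOFTWARE\Wow6432Node\Sophos\EE\Management Tools'
)

function Get-SophosMessageTtl {
    <#
      Reports the effective TTL for each override in every key path that exists,
      falling back to the 4-day default when the DWORD is not present. A raised TTL
      is flagged because the post warns it makes the envelopes directory fill faster.
    #>
    foreach ($path in $KeyPaths) {
        if (-not (Test-Path $path)) { continue }
        foreach ($name in $ValueNames) {
            $item    = Get-ItemProperty -Path $path -Name $name -ErrorAction SilentlyContinue
            $seconds = if ($null -ne $item) { [int]$item.$name } else { $DefaultTtlSeconds }
            [pscustomobject]@{
                KeyPath      = $path
                ValueName    = $name
                Overridden   = ($null -ne $item)
                Seconds      = $seconds
                Days         = [math]::Round($seconds / 86400, 2)
                AboveDefault = ($seconds -gt $DefaultTtlSeconds)
            }
        }
    }
}

function Set-SophosMessageTtl {
    <#
      Creates or updates one override in every key path that exists. -Days is
      converted to seconds because the post states the value is in seconds.
      The range keeps the result inside a signed 32-bit DWORD (24855 d * 86400 s).
    #>
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)]
        [ValidateSet('MessagingDoActionTimeout', 'MessagingSetConfigurationTimeout')]
        [string]$Name,

        [Parameter(Mandatory)]
        [ValidateRange(1, 24855)]
        [int]$Days
    )
    $seconds = [int]($Days * 86400)
    foreach ($path in ($KeyPaths | Where-Object { Test-Path $_ })) {
        if ($PSCmdlet.ShouldProcess("$path\$Name", "Set DWORD to $seconds seconds ($Days days)")) {
            New-ItemProperty -Path $path -Name $Name -PropertyType DWord -Value $seconds -Force | Out-Null
        }
    }
}

# Usage: report current state, then preview (not apply) a 7-day SetConfig TTL.
Get-SophosMessageTtl | Format-Table -AutoSize
Set-SophosMessageTtl -Name MessagingSetConfigurationTimeout -Days 7 -WhatIf
```

Drop the `-WhatIf` only once the report shows which key path the management service on that server actually uses; `Set-SophosMessageTtl` writes to every path that exists, so on a 64-bit server with both present you will see the value appear under both.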