
Moving to a new Sophos server

I have a weird issue – a server caught in limbo. I have created a VB script using the tool that a Sophos tech told me about that will point my Sophos client servers from one Sophos master server (Sophos-old) to another Sophos master server (Sophos-new).

I have tested this script on 4 servers and it has run fine on those 4. They now point to Sophos-new for their policies and updates. On the 5th server, the resulting log file from the script looks fine (just like the other 4 servers). But it's not completely responding to either Sophos console.

From Sophos-old, the status says: Differs from policy.

On Sophos-new, it says: Awaiting policy update.

From Sophos-new, I select the computer, right click and say “Update the computer now…” On the 5th server, the update log shows that it's communicating with Sophos-Old.

From Sophos-old, I select the computer, right click and say “Update the computer now…” Nothing happens on the 5th server. Its log does not show any attempt to communicate with either Sophos server.

Oh, and I have rebooted the 5th server.

Has anyone come across this situation before?



  • Hi,

    I would start in the registry:

    HKEY_LOCAL_MACHINE\SOFTWARE\[Wow6432Node]\Sophos\Messaging System\Router

    ParentAddress

    Is that the old or new server?

    In addition to that, do the following keys exist?

    HKEY_LOCAL_MACHINE\SOFTWARE\[Wow6432Node]\Sophos\Messaging System\Router\Private

    pkc and pkp

    HKEY_LOCAL_MACHINE\SOFTWARE\[Wow6432Node]\Sophos\Remote Management System\ManagementAgent\Private

    pkc and pkp

    Regards,

    Jak

  • Hi Jak,

    Sorry for the delay. The ParentAddress is pointing to the new Sophos master server.

    And both of sets of the keys exist for:

    HKEY_LOCAL_MACHINE\SOFTWARE\[Wow6432Node]\Sophos\Messaging System\Router\Private

    pkc and pkp

    HKEY_LOCAL_MACHINE\SOFTWARE\[Wow6432Node]\Sophos\Remote Management System\ManagementAgent\Private

    pkc and pkp

    -Colleen

  • That's good. Can you do as follows on the endpoint:

    1. Stop the Sophos Agent service

    2. Stop the Sophos Message Router service

    3. Start the Sophos Message Router service

    4. Start the Sophos Agent Service

    5. wait 30 seconds.

    6. Obtain the latest router and agent logs from:

    • C:\ProgramData\Sophos\Remote Management System\3\agent\logs\
    • C:\ProgramData\Sophos\Remote Management System\3\router\logs\

    Paste the contents of both here. They shouldn't be that long if they have been running for 30 seconds.

    Regards,

    Jak

  • Here's the contents of the Agent's Log:

    02.07.2013 15:38:39 1374 I SOF: C:\ProgramData/Sophos/Remote Management System/3/Agent/Logs/Agent-20130702-193839.log
    02.07.2013 15:38:39 1374 I Sophos Management Agent 3.4.1.3411 starting...
    02.07.2013 15:38:40 115C I SAUAdapter - SAU IPCBase::IPCBase: Initialising shared memory A32951C539924a12B3C8F2FDA5A268E4
    02.07.2013 15:38:40 1280 I SAUAdapter - SAU AdapterImpl: Notifying agent of configuration change
    02.07.2013 15:38:40 1280 I SAUAdapter - SAU AdapterImpl: Notifying agent of status change: <?xml version="1.0" encoding="utf-8" ?><status xmlns="com.sophos\mansys\status" type="sau"><CompRes xmlns="com.sophos\msys\csc" Res="NoRef" policyType="1" /><autoUpdate xmlns="http://www.sophos.com/xml/mansys/AutoUpdateStatus.xsd"><endpoint id="b2887a62-6f8c-48af-9e99-bf665e3b7a67" /></autoUpdate></status>
    02.07.2013 15:38:40 115C I SAUAdapter - SAU Intelligent updating using port 51235
    02.07.2013 15:38:40 1358 I SAUAdapter - SAU IPCListener::Wait started
    02.07.2013 15:38:40 1358 I SAUAdapter - SAU IPCListener::Wait Waiting for more messages
    02.07.2013 15:38:40 115C I SAUAdapter - SAU Returning Adapter: 00ACE1F0
    02.07.2013 15:38:40 115C I SAUAdapter - SAU RegisterStateObserver : 00ACD060
    02.07.2013 15:38:40 115C I SAUAdapter - SAU RegisterConfigStateObserver : 00ACD064
    02.07.2013 15:38:40 115C I SAUAdapter - SAU RegisterEventObserver : 00ACD088
    02.07.2013 15:38:40 115C I ALC adapter loaded
    02.07.2013 15:38:40 115C I SAV adapter loaded
    02.07.2013 15:38:40 121C I Got EM-ClientLogoff message from Router$server5:72699
    02.07.2013 15:38:40 10D0 I Connected to router...
    02.07.2013 15:38:40 12A4 I Got EM-ClientLogon message from Router$server5:72699
    02.07.2013 15:38:40 119C I Running SetAdapterStatusJob for adapter ALC
    02.07.2013 15:38:40 119C I SAUAdapter - SAU AdapterImpl::GetStatus called
    02.07.2013 15:38:40 119C I SAUAdapter - SAU AdapterImpl::GetConfiguration called
    02.07.2013 15:38:40 119C I Running SetAdapterStatusJob for adapter SAV
    02.07.2013 15:38:40 119C E SetAdapterStatusJob::Process() caught IMEAdapterException: Error generating config XML from SAV
    02.07.2013 15:38:40 115C I SWC adapter loaded
    02.07.2013 15:38:40 119C I Running SetAdapterStatusJob for adapter SWC
    02.07.2013 15:38:40 12A4 I Got EM-NotifyClientUpdates-Reply message from Router$server5:72699
    02.07.2013 15:38:40 12A4 I Got EM-GetClientStatus-Reply message from Router$server5:72699
    02.07.2013 15:38:42 0F14 I SAV state observer notified that SAV is running
    02.07.2013 15:38:42 0F14 I SAV state observer received a status: <?xml version="1.0" encoding="UTF-8" standalone="yes"?>

    <status xmlns="http://www.sophos.com/EE/EESavStatus"><csc:CompRes xmlns:csc="com.sophos\msys\csc" Res="Diff" RevID="{254A1D5D-E28D-4C7B-9F28-A299C45FC7B1}" policyType="2"/><csc:CompRes xmlns:csc="com.sophos\msys\csc" Res="Same" RevID="FactoryDefault" policyType="7"/><ac:onAccess xmlns:ac="com.sophos\mansys\applicationcontrol" value="0"/><csc:CompRes xmlns:csc="com.sophos\msys\csc" Res="Same" RevID="FactoryDefault" policyType="19"/><tp:tamperProtectionStatus xmlns:tp="http://www.sophos.com/xml/msys/tamperprotectionstatus.xsd" scanningState="off"/><csc:CompRes xmlns:csc="com.sophos\msys\csc" Res="Same" RevID="FactoryDefault" policyType="15"/><dat:dataControlStatus xmlns:dat="http://www.sophos.com/xml/msys/datacontrol.xsd" scanningState="off"/><csc:CompRes xmlns:csc="com.sophos\msys\csc" Res="Same" RevID="FactoryDefault" policyType="16"/><dev:deviceControlStatus xmlns:dev="http://www.sophos.com/xml/msys/devicecontrol.xsd" scanningState="off"/><entity><productId>SAVEEXP</productId><product-version>10.0.10 VDL4.90G</product-version><entityInfo>SAVXP.10.0.10 VDL4.90G</entityInfo></entity><vdl-info><virus-engine-version>3.43.0</virus-engine-version><virus-data-version>4.90G</virus-data-version><idelist><ide>201327-c.ide</ide><ide>aduska-c.ide</ide><ide>age-abkf.ide</ide><ide>age-abkp.ide</ide><ide>age-abnv.ide</ide><ide>age-abpl.ide</ide><ide>age-abqa.ide</ide><ide>age-abqt.ide</ide><ide>age-absu.ide</ide><ide>age-abtb.ide</ide><ide>age-abtj.ide</ide><ide>age-abto.ide</ide><ide>age-abtv.ide</ide><ide>age-abun.ide</ide><ide>age-abvk.ide</ide><ide>age-abvs.ide</ide><ide>age-abwu.ide</ide><ide>age-abxa.ide</ide><ide>age-abxq.ide</ide><ide>age-abxu.ide</ide><ide>age-abxy.ide</ide><ide>age-abzi.ide</ide><ide>age-abzm.ide</ide><ide>age-acap.ide</ide><ide>age-acaq.ide</ide><ide>age-acbi.ide</ide><ide>age-acbm.ide</ide><ide>age-acbq.ide</ide><ide>age-acca.ide</ide><ide>age-acck.ide</ide><ide>age-accq.ide</ide><ide>age-accs.ide</ide><ide>age-accy.ide</ide><ide>age-acdc.ide</ide><ide>age-acdk.ide</ide><ide>age-acdv.ide</ide><ide>age-acdw.ide</ide><ide>age-aceb.ide</ide><ide>age-acer.ide</ide><ide>age-aces.ide</ide><ide>age-acey.ide</ide><ide>age-acge.ide</ide><ide>age-acgg.ide</ide><ide>age-achm.ide</ide><ide>age-achr.ide</ide><ide>age-acif.ide</ide><ide>age-acir.ide</ide><ide>age-aciu.ide</ide><ide>age-acjb.ide</ide><ide>age-acjd.ide</ide><ide>age-acjl.ide</ide><ide>age-ackt.ide</ide><ide>age-aclf.ide</ide><ide>age-aclg.ide</ide><ide>age-acme.ide</ide><ide>alure-ai.ide</ide><ide>auto-cba.ide</ide><ide>autoi-dq.ide</ide><ide>autoi-sv.ide</ide><ide>autoi-sy.ide</ide><ide>autoi-tb.ide</ide><ide>autoi-tq.ide</ide><ide>autoi-uc.ide</ide><ide>autoi-ug.ide</ide><ide>autoi-uo.ide</ide><ide>autoi-up.ide</ide><ide>avatar-c.ide</ide><ide>avkill-k.ide</ide><ide>backd-iu.ide</ide><ide>backd-ix.ide</ide><ide>backd-ja.ide</ide><ide>backd-jb.ide</ide><ide>banbr-lh.ide</ide><ide>banbr-li.ide</ide><ide>banc-bvi.ide</ide><ide>banc-bvk.ide</ide><ide>banc-bvr.ide</ide><ide>bandel-a.ide</ide><ide>bank-fuf.ide</ide><ide>bank-fup.ide</ide><ide>bank-fus.ide</ide><ide>bank-fvg.ide</ide><ide>bank-fvu.ide</ide><ide>banlo-op.ide</ide><ide>banlo-os.ide</ide><ide>banlo-oy.ide</ide><ide>barys-g.ide</ide><ide>bckd-rqb.ide</ide><ide>bckd-rqe.ide</ide><ide>bdoo-bfa.ide</ide><ide>bdoo-bfb.ide</ide><ide>bdoo-bfc.ide</ide><ide>bdoo-bfd.ide</ide><ide>beebo-an.ide</ide><ide>boda-c.ide</ide><ide>bootlo-a.ide</ide><ide>bred-ahb.ide</ide><ide>bred-ahg.ide</ide><ide>bred-ahh.ide</ide><ide>bred-aho.ide</ide><ide>bred-ahp.ide</ide><ide>bred-ahq.ide</ide><ide>bred-ahs.ide</ide><ide>bred-ahu.ide</ide><ide>bred-ahy.ide</ide><ide>bred-aib.ide</ide><ide>bred-aid.ide</ide><ide>bredo-pq.ide</ide><ide>bubli-av.ide</ide><ide>bubli-aw.ide</ide><ide>bubli-ax.ide</ide><ide>bubli-ay.ide</ide><ide>bubli-az.ide</ide><ide>bubli-ba.ide</ide><ide>burst-ax.ide</ide><ide>buzus-ho.ide</ide><ide>buzus-hp.ide</ide><ide>cdejec-b.ide</ide><ide>choose-a.ide</ide><ide>coinmi-a.ide</ide><ide>crack-aq.ide</ide><ide>
    02.07.2013 15:38:42 119C I Running SetAdapterStatusJob for adapter SAV
    02.07.2013 15:39:00 119C I computer name is server5
    02.07.2013 15:39:00 119C I This computer is part of the domain domain
    02.07.2013 15:39:00 119C I workgroup/domain name is domain
    02.07.2013 15:39:00 119C I computer description is
    02.07.2013 15:39:00 119C I SendStatus: Sent EM-GetStatus-Reply (id=01D32C54) to EM

    And here's the content of the Router's Log:

    02.07.2013 15:38:33 10D4 I SOF: C:\ProgramData/Sophos/Remote Management System/3/Router/Logs/Router-20130702-193833.log
    02.07.2013 15:38:33 10D4 I Sophos Messaging Router 3.4.1.3411 starting...
    02.07.2013 15:38:33 10D4 I Setting ACE_FD_SETSIZE to 138
    02.07.2013 15:38:33 10D4 I Initializing CORBA...
    02.07.2013 15:38:33 10D4 I Setting connection cache limit to 10
    02.07.2013 15:38:33 10D4 I Creating ORB runner with 4 threads
    02.07.2013 15:38:33 10D4 I This computer is part of the domain LIONS
    02.07.2013 15:38:33 10D4 E ACE_DLL::open failed for TAO_ImR_Client: Error: check log for details.
    02.07.2013 15:38:33 10D4 E Unable to find service: ImR_Client_Adapter
    02.07.2013 15:38:33 10D4 I This router's IOR:
    IOR:010000002600000049444c3a536f70686f734d6573736167696e672f4d657373616765526f757465723a312e300000000100000000000000a0000000010102000e0000003135392e39312e31342e3130390001204100000014010f004e5550000000210000000001000000526f6f74504f4100526f7574657250657273697374656e740003000000010000004d657373616765526f757465720000000300000000000000080000000100ae00004f415401000000140000000100ae000100010000000000090101000000000014000000080000000100a60086000220
    02.07.2013 15:38:33 10D4 I Successfully validated this router's IOR
    02.07.2013 15:38:33 10D4 I Reading router table file
    02.07.2013 15:38:33 10D4 I Host name: server5
    02.07.2013 15:38:33 10D4 I Local IP addresses: 159.91.5.5
    02.07.2013 15:38:33 10D4 I Resolved name: server5.domain.com
    02.07.2013 15:38:33 10D4 I Resolved alias/es:
    02.07.2013 15:38:33 10D4 I Resolved IP addresses: 159.91.5.5
    02.07.2013 15:38:33 10D4 I Resolved reverse names/aliases: server5.domain.com
    02.07.2013 15:38:33 10D4 I Waiting for messages...
    02.07.2013 15:38:33 10D4 I RouterSystemCheck::onInfoPortsUsed() - number of user ports 2, max number of user ports 15360
    02.07.2013 15:38:33 120C I Routing to Agent: id=01D32C28, origin=Router$server5:72699, dest=Router$server5:72699.Agent, type=EM-ClientLogoff
    02.07.2013 15:38:33 0CB0 I Getting parent router IOR from 159.91.5.9:8192
    02.07.2013 15:38:33 0CB0 I Received parent router's IOR:
    IOR:010000002600000049444c3a536f70686f734d6573736167696e672f4d657373616765526f757465723a312e300000000100000000000000a0000000010102000e0000003135392e39312e31342e3135390001204100000014010f004e5550000000210000000001000000526f6f74504f4100526f7574657250657273697374656e740003000000010000004d657373616765526f7574657200000003000000000000000800000001007100004f41540100000014000000010071000100010000000000090101000000000014000000080000000100a60086000220
    02.07.2013 15:38:33 0CB0 I Successfully validated parent router's IOR
    02.07.2013 15:38:33 0CB0 I Accessing parent
    02.07.2013 15:38:33 0CB0 I Parent is Router$Sophos-new
    02.07.2013 15:38:33 0CB0 I RouterTableEntry::LogonToParentRouter() - logging on as active consumer
    02.07.2013 15:38:33 0CB0 I RouterTableEntry state (router, logging on): Router$Sophos-new is passive consumer, passive supplier
    02.07.2013 15:38:33 0CB0 I Logged on to parent router as Router$server5:72699
    02.07.2013 15:38:33 0CB0 I This computer is part of the domain domain
    02.07.2013 15:38:40 1058 I Client::LogonPushPush() successfully called back to client
    02.07.2013 15:38:40 1348 I Sent message (id=01D32C28) to Agent
    02.07.2013 15:38:40 1058 I Logged on Agent as a client
    02.07.2013 15:38:40 120C I Routing to Agent: id=03D32C40, origin=Router$server5:72699, dest=Router$server5:72699.Agent, type=EM-ClientLogon
    02.07.2013 15:38:40 11B4 I Sent message (id=03D32C40) to Agent
    02.07.2013 15:38:40 120C I Received message for this router
    02.07.2013 15:38:40 120C I EM-NotifyClientUpdates originator Router$server5:72699.Agent
    02.07.2013 15:38:40 120C I Received message for this router
    02.07.2013 15:38:40 120C I EM-GetClientStatus EMLib originator Router$server5:72699.Agent
    02.07.2013 15:38:40 120C I Routing to Agent: id=09D32C40, origin=Router$server5:72699, dest=Router$server5:72699.Agent, type=EM-NotifyClientUpdates-Reply
    02.07.2013 15:38:40 120C I Routing to Agent: id=0BD32C40, origin=Router$server5:72699, dest=Router$server5:72699.Agent, type=EM-GetClientStatus-Reply
    02.07.2013 15:38:40 108C I Sent message (id=09D32C40) to Agent
    02.07.2013 15:38:40 108C I Sent message (id=0BD32C40) to Agent
    02.07.2013 15:39:00 120C I Routing to parent: id=01D32C54, origin=Router$server5:72699.Agent, dest=EM, type=EM-GetStatus-Reply
    02.07.2013 15:39:00 11B4 I Sent message (id=01D32C54) to Router$Sophos-new

    Thank you for taking the time to help me with this issue.

    -Colleen

  • Thanks for the logs.

    In the Agent log, you can see a status message (01D32C54) get created by the Sophos Agent:
    02.07.2013 15:39:00 119C I SendStatus: Sent EM-GetStatus-Reply (id=01D32C54) to EM

    In the Router log, you can see this message is sent:
    02.07.2013 15:39:00 120C I Routing to parent: id=01D32C54, origin=Router$server5:72699.Agent, dest=EM, type=EM-GetStatus-Reply
    02.07.2013 15:39:00 11B4 I Sent message (id=01D32C54) to Router$Sophos-new

    The line "Sent message" means it has left the endpoint and has been delivered somewhere, the next question is where?

    I do find a couple of things odd in the logs which might help to answer it.

    In the router log it has:
    02.07.2013 15:38:33 10D4 I Local IP addresses: 159.91.5.5


    But it also has the line:
    I This router's IOR:
    IOR:010000002600000049444c3a536f70686f734d6573736167696e672f4d657373616765526f757465723a312e300000000100000000000000a0000000010102000e0000003135392e39312e31342e3130390001204100000014010f004e5550000000210000000001000000526f6f74504f4100526f7574657250657273697374656e740003000000010000004d657373616765526f757465720000000300000000000000080000000100ae00004f415401000000140000000100ae000100010000000000090101000000000014000000080000000100a60086000220

    parsing that IOR through http://catior.org/ shows the IP in the IOR to be: 159.91.14.109, that should be the local IP.

    I'm not sure why these would differ, but it's a similar story with the parent address.

    02.07.2013 15:38:33 0CB0 I Getting parent router IOR from 159.91.5.9:8192


    So I assume this is the IP in the ParentAddress registry key mentioned earlier and the new sec server? But when it gets the IOR from the server on port 8192 it has:

    02.07.2013 15:38:33 0CB0 I Received parent router's IOR:
    IOR:010000002600000049444c3a536f70686f734d6573736167696e672f4d657373616765526f757465723a312e300000000100000000000000a0000000010102000e0000003135392e39312e31342e3135390001204100000014010f004e5550000000210000000001000000526f6f74504f4100526f7574657250657273697374656e740003000000010000004d657373616765526f7574657200000003000000000000000800000001007100004f41540100000014000000010071000100010000000000090101000000000014000000080000000100a60086000220

    That has in it the IP: 159.91.14.159


    This tells me that the client is connecting to its parent on address 159.91.5.9 on port 8192, reading the IOR from that port and then connecting to a different address (159.91.14.159) to send messages to?

    So I'm a bit confused what these IPs are. Can you check what 159.91.5.9 and 159.91.14.159 represent?

    Regards,

    Jak

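The IOR check Jak describes above can be done offline instead of pasting the IOR into catior.org. The script below is an added example, not Sophos code and not anything posted in this thread. It decodes the two IORs quoted from the router log (a CDR encapsulation: type id, then tagged profiles, of which the IIOP profile carries the host and port), pairs each decoded host with the address the router logged in clear text next to it, and also follows the EM-GetStatus-Reply message id from the agent log into the router log the way the reply above does by eye. The log excerpt embedded in it is constructed from the lines quoted in the thread (addresses as the poster masked them); function and class names are my own.

```python
import re
import struct

# Both IORs are quoted verbatim from the router log posted in this thread (addresses
# as the poster masked them). ROUTER_LOG and AGENT_LOG are a constructed excerpt of
# the thread's logs, reduced to the lines these checks need.
LOCAL_IOR = "IOR:010000002600000049444c3a536f70686f734d6573736167696e672f4d657373616765526f757465723a312e300000000100000000000000a0000000010102000e0000003135392e39312e31342e3130390001204100000014010f004e5550000000210000000001000000526f6f74504f4100526f7574657250657273697374656e740003000000010000004d657373616765526f757465720000000300000000000000080000000100ae00004f415401000000140000000100ae000100010000000000090101000000000014000000080000000100a60086000220"
PARENT_IOR = "IOR:010000002600000049444c3a536f70686f734d6573736167696e672f4d657373616765526f757465723a312e300000000100000000000000a0000000010102000e0000003135392e39312e31342e3135390001204100000014010f004e5550000000210000000001000000526f6f74504f4100526f7574657250657273697374656e740003000000010000004d657373616765526f7574657200000003000000000000000800000001007100004f41540100000014000000010071000100010000000000090101000000000014000000080000000100a60086000220"
ROUTER_LOG = "\n".join([
    "02.07.2013 15:38:33 10D4 I This router's IOR:", LOCAL_IOR,
    "02.07.2013 15:38:33 10D4 I Local IP addresses: 159.91.5.5",
    "02.07.2013 15:38:33 0CB0 I Getting parent router IOR from 159.91.5.9:8192",
    "02.07.2013 15:38:33 0CB0 I Received parent router's IOR:", PARENT_IOR,
    "02.07.2013 15:38:33 0CB0 I Parent is Router$Sophos-new",
    "02.07.2013 15:39:00 120C I Routing to parent: id=01D32C54, origin=Router$server5:72699.Agent, dest=EM, type=EM-GetStatus-Reply",
    "02.07.2013 15:39:00 11B4 I Sent message (id=01D32C54) to Router$Sophos-new",
])
AGENT_LOG = "02.07.2013 15:39:00 119C I SendStatus: Sent EM-GetStatus-Reply (id=01D32C54) to EM"

TAG_INTERNET_IOP = 0  # tag of the IIOP (host/port) profile inside an IOR


class Cdr:
    """Minimal CDR reader for one encapsulation; alignment counts from its first octet."""

    def __init__(self, data):
        self.data, self.pos = data, 1
        self.endian = "<" if data[0] == 1 else ">"  # octet 0 is the byte-order flag

    def read(self, fmt, size):
        self.pos = (self.pos + size - 1) // size * size  # CDR aligns each primitive to its size
        (v,) = struct.unpack_from(self.endian + fmt, self.data, self.pos)
        self.pos += size
        return v

    def octets(self):
        n = self.read("I", 4)  # sequence<octet>: ulong length, then the bytes
        self.pos += n
        return self.data[self.pos - n:self.pos]

    def string(self):
        return self.octets().rstrip(b"\x00").decode("latin-1")  # length includes the NUL


def parse_ior(ior):
    """Decode a stringified IOR; return its type id and the first IIOP profile's host/port."""
    if not ior.startswith("IOR:"):
        raise ValueError("not a stringified IOR")
    outer = Cdr(bytes.fromhex(ior[4:]))
    info = {"type_id": outer.string(), "host": None, "port": None}
    for _ in range(outer.read("I", 4)):  # number of TaggedProfile entries
        tag, body = outer.read("I", 4), outer.octets()
        if tag == TAG_INTERNET_IOP and info["host"] is None:
            p = Cdr(body)  # the profile body is its own encapsulation
            p.read("B", 1), p.read("B", 1)  # IIOP version major, minor
            info["host"] = p.string()
            info["port"] = p.read("H", 2)
    return info


def ior_address_checks(router_log):
    """Compare each address the router logs in clear with the host inside the matching IOR."""
    logged, iors, label = {}, {}, None
    for line in router_log.splitlines():
        line = line.strip()
        if "This router's IOR:" in line:
            label = "local"
        elif "Received parent router's IOR:" in line:
            label = "parent"
        elif label and line.startswith("IOR:"):
            iors[label] = parse_ior(line)
            label = None
        elif m := re.search(r"Local IP addresses: (\S+)", line):
            logged["local"] = m.group(1)
        elif m := re.search(r"Getting parent router IOR from ([^:\s]+):\d+", line):
            logged["parent"] = m.group(1)
    return {k: {"logged": logged.get(k), "ior_host": v["host"], "ior_port": v["port"],
                "match": logged.get(k) == v["host"]} for k, v in iors.items()}


def trace_status_message(agent_log, router_log):
    """Follow the agent's EM-GetStatus-Reply by message id into the router log."""
    m = re.search(r"SendStatus: Sent EM-GetStatus-Reply \(id=([0-9A-F]+)\) to EM", agent_log)
    if not m:
        return None
    msg_id = m.group(1)
    sent = re.search(rf"Sent message \(id={msg_id}\) to (\S+)", router_log)
    return {"id": msg_id,
            "routed_to_parent": f"Routing to parent: id={msg_id}," in router_log,
            "delivered_to": sent.group(1) if sent else None}


if __name__ == "__main__":
    for label, r in ior_address_checks(ROUTER_LOG).items():
        flag = "ok" if r["match"] else "MISMATCH"
        print(f"{label:6} logged={r['logged']:15} ior={r['ior_host']}:{r['ior_port']}  {flag}")
    print(trace_status_message(AGENT_LOG, ROUTER_LOG))
```

Run with Python 3.8 or newer (it uses `:=`). On the thread's log both rows print MISMATCH, which is exactly the discrepancy raised above: the host inside an IOR is the address peers will actually connect to, so when it disagrees with what the router logs in clear, either the log was edited or the endpoint is advertising an address it does not have.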
  • You are correct. Since this is a public forum, I changed the IP addresses in the logs to mask them. The 14.109 is the client and the 14.159 is the new Sophos master. Server5 and Sophos-new are not the true names of the servers either.

    Sorry for confusing you. That was not my intention.

    -Colleen

  • Hi,

    That's somewhat a relief to be honest; I was really scratching my head based on those IPs.

    If you stop the router on the "managed" endpoint, does the "Connected" state of the client change in the new SEC? That would be proof enough that communication is working?

    To me, based on the client logs, it seems to be OK.

    Tracing the messages once they arrive at the SEC server would be my next thing to try. For example, based on what you did before to generate an EM-GetStatus-Reply message: if you just perform a restart of the Agent service on the client, 20 seconds later it would send another status message.

    If you were to do that, then check the router logs on the new server, do you see a status message arrive from the client?

    You can then follow that through in the "msgn" log:

    C:\ProgramData\Sophos\Sophos Endpoint Management\log\

    This is the final logging of the message before it goes into the database.

    Regards,

    Jak

  • Hi Jak,

    I stopped the Sophos Message Router on Server5. On the SEC, it had a red "X" on the computer. Once I restarted the Sophos Message Router, it went back to a green symbol.

    I restarted Server5's Sophos Agent at 9:31:12. On the new Sophos server, the MSGN log showed:

    03.07.2013 09:31:34 0898 I MessagingSystemClientLib::EnvelopeReceiver::Receive: Received message 30681013 of type EM-GetStatus-Reply from Router$Server5:72699.
    03.07.2013 09:31:34 0898 I MessagingSystemClientLib::EnvelopeReceiver::Receive: Processed message 30681013.
    03.07.2013 09:31:34 0898 I MessagingSystemClientLib::EnvelopeReceiver::Receive: Received message 30681014 of type EM-RouterLogon from Router$Sophos-new.
    03.07.2013 09:31:34 0898 I MessagingSystemClientLib::EnvelopeReceiver::Receive: Processed message 30681014.
    03.07.2013 09:31:49 0898 I MessagingSystemClientLib::EnvelopeReceiver::Receive: Received message 30681029 of type EM-EntityEvent from Router$USS9CFYFQ1:72542.
    03.07.2013 09:31:49 0898 I MessagingSystemClientLib::EnvelopeReceiver::Receive: Processed message 30681029.
    03.07.2013 09:31:51 0898 I MessagingSystemClientLib::EnvelopeReceiver::Receive: Received message 30681031 of type EM-RouterLogoff from Router$Sophos-new.
    03.07.2013 09:31:51 0898 I MessagingSystemClientLib::EnvelopeReceiver::Receive: Processed message 30681031.

    So it does appear that Server 5 is communicating to the new Sophos server, even though it says "Awaiting policy update..."

    Does this mean that Server5 will get any policy changes that I make on Sophos-new? We are planning on making a major policy change at the end of this month and I wouldn't want it to miss this change.

    Thanks again for all of your hard work on this confusing problem!

  • Hi,

    Well communication is working so that's good.

    What if you delete (on the endpoint) the contents of:

    C:\ProgramData\Sophos\Remote Management System\3\Agent\AdapterStorage\

    or

    C:\documents and settings\all users\application data\Sophos\Remote Management System\3\Agent\AdapterStorage\

    depending on OS; then restart the Sophos Agent service.

    This will cause the client to essentially report to the server it has no policies for any managed components. The server should then send them down.

    Regards,

    jak

  • Thank you jak! That did it. Deleting the folders under C:\ProgramData\Sophos\Remote Management System\3\Agent\AdapterStorage\ and restarting the Sophos Agent service worked!

    The system now says "Same as policy" in the SEC.

    Thanks again for all of your help and for also showing me around the insides of Sophos!

    -Colleen
