Thread Info
  • State Not Answered
  • Locked Locked
  • Replies 1 reply
  • Subscribers 1 subscriber
  • Views 1796 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Managed computers + AD sync help

GizmonJack

We have been having big issues with making sure all our computers are being managed by Sophos. Here is the problem, we currently have 393 computers that are managed by 2 SEC consoles in two different cities. Using a bit of excel vlookup of the Active Directory export vs the 'Sophos Managed Computers' list of both consoles.

It's showing as 91 that are unmanaged. These computers definitely have Sophos Endpoint Security and Control installed. We don't use Active Directory sync as we cannot seem to choose a our own country out of the domain tree. For example tree:

"Domain":
"Delegated"

GB
FR
DE

In the domain tree there are 30 other countries OUs in the delegated folder of the overall domain. When I tried to get AD to sync with Sophos it tried to basically pull in every single computer from each delegated OU!

Are you able to select the OU you want it to sync with? For example I want the Oxford SEC to sync with the GB, Delegated, Oxford OU and the Northampton SEC to sync with the GB, Delegated, Northampton OU; but obviously not every other country.

This has been an on-going problem ever since I started and the IT support team have been unable to resolve it even though I have flagged this as a major concern. Some of the managed computers are showing as disconnected even though I can ping them from the Sophos server. I really want to sort out this mess I have inherited and make sure all my computers are managed, with the correct policies applied.

In addition to this we keep getting errors about the following primary update path not being able to download updates:

Primary path = http://<AV Server IP>/sophos/CIDs/S000/SAVSCFXP/
Secondary path = \\<AV Server name>\SophosUpdate\CIDs\S000\SAVSCFXP\

Kind regards.

:20203


This thread was automatically locked due to age.
Parents
  • 0

    Hi,

    You should be able to sync a single SEC group with a single OU.  It will however, always sync any childs of the OU, there is no way to prevent that.  

    AD sync is really 2 stages,

    1. Setting up the configuration that get stores in the database table dbo.SyncPointData.  

    You use Enterprise Console to run the AD Sync wizard on a particular SEC group and in effect construct the LDAP string to associate with it. Any interaction with AD at this point is all done in the context of the user using SEC.  These LDAP queries are then stored in the table mentioned above, along with a SEC group ID and other flags to denote sync interval and configuration regarding auto deploy.

    2. The sync with AD takes place at start-up of the Sophos Management Service and then at the interval chosen for the sync point.

    As the Sophos Management Service performs the sync and this is running as local system, the machine account is used, so this will need access to the DC queried.

    That's pretty much all there is to AD Sync.

    As for the problem where endpoint machines can be pinged, are known to have SAV installed yet show as disconnected in SEC; you have to turn to Remote Management System (RMS) logs and configuration to understand what's happening there.  In short, RMS on the client is responsible for sending to SEC information about the computer.  The Sophos Message Router (RouterNT.exe) on the client communicates with the same service (RouterNT.exe) on the server (assuming you're not using message relays).  The client always initiates the communication with the server.  So the first thing to check with one of these clients is that the client is pointing at the right address, i.e. the SEC server and can resolve it.  

    Check 1:

    Ensure that all the Sophos services are started on the server and client.

    Check 2:

    On the client, open up:

    HKEY_LOCAL_MACHINE\SOFTWARE\[Wow6432Node]\Sophos\Messaging System\Router \ParentAddress
    Is the parent address correct?

    Check 3:
    Stopping and starting the Router service should toggle the 'connected' state of the machine in SEC.  Does it?

    Check 4:

    Maybe worth checking the client communication report:. E.g.
    "C:\ProgramData\Sophos\Remote Management System\3\Router\NetworkReport\ReportData.xml"

    That might offer some help.

    There are many more possible checks but that should start you off.

    Updating errors do occur, are typically transient and should auto-clear providing there is not some hard error due to configuration issues.  

    For example a machine goes away from the network, attempts to update, fails, the messaging system, stores a failure message on the client.  Later, the client returns to the network, RMS communication is restored and it sends in the message, you get an error displayed in SEC, shortly after AutoUpdate updates ok, sends in a 'ok' message and the failure is cleared.  

    Maybe the first check of AutoUpdate happens before the machine has network access, generates a failure message and then has to wait until the next update interval to clear, meanwhile the machine has connected and sent in the failure message.  So the shorter the clients update interval the quicker it will clear a transient failure.  

    You really need to work out the reason for the failures to know if there is anything you can do.  For example, if the second scenario is likely then for these machines you could add the registry key:

    [HKEY_LOCAL_MACHINE\SOFTWARE\[WOW6432NODE]\Sophos\AutoUpdate]

    "StartupDelay"=dword:0000000a  


    Where in this case, the Alupdate update process would kick off 10 seconds after the service starts.  You could adjust this key to a suitable amount of time it takes for the clients to establish network connectivity.  This delay should cut down on the reported error before the success.

    Regards,

    Jak

    :20217
Reply
  • 0

    Hi,

    You should be able to sync a single SEC group with a single OU.  It will however, always sync any childs of the OU, there is no way to prevent that.  

    AD sync is really 2 stages,

    1. Setting up the configuration that get stores in the database table dbo.SyncPointData.  

    You use Enterprise Console to run the AD Sync wizard on a particular SEC group and in effect construct the LDAP string to associate with it. Any interaction with AD at this point is all done in the context of the user using SEC.  These LDAP queries are then stored in the table mentioned above, along with a SEC group ID and other flags to denote sync interval and configuration regarding auto deploy.

    2. The sync with AD takes place at start-up of the Sophos Management Service and then at the interval chosen for the sync point.

    As the Sophos Management Service performs the sync and this is running as local system, the machine account is used, so this will need access to the DC queried.

    That's pretty much all there is to AD Sync.

    As for the problem where endpoint machines can be pinged, are known to have SAV installed yet show as disconnected in SEC; you have to turn to Remote Management System (RMS) logs and configuration to understand what's happening there.  In short, RMS on the client is responsible for sending to SEC information about the computer.  The Sophos Message Router (RouterNT.exe) on the client communicates with the same service (RouterNT.exe) on the server (assuming you're not using message relays).  The client always initiates the communication with the server.  So the first thing to check with one of these clients is that the client is pointing at the right address, i.e. the SEC server and can resolve it.  

    Check 1:

    Ensure that all the Sophos services are started on the server and client.

    Check 2:

    On the client, open up:

    HKEY_LOCAL_MACHINE\SOFTWARE\[Wow6432Node]\Sophos\Messaging System\Router \ParentAddress
    Is the parent address correct?

    Check 3:
    Stopping and starting the Router service should toggle the 'connected' state of the machine in SEC.  Does it?

    Check 4:

    Maybe worth checking the client communication report:. E.g.
    "C:\ProgramData\Sophos\Remote Management System\3\Router\NetworkReport\ReportData.xml"

    That might offer some help.

    There are many more possible checks but that should start you off.

    Updating errors do occur, are typically transient and should auto-clear providing there is not some hard error due to configuration issues.  

    For example a machine goes away from the network, attempts to update, fails, the messaging system, stores a failure message on the client.  Later, the client returns to the network, RMS communication is restored and it sends in the message, you get an error displayed in SEC, shortly after AutoUpdate updates ok, sends in a 'ok' message and the failure is cleared.  

    Maybe the first check of AutoUpdate happens before the machine has network access, generates a failure message and then has to wait until the next update interval to clear, meanwhile the machine has connected and sent in the failure message.  So the shorter the clients update interval the quicker it will clear a transient failure.  

    You really need to work out the reason for the failures to know if there is anything you can do.  For example, if the second scenario is likely then for these machines you could add the registry key:

    [HKEY_LOCAL_MACHINE\SOFTWARE\[WOW6432NODE]\Sophos\AutoUpdate]

    "StartupDelay"=dword:0000000a  


    Where in this case, the Alupdate update process would kick off 10 seconds after the service starts.  You could adjust this key to a suitable amount of time it takes for the clients to establish network connectivity.  This delay should cut down on the reported error before the success.

    Regards,

    Jak

    :20217
Children
No Data