
Additional SUM as message relay and 10.3.13

Anyone else having an issue with RMS on the additional SUM? Our Endpoint subscription was upgraded to 10.3.13 on the evening of April 16th. Today I noticed that the additional SUM hadn't reported since around noon on 17th. Closer inspection showed that the server hadn't sent a message since then and that it hadn't relayed any endpoint messages.

Found that the relay somehow had reverted to an endpoint while at the same time it listed itself as its parent in the registry (ParentAddress). No obvious error in the few logs from around the time of the upgrade, nothing from the time communication apparently stopped, and no indication what and when it had actually messed up the information.    

I've submitted the logs to Support. Anyway I've tried the obvious and set the registry values to those appropriate for a message relay. RMS on the SUM/relay was able to connect, messages started flowing and the backlog has been cleared.

Christian

:56754


  • Good morning,

    Apologies for jumping in, but I'm having the same problem.

    I have a new install, SEC 5.3, and I'm trying to set additional SUMs as message relays. Everything seems to work as expected, ConfigCID.exe gives the expected output, but once the SUM is protected the reg keys are not set as expected and it is functioning as a message router not a relay.

    Regards, Neil.

    :56808
  • Hello Neil,

    likely not the very same issue - my install started with 5.1. So you installed the SUM (with the correct mrinit.conf) and after protection (with 10.3.13?) it un-relayed itself? Please run SDU to collect the logs and submit them to Support (you might want to refer to my case #5088047).

    Is RMS shown in Programs and Features? Anyway, stop the router, correct the keys - this should do it (if you're unsure PM me).

    Christian

    :56809
  • Hi Christian,

    Thanks for the reply.

    I've already opened a ticket, #5094104, and sent the SDU output.

    I've tried this on three separate servers, all without success. If I manually change the reg keys and then protect clients, using this server as the install source, then the clients pick up the correct settings and use this server as a relay. However, on none of the relays is RMS listed in Programs and features. Also running EICAR on a client raises a local alert, but nothing is reported in the console.

    Regards,

    Neil.

    :56810
  • Hello Neil,

    are the SUMs shown as connected in the endpoints view? While the Network Report link has been removed the file is still written to %ProgramData%\Sophos\Remote Management System\3\Router\NetworkReport. What's their RMS router type there? Are the Router logs being written?

    Christian

    :56811
  • Hi Christian,

    The message relay computers do show as connected, but they aren't mentioned in the Network Report on the console;

    <?xml version='1.0' encoding='UTF-16' ?>
    <?xml-stylesheet type='text/xsl' href='transform.xslt' ?>
    <RMS_status_report>
    <string msg='explanation' />
    <sections>
    <section name='DNS'>
    <string msg='OK' />
    </section>

    <!-- And another -->
    <section name='Certification'>
    <string msg='OK' />
    </section>

    <!-- And another -->
    <section name='Incoming'>
    <string msg='OK' />
    </section>

    <!-- And another -->
    <section name='Outgoing'>
    <string msg='OK' />
    </section>

    <!-- And another -->
    </sections>
    <computer_data>
    <language>
    en_GB
    </language>
    <local_time>
    21 April 2015 15:18:45
    </local_time>
    <GMT>
    21 April 2015 14:18:45
    </GMT>
    <computer_name>
    MH126-HQ-EP
    </computer_name>
    <domain>
    ELCMHT
    </domain>
    <router_name>
    Router$MH126-HQ-EP
    </router_name>
    <IOR_port>8192</IOR_port>
    <SSLIOP_port>8194</SSLIOP_port>
    <parent_addresses>
    <string msg='not_available' />
    </parent_addresses>
    <actual_parent>
    <string msg='not_available' />
    </actual_parent>
    <router_type>
    server
    </router_type>
    </computer_data>
    </RMS_status_report>

    On each relay router logs are being created.

    Regards.

    :56812
  • Hello Neil,

    sorry, I haven't been clear - the Network Report is only about the local machine so you'd have to look into those on the SUMs.

    Christian

    :56813
  • Hi Christian,

    On further investigation RMS is not being installed when I protect the servers being used as SUMs. I can manually install via the CID, but clicking update now does not initiate an install. The mrinit.conf file contains the correct parentrouteraddress, but the registry keys do not reflect the correct parentrouteraddress, rather they still show the SEC server details. If I manually alter the keys and then protect endpoints using the additional SUM the clients do point to the additional SUM as the message relay.

    Below is the report data from one of the servers being used as a message relay which has had RMS manually installed;

    <?xml version='1.0' encoding='UTF-16' ?>
    <?xml-stylesheet type='text/xsl' href='transform.xslt' ?>
    <RMS_status_report>
    <string msg='explanation' />
    <sections>
    <section name='DNS'>
    <string msg='OK' />
    </section>

    <!-- And another -->
    <section name='Certification'>
    <string msg='OK' />
    </section>

    <!-- And another -->
    <section name='Incoming'>
    <string msg='OK' />
    </section>

    <!-- And another -->
    <section name='Outgoing'>
    <string msg='OK' />
    </section>

    <!-- And another -->
    </sections>
    <computer_data>
    <language>
    en_GB
    </language>
    <local_time>
    22 April 2015 15:27:04
    </local_time>
    <GMT>
    22 April 2015 14:27:04
    </GMT>
    <computer_name>
    MHDC38
    </computer_name>
    <domain>
    ELCMHT
    </domain>
    <router_name>
    Router$MHDC38:61
    </router_name>
    <IOR_port>8192</IOR_port>
    <SSLIOP_port>8194</SSLIOP_port>
    <parent_addresses>
    10.182.3.126,MH126-HQ-EP.xelcmht.nhs.uk,MH126-HQ-EP
    </parent_addresses>
    <actual_parent>
    10.182.3.126
    </actual_parent>
    <router_type>
    endpoint
    </router_type>
    </computer_data>
    </RMS_status_report>

    I'm still waiting on a response from support.

    One thing you should be aware of is the additional SUMs are all hosted on DCs. Not ideal, but the only servers on remote sites are all DCs.

    Regards,

    Neil.

    :56821
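The check discussed in the posts above (read the Network Report on the SUM itself and look at its router type and parents) can be scripted. This is an added example, not part of the original thread and not Sophos code: the host names and addresses in the sample are constructed, `check_report` and `field` are hypothetical helper names, and it assumes a self-referencing ParentAddress also shows up in the report's `parent_addresses`.

```python
import xml.etree.ElementTree as ET

# Constructed sample modelled on the reports posted in this thread.
SAMPLE = """<?xml version='1.0' encoding='UTF-16' ?>
<RMS_status_report>
<computer_data>
<computer_name>
RELAY01
</computer_name>
<parent_addresses>
10.0.0.5,RELAY01.example.test,RELAY01
</parent_addresses>
<actual_parent>
<string msg='not_available' />
</actual_parent>
<router_type>
endpoint
</router_type>
</computer_data>
</RMS_status_report>
""".encode("utf-16")


def field(data, tag):
    """Text of <tag>, or None when it is missing or holds a <string msg=.../> placeholder."""
    node = data.find(tag)
    if node is None or node.find("string") is not None:
        return None
    return (node.text or "").strip() or None


def check_report(raw, expect_relay=True):
    """Parse the bytes of a Network Report and return a list of findings."""
    data = ET.fromstring(raw).find("computer_data")
    name = (field(data, "computer_name") or "").lower()
    rtype = field(data, "router_type")
    parents = [p.strip().lower()
               for p in (field(data, "parent_addresses") or "").split(",") if p.strip()]
    findings = []
    if expect_relay and rtype == "endpoint":
        findings.append("router_type is 'endpoint' on a host expected to relay")
    if name and any(p == name or p.startswith(name + ".") for p in parents):
        findings.append("host lists itself as a parent")
    # The management server itself legitimately has no parent (router_type 'server').
    if rtype != "server" and field(data, "actual_parent") is None:
        findings.append("no actual parent connection")
    return findings
```
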
  • Hi Christian,

    After having a bit of a nose around the forum I found a thread covering the issue I was having, SUM and message relay on the same server. This pointed me to the knowledgebase article;

    https://www.sophos.com/en-us/support/knowledgebase/111484.aspx

    I followed the instructions found there and all is now working.

    Thanks for your help on this.

    Regards,

    Neil.

    :56836
  • Hi Sandy,

    what Support say

    well, the technician and I agreed that the available logs looked normal. No logs from around the communication loss, no indication when the registry keys were "reset" to endpoint. As I had it "re-promoted" we decided not to pursue it.

    While I was about to write this reply I did a check on the facts and found a ClientMRInit log in \Windows\SysWOW64 (sic!) from the time of the RMS 3.4 uninstall and this doesn't look correct (and I think the ClientMRInit should have refused to execute anyway). I've followed up on the case with this information ... we'll see.

    Christian 

    :56837