This certificate is then polled for by the client. Errors listed are marked with an E, like the following:
05.03.2013 11:52:53 00B4 E Failed to get parent router IOR
05.03.2013 11:52:53 00B4 E Failed to get certificate, retrying in 600 seconds
If this works then take a look at the client's Router logs ([...All Users\Application Data|ProgramData]\Sophos\Remote Management System\3\Router\Logs). In an ideal world the corresponding router log from the server also so we can see the client talking or not talking as it might be to the server?
It pays to make application specific backups in addition and use a mechanism independent of the server backup. Regards, Jak Note: you will also need the client to be able to connect to 8194 of the server, telnetting to port 8194 should also connect but it will not display I've found a few articles on setting up DMZ message relays however that isn't our setup and would be difficult to implement.
So for a parent router, with 5 IP addresses, it will be a longer string. Telnetting to 8194 will not display anything but will connect. The parameter is incorrect. Looking up the error it suggests the 'Environment is incorrect' but I've no idea what that means. As for the RMS connectivity, I have run the installer from each PC but they
I guess a firewall rule yesterday may have fixed the issue but I didn't give enough time for group policy to roll out. I've not done anything different on this PC specifically Is it possible to check the state of the ports from the server side rather than the client side? Still in Regedit, navigate to: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Sophos\Messaging System\Router\Private and delete the pkc and pkp values. 5. If the address is correct then check if there's actually someone listening (using telnet 10.x.x.x 8194 should result in a successful connection).
Ideally the server can connect to TCP port 8194 on the client? On the client start the Sophos Message Router Service. Within a couple of seconds you should see the pkc and pkp value return under: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Sophos\Messaging System\Router\Private This is evidence the router has obtained its page
I support several setups with Sophos however this is the first with Server Essentials 2012 and I've found the firewall configuration to be pretty awful so far (ie not allowing ping Thus you'd have to configure your relay to return a FQDN instead of the address. Hope I got it right Christian:32045 SoSo_sophos 0 22 Sep 2012 2:27 AM Thanks! Stop the Sophos Management Agent service 3.
Also as a check, on the server, the registry keys values for: HKLM\software\[wow6432node]\sophos\Certification Manager\CerAuthStore\DelegatedManagerKey HKLM\software\[wow6432node]\sophos\Certification Manager\CerAuthStore\ManagedAppKey HKLM\software\[wow6432node]\sophos\Certification Manager\CerAuthStore\RouterKey should match the strings in the mrinit.conf that you selected. https://community.sophos.com/products/endpoint-security-control/f/sophos-endpoint-software/5931/main-location-endpoints-not-reporting-cannot-verify-peer-s-ssl-certificate-unknown-ca SEC missing computer details and unable to apply policies We recently had a hard drive failure on our Windows 2003 Sophos Enterprise In case of SEC it's some (static) registry settings (see the Enterprise console migration guide chapter 6.1.3 for details) and the database. If that happens to have the same certificates it could start to use that, sounds a bit like a message relay has been born anyway I digress a bit.
So this token request is passed from client router to parent router, and is serviced by the Certification Manager on the management server. I hope this helps explain a little as to what is going on under the hood. Possible cause :"Sophos Message Router" service may be stopped on the server, or the server may be disconnected from the network, or a firewall may be blocking communications from the client
Note that the Win7 firewall has both IN and OUT rules and can't be controlled with a GPO set on the server. So the above stages occur each time the client router starts up as a way of establishing a connection to 8194 of the parent router. Regards, Jak :20381 TechSupp 0 4 Jan 2012 2:28 AM Thanks you're a star! The name avmr.company.co.nz suggests this is the relay.
You need to ensure that port 8192 TCP and 8194 TCP incoming are open on the server. 3. Assuming only the "main" endpoints don't connect (but the others do) I'd empty the CID and let the main SUM recreate it (you could copy mrinit.conf and cac.pem to a safe
What's the next step in resolving this please? Thanks :45351 QC 0 22 Nov 2013 4:44 PM Hello Dan, it does know its server.
Also check networking and services on the server. The router log is as below: 03.01.2012 16:15:33 0878 W Parent address unknown: The requested name is valid and was found in the database, but The computer may need additional configuration before installation" Within a few seconds it does install properly and once I opened it the status changes to "Awaiting policy from console" before showing The client, by using the registry keys: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Sophos\Messaging System\Router ParentAddress ParentPort Is able to find the IOR port of the parent router. 2. As a bit of further information, with regards to the certification process which happens when the client is still being set-up for the first time (until the client has its certificates).
How can I check that it can connect to the required ports or that they are even open on the server (server 2008 r2) and if they are blocked for listening I believe I can trace the behaviour from the info you have given me now. Regards, Jak :20351 TechSupp 0 3 Jan 2012 11:08 PM Sorry, yes I anonymised those lines. On the affected endpoint navigate to the taskbar, click Start|Run.
That's somewhat strange. The error in the oldest was apparently transient. I assume you've edited the client log to anonymize the address the client is using to connect as: ServerIP SERVERHOST.IPDOMAIN SERVERHOSTNAME don't look quite right. I re-ran the installer and it's now appearing in the console.
The computer record must still exist in SEC for the machine, are you saying that the details for the record are those of the old XP machine and haven't been updated If you can't get a connection using the IP then the request is blocked somewhere on the way. Switched over to the old SEC server and ran the script.
The clients can install and update properly but the reporting does not work. Check the RMS logs for errors, review the Router.log and Agent.log on the endpoint. The four Getting parent router IOR ... HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Sophos\Messaging System\Router \ParentAddress RouterNT.exe on the client can connect to TCP port 8192 and 8914 on the server?
I've tried amending the mrinit.conf to use the 10. Christian DerekWeichenthal 0 20 Apr 2016 4:41 PM In reply to QC: I had gone through the Migration Guide and I just looked again and there is no step during this is something I will work with now:32467 SoSo_sophos 0 22 Sep 2012 5:34 AM Thanks QC - legend!:32511 That being said, I would expect in your case the IOR of the parent router has a non routable address in it.
Note: ensure that the Certification Manager service on the server is started. The client should have the following 4 registry keys:
Router:
HKEY_LOCAL_MACHINE\SOFTWARE\[Wow6432Node]\Sophos\Messaging System\Router\Private \pkc
HKEY_LOCAL_MACHINE\SOFTWARE\[Wow6432Node]\Sophos\Messaging System\Router\Private \pkp
Agent:
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Sophos\Remote Management System\ManagementAgent\Private \pkc
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Sophos\Remote Management