22 November 2010

Configure Sophos message relay for improved scalability on Windows Server 2008 R2

One of the recommendations from Sophos is that message relays should be used when one console manages more than 10 000 devices.  In my experience this is an optimistic number.  In reality you start running into server response issues from about 5000 devices and up.

Client machines update the Sophos management server by sending status messages all the time.  These messages, or envelopes as they are called, are handled by the Remote Management Service (RMS).  Normally these messages are sent directly from the client to the management server.  When using a relay, the messages are sent to the relay, combined and then forwarded on to the management server.  It is possible to nest relays up to 6 levels, but unless you have a network with a similar relay layout I would avoid nested relays altogether; I would rather use a flat structure with multiple relays at "the same 1 hop level".

Configuring a message relay involves a few steps.  (The steps and paths are based on Windows 2008 R2; since this is an x64 OS the paths might differ slightly if you are using an x86 OS.)

Step 1 Identify an existing or create a new CID and configure it.
This is the same as setting up and configuring any normal CID.

Step 2 Edit the mrinit.conf file
The mrinit.conf file is used by the RMS to route messages.  By editing the file you can configure clients to point to a new server, which then becomes a relay by virtue of handling messages other than its own.

On the machine that will be hosting the CID

  • Browse to C:\ProgramData\Sophos\Update Manager\Update Manager\CIDs\S000\SAVSCFXP
  • Find the mrinit.conf file 
  • Open the file for editing in notepad.

[Config] 

"NotifyRouterUpdate"="EM"
"ClientIIOPPort"=dword:00002001
"ClientSSLPort"=dword:00002002
"ClientIORPort"=dword:00002000
"IORSenderPort"=dword:00002000
"DelegatedManagerCertIdentityKey"="mUp+mEjFkUGEbP7xvEW2jfr4Hw8="
"ManagedAppCertIdentityKey"="ENBISBzWJwUjPqc5ZwoLZbLEx+M="
"RouterCertIdentityKey"="26kKHV8C8JacysnOmEsxVTbLxfY="
"ServiceArgs"=""
"MRParentAddress"="10.36.145.61,SOPHOS04.thecompany.co.za,SOPHOS04"
"ParentRouterAddress"="10.36.145.61,SOPHOS04.thecompany.co.za,SOPHOS04"


  • Now edit the variable string for ParentRouterAddress.
  • The message relay must be Windows Server 2000, 2003 or 2008.
  • Specify the IP, FQDN and hostname of the machine that will be the message relay (it does not have to be the CID machine).
  • Create a new text file, copy the content of the edited file into it and save it as mrinit.conf.
  • Save the changes.
  • Copy the file to the RMS folder.


NOTE: the file is quite sensitive to formatting:

  • Do not edit the MRParentAddress; this should be pointing to your management server.
  • There needs to be an empty line at the bottom of the file (do not delete the final carriage return while editing).
  • The created-on date MUST be different from that of the original mrinit.conf file.  You can't copy the file, edit it and paste it into the RMS folder.


Step 3 Register the changes using ConfigCID.exe
On the machine that will be hosting the CID

  • Open a command prompt and browse to the following folder: C:\Program Files (x86)\Sophos\Update Manager
  • Use the following command line: configCID.exe "C:\programdata\Sophos\Update Manager\Update Manager\CIDs\S000\SAVSCFXP"
  • Check for the following lines in the result:
      - Adding entry for \rms\mrinit.conf
      - Adding entry for \mrinit.conf
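Steps 2 and 3 above can be scripted on the CID host so that the formatting rules (only ParentRouterAddress changes, the file keeps its final carriage return, the new file gets a fresh created-on date) are enforced rather than eyeballed. The PowerShell below is an added example, not code from the post or from Sophos. It uses the post's x64 paths; the relay triple is a constructed placeholder, and it assumes that "the RMS folder" is <CID>\rms, the location ConfigCID.exe reports as "\rms\mrinit.conf".

```powershell
# Added example (not from the original post): rewrite ParentRouterAddress in a
# fresh copy of mrinit.conf, place it in the CID's rms folder, run ConfigCID.exe
# and confirm the two "Adding entry" lines the post says to look for.

$Cid       = 'C:\ProgramData\Sophos\Update Manager\Update Manager\CIDs\S000\SAVSCFXP'
$ConfigCid = 'C:\Program Files (x86)\Sophos\Update Manager\ConfigCID.exe'
$Relay     = '10.0.0.10,relay01.example.local,RELAY01'   # placeholder: IP,FQDN,hostname of the relay

function New-RelayMrinit {
    param(
        [string]$SourceConf,    # the CID's original mrinit.conf
        [string]$DestConf,      # where the edited copy goes (assumed: <CID>\rms\mrinit.conf)
        [string]$RelayAddress   # "IP,FQDN,hostname" of the message relay
    )
    # Read the whole file as one string so the original CRLF line endings survive
    # (ReadAllText also works on PowerShell 2.0, which has no Get-Content -Raw).
    $text = [System.IO.File]::ReadAllText($SourceConf)

    # Change only ParentRouterAddress. MRParentAddress is deliberately left alone:
    # it must keep pointing at the management server.
    $pattern = '(?m)^"ParentRouterAddress"="[^"\r\n]*"'
    $hits = [regex]::Matches($text, $pattern)
    if ($hits.Count -ne 1) {
        throw "Expected exactly one ParentRouterAddress line in $SourceConf, found $($hits.Count)"
    }
    $text = [regex]::Replace($text, $pattern, ('"ParentRouterAddress"="{0}"' -f $RelayAddress))

    # The post warns that the file must keep its final carriage return / empty
    # last line, so make sure the text ends with CRLF.
    if (-not $text.EndsWith("`r`n")) { $text += "`r`n" }

    # Writing a brand-new file (rather than copy/pasting the original) gives it
    # a fresh created-on date, which the post says must differ from the original.
    [System.IO.File]::WriteAllText($DestConf, $text, [System.Text.Encoding]::ASCII)
    # NTFS tunnelling can hand a file re-created under the same name within about
    # 15 seconds the old creation time, so set the creation time explicitly.
    (Get-Item $DestConf).CreationTime = Get-Date

    # Sanity checks before ConfigCID.exe is run
    $written = [System.IO.File]::ReadAllText($DestConf)
    if ($written -notmatch [regex]::Escape($RelayAddress)) { throw 'ParentRouterAddress was not written' }
    if ($written -notmatch '(?m)^"MRParentAddress"=')       { throw 'MRParentAddress line went missing' }
    return $DestConf
}

function Register-CidChanges {
    param([string]$ConfigCidExe, [string]$CidPath)
    # Capture ConfigCID.exe output so the two lines from Step 3 can be checked automatically
    $output   = & $ConfigCidExe $CidPath 2>&1 | Out-String
    $expected = @('Adding entry for \rms\mrinit.conf', 'Adding entry for \mrinit.conf')
    $missing  = $expected | Where-Object { $output -notmatch [regex]::Escape($_) }
    if ($missing) {
        throw ('ConfigCID.exe did not report: ' + ($missing -join '; '))
    }
    Write-Output 'ConfigCID.exe registered the new mrinit.conf in both locations'
}

$src = Join-Path $Cid 'mrinit.conf'
$dst = Join-Path (Join-Path $Cid 'rms') 'mrinit.conf'
New-RelayMrinit -SourceConf $src -DestConf $dst -RelayAddress $Relay
Register-CidChanges -ConfigCidExe $ConfigCid -CidPath $Cid
```

The script stops with an error instead of silently producing a file ConfigCID.exe would register but the RMS would reject: no (or more than one) ParentRouterAddress line, a missing MRParentAddress line, or ConfigCID.exe output without the two expected entries.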

One more really important step

  • Reinstall the message relay machine from the updated CID.

If you check the communication report on the message relay machine you should see that the RMS router type has changed from Endpoint to message relay



See Update 2 below

Step 4 Configure machines to use the message router
Use an updating policy to point your client machines to the CID.  Any machine updating from the updated CID will now reinstall the RMS component and start using the message relay.  Since the RMS component is reinstalled and not simply updated, this needs to be considered if you are changing really resource-constrained machines.

Step 5 Check the client
You can check the client machine in two ways:
  • Click on Start -> All Programs -> Sophos -> View Sophos Network Communications Report
  • There should be no errors listed and the Parent Address should be the message relay's details.
Check the registry:
  • HKLM\Software\WOW6432Node\Sophos\Messaging System\Router\Parent Address
If you check the Sophos Management console the machine should still be updating and communicating.
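During the Step 4 rollout you want to know which clients have already re-updated from the CID and which still talk to the management server directly, without walking to each machine. The following PowerShell is an added example, not part of the post: it reads the Step 5 registry value over Remote Registry for a list of clients and classifies each one. The client names and the relay triple are constructed placeholders. It assumes that Parent Address holds the same "IP,FQDN,hostname" triple that ParentRouterAddress uses in mrinit.conf, and it checks the non-WOW6432Node key as well, for the x86 clients the post mentions.

```powershell
# Added example (not from the original post): report which clients now have the
# message relay as their RMS Parent Address. Requires the Remote Registry
# service on the clients and rights to read HKLM remotely.

$Clients = @('PC001', 'PC002', 'PC003')              # placeholder client names
$Relay   = '10.0.0.10,relay01.example.local,RELAY01' # placeholder relay triple

function Get-SophosParentAddress {
    param([string]$Computer)
    # x64 clients keep the key under WOW6432Node (the post's path); x86 clients do not.
    $subKeys = @('SOFTWARE\WOW6432Node\Sophos\Messaging System\Router',
                 'SOFTWARE\Sophos\Messaging System\Router')
    $hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $Computer)
    try {
        foreach ($subKey in $subKeys) {
            $key = $hklm.OpenSubKey($subKey)
            if ($key -ne $null) {
                $value = $key.GetValue('Parent Address')
                $key.Close()
                if ($value -ne $null) { return [string]$value }
            }
        }
        return $null   # key or value absent: RMS not installed, or a broken install
    }
    finally { $hklm.Close() }
}

function Test-UsesRelay {
    param([string]$ParentAddress, [string]$RelayTriple)
    if (-not $ParentAddress) { return $false }
    # Accept a match on the IP, the FQDN or the short hostname, case-insensitively
    foreach ($part in $RelayTriple.Split(',')) {
        if ($ParentAddress.ToLower().Contains($part.ToLower())) { return $true }
    }
    return $false
}

function Get-RelayRolloutStatus {
    param([string[]]$Computers, [string]$RelayTriple)
    foreach ($c in $Computers) {
        $status = New-Object PSObject
        $status | Add-Member NoteProperty Computer $c
        try {
            $parent = Get-SophosParentAddress -Computer $c
            $status | Add-Member NoteProperty ParentAddress $parent
            if ($parent -eq $null) {
                $status | Add-Member NoteProperty State 'NoParentAddress'   # nothing to check yet
            } elseif (Test-UsesRelay -ParentAddress $parent -RelayTriple $RelayTriple) {
                $status | Add-Member NoteProperty State 'UsingRelay'
            } else {
                $status | Add-Member NoteProperty State 'StillDirect'       # has not re-updated from the CID
            }
        }
        catch {
            # Remote Registry stopped, firewall in the way, or machine offline
            $status | Add-Member NoteProperty ParentAddress $null
            $status | Add-Member NoteProperty State ('Unreachable: ' + $_.Exception.Message)
        }
        $status
    }
}

Get-RelayRolloutStatus -Computers $Clients -RelayTriple $Relay | Format-Table -AutoSize
```

A machine reported as StillDirect after it has had time to update is the one to look at in the network communications report; NoParentAddress is the situation one of the commenters below asks about, and means the RMS component is not (correctly) installed on that client.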

Step 6 Check the message relay
When a machine acts as a relay it has to collect messages and send them on, and of course back again.  For this to work the message relay needs to build up a "Routing Table".

On the Message relay machine
  • Browse to C:\programdata\Sophos\Remote Management System\3\Router
  • If you open the table_router.txt file you should see the route to all the message relay "clients":
Agent.0..
Router$NLBTEST01:18005.1..
Router$NLBTEST02:18005.1..
Router$NLBTEST03:18005.1..

  • Open the Envelopes folder.
  • If you watch this folder carefully you should see files come in and disappear right away.
  • If you have a large number of connecting machines, files can build up for a few seconds before being sent off.
This envelope queue should be monitored and checked if machines are not communicating with the management console.  It is sometimes necessary to stop the message router service, delete the table_router.txt file and restart the service to fix a corrupted routing table.  It normally takes about 5 minutes before the queue starts decreasing.
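Watching the Envelopes folder by hand only tells you what is happening at that second. The PowerShell below is an added example, not from the post: it parses table_router.txt into the list of routed clients, samples the envelope count several times to tell a healthy burst from a queue that only ever grows, and wraps the post's repair sequence (stop the router service, delete table_router.txt, start it again) in a function that is never run automatically. Paths are the post's; the service display name 'Sophos Message Router' is an assumption, so check it against services.msc before relying on it.

```powershell
# Added example (not from the original post): relay-side health check for Step 6.

$RouterDir = 'C:\ProgramData\Sophos\Remote Management System\3\Router'

function Get-RoutingTableEntries {
    param([string]$TableText)
    # Entries look like "Router$NLBTEST01:18005.1.." in the post. The numeric
    # suffix is not explained there, so it is kept as-is rather than interpreted.
    foreach ($line in ($TableText -split "`r?`n")) {
        if ($line -match '^Router\$([^:]+):(\d+)\.(\S*)$') {
            $entry = New-Object PSObject
            $entry | Add-Member NoteProperty Client $matches[1]
            $entry | Add-Member NoteProperty Port   ([int]$matches[2])
            $entry | Add-Member NoteProperty Suffix $matches[3]
            $entry
        }
    }
}

function Get-EnvelopeQueueTrend {
    param([string]$EnvelopeDir, [int]$Samples = 6, [int]$IntervalSeconds = 10)
    # Count files a few times. Files arriving and disappearing is healthy; a
    # count that only ever grows means envelopes are not being forwarded.
    $counts = @()
    for ($i = 0; $i -lt $Samples; $i++) {
        $counts += @(Get-ChildItem -Path $EnvelopeDir -Force | Where-Object { -not $_.PSIsContainer }).Count
        if ($i -lt $Samples - 1) { Start-Sleep -Seconds $IntervalSeconds }
    }
    $growing = $true
    for ($i = 1; $i -lt $counts.Count; $i++) {
        if ($counts[$i] -le $counts[$i - 1]) { $growing = $false }
    }
    $result = New-Object PSObject
    $result | Add-Member NoteProperty Counts ($counts -join ',')
    $result | Add-Member NoteProperty Stuck  ($growing -and $counts[-1] -gt 0)
    $result
}

function Repair-RoutingTable {
    param([string]$RouterPath, [string]$ServiceDisplayName = 'Sophos Message Router')   # display name assumed
    # The post's fix for a corrupted routing table. Expect roughly 5 minutes
    # before the envelope queue starts to drain afterwards.
    $svc = Get-Service -DisplayName $ServiceDisplayName
    Stop-Service -InputObject $svc -Force
    $svc.WaitForStatus('Stopped', [TimeSpan]::FromMinutes(2))
    Remove-Item -Path (Join-Path $RouterPath 'table_router.txt') -Force
    Start-Service -InputObject $svc
    $svc.WaitForStatus('Running', [TimeSpan]::FromMinutes(2))
}

$table = [System.IO.File]::ReadAllText((Join-Path $RouterDir 'table_router.txt'))
Get-RoutingTableEntries -TableText $table | Format-Table -AutoSize
$trend = Get-EnvelopeQueueTrend -EnvelopeDir (Join-Path $RouterDir 'Envelopes')
$trend
if ($trend.Stuck) { Write-Warning 'Envelope queue is growing; consider running Repair-RoutingTable' }
```

Stuck is only set when the count rose on every sample and is still above zero at the end, so a short burst from a large number of clients connecting at once (which the post says is normal) is not flagged; lengthen the sampling window if your relay serves thousands of clients.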

Conclusion
In small deployments the management server is often used "for everything."  As the deployment grows in size you should use CIDs that are not hosted on the management server; the same goes for using message relays.
By using relays you can greatly increase the number of machines being managed from a single management server.


UPDATE

Check out http://fixmyitsystem.blogspot.com/2010/12/troubleshooting-sophos-message-relay.html if you have issues... and you probably will

UPDATE 2

We recently deployed another message relay and ran into some more issues.  If in step 3 you check the network communications report and the RMS router type still shows Endpoint, you need to do the following:

Copy the cac.pem and newly created mrinit.conf files from your CID location; typically this would be:

C:\ProgramData\Sophos\Update Manager\Update Manager\CIDs\S0xx\SAVSCFXP\

These files also need to be placed in:

C:\ProgramData\Sophos\Update Manager\Update Manager\CIDs\S0xx\SAVSCFXP\rms\program files\Sophos\Remote Management System\

In the same directory you need to run ClientMRinit.exe.  You must Run As Administrator.


Once complete, the network communications report should correctly state that the machine is now indeed a Message Relay.
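The Update 2 fix as a script, added here as an example and not taken from the post or from Sophos: it refuses to run unless the session is elevated, copies the two files from the CID root into the nested RMS folder, and runs ClientMRinit.exe from that folder, as the post requires. The S0xx CID number is the post's placeholder and must be replaced.

```powershell
# Added example (not from the original post): apply the Update 2 fix on the CID host.

$Cid    = 'C:\ProgramData\Sophos\Update Manager\Update Manager\CIDs\S0xx\SAVSCFXP'   # replace S0xx
$RmsDir = Join-Path $Cid 'rms\program files\Sophos\Remote Management System'

function Test-IsElevated {
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Invoke-Update2Fix {
    param([string]$CidPath, [string]$RmsPath)
    # ClientMRinit.exe must be run as Administrator, so fail early if we are not
    if (-not (Test-IsElevated)) { throw 'Run this from an elevated (Run as Administrator) prompt' }
    if (-not (Test-Path $RmsPath)) { throw "$RmsPath not found; check the CID number in the path" }
    foreach ($name in 'cac.pem', 'mrinit.conf') {
        $src = Join-Path $CidPath $name
        if (-not (Test-Path $src)) { throw "$src not found; is this the right CID?" }
        Copy-Item -Path $src -Destination (Join-Path $RmsPath $name) -Force
    }
    # The post says to run ClientMRinit.exe from the same directory, so change into it first
    Push-Location $RmsPath
    try     { & (Join-Path $RmsPath 'ClientMRinit.exe'); $exit = $LASTEXITCODE }
    finally { Pop-Location }
    return $exit
}

$code = Invoke-Update2Fix -CidPath $Cid -RmsPath $RmsDir
Write-Output "ClientMRinit.exe exited with code $code; now re-check the network communications report"
```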

Thanks to Jacques De Villiers from Woolworths and Monique Burger from Netactix for figuring this one out.

5 comments:

Chris Jones said...

I just wanted to let you know that you did a lot better job of explaining this than Sophos' website. I was able to fix my message router issue. Thank you so much.

Etienne Liebetrau said...

Thanks for the feedback!

Anonymous said...

Thanks for writing a great article. I was wondering if you have encountered this issue & can offer assistance or advice: I have an endpoint that won't connect. The View Sophos Network Communications Report is missing on the endpoint. How do I fix

Anonymous said...

What does it mean when this does not exist
HKLM\Software\WOW6432Node\Sophos\Messaging System\Router\Parent Address

Anonymous said...

Great Article! Thanks
