How to redirect Windows endpoints to a new management server

  • Article ID: 116737
  • Updated: 22 Dec 2014

When you install a new Enterprise Console (i.e., management server) you must redirect Windows endpoint computers to the new server. Under many circumstances, you can re-protect your computers from the new console or run Setup.exe on existing endpoint computers with the necessary switches. This can either be done manually or as part of a scripted approach.

This article describes how to use the Sophos endpoint migration utility to create a VBScript file that you use to redirect Windows endpoint computers to a new Enterprise Console. It should be used where either of the above options is undesirable.

Important: If you are following this procedure for Enterprise Console v4.5 or 4.7, you must not apply the section that runs the Patch. This cannot be done on these versions.

Reasons for using a scripted method in preference to a re-protect from Enterprise Console may include:

  • Computers are not always connected.
  • Computers have been locked down preventing deployment from Enterprise Console.
  • You have to re-protect a large number of computers and therefore a scripted approach is more appropriate.

Reasons for using the 'Sophos endpoint migration utility' as outlined below include:

  • Bandwidth restrictions.
  • You can easily run remote tasks such as scripts on endpoint computers.

Important:

  • Before continuing, ensure that the migration of the Sophos Management Server has been fully completed as described in the Enterprise Console migration guide, and that the system is functioning correctly.
  • If you are using message relays in your environment, see article 14635 for more information on how to redirect your message relays to the new management server. Note: The clients behind your current message relays will continue to message via the relay and therefore do not need to be reconfigured. Only the relay needs to be pointed at the new management server.

WARNING:

  • Set the Force Configuration option only if the reinit has previously been run on the systems. When it is set, the script will also run on message relays and SEC servers, and can damage them beyond repair.

First seen in

Enterprise Console 4.5.0

What To Do

Where possible, you should run the Sophos endpoint migration utility from the new management server, although it can be run on any Windows computer with access to the new management server. Avoid running it from a network share to prevent any security warnings associated with running HTA files remotely.

Before deploying to a large number of computers, test the script file you create on a couple of endpoint computers to ensure it is configured with the correct options. The script creates a log on the computer which can be used to troubleshoot if the script should fail. The default location for this is: C:\windows\temp\SophosReInit.txt

  1. Download the 'EndpointMigrationUtility.hta' tool from here: EMU.zip.
  2. Once unpacked, open the Endpoint Migration Utility. From the utility window, you select the options you require for the VBScript file that you are creating.
    You may need to create multiple script files, for example if some endpoint computers need to be put into different console groups.
  3. The script that you create here is the one you will run on all the computers that you want to redirect to your new management server.

    Configuration Options:

    Remote Management System (RMS)

    Reinitialize RMS (required): Redirects Sophos Remote Management System (RMS). This ensures that RMS on the endpoint is reconfigured to point to the new management server. This should be selected for most computer redirections.

    Path to new 'cac.pem' and Path to new 'mrinit.conf': You can choose the 'cac.pem' and 'mrinit.conf' files from the new management server. These can be found in the default distribution share on the new management server:
    \\[NewServerName]\SophosUpdate\CIDs\S000\SAVSCFXP\

    Note: You should confirm that the address in the mrinit.conf file is that of the new management server.

    SEC Group Path (optional): You can choose to place the machine in a particular SEC group on the new server. Note: The path is case sensitive.

    Force configuration: This option has a link to Help within the tool.

    Selecting this option forces a reconfigure of RMS even when a previous redirection has taken place. When RMS is reconfigured by the script, a 'marker' DWORD registry value called 'ReInitRMSMarker' is created under: HKLM\Software\[wow6432node]\Sophos\. This is set to 1 to indicate that a redirection has occurred on the endpoint. The script checks whether this marker is present and, if it is, exits unless the force configuration option is set. This prevents the script from reconfiguring the endpoint on every run, for example when it is used as a start-up script.

    WARNING: Running the script with this option can damage a SEC server or a message relay. Do not run the script with force configuration on either of these two server types, as it can cause severe damage.

    Enabling the force configuration option also forces a reconfigure if the computer is a message relay or SEC server. The script identifies these computers by the ConnectionCache registry value being anything other than 10, as found under: HKLM\SOFTWARE\[Wow6432Node]\Sophos\Messaging System\Router. This check prevents accidental reconfiguration of a SEC server or message relay, and force configuration overrides it. For this reason, use this option with caution.

    Sophos Patch Agent

    Select the options in this section if you are using Patch or if you wish to create a separate script for your Patch computers. If you are not using Patch, you do not need to configure this section.

    Force configuration: This option has a link to Help within the tool.

    Selecting this option forces a reconfigure of the Sophos Patch Agent regardless of the 'marker' DWORD registry value 'ReInitPatchMarker' being set to 1 under: HKLM\Software\[wow6432node]\Sophos\. The marker is set by a previous run of the tool and prevents the script from repeatedly re-initializing the computer, for example when it is deployed as a start-up script.

  4. Once you have selected the required options, click 'Create VBScript'. A 'SophosReInit.vbs' file is created in the same directory as the endpoint migration utility.
  5. Run this VBScript on all Windows endpoint computers you wish to redirect to the new management server.
    Note:
    • This script must be run as an administrative user on the endpoints.
    • The script does not display anything on-screen when run. To monitor progress, you can view the log file 'SophosReInit.txt'. By default this is in C:\windows\temp\.
    • The script will take approximately 1 minute to execute on an endpoint computer.
    • If you plan to use the new management server to manage the previous management server, you should uninstall all the Sophos console components from the 'old' server. These are:
      • Sophos Management Console
      • Sophos Management Database
      • Sophos Management Server
      • Sophos Update Manager

      Refer to the Migration Guide for more information on decommissioning the old server.

  6. Methods to consider for deployment of the resulting script to your clients include:

 
If you need more information or guidance, then please contact technical support.
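
The guard checks described under the Force configuration options in step 3 can be inspected on a computer before the generated script is run there. The following read-only PowerShell check is an added example, not part of the Sophos utility or the script it generates. The function names are hypothetical, and reporting a missing ConnectionCache value as 'Unknown' is an assumption; the registry paths, value names and log location are those quoted in this article.

```powershell
# Added example: read-only pre-flight check before running SophosReInit.vbs.
# It only reads the registry values and log file named in this article.

function Get-SophosValue {
    param([string]$SubKey, [string]$Name)
    # [wow6432node] in the article: look in the 32-bit view first, then the native one.
    foreach ($root in 'HKLM:\SOFTWARE\Wow6432Node\Sophos', 'HKLM:\SOFTWARE\Sophos') {
        $path = if ($SubKey) { "$root\$SubKey" } else { $root }
        $item = Get-ItemProperty -Path $path -Name $Name -ErrorAction SilentlyContinue
        if ($null -ne $item) { return $item.$Name }
    }
    return $null   # key or value not present
}

function Test-ReInitPreflight {
    param([string]$LogPath = 'C:\windows\temp\SophosReInit.txt')

    $rmsMarker   = Get-SophosValue -Name 'ReInitRMSMarker'
    $patchMarker = Get-SophosValue -Name 'ReInitPatchMarker'
    $connCache   = Get-SophosValue -SubKey 'Messaging System\Router' -Name 'ConnectionCache'

    # Per the article: any ConnectionCache other than 10 marks a relay or SEC server.
    # Assumption: a missing value is reported as 'Unknown', not as an endpoint.
    $role = if ($null -eq $connCache) { 'Unknown' }
            elseif ($connCache -eq 10) { 'Endpoint' }
            else { 'RelayOrSecServer' }

    [pscustomobject]@{
        Computer           = $env:COMPUTERNAME
        Role               = $role
        ConnectionCache    = $connCache
        RmsMarkerSet       = ($rmsMarker -eq 1)     # RMS redirection already done
        PatchMarkerSet     = ($patchMarker -eq 1)   # Patch Agent re-init already done
        # Without force, the script exits if the marker is set and skips relays/SEC servers.
        PlainRunRedirects  = ($role -eq 'Endpoint' -and $rmsMarker -ne 1)
        # Force bypasses both guards, so only an identified endpoint is acceptable.
        ForceAllowed       = ($role -eq 'Endpoint')
        LogTail            = @(Get-Content -Path $LogPath -Tail 5 -ErrorAction SilentlyContinue)
    }
}

# Run in an elevated session on the computer being checked.
Test-ReInitPreflight | Format-List
```

Any computer reporting ForceAllowed as False should be excluded from a deployment of a script created with Force configuration.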
