Enterprise Console: IP address discovery

  Updated: 09 May 2014

When using 'Find by IP range' to search for new computers in Enterprise Console, a Windows username and password are used for the Windows network search. As with the other searches, a remote computer may not be discovered if the connection fails because no username and password were supplied. A maximum range of 65536 addresses can be searched at any one time. Please note that the scan cannot be stopped after it has been started.

Applies to the following Sophos product(s) and version(s)

Enterprise Console

SNMP queries

The 'SNMP community' is used for SNMP queries. This is the equivalent of a password used to connect to the SNMP service. If the SNMP Community field is blank, it will default to 'public'. In most cases 'public' should work, but if the computers are configured to use a different community, then that string should be entered here. If the community is incorrect, then SNMP will fail to retrieve information about the computer.

Methods of detecting networked computers with IP discovery

IP discovery uses a variety of techniques for detecting computers on the network. These are:

  • ICMP
    ICMP sends a network packet to a given IP address, and the remote computer responds if it is present.
    Note: Some firewalls may block ICMP.
  • SNMP
    SNMP is a protocol used to exchange information between computers. A computer running SNMP will respond to requests for information about itself, and can report its name and its operating system. However, not all computers run SNMP. On Windows 2000 computers SNMP is enabled by default.
  • Windows networking
    Windows networking is supported in Microsoft Windows networks. UNIX-based computers without Samba may not support this protocol.
  • DNS
    DNS requires that a name server accurately knows which IP addresses correspond to which computers. A DNS reverse-lookup determines a computer's name from its IP address. A faulty DNS system can lead to incorrect information being returned.

By default, IP discovery will use ICMP, SNMP and Windows networking. The following table compares the different protocols.

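| Network protocol | Contacts computer? | Name | Workgroup | DNS name | Operating system | IP address | Comment |
|---|---|---|---|---|---|---|---|
| ICMP | Yes | No | No | No | No | No | No |
| SNMP | Yes | Yes | No | No | Yes | No | No |
| LDAP | No | Yes | No | Yes | Yes | No | Yes |
| Windows networking | Yes | Yes | Yes | No | Yes | No | Yes |
| DNS | No | Yes | No | Yes | No | Yes | No |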

Configuring IP discovery in the Windows registry

Different networks have different configurations, and so may require different discovery settings. IP discovery can be configured using the Windows registry. Please read the warning about editing the registry.

The registry value: HKLM\Software\Sophos\EE\ManagementTools\IPScanSettings is a DWORD that configures the IP search. This registry value is normally absent, but creating the value and restarting the Sophos Management Service will override the default settings.

NOTE: For Windows 2008 R2 Server the correct registry key is: HKLM\Software\WOW6432Node\Sophos\EE\Management Tools

The flags that can be set are shown in the following table.

| Flag | Meaning | Default |
|---|---|---|
| 0x01 | Require that the computer responds to ICMP. If this flag is set, then an ICMP message is sent to the address. If the computer does not respond within 2 seconds, then the computer is not discovered. | Yes |
| 0x02 | Require that the computer is in DNS. If this flag is set, then the computer will only be discovered if a reverse-DNS lookup succeeds. | No |
| 0x08 | Attempt to contact the computer via SNMP. If this flag is set, then SNMP will be used to discover the name and operating system of the computer. | Yes |
| 0x10 | Perform DNS reverse-lookup. If this flag is set, then the name of the computer will be obtained using a DNS reverse-lookup. | No |
| 0x40 | Attempt to contact the computer via Windows networking. If this flag is set, then Windows networking will be used to determine the computer's workgroup, description and operating system. | Yes |
| 0x80 | Require that the computer supports Windows networking. If this flag is set, then the computer will only be discovered if a Windows connection was successful. | No |

As an example, to use only the last 4 discovery methods in the table above, the registry value would need to be 216 in decimal or D8 in hexadecimal. This is worked out as follows:
0x08 (hex) = 8 (dec)
0x10 (hex) = 16 (dec)
0x40 (hex) = 64 (dec)
0x80 (hex) = 128 (dec)
8+16+64+128 = 216 (dec) or D8 (hex)
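
The same calculation in both directions, as an added example that is not Sophos code: it builds the DWORD from flag names and, going beyond the worked case above, decodes an existing IPScanSettings value and reports any bits the flag table does not define. The flag names are hypothetical, and the default value is an assumption derived from the flags marked 'Yes' in the table.

```python
# Added example: bit values and defaults are copied from the flag table above;
# all Python names here are hypothetical.
FLAGS = {
    0x01: ("require_icmp", True),
    0x02: ("require_dns", False),
    0x08: ("try_snmp", True),
    0x10: ("dns_reverse_lookup", False),
    0x40: ("try_windows_networking", True),
    0x80: ("require_windows_networking", False),
}
BY_NAME = {name: bit for bit, (name, _) in FLAGS.items()}
KNOWN_MASK = sum(FLAGS)  # every documented bit: 0xDB
# Assumption: the built-in default equals the flags marked "Yes" in the table.
DEFAULT_VALUE = sum(bit for bit, (_, on) in FLAGS.items() if on)


def encode(names):
    """Combine flag names into the DWORD to store in IPScanSettings."""
    value = 0
    for name in names:
        if name not in BY_NAME:
            raise ValueError(f"unknown flag name: {name!r}")
        value |= BY_NAME[name]
    return value


def decode(value):
    """Split a DWORD into documented flags, hard filters and undefined bits."""
    if not isinstance(value, int) or not 0 <= value <= 0xFFFFFFFF:
        raise ValueError("IPScanSettings is a DWORD (0 to 0xFFFFFFFF)")
    enabled = [name for bit, (name, _) in FLAGS.items() if value & bit]
    return {
        "enabled": enabled,
        # "require_*" flags exclude a computer from results when the check fails
        "filters": [n for n in enabled if n.startswith("require_")],
        # bits such as 0x04 and 0x20 do not appear in the table
        "undefined_bits": value & ~KNOWN_MASK,
        "differs_from_default": value != DEFAULT_VALUE,
    }


if __name__ == "__main__":
    last_four = encode(["try_snmp", "dns_reverse_lookup",
                        "try_windows_networking", "require_windows_networking"])
    print(f"{last_four} (dec) = 0x{last_four:02X}", decode(last_four))
    print(f"default = 0x{DEFAULT_VALUE:02X}", decode(DEFAULT_VALUE))
```

A non-zero `undefined_bits` or an unexpected entry in `filters` is worth checking before restarting the Sophos Management Service, since a "require" flag silently removes computers from the search results.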

