When using 'Find by IP range' to search for new computers in Enterprise Console, a Windows username and password are used for the Windows network search. As with the other searches, the remote computer may not be discovered if the connection fails for lack of a username and password. A maximum range of 65536 addresses can be searched at any one time. Please note that the scan cannot be stopped after it has been started.
The 'SNMP community' is used for SNMP queries. This is the equivalent of a password used to connect to the SNMP service. If the SNMP Community field is blank, it will default to 'public'. In most cases 'public' should work, but if the computers are configured to use a different community, then that string should be entered here. If the community is incorrect, then SNMP will fail to retrieve information about the computer.
Methods of detecting networked computers with IP discovery
IP discovery uses a variety of techniques for detecting computers on the network. These are:
- ICMP
ICMP sends a network packet to a given IP address, and the remote computer responds if it is present.
Note: Some firewalls may block ICMP.
- SNMP
SNMP is a protocol used to exchange information between computers. A computer running SNMP will respond to requests for information about itself, and can report its name and its operating system. However, not all computers run SNMP. On Windows 2000 computers SNMP is enabled by default.
- Windows networking
Windows networking is supported in Microsoft Windows networks. UNIX-based computers without Samba may not support this protocol.
- DNS
DNS requires that a name server accurately knows which IP addresses correspond to which computers. A DNS reverse-lookup determines a computer's name from its IP address. A faulty DNS system can lead to incorrect information being returned.
By default, IP discovery will use ICMP, SNMP and Windows networking. The following table compares the different protocols.
| Network protocol | Contacts computer? | Name | Workgroup | DNS name | Operating system | IP address | Comment |
|---|---|---|---|---|---|---|---|
| ICMP | Yes | No | No | No | No | No | No |
| SNMP | Yes | Yes | No | No | Yes | No | No |
| LDAP | No | Yes | No | Yes | Yes | No | Yes |
| Windows networking | Yes | Yes | Yes | No | Yes | No | Yes |
| DNS | No | Yes | No | Yes | No | Yes | No |
Configuring IP discovery in the Windows registry
Different networks have different configurations, and so may require different discovery settings. IP discovery can be configured using the Windows registry. Please read the warning about editing the registry.
The registry value HKLM\Software\Sophos\EE\ManagementTools\IPScanSettings is a DWORD that configures the IP search. This value is normally absent; creating it and restarting the Sophos Management Service overrides the default settings.
NOTE: For Windows 2008 R2 Server the correct registry hive is: HKLM\Software\WOW6432Node\Sophos\EE\Management Tools
The flags that can be set are shown in the following table.
| Flag | Meaning | Default |
|---|---|---|
| 0x01 | Require that the computer responds to ICMP. If this flag is set, then an ICMP message is sent to the address. If the computer does not respond within 2 seconds, then the computer is not discovered. | Yes |
| 0x02 | Require that the computer is in DNS. If this flag is set, then the computer will only be discovered if a reverse-DNS lookup succeeds. | No |
| 0x08 | Attempt to contact the computer via SNMP. If this flag is set, then SNMP will be used to discover the name and operating system of the computer. | Yes |
| 0x10 | Perform DNS reverse-lookup. If this flag is set, then the name of the computer will be obtained using a DNS reverse-lookup. | No |
| 0x40 | Attempt to contact the computer via Windows networking. If this flag is set, then Windows networking will be used to determine the computer's workgroup, description and operating system. | Yes |
| 0x80 | Require that the computer supports Windows networking. If this flag is set, then the computer will only be discovered if a Windows connection was successful. | No |
As an example, to use only the last 4 discovery methods in the table above, the registry value would need to be 216 in decimal or D8 in hexadecimal. This is worked out as follows:
0x08 (hex) = 8 (dec)
0x10 (hex) = 16 (dec)
0x40 (hex) = 64 (dec)
0x80 (hex) = 128 (dec)
8+16+64+128 = 216 (dec) or D8 (hex)
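The same arithmetic in reverse, as an added example (not Sophos code): it decodes an IPScanSettings DWORD into the flags from the table above, lists which computers each "require" flag would leave undiscovered, and reports bits the table does not document. The short flag names are labels invented for this example, and the default value assumes the table's Default column maps directly onto bits.

```python
# Added example. Bit values and defaults come from the flag table above;
# the short names and the note wording are labels chosen for this example.
FLAGS = {
    0x01: ("require_icmp", True,
           "hosts whose firewall blocks ICMP are not discovered"),
    0x02: ("require_dns", False,
           "hosts without a working reverse-DNS entry are not discovered"),
    0x08: ("try_snmp", True, None),
    0x10: ("dns_reverse_lookup", False, None),
    0x40: ("try_windows_networking", True, None),
    0x80: ("require_windows_networking", False,
           "hosts without Windows networking (e.g. UNIX without Samba) "
           "are not discovered"),
}
KNOWN_MASK = sum(FLAGS)  # all documented bits; distinct bits, so sum == OR


def default_value():
    """DWORD matching the documented defaults (assumed: Default column = bit set)."""
    return sum(bit for bit, (_, on, _) in FLAGS.items() if on)


def encode(names):
    """Build the DWORD from a list of flag names."""
    by_name = {name: bit for bit, (name, _, _) in FLAGS.items()}
    value = 0
    for name in names:
        if name not in by_name:
            raise ValueError(f"unknown flag name: {name}")
        value |= by_name[name]
    return value


def decode(value):
    """Return (enabled flag names, coverage notes, undocumented bits)."""
    if not 0 <= value <= 0xFFFFFFFF:
        raise ValueError("IPScanSettings is a 32-bit DWORD")
    names = [n for bit, (n, _, _) in FLAGS.items() if value & bit]
    notes = [t for bit, (_, _, t) in FLAGS.items() if value & bit and t]
    return names, notes, value & ~KNOWN_MASK


if __name__ == "__main__":
    for v in (default_value(), 0xD8):
        names, notes, extra = decode(v)
        print(f"0x{v:02X} ({v}): {', '.join(names)}")
        for note in notes:
            print("  coverage gap:", note)
        if extra:
            print(f"  undocumented bits set: 0x{extra:X}")
```

Computers that a scan skips stay out of Enterprise Console, so the coverage notes are worth reading before a "require" flag is set.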