Enterprise Console: configuring message relay computers
A message relay computer relays messages (virus reports, etc.) between computers running Endpoint Security and Control or Sophos Anti-Virus and your management server. Reasons for using a message relay computer include:
- increasing the number of workstations that can be managed by the management server
- reducing the number of direct connections to the management server
- simplifying firewall configuration
- installing Enterprise Console on a server running Windows 2008 when you will manage more than 5,000 computers from a single console.
The computer that acts as a message relay:
- should be a Windows 2000/2003/2008 server
- will have Endpoint Security and Control 9 or Sophos Anti-Virus 7 installed on it as part of this procedure
- should have a static IP address
- should have enough processing power to handle communications for the number of endpoints and servers that it is intended to support
The procedure described below can be used to set up a message relay on networks managed by Enterprise Console 3 or 4. For networks managed by Enterprise Console 3, it is assumed that EM Library and Enterprise Console are located on the management server (the default setup).
What to do
There are three main steps to setting up a message relay:
- Configure a new Distribution point (in Enterprise Console 4) or CID (in EM Library) to be used by the message relay computer and the endpoints/servers that will use the message relay
- Create a new updating policy and group in Enterprise Console to be used by the message relay computer and the endpoints/servers that will use it
- Protect (or re-protect) the message relay and the endpoints/servers that will use it.
The procedure listed above must be performed for each message relay to be configured. The detailed instructions for setting up a message relay are listed below.
1. Configuring a new update location or CID for the message relay
In order to configure a message relay, you must change some settings in the mrinit.conf file contained in its update location or CID; therefore, each message relay will need a separate Distribution point/group of CIDs.
1.1 Creating a new update location or CID
To create an additional CID for a package in EM Library, follow the instructions in section 3.2 of the Large Networks Configuration Guide. You must create a new CID for each package to be deployed; however, these CIDs can share the mrinit.conf file if they will use the same message relay.
To create an additional update location in Enterprise Console 4’s Update Manager, follow the instructions in How do I... Specify where the software is placed? You can create one new Distribution point for all the packages in an existing Update Manager.
1.2 Editing mrinit.conf to change the message routing for the Distribution point/CID
The file mrinit.conf contains the router configuration information for the Distribution point or CID. It must be edited to specify the message router’s IP address. As the message router settings are identical for all packages in a particular group of CIDs (or in one Distribution point), once edited, you can copy the mrinit.conf file to the other CIDs/packages in the group.
- In Windows Explorer, browse to the root of your new update location/CID:
Enterprise Console 3: \\[Server1]\InterChk\NewCID_Win2000plus\
Enterprise Console 4: \\[Server1]\SophosUpdate\CIDs\Sxxx\[package name]
- Copy the file mrinit.conf to the rms subfolder (for Windows 9x packages, the RMS subfolder will be called rms9x).
- Open that copy of mrinit.conf in Notepad.
- Find the variable:
"ParentRouterAddress"="[address],[address],[address]"
where 'address' is probably the domain name or IP address of your management server.
- Edit it to take the form:
"ParentRouterAddress"="[MR-IP],[MR-FQDN],[MR-NETBIOS]"
where:
* MR-IP is the IP address of the message relay computer.
* MR-FQDN is the fully qualified domain name of the message relay computer.
* MR-NETBIOS is the NETBIOS name of the message relay computer.
In the above example this could be "ParentRouterAddress"="10.1.200.65,MRComputer.Sales.Acme,MRComputer"
- Copy your edited mrinit.conf to the other RMS subfolders:
In Enterprise Console 3: \\[Server1]\InterChk\NewCID_Win2000plus\rms.
In Enterprise Console 4: \\[Server1]\SophosUpdate\CIDs\Sxxx\[package name]\rms.
Important:
- Do not edit the line containing "MRParentAddress".
- You must ensure that there is an empty line at the bottom of the file. If there is a final carriage return do not delete it.
- For Windows NT in a domain environment, where the message relay computer has a dynamically assigned IP address, make sure that the fully qualified domain name is included in the ParentRouterAddress so that your computers can resolve the address of the message relay.
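The edit rules above (three comma-separated addresses in ParentRouterAddress, MRParentAddress left alone, final line break kept) can be checked before ConfigCID.exe is run. The Python check below is an added example, not Sophos code; the function names, the management server addresses and the two-line sample file are constructed for illustration.

```python
import ipaddress
import re

# Matches lines of the form "Name"="value", as shown in section 1.2.
ENTRY = re.compile(r'^"([^"]+)"="([^"]*)"$')

def read_entries(text):
    """Return {name: value} for every "Name"="value" line in the file text."""
    entries = {}
    for line in text.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            entries[m.group(1)] = m.group(2)
    return entries

def check_mrinit(original, edited, mr_ip, mr_fqdn, mr_netbios):
    """Compare an edited mrinit.conf with the original; return a list of problems."""
    problems = []
    before, after = read_entries(original), read_entries(edited)
    want = [mr_ip, mr_fqdn, mr_netbios]
    got = after.get("ParentRouterAddress", "").split(",")
    if got != want:
        problems.append("ParentRouterAddress is %r, expected %r" % (got, want))
    try:
        ipaddress.ip_address(mr_ip)
    except ValueError:
        problems.append("first ParentRouterAddress entry is not an IP address")
    if before.get("MRParentAddress") != after.get("MRParentAddress"):
        problems.append("MRParentAddress was changed; it must be left as it was")
    if not edited.endswith(("\n", "\r")):
        problems.append("file does not end with a line break")
    return problems

# Constructed sample: only the two entries named in this article. A real
# mrinit.conf contains other entries, which the check ignores.
ORIGINAL = ('"MRParentAddress"="10.1.200.1,Server1.Sales.Acme,SERVER1"\r\n'
            '"ParentRouterAddress"="10.1.200.1,Server1.Sales.Acme,SERVER1"\r\n')
GOOD = ORIGINAL.replace(
    '"ParentRouterAddress"="10.1.200.1,Server1.Sales.Acme,SERVER1"',
    '"ParentRouterAddress"="10.1.200.65,MRComputer.Sales.Acme,MRComputer"')
# Careless search-and-replace: both lines edited and the final line break lost.
BAD = ORIGINAL.replace("10.1.200.1,Server1.Sales.Acme,SERVER1",
                       "10.1.200.65,MRComputer.Sales.Acme,MRComputer").rstrip()

if __name__ == "__main__":
    for name, text in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, check_mrinit(ORIGINAL, text, "10.1.200.65",
                                 "MRComputer.Sales.Acme", "MRComputer"))
```

The same three-part value is what the ParentAddress registry entry on an endpoint should hold once it has updated from the new location.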
1.3 Using ConfigCID.exe to use the new config file in the update location/CID
ConfigCID.exe is located in:
- Enterprise Console 3: in the TOOLS folder in the installation directory.
- Enterprise Console 4: in C:\Program Files\Sophos\Enterprise Console\SUM
- Run ConfigCID.exe on all of your newly created packages:
In Enterprise Console 3, to update the Windows 2000+ package:
ConfigCID.exe "C:\Program Files\Sophos SWEEP for NT\NewCID_Win2000plus"
In Enterprise Console 4, to update the Windows 2000+ package:
ConfigCID.exe "C:\Documents and Settings\All Users\Application Data\Sophos\Update Manager\Update Manager\CIDs\Sxxx\SAVSCFXP"
- Check the program output. There should be two lines containing:
Adding entry for \rms\mrinit.conf
Adding entry for \mrinit.conf
and two lines containing:
Read catalog file cidsync.upd
Updating checksum
These lines confirm that the file mrinit.conf was found, and was added to the catalogue of files to be downloaded by Sophos AutoUpdate on your endpoints, and on the message relay computer.
2. Creating a message relay policy and group in Enterprise Console
In Enterprise Console:
- create an updating policy (e.g. MessageR1). Set your new update location/CID as the primary server location.
In Enterprise Console 3: \\[Server1]\InterChk\NewCID_Win2000plus\
In Enterprise Console 4: \\[Server1]\SophosUpdate\Sxxx\[Package name]
- create a new group (e.g. MessageR1), and assign your policy (MessageR1) to that group.
See How do I... Create a group? and How do I... Create a policy? for more information.
3. Installing Sophos Anti-Virus on the message relay computer and the endpoints that will use it
Set up the message relay computer first
In Enterprise Console:
- add the message relay computer to your new group (MessageR1) and protect it
- wait until the computer is reported in Enterprise Console as managed and protected.
- This computer should now be set up as a message relay. It will route messages between the management server and all workstations configured to use it as their parent.
- To check that the message relay computer has received its configuration from your new update location/CID:
On an endpoint computer running Sophos Anti-Virus:
Open Sophos Anti-Virus and select 'Update options'. Check that the path listed in the 'Primary server' tab points to your new CID.
On an endpoint computer running Endpoint Security and Control:
Open Endpoint Security and Control and click Configure Updating. Check that the path listed in the ‘Primary server’ tab points to your new update location.
Deploy to the endpoint computers
In Enterprise Console:
- move the workstations that will use the message relay computer into the message relay group (MessageR1)
- wait for them to update.
They will then transmit all messages to the management server via the message relay computer.
- You can confirm that an endpoint is messaging to the correct computer by checking the following registry entry: HKEY_LOCAL_MACHINE\SOFTWARE\Sophos\Messaging System\Router\ParentAddress. It should contain the MR-IP, MR-FQDN and MR-NETBIOS addresses that you added to mrinit.conf in section 2 (e.g. 10.1.200.65,MRComputer.Sales.Acme,MRComputer).
Technical information
A message relay computer is a Windows 2000/2003/2008 server running a Sophos Message Router as part of Sophos Anti-Virus. This server is placed between the management server and managed workstations (endpoints).
Reasons for implementing a message relay include:
- it improves scalability
- it reduces the number of direct connections to the management server
- it may simplify firewall configuration
- the topology of the network is suitable.
The Sophos Message Routers on the workstations are configured to report to the message relay computer as their parent, rather than directly to the management server. Message relays are thus managed computers which act as parent routers for other computers. However, because a message relay computer is expected to have a potentially large number of connected child routers, server-grade operating systems and hardware are recommended. The message relay's RMS settings are modified by the process described above in order to handle the increased message load.
- Message relays can be 'chained'. The maximum recommended nesting level is seven (six message relays and the final destination). This maximum limit is dependent on the string length of the machine names. Therefore, if your machine names are shorter or longer than average, you should revise the guidance for your own situation.
- You can run a message relay on the same server as a CID.
- The following registry keys are created/modified to enable the message router to function as a message relay as opposed to a regular message router.
[HKEY_LOCAL_MACHINE\SOFTWARE\Sophos\Messaging System\Router]
"ConnectionCache"=dword:00005020
"NumSenderThreads"=dword:00000008
"ConnectRetriesPause"=dword:00000064
"TotalConnectRetryTimeSecs"=dword:0000000a
"GetterInterval"=dword:00000078
"GetterShortInterval"=dword:00000078
"NumNotificationThresholdThreads"=dword:00000004
If you need more information or guidance, then please contact technical support.
- Article ID: 14635
- Created: 21 Mar 2006
- Last updated: 3 Nov 2009

