A message relay computer relays messages (virus reports, etc.) between computers running Endpoint Security and Control or Sophos Anti-Virus and your management server. Reasons for using a message relay computer include:
The computer that acts as a message relay:
- should be a Windows 2003, 2008 R2, 2012 or 2012 R2 server (we don't recommend using a server running Windows 2008 for a message relay: see Using Enterprise Console and RMS on Microsoft Windows Server 2008 for more details.)
- will have Endpoint Security and Control installed on it as part of this procedure
- should have a static IP address
- should have enough processing power to handle communications for the number of endpoints and servers that it is intended to support.
Note: As a guide, a correctly configured message relay with sufficient resources should be capable of supporting 8000 endpoints.
Applies to the following Sophos product(s) and version(s)
Enterprise Console 5.1.0 and above
Watch the video
What to do
There are three main steps to setting up a message relay:
- Configure a new Distribution point to be used by the message relay computer and the endpoints/servers that will use the message relay.
- Create a new group and updating policy and group in Enterprise Console to be used by the message relay computer and the endpoints/servers that will use it
- Protect (or re-protect) the message relay and the endpoints/servers that will use it.
The procedure listed above must be performed for each message relay to be configured. The detailed instructions for setting up a message relay are listed below.
1. Configuring a new update location for the message relay
In order to configure a message relay, you must change some settings in the mrinit.conf file contained in its update location; therefore, each message relay will need a separate Distribution point.
1.1 Creating a new update location
You must create a new distribution point for each package to be deployed; however, the distribution points can share the mrinit.conf file if they will use the same message relay.
1.2 Editing mrinit.conf to change the message routing for the Distribution point
The file mrinit.conf contains the router configuration information for the Distribution point. It must be edited to specify the message router’s IP address. As the message router settings are identical for all packages in one Distribution point, once edited, you can copy the mrinit.conf file to the other packages in the group.
- In Windows Explorer, browse to the root of your new update location:
- Copy the file mrinit.conf to the rms subfolder.
- Open that copy of mrinit.conf in Notepad.
- Find the variable:
where 'address' is probably the domain name or IP address of your management server.
- Edit it to take the form:
* MR-IP is the IP address of the message relay computer.
* MR-FQDN is the fully qualified domain name of the message relay computer.
* MR-NETBIOS is the NETBIOS name of the message relay computer.
In the above example this could be "ParentRouterAddress"="10.1.200.65,MRComputer.Sales.Acme,MRComputer"
- Copy your edited mrinit.conf to the other RMS subfolders:
- It is imperative that you place the edited mrinit.conf file in the rms sub-directory of the message relay distribution point before running ConfgCID.exe (see step 1.3). If you place the edited mrinit.conf file in the root of the distribution point, Sophos AutoUpdate will not bring down the correct file when RMS is installed or updated. Any modifications to the mrinit.conf file in the root of the distribution point will be lost when SUM updates the share, as the default location for mrinit.conf, as defined in system.xml (RMSConfigPath tag), is the RMS sub-directory.
- Do not edit the line containing "MRParentAddress".
- You must ensure that there is an empty line at the bottom of the file. If there is a final carriage return do not delete it.
1.3 Using ConfigCID.exe to use the new config file in the update location
Note: If User Account Control (UAC) is enabled on the computer ensure you open a command prompt as administrator ('Run as administrator') even if you are logged on with an administrative account.
- Run ConfigCID.exe on all of your newly created packages. For more information see article 13112.
- Check the program output. There should be two lines containing:
Adding entry for \rms\mrinit.conf
Adding entry for \mrinit.conf
and two lines containing:
Read catalog file cidsync.upd
These lines confirm that the file mrinit.conf was found, and was added to the catalogue of files to be downloaded by Sophos AutoUpdate on your endpoints, and on the message relay computer.
2. Creating a message relay policy and group in Enterprise Console
In Enterprise Console:
- Create an updating policy (e.g. MessageR1). Set your new update location/CID as the primary server location.
In Enterprise Console: \\[Server1]\SophosUpdate\
- Create a new group (e.g. MessageR1), and assign your policy (MessageR1) to that group.
Note: If you are using "Sophos" as Secondary update location it is recommended to enable the option "Allow location roaming" to prevent the client from changing the Message Relay configuration as long as it is getting updates from Sophos.
3. Installing Sophos Anti-Virus on the message relay computer and the endpoints that will use it
Set up the message relay computer first
In Enterprise Console:
- add the message relay computer to your new group (MessageR1) and protect it
- wait until the computer is reported in Enterprise Console as managed and protected.
- This computer should now be set up as a message relay. It will route messages between the management server and all workstations configured to use it as their parent.
- To check that the message relay computer has received its configuration from your new update location:
On an endpoint computer running Endpoint Security and Control:
Open Endpoint Security and Control and click Configure Updating. Check that the path listed in the ‘Primary server’ tab points to your new update location.
Deploy to the endpoint computers
In Enterprise Console:
- Move the workstations that will use the message relay computer into the message relay group (MessageR1)
- Wait for them to update. They will then transmit all messages to the management server via the message relay computer.
- You can confirm that an endpoint is messaging to the correct computer by checking the following registry entry:
HKEY_LOCAL_MACHINE\SOFTWARE\Sophos\Messaging System\Router\ | ParentAddress
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Sophos\Messaging System\Router | ParentAddress
It should contain the MR-IP, MR-FQDN and MR-NETBIOS addresses that you added to mrinit.conf in section 2 (e.g. 10.1.200.65,MRComputer.Sales.Acme,MRComputer).
The Sophos Message Routers on the workstations are configured to report to the message relay computer as their parent, rather than directly to the management server. Message relays are thus managed computers which act as parent routers for other computers. However, because a message relay computer is expected to have a potentially large number of connected child routers, server-grade operating systems and hardware are required. The message relay's settings are modified by the process described above in order to handle the increased message load.
- Message relays can be 'chained'. The maximum recommended nesting level is seven (six message relays and the final destination). This maximum limit is dependent on the string length of the machine names. Therefore, if your machine names are shorter or longer than average, you should revise the guidance for your own situation.
- You can run a message relay on the same server as a distribution point.
- The following registry keys are created/modified to enable the message router to function as a message relay as opposed to a regular message router.
Note: If you are experiencing slow message processing on message relays or a build up of message files on the message relays if not already set you can additionally add the following:
Once added you will need to restart the "Sophos Message Router" service for the change to be used. This will increase the number of threads the router can use from the default of 4 to 16 which is the same number used by the message router on the management server.