During installation of, or an upgrade to, Sophos Enterprise Console version 5.x, the installer prompts for port 80 access and allows you to configure another port. Why is this required?
First seen in
Enterprise Console 5.0.0
A port number must be configured during the management server installation to enable:
- Managed endpoints running the Sophos Patch Agent to communicate with the management server.
- An Enterprise Console installation (local or remote to the management server) to communicate with the Web Control, Patch and Encryption server-side components.
What To Do
If you do not want to use port 80, or cannot use it (i.e. port 80 is already being used by an application that is unable to share the port; see Technical Information below), you can change the default port number to another available port.
Warning: The port number you choose now can be changed later by running the console installer again. However, if you change the port after installing remote consoles or deploying Sophos Patch to clients, you will also need to reconfigure all remote consoles and redeploy Sophos endpoint security software to any clients using Sophos Patch.
If you are getting a message that the port is already in use, see KBA 116881.
Technical Information
This port is required by the new framework in Enterprise Console, which enables the console to communicate with the new server-side web services hosted on the Sophos management server. Managed clients running the Sophos Patch Agent also use it: the patch agent connects to the management server on this port to retrieve patch definitions and to report assessments.
Port 80 can be re-used even on a machine where IIS 6+ is already bound to port 80 to serve content, because both IIS and WCF (the technology used by Enterprise Console) use the kernel-mode HTTP stack (HTTP.sys). HTTP.sys allows the port to be shared through URL reservations, so you should not see port conflicts with other applications that also use HTTP.sys, such as IIS. To view the URL reservations on the management server, run the following commands:
Windows 7 and 2008/2008 R2
netsh http show urlacl
On Windows 2003 you will require httpcfg.exe which is part of the Support tools.
httpcfg.exe query urlacl
To confirm that the "client", in this case EnterpriseConsole.exe, is aligned with the registrations on the server, open the file EnterpriseConsole.exe.config, which is in the same directory as EnterpriseConsole.exe. The sections at the bottom of the file define the addresses of the web services.
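The comparison described above, between the URL reservations on the server and the addresses in the client config, can be scripted. The following Python is an added example, not Sophos code: it parses saved English-language output of netsh http show urlacl and the endpoint address attributes of a WCF-style client config, then lists which reservations cover each address. The sample output, the host name mgmt01, the /Example/... paths and the config layout are constructed assumptions.

```python
import re
import xml.etree.ElementTree as ET

# Constructed excerpt of `netsh http show urlacl` output (not from a real server).
SAMPLE_URLACL = """\
    Reserved URL            : http://+:80/Temporary_Listen_Addresses/
        User: \\Everyone

    Reserved URL            : http://+:80/Example/Patch/
        User: NT AUTHORITY\\NETWORK SERVICE
"""

# Constructed WCF-style client section; endpoint names and paths are hypothetical.
SAMPLE_CONFIG = """\
<configuration><system.serviceModel><client>
  <endpoint name="patch" address="http://mgmt01/Example/Patch/Service.svc"/>
  <endpoint name="web" address="http://mgmt01:8080/Example/Web/Service.svc"/>
</client></system.serviceModel></configuration>
"""

def parse_reservations(text):
    """Return the reserved URL prefixes listed in urlacl output."""
    return re.findall(r"^\s*Reserved URL\s*:\s*(\S+)", text, re.MULTILINE)

def split_url(url):
    """Split a URL or HTTP.sys prefix into (scheme, host, port, path), lowercased."""
    m = re.match(r"(https?)://([^/:]+)(?::(\d+))?(/.*)?$", url.strip(), re.I)
    if not m:
        raise ValueError(f"not an http(s) URL: {url!r}")
    scheme, host, port, path = m.groups()
    port = int(port) if port else (443 if scheme.lower() == "https" else 80)
    return scheme.lower(), host.lower(), port, (path or "/").lower()

def covered_by(address, prefix):
    """True if the endpoint address falls under the reserved prefix ('+'/'*' = any host)."""
    s, h, p, path = split_url(address)
    ps, ph, pp, ppath = split_url(prefix)
    return s == ps and p == pp and ph in ("+", "*", h) and path.startswith(ppath)

def check_alignment(urlacl_text, config_xml):
    """Map each endpoint address in the config to the reservations that cover it."""
    prefixes = parse_reservations(urlacl_text)
    endpoints = ET.fromstring(config_xml).iter("endpoint")
    return {ep.get("address"): [p for p in prefixes if covered_by(ep.get("address"), p)]
            for ep in endpoints if ep.get("address")}

if __name__ == "__main__":
    for addr, hits in check_alignment(SAMPLE_URLACL, SAMPLE_CONFIG).items():
        print(addr, "->", hits or "NO MATCHING RESERVATION")
```

An address with no matching reservation usually means the console config still points at a port other than the one chosen in the installer, which is the situation the warning about re-configuring remote consoles describes.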