Enterprise Console: configuring message relay computers
A message relay computer relays messages (virus reports, etc.) between computers running Sophos
No separate software is required. The functionality is provided by Sophos Anti-Virus for Windows 2000+, version 6 and above.
- A computer acting as a message relay must be a Windows 2000 or Windows 2003 server on which you will install Sophos Anti-Virus version 6, or higher.
- It should have a static IP address.
- How powerful the server should be will depend on the number of client workstations, and connections, that the message relay is intended to support.
Note: On large networks you may need to increase the number of ephemeral ports that Windows can assign.
When setting up a message relay you must:
- configure a CID for use by the message relay computer and workstations
- create an updating policy and group in Enterprise Console for use with the message relay computer
- ensure that the client workstations report to the message relay computer.
In the description below 'workstation' is used to describe all computers that report to the management server via the message relay computer, regardless of whether they are actually servers or workstations. It is also assumed that EM Library and Enterprise Console are located on the management server (the default setup).
These instructions should be used in conjunction with the network startup and upgrade guides.
What to do
You will need to create Central Installation Directories (CIDs) for your workstation packages. So, if you have Windows NT workstations as well as Windows 2000/XP workstations, you will need packages and CIDs for both.
- The instructions below describe setting up a message relay service for the Sophos Anti-Virus for Windows 2000+ version 6 package, in conjunction with an existing management server (here called 'Server1').
- These steps must be repeated for any other CIDs (e.g. Windows NT) that use the message relay computer.
1. Creating the message relay CID
To create an additional CID for a package in EM Library, do as follows:
- Open the EM Library console.
- In the left hand pane, select 'Packages' then select 'Subscribed'.
- Right-click a package (e.g. 'Sophos Anti-Virus for Windows 2000+, v6.0.0').
- Select 'Add/Configure CID'.
- When asked if you want to create an additional central installation, click 'Yes'.
- In the Add CID Wizard give the new CID a different name (e.g. 'MR - Sophos Anti-Virus for Windows 2000+, v6.0.0').
- In the CID Location dialog, select 'Custom CID location' and use a custom folder name (e.g. MRESXP instead of the default ESXP).
- Right-click the newly created CID.
- Select 'Update CID'.
Your newly created CID will be populated, in this example \\[Server1]\InterChk\MRESXP\.
2. Editing mrinit.conf
The file mrinit.conf contains the router configuration information. It must be edited to use the customized settings. As it is identical for all packages in a particular group of CIDs, the edited version can be copied to the other folders.
- In Windows Explorer, browse to the root of your new CID (e.g. \\[Server1]\InterChk\MRESXP\).
- Copy the file mrinit.conf to the rms subfolder (e.g. \\[Server1]\InterChk\MRESXP\rms).
- Open that copy of mrinit.conf in Notepad.
- Find the variable:
"ParentRouterAddress"="[address],[address],[address]"
where 'address' is probably the domain name or IP address of your management server.
- Edit it to take the form:
"ParentRouterAddress"="[MR-IP],[MR-FQDN],[MR-NETBIOS]"
where:
MR-IP is the IP address of the message relay computer.
MR-FQDN is the fully qualified domain name of the message relay computer.
MR-NETBIOS is the NETBIOS name of the message relay computer.
For example:
"ParentRouterAddress"="10.1.200.65,MRComputer.Sales.Acme,MRComputer"
Important:
- Do not edit the line containing "MRParentAddress".
- You must ensure that there is an empty line at the bottom of the file. If there is a final carriage return do not delete it.
Copy your edited mrinit.conf to the other RMS subfolders (e.g. \\[Server1]\InterChk\MRESNT\rms).
Other platform packages:
- On Windows 95/98/Me the subfolder will be called rms9x.
- For Windows NT in a domain environment, where the message relay computer has a dynamically assigned IP address, make sure that the fully qualified domain name is included in the ParentRouterAddress so that your computers can resolve the address of the message relay.
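A pre-flight check for the edited file, added here as an example (it is not Sophos code): it compares the CID-root mrinit.conf with the edited rms copy and reports violations of the rules in this section before the file is distributed to every workstation. It assumes the file consists of "Name"="Value" lines as shown on this page; the sample contents are constructed, and flagging any changed entry other than ParentRouterAddress goes slightly beyond the page's MRParentAddress rule.

```python
import ipaddress
import re

ENTRY = re.compile(r'^\s*"([^"]+)"\s*=\s*"([^"]*)"\s*$')  # "Name"="Value"

def parse_entries(text):
    """Return {name: value} for each "Name"="Value" line in the file text."""
    return {m.group(1): m.group(2)
            for m in map(ENTRY.match, text.splitlines()) if m}

def check_mrinit(original, edited):
    """Compare the CID-root file with the edited rms copy; return problems."""
    problems = []
    old, new = parse_entries(original), parse_entries(edited)
    # Only ParentRouterAddress may differ (covers the MRParentAddress rule).
    for name, value in old.items():
        if name != "ParentRouterAddress" and new.get(name) != value:
            problems.append(name + " was changed or removed")
    # Expected order: MR-IP, MR-FQDN, MR-NETBIOS.
    parts = new.get("ParentRouterAddress", "").split(",")
    if len(parts) != 3:
        problems.append("ParentRouterAddress needs exactly three entries")
    else:
        ip, fqdn, netbios = parts
        try:
            ipaddress.ip_address(ip)  # also rejects stray spaces
        except ValueError:
            problems.append("first entry is not an IP address")
        if "." not in fqdn or fqdn != fqdn.strip():
            problems.append("second entry is not a fully qualified name")
        # Heuristic: NetBIOS names are at most 15 characters, no dots here.
        if not netbios or len(netbios) > 15 or "." in netbios or netbios != netbios.strip():
            problems.append("third entry is not a NetBIOS name")
    # The file must keep its final line ending (the empty line at the bottom).
    if not edited.endswith("\n"):
        problems.append("file does not end with an empty line")
    return problems

# Constructed sample contents; the Server1 addresses are made up for this example.
SERVER = "10.1.200.1,Server1.Sales.Acme,Server1"
RELAY = "10.1.200.65,MRComputer.Sales.Acme,MRComputer"
ORIGINAL = '"ParentRouterAddress"="%s"\r\n"MRParentAddress"="%s"\r\n' % (SERVER, SERVER)
GOOD = '"ParentRouterAddress"="%s"\r\n"MRParentAddress"="%s"\r\n' % (RELAY, SERVER)
# Three mistakes: space before the FQDN, MRParentAddress edited, final line ending lost.
BAD = ('"ParentRouterAddress"="10.1.200.65, MRComputer.Sales.Acme,MRComputer"\r\n'
       '"MRParentAddress"="%s"' % RELAY)

if __name__ == "__main__":
    print(check_mrinit(ORIGINAL, GOOD), check_mrinit(ORIGINAL, BAD))
```

When checking real files, read both with open(path, newline="") so the final line ending is preserved exactly as stored.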
3. Using ConfigCID.exe
Obtain an up to date copy of ConfigCID.exe.
- If you have the network installation CD for Enterprise Console version 2, and EM Library version 1.3, you will find it in the TOOLS folder.
- Otherwise look in the temporary directory (usually C:\sec20) which is created by the Sophos Anti-Virus and Sophos Client Firewall network installer.
Run ConfigCID.exe on all of your newly created CIDs:
ConfigCID.exe "C:\Program Files\Sophos SWEEP for NT\MRESXP"
Check the program output:
- there should be two lines containing:
Adding entry for \rms\mrinit.conf
Adding entry for \mrinit.conf
- and two lines containing:
Read catalog file cidsync.upd
Updating checksum
These lines confirm that the file mrinit.conf was found, and was added to the catalogue of files to be downloaded by Sophos AutoUpdate on your workstations, and on the message relay computer.
This completes the configuration of a message relay CID.
Repeat these steps for any other message relay CIDs that you will need.
4. Creating a message relay policy and group in Enterprise Console
In Enterprise Console:
- create an updating policy (e.g. relaypol). Set your new CID as the primary server location (e.g. \\[Server1]\InterChk\MRESXP\)
- create a group (e.g. relaygroup), and assign your policy (relaypol) to that group (relaygroup).
See the network startup and upgrade guides for details on setting up policies and groups.
5. Installing Sophos Anti-Virus on the message relay computer
In Enterprise Console:
- add the message relay computer to your new group (relaygroup) and protect it
- wait until the computer is reported in Enterprise Console as managed and protected.
This computer should now be working as a message relay. It will route messages between the management server and all workstations configured to use it as their parent.
To check that the message relay computer has installed from your new CID, open Sophos
6. Deploying to the workstations
In Enterprise Console:
- move the workstations that will use the message relay computer into the message relay group (relaygroup)
- wait for them to update.
They will then transmit all messages to the management server via the message relay computer.
You can confirm that a workstation is messaging to the correct computer by checking the following registry entry: HKEY_LOCAL_MACHINE\SOFTWARE\Sophos\Messaging System\Router\ParentAddress. It should contain the MR-IP, MR-FQDN and MR-NETBIOS addresses that you added to mrinit.conf in section 2 (e.g. 10.1.200.65,MRComputer.Sales.Acme,MRComputer).
Technical details
A message relay computer is a Windows 2000/2003 server running a Sophos Message Router as part of Sophos
Reasons for implementing a message relay include:
- it improves scalability
- it reduces the number of direct connections to the management server
- it may simplify firewall configuration
- the topology of the network is suitable.
The Sophos Message Routers on the workstations are configured to report to the message relay computer as their parent, rather than directly to the management server. Message relays are thus managed computers which act as parent routers for other computers. No change is required in the configuration of the router to be able to fulfill the role of message relay. However, because a message relay computer is expected to have a potentially large number of connected child routers, server-grade operating systems and hardware are recommended.
- Message relays can be 'chained'. The maximum recommended nesting level is seven (six message relays and the final destination).
- You can run a message relay on the same server as a CID.
- The following registry keys are created/modified to enable the message router to function as a message relay as opposed to a regular message router.
[HKEY_LOCAL_MACHINE\SOFTWARE\Sophos\Messaging System\Router]
"ConnectionCache"=dword:00005020
"NumSenderThreads"=dword:00000008
"ConnectRetriesPause"=dword:00000064
"TotalConnectRetryTimeSecs"=dword:0000000a
"GetterInterval"=dword:00000078
"GetterShortInterval"=dword:00000078
"NumNotificationThresholdThreads"=dword:00000004
Workstations using a message relay need to have the router's ParentAddress setting in the registry changed from the address of the server, to the address of the message relay computer. This is done by changing the configuration centrally, but can be checked locally.
If you need more information or guidance, then please contact technical support.
- Article ID: 14635
- Created: 21 Mar 2006
- Last updated: 6 Oct 2008
