‎08-12-2022 08:48 PM - last edited on ‎04-02-2024 10:43 AM by Mercedes_O
On our asset list we have around 50 of these "webservers" with almost no information. I am not sure what Lansweeper is looking at to get the info or where it comes from. They look like this:
When I visit the associated IP address, it goes to this generic Sophos screen:
We use a Sophos firewall and have Sophos clients installed on each computer, and the ESMTP makes me think it's something to do with how our Sophos filters emails, but I don't really have much else to go on. I would love it if someone could direct me on how to get some more information on these "webservers."
Thank you!
‎08-22-2022 11:30 PM
It looks like this person had the same issue scanning on a network with a Sophos firewall:
Scanning a public IP shows me my own firewall's information : nmap (reddit.com)
The firewall is acting as an email proxy to ensure all outbound email is scanned. This person disabled the proxy on the firewall to resolve the issue but if you're relying on that for email filtering I would recommend creating exceptions in Lansweeper instead.
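One way to check for the pattern described in this reply before creating exceptions, as an added example that is not part of the original thread and not Lansweeper or Sophos code: group scan results by port and banner, and flag banners shared by several routed IPs that returned no MAC address. The record fields, the sample rows, the scanner subnet and the `min_hosts` threshold are all assumptions made for illustration.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample records (not real scan data): one row per open port found.
SCAN = [
    {"ip": "10.20.0.1", "port": 25, "banner": "220 fw.example.test ESMTP ready", "mac": "00:00:5E:00:53:01"},
    {"ip": "10.20.1.11", "port": 25, "banner": "220 fw.example.test ESMTP ready", "mac": None},
    {"ip": "10.20.1.12", "port": 25, "banner": "220 fw.example.test  ESMTP ready", "mac": None},
    {"ip": "10.20.2.7", "port": 25, "banner": "220 FW.example.test ESMTP ready", "mac": None},
    {"ip": "10.20.3.40", "port": 25, "banner": "220 fw.example.test ESMTP ready", "mac": None},
    {"ip": "10.20.4.5", "port": 25, "banner": "220 mail.example.test ESMTP Postfix", "mac": None},
    {"ip": "10.20.1.11", "port": 21, "banner": "220 FTP proxy ready", "mac": None},
    {"ip": "10.20.2.7", "port": 21, "banner": "220 FTP proxy ready", "mac": None},
]

def normalize(banner):
    """Collapse whitespace and case so cosmetic differences do not split a group."""
    return " ".join(banner.split()).lower()

def find_proxy_artifacts(records, scanner_net, min_hosts=3):
    """Return {(port, banner): [ips]} for banners repeated across routed, MAC-less IPs.

    Assumption: traffic to IPs outside the scanner's own subnet crosses the
    firewall, so an identical banner on many such IPs is more likely the
    firewall's proxy answering than many separate servers.
    """
    net = ip_network(scanner_net)
    groups = defaultdict(set)
    for rec in records:
        routed = ip_address(rec["ip"]) not in net
        if routed and not rec.get("mac"):
            groups[(rec["port"], normalize(rec["banner"]))].add(rec["ip"])
    return {
        key: sorted(ips, key=ip_address)
        for key, ips in groups.items()
        if len(ips) >= min_hosts
    }

if __name__ == "__main__":
    # Scanner subnet is a constructed value for this sample.
    for (port, banner), ips in find_proxy_artifacts(SCAN, "10.20.0.0/24").items():
        print(f"port {port}: {len(ips)} IPs share banner {banner!r}")
        for ip in ips:
            print(f"  exclusion candidate: {ip}")
```

The flagged IPs are candidates to review for scan exceptions; an IP in the list can still host a real device behind the proxy, so confirm with the router or switch ARP cache as suggested elsewhere in this thread.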
‎08-19-2022 06:42 PM
A cause for the MAC address not to show up is if the device is on another subnet or a different VLAN.
‎08-19-2022 07:08 PM
Though if a reply packet is received by the host scanning an IP on another subnet/VLAN, a MAC address will be associated with that packet, even if that address has been altered to mask the source device. Haven't seen a switch or firewall normally forward packets without a source MAC address, but I figure it's possible.
‎08-22-2022 05:17 PM
Would there be any other way to figure out the MAC address since Advanced IP Scanner isn't finding anything?
‎08-22-2022 10:49 PM
My mistake on this, scanning with tools like Advanced IP Scanner won't show MAC addresses for IPs on different subnets/VLANs per mkhuber1. That info needs to be pulled from routers or switches that route that subnet/VLAN, so try the below per mkhuber1's other post:
"When I run into "unknowns" like this I use the ARP cache on a router or core switch to find the MAC address and then look up that MAC to find the NIC manufacturer."
‎08-16-2022 06:10 PM
From your screencap, I'd guess that the device is being identified as a web server because it's running an FTP server. When you try to visit the IP address, you're likely using a web browser and trying to connect to an HTTP server, which the device isn't running, so it's no surprise you can't connect. Try using an FTP client and you should get a response. (If you can't do it from the command line, grab a copy of FileZilla.)
‎08-18-2022 06:21 PM - edited ‎08-18-2022 06:35 PM
Update: I wasn't able to connect to an FTP server through FileZilla or cmd; the connection just times out every time. Thanks for the suggestion.
‎08-15-2022 03:26 PM
When I run into "unknowns" like this I use the ARP cache on a router or core switch to find the MAC address and then look up that MAC to find the NIC manufacturer.
Sometimes the NIC manufacturer is enough to give some kind of clue about the device.
‎08-16-2022 03:43 PM
Thank you, I will try to figure out how to do this.
‎08-16-2022 11:02 PM
Also check if the associated IPs belong to your computers that have the Sophos client installed on them. Though I can't see why a client would have a running and open?? SMTP service.
Now that I think of it, if I recall correctly from the one time that I scanned network subnets on a network that had a Sophos firewall, it returned odd results for IP addresses/subnets that couldn't be scanned - possibly similar results to what you're seeing, where it was showing an FTP or SMTP service on those IP addresses. Try scanning your subnets using a tool like Advanced IP Scanner. If you see similar results, it's most likely caused by a configuration on the Sophos firewall.