Antivirus high level migration steps

Hello Experts,

I have a client who deployed an ePO 4.0 server on a site. Now the client has decided to deploy a second McAfee ePO on another site and migrate all server policies and settings to the new site.

Can anyone please summarize the high-level steps to migrate all server configuration across antivirus servers? Please refer to McAfee products.

Any blogs, business cases, docs, or links are really appreciated.
Jerry Seinfield Asked:

Jerry Seinfield (Author) Commented:
Just to clarify,

I would like to get some guides, links, blogs on how to migrate ePO 4.5 to a new server.

The new server will have a different IP, name, DB.

Jerry Seinfield (Author) Commented:
Any updates?

My request is basically: move ePO to a new server, new name, new IP, different directory path.

btan (Exec Consultant) Commented:
You can catch

Recommended procedure for migrating or moving the ePO 4.0 server to a new system

Step 1 - Backups.
Step 2 - To restore the ePO server to a new system
(the article states "after a server crash" but it is applicable for a new server too)
Step 3 - Restoring the Previous Key Pairs

Also good to note for the new server, esp. for migrating an ePO system from 32-bit to 64-bit

May be worth looking at the advice too (as similar to a/m links too, and do backup)
if you still want to transfer computers from the old ePO server to the new one
- From the old ePO server go to system tree->my organization and click on system tree actions->export systems (this group and all subgroups)
- From the new ePO server go to system tree->my organization and click on system tree actions->new systems->Import systems from a text file into the current group (My Organization), but do not push agents->Systems and System Tree structure

so you'll have all your computers (unmanaged) in your new ePO server using the same tree structure as the old one.
Now you'll have to export/import all your policies to the new ePO server:
- Check all product extensions on the new ePO server as you have in the old server
- From the old ePO server go to system tree->assigned policies->export all assignments
- From the new ePO server go to system tree->assigned policies->import assignments
so you'll have all policies applied to groups/computers on the new ePO server.
Now you'll have to register the old ePO server to the new server so you can transfer systems:
- From the old ePO server go to menu->configuration->server settings->security keys and export the master key (the one that usually does not have a 0 next to it)
- From the new ePO server go to menu->configuration->server settings->security keys and import the key
- From the old ePO server go to menu->configuration->registered servers and set a new ePO server (this will be the new ePO server).
Finally you can try to transfer some computers from the old ePO to the new one and see if they are transferred as they should (action->agent->transfer systems).

Jerry Seinfield (Author) Commented:
Thanks Btan,

I have one more question.

Let's assume that I have a primary site where a primary ePO 4.6 server is deployed and multiple sites where all my clients point to that primary ePO server.

Can I just deploy a new ePO server with a new SQL DB, join it to the same AV organization, have this server act as a secondary server, and then make it the primary server and leave the original one as the secondary server?

If so, how can I redirect all my clients to the new primary ePO 4.6 server?

btan (Exec Consultant) Commented:
In a past forum it is mentioned as not recommended, as this is a failover use case (i.e. a multi-node active/passive MSCS cluster) whereby an agent can only talk to 1 ePO server and likely need to redeploy the agents from the secondary ePO server for them to become managed. There's no way to have clients - or agent handlers - talk to multiple ePO installations.

I digress...

Beginning with version 4.5 of the software, Agent Handlers were introduced to allow you to grow your logical ePolicy Orchestrator infrastructure horizontally. This is accomplished by adding multiple Agent Handlers to scale agent connectivity. It is 4.5 but I believe 4.6 will not be worse off.

Do read through Chapter 4 and 5 which I believe can advise you better - we should not treat it as failover for such upgrade though as unless you have some physical balancer fronting them as proxy else software clustering may not be assured and agent handler may not affected if not able to point to active server based on their interval polling for updates etc.

Do also catch the "Using Transfer Systems feature on ePolicy Orchestrator 4.5, or later" e.g. Use the ePolicy Orchestrator 4.5 Transfer Systems task to move your agents from the old McAfee ePO server to the new McAfee ePO server...

Jerry Seinfield (Author) Commented:
So, your best recommendation is to deploy a new ePO from scratch, and deploy the agent to all clients?

I already have one ePO server with SQL 2008 local and this is the primary server for 2 locations. What would be the best approach to integrate both sites?

Perhaps something like below?

Deploy a new ePO 4.6 server in new location
From the old ePO 4.6 server export all server policies
Decommission the old ePO server
Import server policies onto new ePO server
Deploy additional ePO servers on each location using same DB same AV organization?

What would be the best approach to be followed?

btan (Exec Consultant) Commented:
Yes, as you do not even have the primary and secondary server for a start and you will still be doing up the "secondary", you may want to test it out and find a downtime once all testing is alright. Failover is not as straightforward, as I see a backup cum rollback is very critical for the fallback plan.

As recommended in the wp, it already stated two ways to upgrade the existing version of the McAfee ePO server. Either perform an in-place McAfee ePO server upgrade, or a clean installation of the McAfee ePO server.

The advantages of an in-place McAfee ePO server upgrade include:
• You retain all your policies and client tasks — This means you don't have to rebuild them and could save you time.
• You retain your directory structure — If you have invested a lot of time building this structure an in-place upgrade may be a good idea.
• You don't have to transfer any McAfee agents to a new server — Since nothing changes with an in-place upgrade the upgrade is transparent to all your agents.

The disadvantages of an in-place McAfee ePO server upgrade include:
• If your McAfee ePO server has been used for a long time do not transfer certain issues to the new upgrade. For example, if you ran extensive SQL scripts or altered your database in any way outside of the normal operating procedures you might want to start with a clean installation.
• Older policies might not still apply to your existing environment. Do not copy those policies during your in-place upgrade.

There might be a time when you need to move your McAfee ePO server from one physical server to another and maintain all your settings. For example, when your hardware is old, has failed, or is out of warranty. Or, when you upgrade your version of ePolicy Orchestrator software and you decide to upgrade your hardware as well.
You must understand how the agents find the McAfee ePO server especially if you are moving your McAfee ePO server. The agent tries to connect to the McAfee ePO server first using the IP address, then using the fully qualified DNS name. If you move the McAfee ePO server or change its IP address the agent attempts to query the DNS to get the IP address for the DNS name. If you are going to move your McAfee ePO server you must make sure you have good DNS name resolution in your environment.

Moving your agents from the old McAfee ePO server to the new McAfee ePO server is a compromise between copying your existing ePolicy Orchestrator SQL database to your new McAfee ePO server and having the McAfee Agents connect to the new server to populate the new, clean, database. Using versions of ePolicy Orchestrator software prior to release 4.5, many users tried to find a compromise between starting from a new installation with a clean database but still not losing all their old settings that they created over time. This compromise was difficult because it often required extensive rebuilding of policies and tasks on the new McAfee ePO server using the process in Move the server.

A fresh start is good but do weigh the above mentioned.

The following steps were needed to try to mimic the older server:
1 Install a new McAfee ePO server. See McAfee ePolicy Orchestrator 4.5 Installation Guide for detailed instructions.

2 Export and import the following from the old McAfee ePO server to the newly built McAfee ePO server:
• Export your product policy files in XML.
• Export your tree structure in a txt file (ePO version 4.5 only).
• Export any custom queries you have created.
• Import your tree structure on your new McAfee ePO server.
• Import the product policies and make sure they get assigned to the right groups.
• Import any custom queries that you want to preserve.

3 All of the following items, you previously configured, must be re-created manually:
• Client tasks including deployment, update, and on demand tasks
• Server tasks, including the McAfee content pull and replication
• McAfee ePO server administrators and permission sets

Make sure you back up the following:
• The SQL database is critical. Before you do anything make sure you back up your McAfee ePO server SQL database in case something goes wrong. The database stores everything about ePolicy Orchestrator. For example, your tree structure, your product policies, administrators, events, and server settings.
• Back up these items that are outside your database:
  • Agent keys which secure the communication between the server and all your agents
  • Software checked into the master repository
  • Extensions to manage all your product policies
  • Secure Sockets Layer (SSL) certificates
  • Server settings such as communication ports

The Transfer Systems task is one of the useful features that allows you to:

• Stage and thoroughly plan your agent moves so you can test their settings during an appropriate change control window.
• Test your changes on a development McAfee ePO server before rolling out the changes to the production environment. For example, you can make changes on your test McAfee ePO server and move a group of live production agents to your test server to see the results. When done, you can easily transfer those agents back to the original production McAfee ePO server.

Also to take some advice from below
Once you have an agent handler, your agents will recognize this as a way to communicate with the database and get updates. The handler IP and name will be communicated to the agents in the framepackage sitelist/epo agent policy.

If your database is down, like when your ePO server is down or when you are doing database maintenance, your agent handler and ePO servers are useless. But your agents would still run the task and apply the policies; that doesn't go away with ePO down. Also, if your policy has McAfee as a fallback they can update from there.
So this brings me back to the database, it needs to be solid and ideally independent of your ePO server.

And always have the standby proactive McAfee support so that it is pre-empted of such upgrade and can be on the spot resolve swiftly...
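
The answer above notes that an agent tries the server's IP address first and then its fully qualified DNS name, so a server move depends on DNS. The following pre-cutover check is an added example, not part of the original post and not McAfee code; it assumes the moved server keeps its DNS name, and the host name, addresses and per-site DNS views are constructed sample data.

```python
import socket

def resolve_ipv4(fqdn):
    """IPv4 addresses the local resolver returns for fqdn; empty set on failure."""
    try:
        infos = socket.getaddrinfo(fqdn, None, socket.AF_INET, socket.SOCK_STREAM)
    except socket.gaierror:
        return set()
    return {info[4][0] for info in infos}

def cutover_status(fqdn, new_ip, old_ip_answers, resolver=resolve_ipv4):
    """Predict where an agent that knows the old IP and the fqdn ends up.

    Order taken from the post: stored IP address first, then the DNS name.
    """
    if old_ip_answers:
        return "stays-on-old-server"      # first attempt succeeds, DNS never consulted
    addrs = resolver(fqdn)
    if not addrs:
        return "no-dns-answer"            # the fallback has nothing to connect to
    if addrs == {new_ip}:
        return "reaches-new-server"
    if new_ip in addrs:
        return "stale-record-present"     # leftover A record; which one is used varies
    return "wrong-record"                 # name still points somewhere else

def audit_sites(site_views, fqdn, new_ip, old_ip_answers=False):
    """Run the check against each site's DNS view (dict: site -> {name: set of IPs})."""
    return {
        site: cutover_status(fqdn, new_ip, old_ip_answers,
                             resolver=lambda name, v=view: v.get(name, set()))
        for site, view in site_views.items()
    }

# Constructed sample data: documentation-range addresses, hypothetical names.
FQDN, OLD_IP, NEW_IP = "epo.example.com", "192.0.2.10", "198.51.100.20"
SITE_VIEWS = {
    "hq":      {FQDN: {NEW_IP}},          # record updated
    "branch1": {FQDN: {OLD_IP}},          # cached or stale record
    "branch2": {FQDN: {OLD_IP, NEW_IP}},  # old A record never deleted
    "branch3": {},                        # name missing from this resolver
}

if __name__ == "__main__":
    for site, status in audit_sites(SITE_VIEWS, FQDN, NEW_IP).items():
        print(f"{site:8} {status}")
```

On a real network, call `cutover_status` with the default resolver from a machine at each site instead of the constructed views.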

Question has a verified solution.
