Solved

Antivirus high level migration steps

Posted on 2014-09-03
Last Modified: 2014-09-08
Hello Experts,

I have a client who deployed an ePO 4.0 server on a site. Now the client has decided to deploy a second McAfee ePO on another site and migrate all server policies and settings to the new site.

Can anyone please summarize high-level steps to migrate all server configuration across Antivirus servers? Please refer to McAfee products.

Any blog, business cases, docs, links are really appreciated
Question by:Jerry Seinfield
 

Author Comment

by:Jerry Seinfield
Just to clarify,

I would like to get some guides, links, blogs on how to migrate ePO 4.5 to a new server

The new server will have different IP, name, DB
 

Author Comment

by:Jerry Seinfield
Any updates?

My request is basically to move ePO to a new server, new name, new IP, different directory path

Expert Comment

by:btan
You can catch

Recommended procedure for migrating or moving the ePO 4.0 server to a new system
https://kc.mcafee.com/corporate/index?page=content&id=KB51438

Step 1 - Backups.
Step 2 - To restore the ePO server to a new system
(the article states "after a server crash" but see applicable for new server)
Step 3 - Restoring the Previous Key Pairs

also good to note the new server esp for migrating an ePO system from 32-bit to 64-bit
https://kc.mcafee.com/corporate/index?page=content&id=KB71078

may be worth looking at the advice too (as similar to a/m links too and do backup)
https://community.mcafee.com/thread/54881

if you still want to transfer computers from the old ePO server to the new one
- From the old ePO server go to system tree->my organization and click on system tree actions->export systems (this group and all subgroups)
- From the new ePO server go to system tree->my organization and click on system tree actions->new systems->Import systems from a text file into the current group (My Organization), but do not push agents->Systems and System Tree structure

so you'll have all your computers (unmanaged) in your new ePO server using the same tree structure as the old one.
 
Now you'll have to export/import all your policies to the new ePO server:
- Check all product extensions on the new ePO server as you have in the old server
- From the old ePO server go to system tree->assigned policies->export all assignments
- From the new ePO server go to system tree->assigned policies->import assignments
 
so you'll have all policies applied to groups/computers on the new ePO server.
Now you'll have to register the old ePO server to the new server so you can transfer systems:
- From the old ePO server go to menu->configuration->server settings->security keys and export the master key (the one that usually does not have a 0 next to it)
- From the new ePO server go to menu->configuration->server settings->security keys and import the key
- From the old ePO server go to menu->configuration->registered servers and set a new ePO server (this will be the new ePO server).
 
Finally you can try to transfer some computers from the old ePO to the new one and see if they are transferred as they should (action->agent->transfer systems).

Author Comment

by:Jerry Seinfield
Thanks Btan,

I have one more question

Let's assume that I have a primary site where a primary ePO 4.6 server is deployed and multiple sites where all my clients point to that primary ePO server.

Can I just deploy a new ePO server with a new SQL DB, join to same AV organization, this server will act as secondary server and then make it primary server and leave the original one as secondary server?

If so, how can I redirect all my clients to the new primary ePO 4.6 server?

Expert Comment

by:btan
in past forum it is mentioned not recommended as this is a failover use case (i.e. a multi-node active/passive MSCS cluster) whereby an agent can only talk to 1 ePO server and likely need to redeploy the agents from the secondary ePO server for them to become managed. There's no way to have clients - or agent handlers - talk to multiple ePO installations.

I digress...

Beginning with version 4.5 of the software, Agent Handlers were introduced to allow you to grow your logical ePolicy Orchestrator infrastructure horizontally. This is accomplished by adding multiple Agent Handlers to scale agent connectivity. It is 4.5 but I believe 4.6 will not be worse off
https://kc.mcafee.com/resources/sites/MCAFEE/content/live/PRODUCT_DOCUMENTATION/23000/PD23051/en_US/epo_450_best_practices_guide_en-us.pdf.pdf

Do read thru Chapter 4 and 5 which I believe can advise you better - we should not treat it as failover for such upgrade though as unless you have some physical balancer fronting them as proxy else software clustering may not be assured and agent handler may not be affected if not able to point to active server based on their interval polling for updates etc.

Do also catch the "Using Transfer Systems feature on ePolicy Orchestrator 4.5, or later" e.g. Use the ePolicy Orchestrator 4.5 Transfer Systems task to move your agents from the old McAfee ePO server to the new McAfee ePO server...
 

Author Comment

by:Jerry Seinfield
so, your best recommendation is to deploy a new ePO from scratch, and deploy the agent to all clients?

I already have one ePO server with SQL 2008 local and this is the primary server for 2 locations, what would be the best approach to integrate both sites?

Perhaps something like below?

Deploy a new ePO 4.6 server in new location
From the old ePO 4.6 server export all server policies
Decommission the old ePO server
Import server policies onto new ePO server
Deploy additional ePO servers on each location using same DB same AV organization?

What would be the best approach to be followed?

Accepted Solution

by:btan (earned 500 total points)

yes, as you do not even have the primary and secondary server for a start and you will still be doing up the "secondary", you may want to test out and find a downtime once all testing is alright. Failover is not as straightforward, as I see a backup cum rollback is very critical for the fallback plan.

as recommended in the wp, it already stated two ways to upgrade the existing version of the McAfee ePO server. Either perform an in-place McAfee ePO server upgrade, or a clean installation of the McAfee ePO server.

The advantages of an in-place McAfee ePO server upgrade include:
• You retain all your policies and client tasks — This means you don't have to rebuild them and could save you time.
• You retain your directory structure — If you have invested a lot of time building this structure an in-place upgrade may be a good idea.
• You don't have to transfer any McAfee agents to a new server — Since nothing changes with an in-place upgrade the upgrade is transparent to all your agents.

The disadvantages of an in-place McAfee ePO server upgrade include:
• If your McAfee ePO server has been used for a long time do not transfer certain issues to the new upgrade. For example, if you ran extensive SQL scripts or altered your database in any way outside of the normal operating procedures you might want to start with a clean installation.
• Older policies might not still apply to your existing environment. Do not copy those policies during your in-place upgrade.

There might be a time when you need to move your McAfee ePO server from one physical server to another and maintain all your settings. For example, when your hardware is old, has failed, or is out of warranty. Or, when you upgrade your version of ePolicy Orchestrator software and you decide to upgrade your hardware as well.
You must understand how the agents find the McAfee ePO server especially if you are moving your McAfee ePO server. The agent tries to connect to the McAfee ePO server first using the IP address, then using the fully qualified DNS name. If you move the McAfee ePO server or change its IP address the agent attempts to query the DNS to get the IP address for the DNS name. If you are going to move your McAfee ePO server you must make sure you have good DNS name resolution in your environment.

Moving your agents from the old McAfee ePO server to the new McAfee ePO server is a compromise between copying your existing ePolicy Orchestrator SQL database to your new McAfee ePO server and having the McAfee Agents connect to the new server to populate the new, clean, database. Using versions of ePolicy Orchestrator software prior to release 4.5, many users tried to find a compromise between starting from a new installation with a clean database but still not losing all their old settings that they created over time. This compromise was difficult because it often required extensive rebuilding of policies and tasks on the new McAfee ePO server using the process in Move the server.

A fresh start is good but do weigh the above mentioned

the following steps were needed to try to mimic the older server:
1 Install a new McAfee ePO server. See McAfee ePolicy Orchestrator 4.5 Installation Guide for detailed instructions.

2 Export and import the following from the old McAfee ePO server to the newly built McAfee ePO server:
• Export your product policy files in XML.
• Export your tree structure in a txt file (ePO version 4.5 only).
• Export any custom queries you have created.
• Import your tree structure on your new McAfee ePO server.
• Import the product policies and make sure they get assigned to the right groups.
• Import any custom queries that you want to preserve.

3 All of the following items, you previously configured, must be re-created manually:
• Client tasks including deployment, update, and on demand tasks
• Server tasks, including the McAfee content pull and replication
• McAfee ePO server administrators and permission sets

Make sure you back up the following:
• The SQL database is critical. Before you do anything make sure you back up your McAfee ePO server SQL database in case something goes wrong. The database stores everything about ePolicy Orchestrator. For example, your tree structure, your product policies, administrators, events, and server settings.

• Back up these items that are outside your database:
  • Agent keys which secure the communication between the server and all your agents
  • Software checked into the master repository
  • Extensions to manage all your product policies
  • Secure Sockets Layer (SSL) certificates
  • Server settings such as communication ports

The Transfer Systems task is one of the useful features that allows you to:

• Stage and thoroughly plan your agent moves so you can test their settings during an appropriate change control window.
• Test your changes on a development McAfee ePO server before rolling out the changes to the production environment. For example, you can make changes on your test McAfee ePO server and move a group of live production agents to your test server to see the results. When done, you can easily transfer those agents back to the original production McAfee ePO server

Also to take some advice from below
https://community.mcafee.com/thread/60612?tstart=0
Once you have an agent handler, your agents will recognize this as a way to communicate with the database and get updates. The handler IP and name will be communicated to the agents in the framepackage sitelist/epo agent policy.

If your database is down, like when your ePO server is down or when you are doing database maintenance, your agent handler and ePO servers are useless. But your agents would still run the task and apply the policies, that doesn't go away with ePO down. Also, if your policy has McAfee as a fallback they can update from there.
So this brings me back to the database, it needs to be solid and ideally independent of your ePO server.

And always have the standby proactive McAfee support so that it is pre-empted of such upgrade and can be on the spot resolve swiftly...
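
The accepted answer notes that the agent tries the ePO server's IP address first and then its fully qualified DNS name. As an added example (not part of the thread and not McAfee tooling), this Python check follows that order ahead of a cutover for a server that keeps its DNS name; the addresses, host name and port 443 are constructed placeholders, so substitute the agent-server communication port from your own server settings.

```python
import socket

def resolve_ipv4(fqdn):
    """IPv4 addresses DNS currently returns for fqdn (empty set on failure)."""
    try:
        infos = socket.getaddrinfo(fqdn, None, socket.AF_INET, socket.SOCK_STREAM)
    except socket.gaierror:
        return set()
    return {info[4][0] for info in infos}

def tcp_open(ip, port, timeout=3.0):
    """True if a TCP connection to ip:port succeeds within timeout."""
    try:
        with socket.create_connection((ip, port), timeout=timeout):
            return True
    except OSError:
        return False

def agent_path(old_ip, new_ip, fqdn, port, resolve=resolve_ipv4, probe=tcp_open):
    """Follow the lookup order from the post: stored IP first, then the FQDN."""
    if probe(old_ip, port):
        # Old address still answers, so agents never reach the DNS step.
        return "OLD_IP_STILL_ANSWERS"
    addrs = resolve(fqdn)
    if not addrs:
        return "DNS_FAILS"        # agents cannot find any server: unmanaged
    if new_ip not in addrs:
        return "DNS_STALE"        # the name still points somewhere else
    if addrs != {new_ip}:
        return "DNS_MIXED"        # some lookups will land on the wrong host
    return "OK_VIA_DNS" if probe(new_ip, port) else "NEW_SERVER_UNREACHABLE"

if __name__ == "__main__":
    # Constructed demo values (documentation address ranges); runs offline
    # because the resolver and the probe are replaced with in-memory fakes.
    OLD, NEW = "192.0.2.10", "198.51.100.20"
    NAME, PORT = "epo.example.internal", 443
    dns = {NAME: {NEW}}
    up = {(NEW, PORT)}
    print(agent_path(OLD, NEW, NAME, PORT,
                     resolve=lambda n: dns.get(n, set()),
                     probe=lambda ip, p: (ip, p) in up))
```

Any result other than `OK_VIA_DNS` means some agents would stop receiving policy and content updates after the move, so fix the DNS record or use the Transfer Systems task before decommissioning the old server.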