Loading...

Knowledge Center


ePolicy Orchestrator server backup and disaster recovery procedure
Technical Articles ID:  KB66616
Last Modified:  6/19/2015
Rated:


Environment

McAfee ePolicy Orchestrator (ePO) 5.x, 4.x

Summary

This article provides information on the backup and disaster recovery process for ePO servers. 

IMPORTANT:
  • This procedure is intended for use by network and ePO administrators only. Intel Security does not assume responsibility for any damage incurred because it is intended as a guideline for disaster recovery. All liability for use of the following information remains with the user.
  • The procedure is for use with ePO 5.x, 4.6.x, and 4.5.x servers only. For ePO 5.x users, it is preferable to use the built-in Disaster Recovery feature and use these steps only if a valid Snapshot was not created and a manual recovery is required. For information about the Disaster Recovery feature, see the "Restoring McAfee ePO" section of the ePolicy Orchestrator Installation Guide.
  • If you are going from a 32-bit to a 64-bit OS, or installing ePO to a different path, you must follow KB71078 instead.

NOTES:

  • The Agent uses either the last known IP address, DNS name, or NetBIOS name of the ePO server. If you change any one of these, ensure that the Agents have a way to locate the server. The easiest way to do this is to retain the existing DNS record and change it to point to the new IP address of the ePO server. After the Agent is able to successfully connect to the ePO server, it downloads an updated SiteList.xml with the current information.
  • You can also use this procedure if you want to migrate the ePO server to another system. For ePO 5.x users, it is preferable to use the built-in Disaster Recovery feature to migrate the ePO server to another system.
Preparation
To ensure a smooth recovery, do not perform a backup while the server is in the middle of installing an extension.
 
Before backing up
If possible, shut down the McAfee ePolicy Orchestrator Application Server service (Tomcat) entirely when doing the backup. Otherwise, ensure that no one is performing the following actions during the backup:
  • Installing, uninstalling, or upgrading an extension
  • Updating the ePO database configuration 
Backing up the ePO server
  1. Use the following to back up the SQL database (normally named ePO_<ServerName>, where the <ServerName> is your ePO server name):
    • See article KB52126 for details on backing up the ePO database using SQL Server Management Studio.
    • See article KB59562 for details on backing up the ePO database using OSQL commands.
       
  2. You must also back up the following folder paths:
     
    NOTE: The default 64-bit installation path is listed below. However, your installation might differ (for example, the default 32-bit installation path is C:\Program Files\McAfee\ePolicy Orchestrator).
C:\Program Files (x86)\McAfee\ePolicy Orchestrator\Server\extensions
The default path to ePO software extension information.

C:\Program Files (x86)\McAfee\ePolicy Orchestrator\Server\conf
The default path to required files used by the ePO software extensions.

C:\Program Files (x86)\McAfee\ePolicy Orchestrator\Server\keystore
These keys are for ePO agent server communication and the repositories.

C:\Program Files (x86)\McAfee\ePolicy Orchestrator\DB\Software
All products that have been checked into the Master Repository are located here.

C:\Program Files (x86)\McAfee\ePolicy Orchestrator\DB\Keystore
The Agent-to-server communication and Repository Keys that are unique to your installation are located here. Failing to restore this folder will result in all client machines being unable to communicate with the server, and you will have to redeploy the agent to all machines. Additionally, you will have to check in all deployable packages again.
 
C:\Program Files (x86)\McAfee\ePolicy Orchestrator\Apache2\conf
The server configuration settings for Apache, the SSL certificates needed to authorize the server to handle agent requests, and console certificates are located here.

NOTE: Failure to back up and restore these directory structures will require a re-installation of ePO to create new ones and possibly require a clean database installation and redeployment of agents to all client computers.
 

Recover the ePO server
  1. Delete the ePO database on the SQL server. If you do not know how to perform the MSSQL operation, refer to http://technet.microsoft.com/en-us/library/ms177419.aspx or contact Microsoft Support.
     
  2. If restoring ePO to the same system, uninstall ePO. Ensure that there is no ePolicy Orchestrator folder in the original installation path after the software is uninstalled.

    NOTE: Renaming the existing ePolicy Orchestrator folder and leaving the old directory in place may interfere with the new installation. Intel Security recommends that you remove the old directory completely.
     
  3. Re-install ePO to the same version and patch level as the server you are restoring.

    NOTE: You can verify the ePO patch level by looking at the Version field in the backed up Server.ini file (C:\Program Files (x86)\McAfee\ePolicy Orchestrator\DB\) and cross-referencing it with article KB59938.

    IMPORTANT: 
    You must re-install ePO to the exact same directory path as the previous installation for this article to apply (or initialization of extensions will fail when the restore is complete). If the installation path is different, follow the steps in KB71078 instead.
     
  4. Apply any additional patches/hotfixes/POCs to ePO that had been previously applied.
     
    For ePO 5.x: 
    If you have previously installed Policy Auditor 6.2 for use with ePO, install the same version of Policy Auditor (including any hotfix releases) that had been installed before.
     
    For ePO 4.x:
    • If you have previously installed Policy Auditor 5.x for use with ePO, install the same version of Policy Auditor (including the hotfix release) that had been installed before.
    • If you have previously installed McAfee NAC 3.x or McAfee NAC 4.0 for use with ePO, install the same version of McAfee NAC (including the hotfix release) that had been installed before.
     
  5. Stop and disable all ePO services:

    1. Click Start, Run, type services.msc, and click OK.
    2. Right-click each of the following services and select Stop:

      McAfee ePolicy Orchestrator Application Server
      McAfee ePolicy Orchestrator Event Parser
      McAfee ePolicy Orchestrator Server
       
    3. Double-click each of the following services and change Startup type to Disabled:

      McAfee ePolicy Orchestrator Application Server
      McAfee ePolicy Orchestrator Event Parser
      McAfee ePolicy Orchestrator Server
        
  6. Restore the database.

    NOTE: 
    Restore the database so that you do not require the ePO database configuration to be updated (for example: same name, host, port, and so on). Otherwise, you must update the restored DB.PROPERTIES file in C:\Program Files\McAfee\ePolicy Orchestrator\Server\conf\orion with the new information before starting up the server.
     
  7. Rename the following folders (for example, rename the extensions folder to extensions_old), and then replace them with the corresponding folders that were backed up earlier:
     
    C:\Program Files (x86)\McAfee\ePolicy Orchestrator\Server\extensions
    C:\Program Files (x86)\McAfee\ePolicy Orchestrator\Server\conf
    C:\Program Files (x86)\McAfee\ePolicy Orchestrator\Server\keystore
    C:\Program Files (x86)\McAfee\ePolicy Orchestrator\DB\Software
    C:\Program Files (x86)\McAfee\ePolicy Orchestrator\DB\Keystore
    C:\Program Files (x86)\McAfee\ePolicy Orchestrator\Apache2\conf
     
  8. Start the McAfee ePolicy Orchestrator Application Server service only
     
  9. Attempt to log on to the ePO console. If you are unable to log on, review all the steps performed in this article and ensure that they have been properly completed. If you cannot resolve the console logon issue, contact Technical Support for further assistance before proceeding.
     
    For Technical Support contact details:
    Go to http://www.mcafee.com/us/about/contact-us.aspx#ht=tab-techsupport and select your country from the drop-down list.

    Alternatively
    :
    Log in to the ServicePortal at https://support.mcafee.com:
    • If you are a registered user, type your User Id and Password, and click Log In.
    • If you are not a registered user, click Register and complete the required fields. Your password and login instructions will be emailed to you.

     
    NOTE:
    You must be able to log on for the rest of the recovery steps to work.
      
  10. Rename the SSL.CRT folder (see path below) to SSL.CRT.OLD and manually create an empty folder named SSL.CRT in the same path; otherwise the setup will fail to create a new certificate: 
     
    64-bit: "C:\Program Files (x86)\McAfee\ePolicy Orchestrator\Apache2\conf\ssl.crt" 32-bit: "C:\Program Files\McAfee\ePolicy Orchestrator\Apache2\conf\ssl.crt"
      
  11. Click Start, Run, type cmd, and click OK.
  12. Change directories to your ePO installation directory.
     
    Default paths:
     
    64-bit: Program Files (x86)\McAfee\ePolicy Orchestrator\ 32-bit: Program Files\McAfee\ePolicy Orchestrator\
       
  13. Run the following command:
     
    IMPORTANT:
    • This command will fail if you have enabled User Account Control (UAC) on this server. If the server is running Windows Server 2008 or later, disable this feature. You can find more information about UAC at: http://technet.microsoft.com/en-us/library/cc709691(WS.10).aspx.
    • This command is case-sensitive. The ahsetup.log (found in <installdir\Apache2\conf\ssl.crt>) provides information about whether the command succeeded or failed and will state whether it used the files located in the ssl.crt folder
     
    Rundll32.exe ahsetup.dll RunDllGenCerts <ePO_server_name> <console_HTTPS_port> <admin_username> <password> <"installdir\Apache2\conf\ssl.crt">
     
    where:
     
    <ePO_server_name> is your ePO server NetBIOS name
    <console_HTTPS_port> is your ePO console port (default is 8443)
    <admin_username> is admin (use the default ePO admin console account)
    <password> is the password to the ePO admin console account
    <installdir\Apache2\conf\ssl.crt> is your installation path to the Apache folder; Default installation path:
     
    64-bit: "C:\Program Files (x86)\McAfee\ePolicy Orchestrator\Apache2\conf\ssl.crt" 32-bit: "C:\Program Files\McAfee\ePolicy Orchestrator\Apache2\conf\ssl.crt"
     
    Example
    Rundll32.exe ahsetup.dll RunDllGenCerts eposervername 8443 administrator password "C:\Program Files\McAfee\ePolicy Orchestrator\Apache2\conf\ssl.crt"
       
  14. Start the following services:
     
    McAfee ePolicy Orchestrator Event Parser 
    McAfee ePolicy Orchestrator Server
       
  15. Look in the DB/logs/server.log to ensure that the Agent Handler (Apache server) started correctly. It should state something similar to the following:
     
    20090923173647        I           #4108  NAIMSRV      ePolicy Orchestrator server started.
     
    If it does not, there will be an error similar to the following: 
     
    20090923173319       E          #4736  NAIMSRV      Failed to get server key information. 

Rate this document

Did this article resolve your issue?

Please provide any comments below

Beta Translate with

Select a desired language below to translate this page.

Glossary of Technical Terms


Highlight Glossary Terms

Please take a moment to browse our Glossary of Technical Terms.