
Knowledge Center


How to change ePO 5.x/4.6 Agent-to-Server Communication secure port
Technical Articles ID:  KB72936
Last Modified:  02/14/2014


Environment

McAfee Agent (MA) 4.8, 4.6, 4.5
McAfee ePolicy Orchestrator (ePO) 5.x, 4.6

Summary

This article explains how to change ePO Agent-to-Server Communication SecurePort.

The Agent-to-Server Communication SecurePort is a new feature carried over from ePO 4.5. On a new ePO 5.x/4.6 installation, you can modify the default port value (443) for the Agent-to-Server Communication SecurePort entry. Current functionality does not allow modification of this port via the user interface (ePO console) after the product has been installed. If you have to change the port number after upgrading from an earlier version to ePO 4.6/5.x, follow the Solution in this article.

Only MA 4.5 and later can use the SecurePort provided with ePO 4.5 and later. All managed systems with MA 4.5 and later are affected by this port change, unless the feature has been disabled in the Server Settings on the ePO server. With this feature enabled (default), you must modify the port setting on each managed MA 4.5 and later system (see Solution Step 7) and restart the McAfee Framework Service (manually or via script). Alternatively, you can re-deploy MA 4.5 or later to all affected systems.

NOTE: There is no automatic port validation for this procedure. You must ensure that the selected port is not already in use. Back up ePO and the ePO database before changing the SecurePort so that you can revert the setting in the event of issues. For more information about backing up the ePO database, see the section 'Back up using SQL Server Management Studio' in KB52126.

Solution

To change the ePO Agent-to-Server communication secure port:

Consideration
To shorten the time that an MA client is unable to communicate with the server because of the port change, you might choose to reduce the Agent-to-Server Communication Interval (ASCI). The default is 60 minutes, and the time interval that Agents will be out of communication with the ePO server is two ASCIs. After the port number change completes and the agents are communicating with the server, the ASCI can be changed back to the previous time interval.
  1. Stop the ePO services:
    1. Click Start, Run, type Services.msc, and click OK.
    2. Right-click each of the following services and select Stop:

      McAfee ePolicy Orchestrator Application Server
      McAfee ePolicy Orchestrator Event Parser
      McAfee ePolicy Orchestrator Server
  2. Change the port number in the ePO database.
    NOTE: Ensure that you run the following SQL command against the correct ePO database (the one where you want to change the Secure Port).

    Connect to the ePO server database with SQL Server Management Studio and run the following SQL command, where [ePODBName] (brackets are required) is the name of your ePO database, and NewPortValue is the number of the port you want to use instead of default 443:

    Update [ePODBName].dbo.EPOServerInfo
    Set [ServerHttpsPort] = NewPortValue
  3. On the ePO server, edit the httpd.conf and ssl.conf files:
    NOTE: The default location for these files is <Installation_Dir>\McAfee\ePolicy Orchestrator\Apache2\conf

    For httpd.conf, locate the following line and replace 443 with the new value: 

    Listen 443

    For ssl.conf, locate the following two lines and replace 443 with the new value:

    <VirtualHost _default_:443>
    ServerName <server>:443
  4. Start the ePO services:
    1. Click Start, Run, type services.msc, and click OK.
    2. Right-click each of the following services and select Start:

      McAfee ePolicy Orchestrator Application Server
      McAfee ePolicy Orchestrator Event Parser
      McAfee ePolicy Orchestrator Server
  5. Edit httpd.conf and ssl.conf on each remote Agent Handler (the default location is <InstallDir>\McAfee\Agent Handler\Apache\conf):

    For httpd.conf, locate the following line and replace 443 with the new value: 

    Listen 443

    For ssl.conf, locate the following two lines and replace 443 with the new value:

    <VirtualHost _default_:443>
    ServerName <server>:443

  6. Restart the ePO services on each remote Agent Handler (if any):
    1. Click Start, Run, type services.msc, and click OK.
    2. Right-click each of the services below and click Restart:

      McAfee ePolicy Orchestrator Server (this service may also be listed as MCAFEEAPACHESVR)
      McAfee ePolicy Orchestrator Event Parser
       
    3. Verify that the new SecurePort number is listed in lastSent_SiteList.xml, located in: <Installation_Dir>\McAfee\Agent Handler\DB
  7. Replace SiteList.xml on all managed McAfee Agents 4.5 or later by using any one of the following options:
    NOTE: Agent versions earlier than McAfee Agent 4.5 are not affected by the secure port change as they work on port 80 (by default).

    Option 1
    Repeat the following steps for each client with McAfee Agent 4.5 and later:
    1. On the ePO server, copy SiteList.xml from <Installation_Dir>\McAfee\ePolicy Orchestrator\DB\
    2. On the client, click Start, Run, type services.msc, and click OK.
    3. Stop & Disable the McAfee Framework Service.
    4. Navigate to the appropriate folder:

      \Documents and Settings\All Users\Application Data\McAfee\Common Framework (Windows XP and 2003)
      \ProgramData\McAfee\Common Framework (Windows Vista/2008/Win 7 and later versions)

    5. Delete the following files:
      NOTE: You have to disable VSE Access Protection to delete these files.

      SiteList.xml
      sitecache.bin
      ServerSiteList.xml

    6. Paste the copied version of SiteList.xml from the ePO server into this folder.
    7. Rename the pasted SiteList.xml to ServerSiteList.xml.
    8. Click Start, Run, type services.msc, and click OK.
    9. Right-click the McAfee Framework Service and change the startup type back to Automatic and click Start.
    10. Wait or perform two ASCIs to ensure that the agent and server are now communicating with one another.

       
    Option 2
    After you have made the port change on the ePO server, open SiteList.xml on the ePO Server under <Installation_Dir>\McAfee\ePolicy Orchestrator\DB\ folder and ensure the new SecurePort number is reflected correctly.

    Reinstall or re-deploy all existing managed Agents using /forceinstall to overwrite the existing SiteList.xml file.


    Option 3
    Update the SecurePort change:
    1. Click Start, Run, type explorer, and click OK.
    2. Navigate to the folder below on the ePO 4.6 server:

      C:\Program Files\McAfee\ePolicy Orchestrator\DB\Software\Current\ePOAgent3000\Install\0409

    3. Copy the following files to a temporary folder on the client (for example, C:\Temp):

      srpubkey.bin
      reqseckey.bin
      SiteList.xml 

    4. Run the following command on the systems that require an update to the SecurePort entry:
      NOTE: By default, FrmInst.exe is located in: C:\Program Files\McAfee\Common Framework.

      FrmInst.exe /SiteInfo=C:\<Temporary_folder_path>\SiteList.xml

      (where <Temporary_folder_path> is the temporary folder where the files listed in Step 3 are located).

      Example: FrmInst.exe /SiteInfo=c:\Temp\SiteList.xml 
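
The port-validation NOTE and the httpd.conf/ssl.conf edits in Steps 3 and 5 can be scripted so that the new port is checked for conflicts and only the three named directives are rewritten. The PowerShell below is an added example, not McAfee code: the function names, the demo folder, the host name epo01 and port 8443 are hypothetical. It assumes the ePO services are already stopped and that -ConfDir points at the conf folder given in Step 3 or Step 5.

```powershell
# Added example, not McAfee code. Function names and port 8443 are hypothetical.
function Test-PortListening([int]$Port) {
    # Enumerate local TCP listeners through .NET (no NetTCPIP module needed).
    $ipProps = [System.Net.NetworkInformation.IPGlobalProperties]::GetIPGlobalProperties()
    return [bool]($ipProps.GetActiveTcpListeners() | Where-Object { $_.Port -eq $Port })
}

function Set-SecurePortDirective([string]$ConfDir, [int]$NewPort, [int]$OldPort = 443) {
    if ($NewPort -lt 1 -or $NewPort -gt 65535) { throw "Invalid port: $NewPort" }
    if (Test-PortListening $NewPort) { throw "Port $NewPort is already in use on this host." }
    # Rewrite only the directives the article names, never a bare "443".
    $rules = @{
        'httpd.conf' = @("^(\s*Listen\s+(?:\S+:)?)${OldPort}(\s*)$")
        'ssl.conf'   = @("^(\s*<VirtualHost\s+_default_:)${OldPort}(>\s*)$",
                         "^(\s*ServerName\s+\S+:)${OldPort}(\s*)$")
    }
    $pending = @{}
    foreach ($name in $rules.Keys) {          # pass 1: build new content, write nothing
        $path = Join-Path $ConfDir $name
        $matched = @{}
        $pending[$path] = @(foreach ($line in Get-Content -Path $path) {
            foreach ($rx in $rules[$name]) {
                if ($line -match $rx) {
                    $line = $line -replace $rx, "`${1}${NewPort}`${2}"
                    $matched[$rx] = $true
                }
            }
            $line
        })
        if ($matched.Count -ne $rules[$name].Count) {
            throw "${name}: a directive on port $OldPort was not found; nothing was changed."
        }
    }
    foreach ($path in $pending.Keys) {        # pass 2: back up, then write
        Copy-Item -Path $path -Destination "$path.bak" -Force
        Set-Content -Path $path -Value $pending[$path]
    }
}

# Demo on constructed copies of the two files, not on a live ePO server.
$demo = Join-Path ([System.IO.Path]::GetTempPath()) 'epo-conf-demo'
New-Item -ItemType Directory -Path $demo -Force | Out-Null
Set-Content (Join-Path $demo 'httpd.conf') 'ServerRoot "C:/demo"', 'Listen 443'
Set-Content (Join-Path $demo 'ssl.conf') '<VirtualHost _default_:443>', 'ServerName epo01:443', '</VirtualHost>'
Set-SecurePortDirective -ConfDir $demo -NewPort 8443
Get-ChildItem $demo -Filter *.conf | Select-String -Pattern '\b8443\b'
```

Both files are validated before either is written, so a missing directive leaves the pair untouched, and each original is kept beside the edited file with a .bak suffix for rollback.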
       

© 2003-2013 McAfee, Inc.