
How to change the ePolicy Orchestrator agent-to-server communication secure port
Technical Articles ID:  KB72936
Last Modified:  3/16/2016


Environment

McAfee Agent (MA) 5.x, 4.8.x
McAfee ePolicy Orchestrator (ePO) 5.x

Summary

This article explains how to change the ePO agent-to-server communication SecurePort.

On a new ePO installation, you can modify the default port value (443) for the agent-to-server communication SecurePort entry. Current functionality does not allow modification of this port through the ePO console after the product has been installed. If you need to change the port number after an upgrade from an earlier version of ePO, perform the steps in this article.

All managed systems are affected by this port change unless the feature has been disabled in the Server Settings on the ePO server. With this feature enabled (default), you must modify the port setting on each managed MA system (see Solution Step 7). Alternatively, you can re-deploy MA to all affected systems.

NOTE: There is no automatic port validation for this procedure. You must ensure that the selected port is not already in use. Back up ePO and the ePO database before you change the secure port to ensure that you can revert the setting in the event of issues. For more information about backing up the ePO database, see KB52126.
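
One way to perform the port-in-use check this note calls for, as an added PowerShell example that is not part of the original article or of McAfee tooling. The function name Get-TcpListener and port 9443 are hypothetical; run it on the ePO server and on each remote Agent Handler before stopping any services.

```powershell
# Added example, not McAfee code.
$NewPort = 9443   # constructed sample value: the port you plan to use as NewPortValue

function Get-TcpListener {
    param([int]$Port)
    if ($Port -lt 1 -or $Port -gt 65535) { throw "Port $Port is outside 1-65535" }
    $props = [System.Net.NetworkInformation.IPGlobalProperties]::GetIPGlobalProperties()
    # All local TCP listeners (IPv4 and IPv6), whichever process owns them
    $props.GetActiveTcpListeners() | Where-Object { $_.Port -eq $Port }
}

$inUse = @(Get-TcpListener -Port $NewPort)
if ($inUse.Count -gt 0) {
    $inUse | ForEach-Object { "IN USE: $($_.Address):$($_.Port)" }
    # The last netstat column is the owning PID; identify it before choosing another port
    netstat -ano | Select-String -Pattern ":$NewPort\s.*LISTENING"
} else {
    "Port $NewPort has no TCP listener on $env:COMPUTERNAME"
}
```

The check only sees listeners that are running at that moment; a service that is stopped but configured to bind the same port will not appear.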

Solution

To change the ePO agent-to-server communication secure port:

Consideration
To lessen the length of time that an MA client is unable to communicate with the server because of the port change, you might choose to reduce the agent-to-server communication interval (ASCI). The default is 60 minutes, and the time interval that agents will be out of communication with the ePO server is two ASCIs. After the port number change completes and the agents are communicating with the server, you can change the ASCI back to the previous time interval.
  1. Stop the ePO services:
    1. Click Start, Run, type Services.msc, and click OK.
    2. Right-click each of the following services and select Stop:

      McAfee ePolicy Orchestrator Application Server
      McAfee ePolicy Orchestrator Event Parser
      McAfee ePolicy Orchestrator Server
       
  2. Change the port number in the ePO database. Connect to the ePO server database with SQL Server Management Studio and run the following SQL command, where [ePODBName] (brackets are required) is the name of your ePO database, and NewPortValue is the number of the port you want to use instead of the default 443: 
     
    NOTE: Ensure that you run the following SQL command against the correct ePO database.

    Update [ePODBName].dbo.EPOServerInfo
    Set [ServerHttpsPort] = NewPortValue
     
     
  3. On the ePO server, edit the httpd.conf and ssl.conf files (the default location is <Installation_Directory>\McAfee\ePolicy Orchestrator\Apache2\conf):
     
    For httpd.conf, locate the following line and replace 443 with the new value: 

    Listen 443

    For ssl.conf, locate the following two lines and replace 443 with the new value:

    <VirtualHost _default_:443>
    ServerName <server>:443
  4. Start the ePO services:
    1. Click Start, Run, type services.msc, and click OK.
    2. Right-click each of the following services and select Start:

      McAfee ePolicy Orchestrator Application Server
      McAfee ePolicy Orchestrator Event Parser
      McAfee ePolicy Orchestrator Server
  5. Edit the httpd.conf and ssl.conf files on each remote Agent Handler (the default location is <Installation_Directory>\McAfee\Agent Handler\Apache\conf):

    For httpd.conf, locate the following line and replace 443 with the new value: 

    Listen 443

    For ssl.conf, locate the following two lines and replace 443 with the new value:

    <VirtualHost _default_:443>
    ServerName <server>:443

  6. Restart the ePO services on each remote Agent Handler (if any):
    1. Click Start, Run, type services.msc, and click OK.
    2. Right-click each of the following services and select Restart:

      McAfee ePolicy Orchestrator Server (this service may also be listed as MCAFEEAPACHESVR)
      McAfee ePolicy Orchestrator Event Parser
       
    3. Verify the new SecurePort number listed in lastSent_SiteList.xml, located in: <Installation_Directory>\McAfee\Agent Handler\DB
  7. Replace SiteList.xml on all managed agents using any one of the following options:

    Option 1
    Repeat the following steps for each client:
    1. On the ePO server, copy SiteList.xml from: <Installation_Directory>\McAfee\ePolicy Orchestrator\DB\
    2. On the client, click Start, Run, type services.msc, and click OK.
    3. Right-click the McAfee Agent Service (MA 5.x) or McAfee Framework Service (MA 4.x), click Stop, and change the startup type to Disabled.
    4. Navigate to the folder \ProgramData\McAfee\Common Framework.
    5. Delete the following files:
       
      NOTE: You must first disable VSE Access Protection to delete these files.

      SiteList.xml
      sitecache.bin
      ServerSiteList.xml
       
    6. Paste the copied version of SiteList.xml from the ePO server into this folder.
    7. Rename the pasted SiteList.xml to ServerSiteList.xml.
    8. Click Start, Run, type services.msc, and click OK.
    9. Right-click the McAfee Agent Service (MA 5.x) / McAfee Framework Service (MA 4.x), change the startup type back to Automatic, and click Start.
    10. Wait or perform two ASCIs to ensure that the agent and server are now communicating with one another.

       
    Option 2
    After you have made the port change on the ePO server, open SiteList.xml on the ePO server in the <Installation_Directory>\McAfee\ePolicy Orchestrator\DB\ folder and ensure the new SecurePort number is reflected correctly.

    Reinstall or re-deploy all the existing managed agents and use the /forceinstall option to overwrite the existing SiteList.xml file.


    Option 3
    Use FrmInst.exe to update the SecurePort change:
    1. Click Start, Run, type explorer, and click OK.
    2. Navigate to the folder below on the ePO server:

      C:\Program Files\McAfee\ePolicy Orchestrator\DB\Software\Current\ePOAgent3000\Install\0409

    3. Copy the following files to a temporary folder on the client (for example, C:\Temp):
       
      srpubkey.bin
      reqseckey.bin
      sr2048pubkey.bin
      req2048seckey.bin
      agentfipsmode
      SiteList.xml
       
    4. Run the following command on the systems that require an update to the SecurePort entry:
       
      NOTE: By default, FrmInst.exe is located in: C:\Program Files\McAfee\Common Framework.

      FrmInst.exe /SiteInfo=C:\<Temporary_folder_path>\SiteList.xml

      where <Temporary_folder_path> is the temporary folder where the files listed in Step 3 are located.

      Example: FrmInst.exe /SiteInfo=C:\Temp\SiteList.xml 
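
To confirm the edits from steps 3 and 5 before the services are started, the following added PowerShell example (not part of the original article or of McAfee tooling) checks that the Listen, VirtualHost and ServerName directives carry the new port and that none still carries 443. The function name Get-PortDirective, port 9443, the host name and the embedded file text are hypothetical; the sample ssl.conf contains a missed edit so that the failure path is shown.

```powershell
# Added example, not McAfee code. Port 9443, the host name and the file text are constructed.
$OldPort = 443
$NewPort = 9443

# Constructed stand-ins for the edited files (ssl.conf has a deliberately missed edit).
# On a real server load each file with: Get-Content <path> | Out-String
$files = @{
    'httpd.conf' = "Listen 80`nListen 9443`n"
    'ssl.conf'   = "<VirtualHost _default_:443>`nServerName epo01.example.test:9443`n</VirtualHost>`n"
}

# The directives edited in steps 3 and 5, each capturing its port number.
$directives = @{
    'Listen'      = '^\s*Listen\s+(?:\S+:)?(\d+)(?:\s+\S+)?\s*$'
    'VirtualHost' = '^\s*<VirtualHost\s+_default_:(\d+)\s*>'
    'ServerName'  = '^\s*ServerName\s+\S+:(\d+)\s*$'
}
$expected = @{ 'httpd.conf' = @('Listen'); 'ssl.conf' = @('VirtualHost', 'ServerName') }

function Get-PortDirective {
    param([string]$File, [string]$Text)
    $n = 0
    foreach ($line in ($Text -split "`r?`n")) {
        $n++
        foreach ($name in $expected[$File]) {
            # Commented-out lines do not match because each pattern is anchored at line start
            if ($line -match $directives[$name]) {
                New-Object psobject -Property @{ File = $File; Line = $n; Directive = $name; Port = [int]$Matches[1] }
            }
        }
    }
}

$found = @(foreach ($f in $files.Keys) { Get-PortDirective -File $f -Text $files[$f] })
$problems = @()
foreach ($f in $expected.Keys) {
    foreach ($d in $expected[$f]) {
        $ports = @($found | Where-Object { $_.File -eq $f -and $_.Directive -eq $d } | ForEach-Object { $_.Port })
        if ($ports -notcontains $NewPort) { $problems += "${f}: no $d directive on port $NewPort" }
        if ($ports -contains $OldPort)    { $problems += "${f}: $d still present on port $OldPort" }
    }
}
if ($problems) { $problems; 'FAIL: correct the files before starting the services' } else {
    "OK: httpd.conf and ssl.conf both use port $NewPort"
}
```

Run the same check against the Agent Handler copies of both files after step 5.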
