How to transfer computers from one ePolicy Orchestrator server to another
Technical Articles ID:   KB79283
Last Modified:  10/11/2019


Environment

McAfee ePolicy Orchestrator (ePO) 5.x

Summary

This article describes how to transfer systems from one ePO server to another.

IMPORTANT:
  • The Transfer systems option only moves the entries for the systems and causes the agents to report to the new ePO server. You must manually update System Groups, Policies, Assignments, product extensions, and packages on the new server.

    The transfer of policies does not occur automatically when you transfer systems from one ePO server to another. Policy assignment for managed products must be applied manually to the respective group on the new ePO server. 

    McAfee recommends that you first transfer one system. Verify that it is correctly reported to the Lost and Found group on the new server, and policies are correctly applied before you transfer a large number of systems.
     
  • The following applies if you manage Drive Encryption (DE) systems:

    DE 7.1 Update 3 (7.1.3) provides the ePO administrator with a new capability. This feature allows systems to be transferred from one ePO server to another while preserving user assignments and user data. For details, see the following documentation:
  • The following applies to Management of Native Encryption (MNE) systems:

    With MNE in the environment, the same applies whether managing Microsoft BitLocker or Apple FileVault (Mac OS X 10.3 and later).

IMPORTANT: Key points to observe:
  • The MNE FileVault or BitLocker policy must be enabled on the destination ePO server before transferring systems.
  • FileVault example:
    • If the MNE FileVault policy is not enabled on the destination ePO server, the McAfee Endpoint Protection for Mac Console status under Encryption and Management Mode shows FileVault as not managed. The Recovery Key Status shows that "Client has not escrowed the key in ePO."
    • If the MNE FileVault policy is enabled after the system has been transferred and policy enforcement has taken place:
      • The McAfee Endpoint Protection for Mac Console status under Encryption and Management Mode shows that "FileVault is managed."
      • The Recovery Key Status shows that "Client has not escrowed the key in ePO."
    • The system can be transferred back to the source ePO server and then transferred back to the destination ePO server, which allows the key to then be escrowed.

Problem

You might see the following error when you register the servers and enable the Transfer Systems option with Automatic Sitelist Import:
 
ERROR: Master agent-server key(s) must be imported into the remote server prior to importing the sitelist. Go to Server Settings to export security keys from this server. Note that visiting this link now will cause you to lose any unsaved changes to this registered server.

Import both keys (1024 and 2048) from the ePO server for successful registration so the Automatic Sitelist Import can save without issue.

Solution

IMPORTANT: 
  • Do not transfer systems with DE 7.1.1 or earlier between servers because encryption keys and user assignments are not moved from one server to the other. Doing so disassociates the client from its keys and removes users from systems, which causes users to be locked out.
     
  • You might consider consolidating ASCI keys between ePO servers so that both (all) servers use the same ASCI keys. Consolidating ASCI keys is useful if you intend to keep all ePO servers live in production and transfer agents back and forth between them. Large numbers of ASCI keys on an ePO server can result in delays in data channel requests and agent wakeup calls. These delays occur because each outbound connection attempt must be tried with each ASCI key present. See KB82022 for more details.

The following procedure describes how to transfer managed computers from Server A to Server B, where:
  • Server A = Old ePO 4.x
  • Server B = New ePO 5.x
  1. Export the security keys from Server A:
     
    NOTE: Only ASCI keys are needed. You must export only the 2048-bit and 1024-bit keys.
     
    1. Log on to the ePO 4.x console.
    2. Click Menu, Configuration, Server Settings.
    3. Click Security Keys under the Setting Categories column, and click Edit on the right pane at the bottom of the page.
    4. For the 2048-bit keys listed under the Agent-server secure communication keys, do the following:
      1. Click the key identified as 2048-bit and click Export.
      2. Click OK to acknowledge the export key confirmation message.
      3. Click Save.
      4. Type or browse to a path where you want to save the security key (.zip) file, then click Save again.
    5. Repeat step 1d for the 1024-bit keys.
       
  2. Import the security keys from Server A to Server B:
     
    NOTE: Only ASCI keys are needed. You must import only the 2048-bit and 1024-bit keys.
     
    1. Log on to the ePO 5.x console.
    2. Click Menu, Configuration, Server Settings.
    3. Click Security Keys under the Setting Categories column, and click Edit on the right pane at the bottom of the page.
    4. Click Import.
    5. For the 2048-bit key, do the following:
      1. Click Browse, locate the exported 2048-bit security key .zip file, and click Open.
      2. Click Next.
      3. Click Save on the Summary tab.
    6. Repeat step 2e for the 1024-bit keys.
       
  3. Register Server B (ePO 5.x) to Server A (ePO 4.x):
    1. From Server A, log on to the ePO 4.x console.
    2. Click Menu, Configuration, Registered Servers.
    3. Click New Server.
    4. Select ePO from the Server type drop-down list, type a name for this server in the Name section, and click Next.
    5. Type the credentials to reach Server B (ePO database), and click Test Connection.
    6. If the test is successful, click Enable for the Transfer systems entry. Make sure that Automatic sitelist import is selected, and click Save.

      NOTES:
       
      • The Manual sitelist import option is also available. Use it if you want to do a manual import by selecting an existing Sitelist.xml file. See the ePolicy Orchestrator Product Guide for details about how to use this option.
      • The Sitelist.xml file to use for this process is located in the following folder on the ePO server where the agents are being transferred to:

        <ePO_Installation_Directory>\DB\SiteList.xml
         
      • On an ePO 4.6 server, you can select only version 4.6 or previous versions as the ePO version. When you test the connection to the database of the registered server, you see the following warning:

        Database connection successful! Warning Versions mismatch!

        You can safely ignore the warning; the ePO version selected (4.6) does not match the database (5.x) you tested.
         
  4. After you have imported the keys and registered ePO Server B, the Transfer Systems option becomes available on Server A:
    1. Log on to the ePO console.
    2. Click System Tree.
    3. Click the Systems tab on the right pane and select the computer to transfer.
    4. Click Actions, Agent, Transfer Systems.
    5. Select the entry for Server B (ePO 5.x) and click OK to transfer.

      NOTE: Make sure that the selected computer is communicating with the Server A ePO server before the transfer.
       
  5. Verify the status of transferred computers after two ASCI triggers.
    After the process has finished, you see the computer listed in the Server B (ePO 5.x) System Tree. 

    NOTE: The computer is not expected to display in the Server A System Tree. To confirm, send an agent wake-up call from Server B (ePO 5.x) and confirm that the computer is communicating.
