ePolicy Orchestrator server backup and disaster recovery procedure
Technical Articles ID:
KB66616
Last Modified: 7/28/2021
Environment
McAfee ePolicy Orchestrator (ePO) 5.x
Summary
This article provides information about the backup and disaster recovery process for the ePO server.
IMPORTANT:
This procedure is provided for use by network and ePO administrators. McAfee Enterprise doesn’t assume responsibility for any damage incurred because the article is intended as a guideline for disaster recovery. All liability for use of the following information remains with the user.
It’s preferable to use the built-in Disaster Recovery feature. Only use this article if a snapshot wasn’t created, and a manual recovery is needed.
For information about the Disaster Recovery feature, see the "Restoring McAfee ePO" section of the ePolicy Orchestrator 5.10 Installation Guide.
Migrating from a 32-bit to a 64-bit operating system
Or
Installing ePO to a different path
NOTES:
The agent uses either the last known IP address, DNS name, or NetBIOS name of the ePO server. If you change any one of these values, make sure that the agents have a way to locate the server. The easiest way is to retain the existing DNS record and change it to be directed to the new IP address of the ePO server. After the agent successfully connects to the ePO server, it downloads an updated Sitelist.xmlwith the current information.
You can also use this procedure if you want to migrate the ePO server to another system. But, it’s preferable to use the built-in Disaster Recovery feature to migrate the ePO server to another system.
Make sure that you restore the same version of ePO Server and Update.
For a smooth recovery, don’t perform a backup while the server is in the process of installing an extension.
Contents:
Click to expand the section you want to view:
Before backing up
Shut down the ePO Application Server service (Tomcat) when you perform the backup. If you can't, make sure that no one is performing the following actions during the backup:
Installing, uninstalling, or upgrading an extension
IMPORTANT: In ePO 5.10 and later, threat event information has been split into its own database, so you must back up both databases. Carry out the backup process on both the main database (default name ePO_ePO_server_name) and the events database (default name ePO_ePO_server_name_Events).
You must also back up the following folder paths: NOTE: The default 64-bit installation paths are listed below. But, your installation might differ. For example, the default 32-bit installation path is C:\Program Files\McAfee\ePolicy Orchestrator.
C:\Program Files (x86)\McAfee\ePolicy Orchestrator\Server\extensions
The default path to ePO software extension information.
C:\Program Files (x86)\McAfee\ePolicy Orchestrator\Server\conf
The default path to needed files used by the ePO software extensions.
C:\Program Files (x86)\McAfee\ePolicy Orchestrator\Server\keystore
These keys are for ePO agent-server communication and the repositories.
C:\Program Files (x86)\McAfee\ePolicy Orchestrator\DB\Software
Products that have been checked in to the Master Repository are located here.
C:\Program Files (x86)\McAfee\ePolicy Orchestrator\DB\Keystore
The agent-server communication and Repository Keys that are unique to your installation are located here. If you fail to restore this folder, all client systems are unable to communicate with the server, and you have to redeploy the agent to all systems. Also, you must check in all deployable packages again.
C:\Program Files (x86)\McAfee\ePolicy Orchestrator\Apache2\conf
The following items are located here:
The server configuration settings for Apache
SSL certificates needed to authorize the server to handle agent requests
Console certificates
NOTE: Failure to back up and restore these directory structures requires a reinstallation of ePO to create new structures. It might also require a clean database installation and redeployment of agents to all client systems.
If you’re restoring ePO to the same system, uninstall ePO. Make sure that there’s no ePolicy Orchestrator folder in the original installation path after the software is uninstalled.
NOTE: If you rename the existing ePO folder and leave the old directory in place, it might interfere with the new installation. So, we recommend that you remove the old directory completely.
Reinstall ePO to the same version and update level as the server you’re restoring.
NOTE: You can verify the ePO update level. Look at the Version field in the backed-up Server.ini file (C:\Program Files (x86)\McAfee\ePolicy Orchestrator\DB\). Then cross-reference it with the details in KB51569 -Supported platforms for ePolicy Orchestrator.
Apply any additional updates, hotfixes, or POCs to ePO that were previously applied. If you previously installed Policy Auditor 6.2 for use with ePO, install the same version of Policy Auditor. This step includes any hotfix releases that were previously installed.
IMPORTANT:
In an ePO 5.10 environment that has had a Cumulative Update applied, make sure that you apply the same update version to the newly installed ePO server. If you don’t apply the same version, the ePO Application Server service is unable to start.
If you’re restoring an ePO 5.10 Update 10 environment, log on to the ePO console upgrade the following extensions, and then apply the CU10 update:
McAfee Agent (MA): Upgrade to MA 5.7.2 or later. This action also removes the Product Improvement Program extension.
Endpoint Upgrade Assistant (EUA): Upgrade to EUA 2.9.0.17 or later.
Stop and disable all ePO services:
Click Start, Run, type services.msc, and click OK.
Right-click each of the following services and select Stop:
McAfee ePolicy Orchestrator Application Server
McAfee ePolicy Orchestrator Event Parser
McAfee ePolicy Orchestrator Server
Double-click each of the following services and change Startup type to Disabled:
McAfee ePolicy Orchestrator Application Server
McAfee ePolicy Orchestrator Event Parser
McAfee ePolicy Orchestrator Server
NOTE:Restore the database so that you don’t require the ePO database configuration to be updated. For example, same name, host, and port. Otherwise, you must update the restored DB.PROPERTIES file in C:\Program Files\McAfee\ePolicy Orchestrator\Server\conf\orionwith the new information before you start the server.
IMPORTANT:In ePO 5.10 and later, threat event information has been split into its own database, so you must restore both databases. Carry out the restore process on both the main database and the events database.
Rename the following folders. For example, rename the extensions folder to extensions_old. Then replace them with the corresponding folders that were backed up earlier in step 2:
IMPORTANT: If you’re restoring an ePO 5.10 environment, select the option Change password, and confirm the password for the account used to access SQL, even though it hasn’t changed. Verify that the password is accepted by using the Test Connection option. If the connection is successful, click Apply to save the password, and restart the ePO application server service. This step creates a new password hash based on the new ePO server's unique key.
Attempt to log on to the ePO console. If you’re unable to log on, review all steps performed in this article and make sure that they’ve been properly completed. If you can't resolve the console logon issue, contact Technical Support for assistance before you continue.
If you are a registered user, type your User ID and Password, and then click Log In.
If you are not a registered user, click Register and complete the fields to have your password and instructions emailed to you.
NOTE: You must successfully log on for the rest of the recovery steps to work.
Rename the SSL.CRTfolder (see path below) to SSL.CRT.OLDand manually create an empty folder namedSSL.CRT in the same path. If you don’t, the setup fails to create a new certificate:
Where: ePO_server_name - Your ePO server NetBIOS name Console_HTTPS_port - Your ePO console port (default is 8443) Admin_username - Administrator (use the default ePO administrator console account) Password- The password to the ePO administrator console account Installdir\Apache2\conf\ssl.crt - Your installation path to the Apache folder. Make sure that you enclose this path in double quotes. The default installation path is:
This command fails if you have enabled User Account Control (UAC) on this server. If the server is running Windows Server 2008 or later, disable this feature. You can find more information about UAC at: http://technet.microsoft.com/en-us/library/cc709691(WS.10).aspx.
This command is case sensitive. The ahsetup.log provides information about whether the command succeeded or failed. It also states whether it used the files located in the ssl.crt folder. NOTE: The ahsetup.log is located in ePO_install_directory\Apache2\conf\ssl.crt.
Start the following services:
McAfee ePolicy Orchestrator Event Parser
McAfee ePolicy Orchestrator Server
Look in the DB/logs/server.log, and make sure that the Agent Handler (Apache server) started correctly. It must state something similar to the following:
I #4108 NAIMSRV ePolicy Orchestrator server started.
If it doesn’t, there’s an error similar to the following:
E #4736 NAIMSRV Failed to get server key information
