Environment
McAfee ePolicy Orchestrator (ePO) 5.x
Summary
This article provides information on the backup and disaster recovery process for ePO servers.
IMPORTANT: This procedure is intended for use by network and ePO administrators only. McAfee does not assume responsibility for any damage incurred because it is intended as a guideline for disaster recovery. All liability for use of the following information remains with the user.
It is preferable to use the built-in Disaster Recovery feature and use these steps only if a valid Snapshot was not created and a manual recovery is required. For information about the Disaster Recovery feature, see the "Restoring McAfee ePO" section of the ePolicy Orchestrator Installation Guide.
If you are migrating from a 32-bit to a 64-bit operating system, or installing ePO to a different path, you must follow the instructions in KB71078 instead.
NOTES:
The agent uses either the last known IP address, DNS name, or NetBIOS name of the ePO server. If you change any one of these, ensure the agents have a way to locate the server. The easiest way to do this is to retain the existing DNS record and change it to point to the new IP address of the ePO server. After the agent is able to successfully connect to the ePO server, it downloads an updated SiteList.xml with the current information.
You can also use this procedure if you want to migrate the ePO server to another system, though it is preferable to use the built-in Disaster Recovery feature to migrate the ePO server to another system.
Preparation
To ensure a smooth recovery, do not perform a backup while the server is in the process of installing an extension.
Before backing up
If possible, shut down the McAfee ePolicy Orchestrator Application Server service (Tomcat) entirely when performing the backup. Otherwise, ensure that no one is performing the following actions during the backup:
Installing, uninstalling, or upgrading an extension
Updating the ePO database configuration
Backing up the ePO server
Use the following documents to back up the SQL database (normally named ePO_<ServerName>, where the <ServerName> is your ePO server name):
See article KB52126 for details on backing up the ePO database using SQL Server Management Studio.
See article KB59562 for details on backing up the ePO database using OSQL commands.
You must also back up the following folder paths:
NOTE: The default 64-bit installation paths are listed below; however, your installation might differ (for example, the default 32-bit installation path is C:\Program Files\McAfee\ePolicy Orchestrator).
C:\Program Files (x86)\McAfee\ePolicy Orchestrator\Server\extensions
The default path to ePO software extension information.
C:\Program Files (x86)\McAfee\ePolicy Orchestrator\Server\conf
The default path to required files used by the ePO software extensions.
C:\Program Files (x86)\McAfee\ePolicy Orchestrator\Server\keystore
These keys are for ePO agent-server communication and the repositories.
C:\Program Files (x86)\McAfee\ePolicy Orchestrator\DB\Software
All products that have been checked into the Master Repository are located here.
C:\Program Files (x86)\McAfee\ePolicy Orchestrator\DB\Keystore
The agent-to-server communication and Repository Keys that are unique to your installation are located here. Failing to restore this folder will result in all client systems being unable to communicate with the server, and you will have to redeploy the agent to all systems. Additionally, you will have to check in all deployable packages again.
C:\Program Files (x86)\McAfee\ePolicy Orchestrator\Apache2\conf
The server configuration settings for Apache, the SSL certificates needed to authorize the server to handle agent requests, and console certificates are located here.
NOTE: Failure to back up and restore these directory structures will require a re-installation of ePO to create new ones and possibly require a clean database installation and redeployment of agents to all client systems.
Recover the ePO server
If restoring ePO to the same system, uninstall ePO. Ensure that there is no ePolicy Orchestrator folder in the original installation path after the software is uninstalled.
NOTE: Renaming the existing ePO folder and leaving the old directory in place may interfere with the new installation; therefore, we recommend that you remove the old directory completely.
Re-install ePO to the same version and patch level as the server you are restoring.
NOTE: You can verify the ePO patch level by looking at the Version field in the backed up Server.ini file (C:\Program Files (x86)\McAfee\ePolicy Orchestrator\DB\) and cross-referencing it with article KB59938.
IMPORTANT: You must re-install ePO to the exact same directory path as the previous installation for this article to apply (or the initialization of extensions will fail when the restore is complete). If the installation path is different, follow the steps in article KB71078 instead.
Apply any additional patches/hotfixes/POCs to ePO that had been previously applied. If you have previously installed Policy Auditor 6.2 for use with ePO, install the same version of Policy Auditor (including any hotfix releases) that had been installed before.
Stop and disable all ePO services:
Click Start, Run, type services.msc, and click OK.
Right-click each of the following services and select Stop:
McAfee ePolicy Orchestrator Application Server
McAfee ePolicy Orchestrator Event Parser
McAfee ePolicy Orchestrator Server
Double-click each of the following services and change Startup type to Disabled:
McAfee ePolicy Orchestrator Application Server
McAfee ePolicy Orchestrator Event Parser
McAfee ePolicy Orchestrator Server
Restore the database. See article KB52126 for details on restoring the ePO database using SQL Server Management Studio.
NOTE: Restore the database so that you do not require the ePO database configuration to be updated (for example, same name, host, port, and so on). Otherwise, you must update the restored DB.PROPERTIES file in C:\Program Files\McAfee\ePolicy Orchestrator\Server\conf\orion with the new information before starting the server.
Rename the following folders (for example, rename the extensions folder to extensions_old), and then replace them with the corresponding folders that were backed up earlier in step 2:
C:\Program Files (x86)\McAfee\ePolicy Orchestrator\Server\extensions
C:\Program Files (x86)\McAfee\ePolicy Orchestrator\Server\conf
C:\Program Files (x86)\McAfee\ePolicy Orchestrator\Server\keystore
C:\Program Files (x86)\McAfee\ePolicy Orchestrator\DB\Software
C:\Program Files (x86)\McAfee\ePolicy Orchestrator\DB\Keystore
C:\Program Files (x86)\McAfee\ePolicy Orchestrator\Apache2\conf
Start only the McAfee ePolicy Orchestrator Application Server service.
Access the core/config page of ePO and re-enter the DB credentials if you are using ePO 5.3 or later, or if you are unable to access the ePO console. See KB69850 for detailed instructions on how to access the core\config page and update the DB credentials if needed.
Attempt to log on to the ePO console. If you are unable to log on, review all the steps performed in this article and ensure they have been properly completed. If you cannot resolve the console logon issue, contact Technical Support for further assistance before proceeding.
NOTE: You must be able to log on for the rest of the recovery steps to work.
Rename the SSL.CRT folder (see path below) to SSL.CRT.OLD and manually create an empty folder named SSL.CRT in the same path; otherwise the setup will fail to create a new certificate:
64-bit: "C:\Program Files (x86)\McAfee\ePolicy Orchestrator\Apache2\conf\ssl.crt"
32-bit: "C:\Program Files\McAfee\ePolicy Orchestrator\Apache2\conf\ssl.crt"
Click Start, type cmd in the search field, right-click, and select Run as administrator.
Change directories to your ePO installation directory.
Default paths:
64-bit: Program Files (x86)\McAfee\ePolicy Orchestrator\
32-bit: Program Files\McAfee\ePolicy Orchestrator\
Run the following command:
Rundll32.exe ahsetup.dll RunDllGenCerts <ePO_server_name> <console_HTTPS_port> <admin_username> <password> <"installdir\Apache2\conf\ssl.crt">
where:
<ePO_server_name> is your ePO server NetBIOS name
<console_HTTPS_port> is your ePO console port (default is 8443)
<admin_username> is admin (use the default ePO admin console account)
<password> is the password to the ePO admin console account
<installdir\Apache2\conf\ssl.crt> is your installation path to the Apache folder; Default installation path:
64-bit: "C:\Program Files (x86)\McAfee\ePolicy Orchestrator\Apache2\conf\ssl.crt"
32-bit: "C:\Program Files\McAfee\ePolicy Orchestrator\Apache2\conf\ssl.crt"
Example
Rundll32.exe ahsetup.dll RunDllGenCerts eposervername 8443 administrator password "C:\Program Files\McAfee\ePolicy Orchestrator\Apache2\conf\ssl.crt"
IMPORTANT:
This command is case-sensitive.
The ahsetup.log (found in <installdir\Apache2\conf\ssl.crt>) provides information about whether the command succeeded or failed and will state whether it used the files located in the ssl.crt folder.
Start the following services:
McAfee ePolicy Orchestrator Event Parser
McAfee ePolicy Orchestrator Server
Look in the DB/logs/server.log to ensure that the Agent Handler (Apache server) started correctly. It should state something similar to the following:
20090923173647 I #4108 NAIMSRV ePolicy Orchestrator server started.
If it does not, there will be an error similar to the following:
20090923173319 E #4736 NAIMSRV Failed to get server key information.
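The server.log check above can be scripted as follows; this is an added example, not part of the McAfee procedure. The function name Get-EpoServerStartStatus is hypothetical, and the field layout (timestamp, severity letter, thread id, module, message, separated by whitespace) is an assumption inferred from the two sample lines in this article.

```powershell
# Added example: report whether the last NAIMSRV start attempt in server.log succeeded.
# Assumed line layout: <yyyyMMddHHmmss> <severity> #<thread id> <module> <message>
function Get-EpoServerStartStatus {
    param([Parameter(Mandatory)][string[]]$Line)

    $pattern = '^(?<ts>\d{14})\s+(?<sev>[A-Z])\s+#(?<tid>\d+)\s+(?<mod>\S+)\s+(?<msg>.*)$'
    $events = foreach ($l in $Line) {
        if ($l -match $pattern -and $Matches.mod -eq 'NAIMSRV') {
            [pscustomobject]@{
                Time     = [datetime]::ParseExact($Matches.ts, 'yyyyMMddHHmmss',
                               [cultureinfo]::InvariantCulture)
                Severity = $Matches.sev
                Message  = $Matches.msg.Trim()
            }
        }
    }

    # The log is chronological, so the last matching line reflects the latest attempt.
    $last = $events | Where-Object {
        $_.Message -like '*server started*' -or
        ($_.Severity -eq 'E' -and $_.Message -like '*Failed to get server key*')
    } | Select-Object -Last 1

    if (-not $last) {
        return [pscustomobject]@{ Status = 'Unknown'; Time = $null; Message = $null }
    }
    [pscustomobject]@{
        Status  = if ($last.Severity -eq 'E') { 'KeyError' } else { 'Started' }
        Time    = $last.Time
        Message = $last.Message
    }
}

# Constructed sample input, built from the two lines quoted in this article.
$sample = @(
    '20090923173319 E #4736 NAIMSRV Failed to get server key information.'
    '20090923173647 I #4108 NAIMSRV ePolicy Orchestrator server started.'
)
Get-EpoServerStartStatus -Line $sample   # Status is Started for this sample

# On the server, pass the real file instead (adjust the install path):
# Get-EpoServerStartStatus -Line (Get-Content '<installdir>\DB\logs\server.log')
```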
Related Information
For information on the ePO cluster backup and disaster recovery procedure, see KB75497.
For information on how to migrate ePO from a 32-bit system to a 64-bit system (or to a different installation path), see KB71078.