Summary
This article explains how to change the ePO agent-to-server communication secure port.
On a new ePO installation, you can modify the default port value (443) for the agent-to-server communication secure port entry. Current functionality does not allow modification of this port through the ePO console after the product has been installed. If you need to change the port number after an upgrade from an earlier version of ePO, perform the steps in this article.
This port change affects all managed systems, unless the feature has been disabled in the Server Settings on the ePO server. With this feature enabled (the default), you must modify the port setting on each managed MA system (see Step 7 in the Solution). Alternatively, you can redeploy MA to all affected systems.
NOTE: There is no automatic port validation for this procedure. You must ensure that the selected port is not already in use. Back up ePO and the ePO database before you change the secure port to ensure that you can revert the setting in the event of any issues. For more information about backing up the ePO database, see KB52126.
Solution
To change the ePO agent-to-server communication secure port:
Consideration
To lessen the length of time that an MA client is unable to communicate with the server because of the port change, you might choose to reduce the agent-to-server communication interval (ASCI). The default is 60 minutes, and agents will be out of communication with the ePO server for two ASCIs. After the port number change completes and the agents are communicating with the server, you can change the ASCI back to the previous interval.
1. Stop the ePO services:
a. Click Start, Run, type services.msc, and click OK.
b. Right-click each of the following services and select Stop:
McAfee ePolicy Orchestrator Application Server
McAfee ePolicy Orchestrator Event Parser
McAfee ePolicy Orchestrator Server
2. Change the port number in the ePO database. Connect to the ePO server database with SQL Server Management Studio and run the following SQL command, where [ePODBName] (brackets are required) is the name of your ePO database, and NewPortValue is the number of the port you want to use instead of the default 443:
NOTE: Ensure that you run the following SQL command against the correct ePO database.
Update [ePODBName].dbo.EPOServerInfo
Set [ServerHttpsPort] = NewPortValue
3. On the ePO server, edit the httpd.conf and ssl.conf files (the default location is <Installation_Directory>\McAfee\ePolicy Orchestrator\Apache2\conf):
For httpd.conf, locate the following line and replace 443 with the new value:
Listen 443
For ssl.conf, locate the following two lines and replace 443 with the new value:
<VirtualHost _default_:443>
ServerName <server>:443
4. Start the ePO services:
a. Click Start, Run, type services.msc, and click OK.
b. Right-click each of the following services and select Start:
McAfee ePolicy Orchestrator Application Server
McAfee ePolicy Orchestrator Event Parser
McAfee ePolicy Orchestrator Server
5. Edit the httpd.conf and ssl.conf files on each remote Agent Handler (the default location is <Installation_Directory>\McAfee\Agent Handler\Apache\conf):
For httpd.conf, locate the following line and replace 443 with the new value:
Listen 443
For ssl.conf, locate the following two lines and replace 443 with the new value:
<VirtualHost _default_:443>
ServerName <server>:443
6. Restart the ePO services on each remote Agent Handler (if any):
a. Click Start, Run, type services.msc, and click OK.
b. Right-click each of the following services and select Restart:
McAfee ePolicy Orchestrator Server (this service might also be listed as MCAFEEAPACHESVR)
McAfee ePolicy Orchestrator Event Parser
c. Verify that the new secure port number is listed in lastSent_SiteList.xml, located in:
<Installation_Directory>\McAfee\Agent Handler\DB
7. Replace SiteList.xml on all managed agents by following any one of the three options shown below:
Option 1
For 4.x Agents:
Repeat the following steps for each client:
a. On the ePO server, copy SiteList.xml from: <Installation_Directory>\McAfee\ePolicy Orchestrator\DB\
b. On the client, click Start, Run, type services.msc, and click OK.
c. Right-click the McAfee Framework Service (MA 4.x), click Stop, and change the startup type to Disabled.
d. Navigate to the folder \ProgramData\McAfee\Common Framework.
e. Delete the following files:
NOTE: You must first disable VSE Access Protection to delete these files.
SiteList.xml
sitecache.bin
ServerSiteList.xml
f. Paste the copied version of SiteList.xml from the ePO server into this folder.
g. Rename the pasted SiteList.xml to ServerSiteList.xml.
h. Click Start, Run, type services.msc, and click OK.
i. Right-click the McAfee Framework Service (MA 4.x), change the startup type back to Automatic, and click Start.
j. Wait or perform two ASCIs to ensure that the agent and server are now communicating with each other.
For 5.x Agents:
Locally reprovision the agent with maconfig.exe:
a. Send SiteList.xml, srpubkey.bin, reqseckey.bin, req2048seckey.bin, and sr2048pubkey.bin from the McAfee ePO server to the computers you want to update.
b. At the command line on the local PC, navigate to C:\Program Files\McAfee\Agent, and run the command shown below:
maconfig.exe -provision -managed -dir "<directory location where the sitelist.xml and security keys were exported from>"
Option 2
After you have made the port change on the ePO server, open SiteList.xml on the ePO server in the <Installation_Directory>\McAfee\ePolicy Orchestrator\DB\ folder and ensure that the new secure port number is reflected correctly.
Reinstall or redeploy all the existing managed agents and use the /forceinstall option to overwrite the existing SiteList.xml file.
Option 3
Use FrmInst.exe to update the secure port change:
a. Click Start, Run, type explorer, and click OK.
b. Navigate to the folder below on the ePO server:
C:\Program Files\McAfee\ePolicy Orchestrator\DB\Software\Current\ePOAgent3000\Install\0409
c. Copy the following files to a temporary folder on the client (for example, C:\Temp):
srpubkey.bin
reqseckey.bin
sr2048pubkey.bin
req2048seckey.bin
agentfipsmode
SiteList.xml
d. Run the following command on the systems that require an update to the secure port entry:
NOTE: By default, FrmInst.exe is located in: C:\Program Files\McAfee\Common Framework.
FrmInst.exe /SiteInfo=C:\<Temporary_folder_path>\SiteList.xml
where <Temporary_folder_path> is the temporary folder where the files listed in Step c are located.
Example: FrmInst.exe /SiteInfo=C:\Temp\SiteList.xml
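As an added example that is not part of this KB article or of McAfee's own tooling, the PowerShell script below carries out Steps 1 through 4 on the ePO server and adds the port-in-use check that the NOTE in the Summary asks you to perform by hand. The install directory, SQL instance and database name in the param block are assumptions to adjust for your environment, and the script assumes the SqlServer module (Invoke-Sqlcmd) is installed and that you have taken the ePO and database backup the article calls for.

```powershell
# Added example (not from the KB article): Steps 1-4 of the server-side change in PowerShell.
# Assumptions (edit for your environment): the ePO install directory, SQL instance and
# database name below; the SqlServer module (Invoke-Sqlcmd) is installed; run elevated on the ePO server.
param(
    [Parameter(Mandatory)][ValidateRange(1, 65535)][int]$NewPort,
    [string]$EpoDir      = 'C:\Program Files\McAfee\ePolicy Orchestrator',
    [string]$SqlInstance = 'localhost\EPOSERVER',
    [string]$EpoDb       = 'ePO_Server'
)
$ErrorActionPreference = 'Stop'

# The article notes there is no automatic validation: refuse a port that is already listening.
if (Get-NetTCPConnection -LocalPort $NewPort -State Listen -ErrorAction SilentlyContinue) {
    throw "TCP port $NewPort is already in use on this server; choose another port."
}

# Step 1: stop the three ePO services (same display names as in the article).
$svcs = 'McAfee ePolicy Orchestrator Application Server',
        'McAfee ePolicy Orchestrator Event Parser',
        'McAfee ePolicy Orchestrator Server' | ForEach-Object { Get-Service -DisplayName $_ }
$svcs | Stop-Service -Force
$svcs | ForEach-Object { $_.WaitForStatus('Stopped', [TimeSpan]::FromMinutes(2)) }

# Step 2: update ServerHttpsPort in the ePO database ($NewPort is a validated integer, not free text).
Invoke-Sqlcmd -ServerInstance $SqlInstance -Database $EpoDb `
    -Query "UPDATE [$EpoDb].dbo.EPOServerInfo SET [ServerHttpsPort] = $NewPort"

# Step 3: replace the 443 entries in httpd.conf and ssl.conf, keeping a timestamped backup of each file.
$stamp = Get-Date -Format 'yyyyMMddHHmmss'
foreach ($name in 'httpd.conf', 'ssl.conf') {
    $path = Join-Path (Join-Path $EpoDir 'Apache2\conf') $name
    Copy-Item $path "$path.$stamp.bak"
    $text = Get-Content $path -Raw
    $text = $text -replace '(?m)^([ \t]*Listen[ \t]+)443\b',                "`${1}$NewPort"
    $text = $text -replace '(?m)^([ \t]*<VirtualHost[ \t]+_default_:)443>', "`${1}$NewPort>"
    $text = $text -replace '(?m)^([ \t]*ServerName[ \t]+\S+:)443\b',        "`${1}$NewPort"
    Set-Content $path $text -NoNewline
}

# Step 4: start the services again and confirm that something is now listening on the new port.
$svcs | Start-Service
Start-Sleep -Seconds 30
if (Test-NetConnection -ComputerName localhost -Port $NewPort -InformationLevel Quiet) {
    Write-Host "ePO is listening on TCP $NewPort. Continue with Steps 5-7 for Agent Handlers and agents."
} else {
    Write-Warning "Nothing is listening on TCP $NewPort yet; check the Apache error log and the edited conf files."
}
```

Save it under a name of your choosing (for example Set-EpoSecurePort.ps1) and run it as .\Set-EpoSecurePort.ps1 -NewPort 8443; Steps 5 through 7 for the Agent Handlers and the managed agents still have to be carried out as described above.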