cancel
Showing results for 
Search instead for 
Did you mean: 
Nick_B
Level 11
Report Inappropriate Content
Message 1 of 51

ePO Agent Handler Upgrade - Best Approach?

Hi McAfee Community Members,

I'm upgrading a customer's ePO server this week to 5.9.1 from 5.3.2.

This will be an in-place upgrade followed by the installation of 5.9.1 on the new server which has been prepared by using the restore from snapshot option - as the existing 5.3.2 ePO server is running Windows Server 2008 R2 so will be migrating it to a Windows Server 2016 platform (this has already been prepared).

The customer also has an Agent Handler but this is not in the DMZ.

What would be the best approach to upgrade the Agent Handler? Should they prepare another 2016 server and then install ePO 5.9.1 on here also? Would we also need to install this using the 'Restore from snapshot' option as with the actual ePO server itself, assuming that the Agent Handler is also running an older Windows OS such as Server 2008 R2?

As background info, the SQL DB is on a separate box running SQL Server 2016.

I look forward to your replies!

UPDATE: The Agent Handler is running a recent Windows OS so will not need to be migrated, just upgraded to match the version of ePO which is 5.9.1 Presumably we would run this immediately after the in-place upgrade on the main ePO server?

Thanks guys,

Nick

50 Replies
McAfee Employee cdinet
McAfee Employee
Report Inappropriate Content
Message 2 of 51

Re: ePO Agent Handler Upgrade - Best Approach?

All you need to do is to upgrade it in place, but before doing so, I would prepare it for the ciphers and protocols needed by 5.9.1.  To do that, I would run iiscrypto tool on it, choose best practices, then reboot. 

Was my reply helpful?
If this information was helpful in any way or answered your question, will you please select Accept as Solution in my reply and together we can help other members?

Nick_B
Level 11
Report Inappropriate Content
Message 3 of 51

Re: ePO Agent Handler Upgrade - Best Approach?

Hi,

Thanks for that, it makes sense.

Would it be best to perform the in-place upgrade on the AH after the migration exercise, or does the order not matter?

Thanks again,

Nick

McAfee Employee cdinet
McAfee Employee
Report Inappropriate Content
Message 4 of 51

Re: ePO Agent Handler Upgrade - Best Approach?

You need to upgrade the agent handler as soon as you upgrade epo, otherwise it will not be used by the agents and it won't be able to communicate with the db and server due to mismatched version.

Was my reply helpful?
If this information was helpful in any way or answered your question, will you please select Accept as Solution in my reply and together we can help other members?

Nick_B
Level 11
Report Inappropriate Content
Message 5 of 51

Re: ePO Agent Handler Upgrade - Best Approach?

Excellent, thanks very much.

Nick_B
Level 11
Report Inappropriate Content
Message 6 of 51

Re: ePO Agent Handler Upgrade - Best Approach?

Hello again,

With regard to the IISCrypto tool, would it be advisable to run that on both the current and proposed ePO servers?

Thanks,

Nick

McAfee Employee cdinet
McAfee Employee
Report Inappropriate Content
Message 7 of 51

Re: ePO Agent Handler Upgrade - Best Approach?

Yes, it would

Was my reply helpful?
If this information was helpful in any way or answered your question, will you please select Accept as Solution in my reply and together we can help other members?

Nick_B
Level 11
Report Inappropriate Content
Message 8 of 51

Re: ePO Agent Handler Upgrade - Best Approach?

Hello again,

Apologies - another IISCrypto question!

IISCrypto is actually run on the SQL Server, where the ePO DB resides is it not (as opposed to the ePO server).

That would require a change to go to CAB, but should not be a big deal.

If for whatever reason, the change to the cipher suite order needed to be reverted, how would that be accomplished? Might it be safer to use Group Policy for this type of change?

McAfee Employee cdinet
McAfee Employee
Report Inappropriate Content
Message 9 of 51

Re: ePO Agent Handler Upgrade - Best Approach?

To be safe, I would run it on the epo and sql servers as well as agent handlers.  5.9 and 5.10 are very specific in requirements for certain cipher suites and tls protocols being enabled.  That is the easiest way to ensure requirements are met.  If you revert changes, you may lose database connectivity. 

You can look at kb91305, kb91296, kb91115, kb89940, kb87731

 

Was my reply helpful?
If this information was helpful in any way or answered your question, will you please select Accept as Solution in my reply and together we can help other members?

Nick_B
Level 11
Report Inappropriate Content
Message 10 of 51

Re: ePO Agent Handler Upgrade - Best Approach?

Great, thanks for that exhaustive list of KB articles, I am familiar with 87731 for sure but not so the others.

On that note then, would you also run the PIA tool on the source and destination ePO servers? 

More McAfee Tools to Help You

Community Help Hub

    New to the forums or need help finding your way around the forums? There's a whole hub of community resources to help you.

  • Find Forum FAQs
  • Learn How to Earn Badges
  • Ask for Help
Go to Community Help

Join the Community

    Thousands of customers use the McAfee Community for peer-to-peer and expert product support. Enjoy these benefits with a free membership:

  • Get helpful solutions from McAfee experts.
  • Stay connected to product conversations that matter to you.
  • Participate in product groups led by McAfee employees.
Join the Community
Join the Community