10 Replies Latest reply on Oct 2, 2009 9:29 AM by whifty

    Installing ePolicy on a server that is managed by another ePo server

      Hi all, noob round these parts - sorry if this is a daft question but I'm being driven nuts trying to figure it out, so here goes!

      (Deep breath)

      Here's the scenario:

      In our environment we have one ePo server running V4.0 (server x) that is due to be decommissioned. We are ready to move to ePo 4.5 and I'm currently installing 4.5 on another server in the domain (server y).

      Server Y has Virusscan 8.5 running on it, being managed by server X. We can't disable virusscan on the server Y as it's also operating as a proxy server for web browsing, and thus needs On Access Scanning running at all times.

      The installation of ePo 4.5 on server Y went smoothly right up until the point I tried to push out an agent to a test PC - ePo simply refuses to detect the IP address of the PC, even though it's detected the test PC through a successful AD sync.

      McAfee Support have told me (after a 1.5 hr phone call) that this is an unsupported scenario and that ePo must be installed on a server that does not have VirusScan installed and managed by another ePo server, and this is the reason that I cannot push agents out to any PCs from it.

      Is this true?

      :confused::confused::confused:

      Thanks in advance!

      PS - I know that migrating is probably the way to go here rather than this convoluted approach I'm taking, however my manager has requested that we start from scratch rather than migrate our existing database and configuration.
        • 1. RE: Installing ePolicy on a server that is managed by another ePo server
          JoeBidgood
          Hmmm.... it's a slightly unusual scenario, but I can't think of a reason why it shouldn't work (unless VSE was somehow configured to block access.)

          I think it more likely that the push is failing for another reason - unfortunately there are lots of things that can cause pushes to fail.

          What does the corresponding entry in the server task log say? Can you ping the machine in question from the epo server by its netbios name alone?

          HTH -

          Joe
          • 2. RE: Installing ePolicy on a server that is managed by another ePo server
            Hi Joe thanks for response.

            The server task log just says that the Push Agent task has failed due to expiry.

            I can ping the client PC from the server both by its IP address and hostname.

            The client PC's entry in the system tree shows as Unmanaged, no IP address is displayed and when I try to ping from ePo it responds "Failed to determine host IP address". I've googled this and searched the forums and it seems this is because for whatever reason the host's IP address is not entered in the ePo database.

            Beyond this I'm stumped. If it's relevant, the client PC also has VirusScan installed on it managed by the old server, though deleting the client PC from the old server system tree and deleting the agent has no effect on being able to push an agent from the new server.
            • 3. RE: Installing ePolicy on a server that is managed by another ePo server
              JoeBidgood
              Hmm... can you check the epoapsrv.log on the server? There may be more detail in there regarding what failed.
              With regard to being unable to ping, that would make sense - the server is trying to ping the machine's last known address taken from the DB, and if it's never communicated then there won't be such an entry.
              For pushes to work, a number of things all have to be enabled - the admin$ share has to be available, remote registry access, and a number of other things. A common gotcha is to have VSE's access protection configured to prevent things running from the admin$ share - which of course means VSE blocks push agent installs :)

              As a test, you could always manually install the framepkg from the new server on the client machine: if all goes well it should be able to communicate with the new server and appear in the system tree...

              HTH -

              Joe
              • 4. RE: Installing ePolicy on a server that is managed by another ePo server


                This is from the EpoApSvr.log at the time of initiating a Push Agent from the server:

                __

                20091001170850 I #2908 EPOJNI Getting license data...
                20091001170850 I #2908 EPOJNI Getting license data...
                20091001170854 I #2908 EPOJNI Getting license data...
                20091001171122 I #1500 SiteMgrWrap Created instance of Site Manager
                20091001171122 I #1500 SiteMgr SetEPOMode: SiteMgr enter ePO mode, server=HO-SCM01, port=8443, EPOUser=, Password=********
                20091001171122 I #1500 SiteMgr DALInit: Connected to DAL successful
                20091001171122 I #1500 SiteMgr SetEPOMode: Set ePO mode successful
                20091001171122 I #1500 SiteMgr GeneralInetRequestThreadProc: GeneralInetRequest thread started
                20091001171122 I #1500 SIM_InetMgr Starting download session for url myavert.avertlabs.com:8801
                20091001171122 I #1500 naInet HTTP Session initialized
                20091001171122 I #1500 naInet Connecting to HTTP Server using Microsoft WinInet
                20091001171122 I #1500 naInet Trying to connect to Real Server myavert.avertlabs.com using INTERNET_OPEN_TYPE_PRECONFIG
                20091001171122 I #1500 naInet Connected to Server: myavert.avertlabs.com on Port: 8801 using WinInet
                20091001171122 I #1500 SIM_InetMgr Started download session 1 for site myavert.avertlabs.com:8801
                20091001171122 I #1500 SiteMgr GeneralInetRequestThreadProc: Downloading /reportservice.asmx
                20091001171122 I #1500 SIM_InetMgr Downloading file reportservice.asmx from session 1, LocalDir=C:\WINDOWS\TEMP\nai4C45.tmp\00000000, RemoteDir=
                20091001171122 I #1500 naInet Open URL: http://myavert.avertlabs.com:8801/reportservice.asmx
                20091001171122 I #1500 naInet Trying to download using Microsoft WinInet library
                20091001171122 I #1500 naInet Connecting to Real Server myavert.avertlabs.com using INTERNET_OPEN_TYPE_DIRECT
                20091001171122 I #1500 naInet No resume download needed, calling InternetOpenUrl
                20091001171122 I #1500 naInet Downloading a file of total size: 7991, content-length: 7991
                20091001171122 I #1500 naInet Downloaded 7991 bytes this time
                20091001171122 I #1500 naInet Downloaded 0 bytes this time
                20091001171122 I #1500 SIM_InetMgr Downloaded file reportservice.asmx successfully in session 1
                20091001171122 I #1500 naInet HTTP Session closed

                ___

                I can't see anything in there to indicate a reason for failure though I don't really know what I'm looking for...

                The client PC has Access Protection disabled. This is what is so confusing: the client PC is communicating happily enough with the old ePo server which leads me to believe that there's not a configuration problem at that end. It's even the same service account that is pushing the agent from both old and new server so there should be no permissions issues there either!

                :confused:
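
Added example, not part of the thread and not McAfee code: a small triage script for a log in the layout posted above (timestamp, severity letter, thread id, component, message), which counts entries per component and pulls out anything that is not informational or that mentions the operation being debugged. Severity letters other than `I`, the keyword list and the last sample line are assumptions; only `I` appears in the posted excerpt.

```python
import re
from collections import Counter
from datetime import datetime

# Layout seen in the excerpt: <YYYYMMDDhhmmss> <severity> #<thread> <component> <message>
LINE_RE = re.compile(r"^(\d{14})\s+([A-Za-z])\s+#(\d+)\s+(\S+)\s+(.*)$")

def parse_line(line):
    """Return a dict for one log line, or None if it does not match the layout."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, sev, thread, component, message = m.groups()
    return {
        "time": datetime.strptime(ts, "%Y%m%d%H%M%S"),
        "severity": sev.upper(),
        "thread": int(thread),
        "component": component,
        "message": message,
    }

def triage(lines, keywords=("push", "agent")):
    """Summarise a log: component counts, non-informational entries, keyword hits."""
    entries = [e for e in map(parse_line, lines) if e]
    return {
        "components": Counter(e["component"] for e in entries),
        # Assumption: any severity other than "I" deserves a look.
        "non_info": [e for e in entries if e["severity"] != "I"],
        "keyword_hits": [e for e in entries
                         if any(k in e["message"].lower() for k in keywords)],
        "unparsed": sum(1 for l in lines if l.strip() and parse_line(l) is None),
    }

# The first five lines come from the excerpt in the thread; the last one is
# constructed (its severity "E" and message are hypothetical) to exercise the filter.
SAMPLE = """\
20091001170850 I #2908 EPOJNI Getting license data...
20091001171122 I #1500 SiteMgrWrap Created instance of Site Manager
20091001171122 I #1500 SiteMgr DALInit: Connected to DAL successful
20091001171122 I #1500 naInet HTTP Session initialized
20091001171122 I #1500 naInet HTTP Session closed
20091001171130 E #1500 SiteMgr constructed example failure line
""".splitlines()

if __name__ == "__main__":
    report = triage(SAMPLE)
    print(dict(report["components"]))
    for e in report["non_info"]:
        print(e["time"], e["component"], e["message"])
```

An empty `keyword_hits` list together with components unrelated to the operation under investigation suggests the log being read is not the one that records it.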
                • 5. RE: Installing ePolicy on a server that is managed by another ePo server
                  JoeBidgood
                  Sorry, my mistake - I meant the server.log, not the epoapsrv.log :(

                  More coffee required...

                  Joe
                  • 6. RE: Installing ePolicy on a server that is managed by another ePo server
                    Should the server.log be found in C:\Program Files\McAfee\ePolicy Orchestrator\DB\Logs?

                    I've just looked there and there's 4 log files, but no server.log. Could this be because it's never successfully deployed an agent? Or am I looking in the wrong place?

                    Thanks again!
                    • 7. RE: Installing ePolicy on a server that is managed by another ePo server
                      JoeBidgood


                      Yep, that's where it should be (assuming ePO is installed to C:\Program Files\McAfee\ePolicy Orchestrator.)
                      What files have you got? The absence of server.log is a bit worrying... it logs agent to server comms activity as well as things like agent pushes, so it really ought to exist if the server is OK.

                      Joe
                      • 8. RE: Installing ePolicy on a server that is managed by another ePo server
                        EpoApSvr.log
                        EpoApSvr_backup.log
                        epomisc.log
                        eventparser.log

                        ...

                        but no server.log
                        • 9. RE: Installing ePolicy on a server that is managed by another ePo server
                          JoeBidgood
                          That's a touch worrying.
                          Is the epo server service started?
                          If you restart it does it throw any errors?
                          In the <install folder>\Apache2\Logs folder will be some files of the format "errorlog.<datetime>" - can you post the contents of the latest one after restarting the service?