9 Replies Latest reply on Nov 27, 2009 6:44 AM by StefanT

    ePO 4.5 and Agent 4.5 Creation For Use On Another ePO Server

    StefanT

      I have a test environment where all our software gets installed/created, tested and packaged and then deployed to a live environment. What I want to achieve is to take a McAfee Agent 4.5 created on the test environment and be able to install it on the live side and have it talk to the live ePO 4.5 server.

       

      My question is, what is the minimum configuration I need to do to get the test ePO agent to talk with the live ePO server, such as running it with command line switches to parse in a different sitelist.xml file etc? Also does anything have to be done regarding the key signing etc?

       

      Thanks

       

      Stef

        • 1. Re: ePO 4.5 and Agent 4.5 Creation For Use On Another ePO Server
          Sailendra Pamidi

          You can try supplying the sitelist.xml from the production epo server on the command line:

          frminst /install=agent /siteinfo="c:\sitelist.xml"

           

          You need to ensure that your production ePO server has the agent server key that was exported from the test ePO server. (Configuration->Server Settings->Keys)

           

           

          Message was edited by: Sailendra Pamidi on 11/24/09 10:21 AM
          • 2. Re: ePO 4.5 and Agent 4.5 Creation For Use On Another ePO Server
            StefanT

            Thanks for the reply, once I've exported my agent server key from the test ePO server and imported to my live server would I need to then make that the master key or just leave it as legacy?

             

            Thanks

             

            Stefan

            • 3. Re: ePO 4.5 and Agent 4.5 Creation For Use On Another ePO Server
              Sailendra Pamidi

              Once you import the key, the clients would be recognized by the production ePO server (not under legacy - but under the name you imported the key). You don't need to use the key updater for it (unless you want all clients to be using the current master key for their communication).

              • 4. Re: ePO 4.5 and Agent 4.5 Creation For Use On Another ePO Server
                StefanT

                That's great, thanks for the info!

                 

                Stefan

                • 5. Re: ePO 4.5 and Agent 4.5 Creation For Use On Another ePO Server
                  StefanT

                  I'm still having issues with this and I think what I'm being asked to achieve isn't possible!

                   

                  Basically what I have to do is take a framepkg.exe file which is run from a vbs script. What this vbs script does is perform an nslookup and grab the DNS alias of the ePO server on the target system and parse the details into a dummy sitelist.xml file. The vbs script populates the .xml file with the new server details as expected and then the vbs runs the framepkg file with the /siteinfo= command. However, even though we use the agent from the test server and the agent to server key is imported on the live server, the live server refuses to see the agent. The .xml file only contains the following once created:

                   

                  <ns:SiteLists xmlns:ns="naSiteList" GlobalVersion="20061127130539" LocalVersion="Mon, 27 Nov 2006 13:53:06 UTC" Type="Client">
                    <SiteList Default="1" Name="SomeGUID">
                      <HttpSite Type="fallback" Name="McAfeeHttp" Order="2" Enabled="0" Local="0" Server="update.nai.com:80">
                        <RelativePath>Products/CommonUpdater</RelativePath>
                        <UseAuth>0</UseAuth>
                        <UserName />
                        <Password Encrypted="1">f2mwBTzPQdtnY6QNOsVexH9psBK8z0HbZ2OkDTrPQsR/abAFPM9B3Q==</Password>
                      </HttpSite>
                      <SpipeSite Type="master" Name="ePO_test" Order="1" Enabled="1" Local="0" Server="test:9132" ServerName="test:9132" ServerIP="10.20.20.20:9132">
                        <RelativePath>Software</RelativePath>
                        <UseAuth>0</UseAuth>
                        <UserName />
                        <Password Encrypted="1">f2mwBTzPQdtnY6QNOsVexH9psBK8z0HbZ2OkDTrPQsR/abAFPM9B3Q==</Password>
                      </SpipeSite>
                    </SiteList>
                  </ns:SiteLists>
                  Once the nslookup has run the script, the server details in the line below are changed with the live server's correct details (name, IP, FQDN etc), the rest of the .xml file remains the same:
                  <SpipeSite Type="master" Name="ePO_test" Order="1" Enabled="1" Local="0" Server="test:9132" ServerName="test:9132" ServerIP="10.20.20.20:9132">
                  I think there's more to it than just amending the dummy file.
                  The solution that is required is to create an install package in our test pre-production system that talks direct with the live ePO server without having to go off and grab anything from the live system. My bosses say that building the live server first, then creating a framepkg.exe file to deploy to all our clients is unacceptable!
                  Is this possible?
                  Thanks
                  Stefan
                  • 6. Re: ePO 4.5 and Agent 4.5 Creation For Use On Another ePO Server
                    JoeBidgood

                    I'm afraid what you're describing is not going to be possible until the live server is built. The dummy sitelist you have there is not going to work - it's not a valid ePO4.5 / MA 4.5 sitelist, I'm afraid.

                     

                    There may be additional issues as well - I don't know your exact environment, obviously, but even if you could get this to work, then the next time the sitelist on the server is modified it is going to be sent to the clients, replacing the one built from the dummy file. This would presumably break things...

                     

                    I would very strongly recommend building the live server, taking the framepkg that it creates, and deploying that to your clients - even though your bosses deem it unacceptable. It is by far the safest method...

                     

                    Regards -

                     

                    Joe

                    • 7. Re: ePO 4.5 and Agent 4.5 Creation For Use On Another ePO Server
                      StefanT

                      Thanks for the reply Joe. I think I'm correct in saying that the sitelist.xml file for 4.5 contains the CA certificate info which is required for the agent/server communication and I presume this is unique to the server and couldn't be cloned from the test server to the live server?

                       

                      I totally agree that the server should be built first, but because the .vbs method used to work on our other ePO 3.6.1/Agent 3.6 system my management are telling me it will work!

                       

                      Thanks

                       

                      Stefan

                      • 8. Re: ePO 4.5 and Agent 4.5 Creation For Use On Another ePO Server
                        JoeBidgood

                        StefanT wrote:

                         

                        Thanks for the reply Joe. I think I'm correct in saying that the sitelist.xml file for 4.5 contains the CA certificate info which is required for the agent/server communication and I presume this is unique to the server and couldn't be cloned from the test server to the live server?

                         

                        Exactly. Also there are a few other things, like the hashed GlobalVersion, and the change to the spipe site format.

                         

                        I totally agree that the server should be built first, but because the .vbs method used to work on our other ePO 3.6.1/Agent 3.6 system my management are telling me it will work!

                         

                        Unfortunately, it won't. It used to work for ePO 361 and CMA 3.6 because they all shared the same server public key, so any agent could talk to any server. The advent of ePO 4 / MA4 changed that by making server keys unique: ePO 4.5 / MA 4.5 take it a step further by introducing SSL certificates.

                         

                        Regards -

                         

                        Joe

                        • 9. Re: ePO 4.5 and Agent 4.5 Creation For Use On Another ePO Server
                          StefanT

                          That's cool thank you, it gives me plenty of facts to take back to them in my favour!

                           

                          Thanks

                           

                          Stefan
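
A pre-deployment check for the kind of rewritten sitelist described in this thread, as an added example that is not part of any post and not McAfee tooling: it parses the file and reports whether the enabled master SpipeSite's Server, ServerName and ServerIP all point at the expected server. Element and attribute names are taken from the sitelist posted above; the host name live.example.test, the address 192.0.2.10 and the function names are constructed for illustration. It does not check the key and certificate material that the replies say ePO 4.5 requires.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the layout of the sitelist posted in the thread,
# with only Server rewritten (ServerName/ServerIP left at the test values).
SAMPLE = """<ns:SiteLists xmlns:ns="naSiteList" GlobalVersion="20061127130539" LocalVersion="Mon, 27 Nov 2006 13:53:06 UTC" Type="Client">
  <SiteList Default="1" Name="SomeGUID">
    <SpipeSite Type="master" Name="ePO_test" Order="1" Enabled="1" Local="0" Server="live.example.test:9132" ServerName="test:9132" ServerIP="10.20.20.20:9132">
      <RelativePath>Software</RelativePath>
    </SpipeSite>
  </SiteList>
</ns:SiteLists>"""


def split_host_port(value):
    """Split 'host:port' as used in the Server* attributes; port may be absent."""
    host, _, port = (value or "").rpartition(":")
    return (host, port) if host else (value or "", "")


def check_sitelist(xml_text, expected_name, expected_ip, expected_port):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    root = ET.fromstring(xml_text)
    # Only the ns:SiteLists root is namespaced; child elements are not.
    masters = [s for s in root.iter("SpipeSite")
               if s.get("Type") == "master" and s.get("Enabled") == "1"]
    if len(masters) != 1:
        findings.append(
            f"expected exactly one enabled master SpipeSite, found {len(masters)}")
    for site in masters:
        for attr, want in (("Server", expected_name),
                           ("ServerName", expected_name),
                           ("ServerIP", expected_ip)):
            host, port = split_host_port(site.get(attr))
            if host.lower() != want.lower():
                findings.append(f"{attr} host is {host!r}, expected {want!r}")
            if port != expected_port:
                findings.append(f"{attr} port is {port!r}, expected {expected_port!r}")
    return findings


if __name__ == "__main__":
    # Expected values are constructed placeholders for the live server.
    for line in check_sitelist(SAMPLE, "live.example.test", "192.0.2.10", "9132"):
        print("FINDING:", line)
```
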