7 Replies Latest reply on Jan 28, 2016 10:06 AM by andrep1

    EPO Migration from 4.6.6 to 5.3.0 - Roll out plan

    zade

      Hi Guys,

I've just joined the forum and am new here and new to McAfee ePO. I work for an organization with about 6000 computers and servers and have been given the task of migrating ePO from 4.6.6 to the latest version, 5.3.0. The migration appears to have gone pretty well: I've managed to install ePO pointing at a brand new database and configure ePO with the same settings that are on 4.6.6. I've managed to replicate a lot of the settings, some via export and import and others by setting them up manually.


      What I've done so far:


      -Installed EPO

      -Setup Server settings, personal settings, registered servers

-Synced with AD but I haven't ticked push out agents, so all machines are still managed by the old EPO server.

-Exported and imported Policy Catalog and Task catalog, setup assignments but with tasks have left the assignments disabled as I wasn't sure if even with push out agents unticked it would try and speak to workstations/servers

      -Setup system tree, with tasks

      -Setup tag Catalog

      -Setup Queries and reports

      -Setup Users and Permissions

      -Setup Contacts


      A few questions I have...

      1. I would like to test rolling out the agent and new version of VSE to JUST our team of 8 people, but these machines are within a folder which is synced with AD and this folder has lots of other machines in, what is the best way of doing this? Do I need to create a new AD folder and move the computers into this folder, then sync this with the individual folder in EPO and assign task and policy so it replicates that of the main folder?

2. Once this has been tested, what is the best way of rolling this out in a staged process so we do not flood the network? Is there a way of saying automatically push out agents for 100 machines, once completed do VSE, then move onto the next 100?


      I usually cover VMWare within our team so this is a learning experience for me on the job, all help is fully appreciated.

        • 1. Re: EPO Migration from 4.6.6 to 5.3.0 - Roll out plan
          andrep1

          Hi and welcome.

This is a big environment to start out with!


So just to understand, the two servers are still up and agents still reporting to the old one?

          You have AD sync with the previous server ? Do you automatically push the agent with the sync or is the agent in the image/install with gpo/manually/sccm ?

          If syncing, those are the options that can affect your results:

Installation options: (screenshot not preserved)

          Did you know you can use ePO to transfer systems from one to the other? I find that a bit more elegant.


          To test the agent, find your 8 devices in the system tree, select them, select actions, agent, deploy agent and select the option to overwrite the existing install.

With the transfer agent option, they'll just show up in the system tree on the new server. You just need to cross-register the servers in ePO (export agent-server keys from new server, import in new server, on old server create a registered server of type ePO and provide database server details of the new SQL server so the old server can talk to the new server's SQL database and copy agent information).


In regards to traffic, do you know agent 5.0 supports p2p? On large subnets you can flood your subnets with broadcast traffic, so don't make all your agents peer servers, but you could make all your servers "peer servers"; it is just a setting in the agent policy, then use that.

You can also randomize your start time for your tasks: the agent push is not too big, but VSE with the full DAT file is over 100MB.

          • 2. Re: EPO Migration from 4.6.6 to 5.3.0 - Roll out plan
            zade

            Hi Andre,


            First of all thank you for the response it is much appreciated.


Both servers, old and new, are up at the moment; the old server has 'auto push' enabled at the moment and on the new server I have not enabled this, to be sure. I'm guessing when I decide it is time to roll out this agent from the new server I untick auto push from the old server and tick it on the new server. In regards to our AD sync, we have set it up to sync to individual AD groups such as 'managed servers' and 'managed computers' so we do not pull down all the irrelevant folder names. This allows us to push out agents on one folder, then do the other separately.


            I've now done all of the transfer of policies, tasks, queries, etc etc... which I think is all in place.


            I've rolled out the agent ticking 'Force Installation over existing version' to 10 machines, 3 test servers and 7 of our workstations I can see them as managed which is great, all seems to have worked. I've also done a Run client task now > mcafee agent > product update > dat update and VSE product update to the latest version manually on these machines which appears to work. With the newer EPO we have a slightly newer version of VSE, in our system tree there is only tasks to install the current brand of VSE to new machines, so I'm guessing once we have all the agents out from the new server we will need to setup some tasks to do the upgrade of VSE.


In regards to traffic, you mentioned agent 5.0; I've been told by our reseller that this agent can cause blue screen problems, so I've stayed with 4.8.0.1938. What is the best way to push out the VSE update? Is there a way of doing it as an automated task? Is there a way of staggering this? Or would you just recommend creating the task on individual subfolders so this runs one folder at a time, and once completed create a task for the update on a new folder and so on?


Do you think in regards to the agents I can just roll them all out at the same time? Or is this also worth staggering? If so, how would I do this, bearing in mind that I have two folders synced with AD; with the push option, will it not just roll out all the agents at the same time?

            • 3. Re: EPO Migration from 4.6.6 to 5.3.0 - Roll out plan
              andrep1

Hi,


              Correct in regards to VSE, the deployment agent client task will only install VSE on devices that do not have it. You need an agent update task that updates the product to latest patch and hotfix.

In regards to agent 5.0, there are already multiple versions of the product. I invite you to read the release notes and manage your risk accordingly. 5.0.3 should be out very soon as it is already in RTS stage; it should be released to the world, I hope, at the start of the new year.

In regards to staggering the agent push, it is a bit more complicated as it is not a client task per se. It really depends on the availability of the circuits/bandwidth. The following approach works but is a little bit more complicated.

              1. Create a query of devices that are not running the latest agent: managed systems, table format, on the "configure chart" set the maximum item to a number you feel appropriate as concurrent deployments.

              2. Create a server task that runs periodically (every 30 minutes, every hour ?, it has to be longer than the time to push the agent), select action run query, sub action deploy mcafee agent

So that's pretty much it; then your client update task will take over to update VSE (set a good randomization in there to spread the load).

              • 4. Re: EPO Migration from 4.6.6 to 5.3.0 - Roll out plan
                zade

                Hi Andre,


                When creating the query at the result type stage, when you say 'create a query of devices that are not running the latest agent' do I select 'Agent Version (deprecated)' ? as the sort by value?

                Could you provide me with the steps to do this?

                • 5. Re: EPO Migration from 4.6.6 to 5.3.0 - Roll out plan
                  andrep1

Hi Zade, on the chart page select the maximum items and the value you deem appropriate; the info on the column page is irrelevant; on the filter page, under Agent Properties, Product Version (Agent), select that field and filter on the versions that are inappropriate. The deprecated agent version field can also work.


                  Hope this helps.

                  • 6. Re: EPO Migration from 4.6.6 to 5.3.0 - Roll out plan
                    zade

                    Hi Andre,


                    I think I've figured it out, but the agent version on my side is not filled in for the machines that are managed by the 'old server'. Could I do 'managed state = unmanaged' or is there a way of choosing the agent version 'blank'


As you can see there are 2579 machines still with the old ePO server. I've been selecting this and just doing a select all and deploying the agent, but I'm finding now that I'm only getting 30/40 completed machines each time (whereas the first bulk was like hundreds). That's why I want the task just to run automatically in the background and just pick up machines as they are powered on throughout the day. Let me know what you think the best way to target these is; at the moment they are showing as 'unmanaged' in the system tree I think, maybe I could use the managed state. hmmm

                    • 7. Re: EPO Migration from 4.6.6 to 5.3.0 - Roll out plan
                      andrep1

managed state=unmanaged or agent version blank are both good options.


                      For those agents still on the old server, do consider the transfer functionality or maybe look at using a system management tool or a GPO script to install the agent as alternative deployment methods.


From the new ePO server, you can push all you want, but if all those machines are offline or somehow unreachable it won't do any good. That's why taking actions from the old server is easier, since you know the status of the device.
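The staged rollout andrep1 describes in reply 3 (a query capped at a maximum number of items, run periodically by a server task that deploys the agent to whatever it returns) and the filter choice from reply 7 (managed state = unmanaged, or agent version blank) can be modelled as a small simulation. The script below is an added example, not ePO code or anything posted in this thread: it reproduces the selection logic in plain Python against a constructed inventory, so you can see how the batch size throttles concurrent pushes and why offline machines keep reappearing in the candidate set. The system names, the 4.6.0.1 and 4.8.0.1500 version strings, and the "least-attempted first" ordering of candidates are my own assumptions; 4.8.0.1938 is the agent build named in the thread.

```python
import random
from dataclasses import dataclass
from typing import List, Optional

# Agent build the thread settled on (4.8.0.1938); treated as the rollout target here.
TARGET_AGENT = "4.8.0.1938"


def parse_version(version: str) -> tuple:
    """'4.8.0.1938' -> (4, 8, 0, 1938) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in version.split("."))


@dataclass
class System:
    name: str
    agent_version: Optional[str]  # None = blank, i.e. still reporting to the old ePO
    managed: bool                 # False = shows as "unmanaged" on the new server
    online: bool = True           # a push only completes for reachable machines
    attempts: int = 0             # how many runs have already tried this system


def needs_agent(system: System, target: str = TARGET_AGENT) -> bool:
    """Query filter: managed state = unmanaged, agent version blank, or older than target."""
    if not system.managed or system.agent_version is None:
        return True
    return parse_version(system.agent_version) < parse_version(target)


def select_batch(systems: List[System], max_items: int, target: str = TARGET_AGENT) -> List[System]:
    """The query with 'maximum items' set. Least-attempted systems go first so an
    offline machine cannot hog a slot in every run (this ordering is my assumption)."""
    candidates = [s for s in systems if needs_agent(s, target)]
    candidates.sort(key=lambda s: s.attempts)
    return candidates[:max_items]


def run_server_task(systems: List[System], max_items: int, target: str = TARGET_AGENT) -> List[str]:
    """One periodic server-task run: 'run query' -> 'deploy McAfee Agent' on the batch."""
    completed = []
    for system in select_batch(systems, max_items, target):
        system.attempts += 1
        if system.online:
            system.agent_version = target
            system.managed = True
            completed.append(system.name)
    return completed


def simulate(systems: List[System], max_items: int, max_runs: int, target: str = TARGET_AGENT):
    """Repeat the server task; returns completions per run and what is still outstanding."""
    history = []
    for _ in range(max_runs):
        if not select_batch(systems, max_items, target):
            break
        history.append(len(run_server_task(systems, max_items, target)))
    remaining = [s.name for s in systems if needs_agent(s, target)]
    return history, remaining


def stagger_offsets(names: List[str], window_minutes: int, seed: int = 0) -> dict:
    """Randomised start offsets (minutes) for the VSE/DAT client update task,
    the 'good randomization' that spreads the 100MB+ download across the window."""
    rng = random.Random(seed)
    return {name: rng.randrange(window_minutes) for name in names}


def build_inventory() -> List[System]:
    """Constructed sample inventory; names and versions are invented for the example."""
    return [
        System("WS-001", None, False),
        System("WS-002", None, False, online=False),
        System("WS-003", "4.6.0.1", True),
        System("WS-004", "4.8.0.1938", True),
        System("SRV-01", None, False),
        System("SRV-02", "4.8.0.1500", True, online=False),
        System("SRV-03", None, False),
    ]


if __name__ == "__main__":
    history, remaining = simulate(build_inventory(), max_items=2, max_runs=5)
    print("completed per run:", history)
    print("still outstanding:", remaining)
    print("update offsets:", stagger_offsets(["WS-001", "WS-003"], 120))
```

With a batch size of 2 the sample inventory completes one, two and then one machine over the first three runs, and the two offline systems remain outstanding for as many runs as you allow. That is the behaviour zade saw (30/40 completions per pass as the reachable machines are used up) and the reason andrep1 points at the transfer function or a GPO/system management tool for the stragglers: a query-driven push from the new server can only reach what is online when the task fires.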