
I need to move Policy Manager to a new server

qbj
qbj Posts: 1 Security Scout

The PM server is having hardware issues and I will likely need to move the PM to a different server.  The PM server also has user data on it so I cannot redirect the DNS name.  What will I have to do to get the clients to see the new PM server name?  What do I need to watch out for?

Comments

  • Siltanen
    Siltanen Posts: 47 Digital Defender

    Hello qbj,

    This is a bit of a tricky situation, but if done correctly it should go smoothly. First of all, you need to take a backup of the commdir or the H2 database.

    This depends on what version of Policy Manager you are currently running. Policy Manager 9 still has the old commdir structure and in Policy Manager 10 the domain and policy data, as well as the signing keys, are all stored in the H2 database.

    I am going to write instructions only for Policy Manager 10; if you are still running Policy Manager 9, it is better to contact support directly about the procedure.

    Here you will find how to create a backup of the policy data and domain structure.
    1. Stop the Policy Manager Server service.
    2. Back up the <F-Secure installation folder>\Management Server 5\data\h2db directory.
    3. Restart the Policy Manager Server service.

    If you want to save the Policy Manager Console preferences, back up the lib\Administrator.properties file from the local installation directory.

    Now you'd need to install Policy Manager 10 on a new server (where you intend to move the PM).

    After installation:

    1. Stop the Policy Manager Server service.
    2. Copy the previously saved database from the old server to <F-Secure installation folder>\Management Server 5\data\h2db directory.
    3. Restart the Policy Manager Server service.

    Now here's the tricky part:

    1. Create a policy on the new server (from policy domain root level) that points to the new server address. (F-Secure Management Agent -> Settings -> Communications -> Protocols -> HTTP -> Management Server Address) NOTE! Please make sure that the address is written correctly, including the host module port number, and distribute the policy.

     

    2. Create a policy on the old server (from policy domain root level) that points to the new server address. (F-Secure Management Agent -> Settings -> Communications -> Protocols -> HTTP -> Management Server Address) NOTE! Please make sure that the address is written correctly, including the host module port number, and distribute the policy.

     

    3. On the new server, untick and retick some Management Agent setting from the policy domain root level (for example the final setting on F-Secure Management Agent -> Settings -> Communications -> Protocols -> HTTP -> Management Server Address). Make sure you just untick it once and then retick it so that Distribute Policies becomes active, but no actual settings are changed at this point. Distribute policies.

    Now all of the clients should have a policy which will tell them to go to the new Policy Manager server. Once they reach the new Policy Manager server, they'll get a new policy from there in due time with a greater policy file counter number and shouldn't fall back to the old server anymore. The only problem with this solution is that there are always some computers that are not connected to the network or not turned on at the time you make the change, so you might want to keep the old server running for a while until all the clients have been moved to the new server. Otherwise you'll have to reinstall those clients manually.

    If you have any questions or concerns about the migration, please feel free to post them in this thread, leave me a private message or contact support directly.
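
The backup and restore steps from Siltanen's instructions, as an added PowerShell example that is not part of the original posts and is not F-Secure tooling: it stops the service, copies the h2db directory, and compares SHA-256 hashes of source and copy before the service is started again. The service name, the backup path and the function names are assumptions; look up the real service name with Get-Service.

```powershell
# Added example, not F-Secure tooling. $ServiceName and all paths are
# assumptions supplied by the caller.

function New-DirManifest {
    # Map each file's path relative to $Root to its SHA-256 hash.
    param([Parameter(Mandatory)][string]$Root)
    $base = (Resolve-Path -LiteralPath $Root).Path.TrimEnd('\')
    $manifest = @{}
    Get-ChildItem -LiteralPath $base -Recurse -File | ForEach-Object {
        $rel = $_.FullName.Substring($base.Length + 1)
        $manifest[$rel] = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
    }
    return $manifest
}

function Compare-DirManifest {
    # Return relative paths that are missing, extra, or differ in content.
    param([hashtable]$Expected, [hashtable]$Actual)
    $names = @($Expected.Keys) + @($Actual.Keys) | Sort-Object -Unique
    @($names | Where-Object { $Expected[$_] -ne $Actual[$_] })
}

function Copy-H2dbOffline {
    # Stop the service, copy the database, verify the copy, restart.
    param(
        [Parameter(Mandatory)][string]$ServiceName,
        [Parameter(Mandatory)][string]$Source,
        [Parameter(Mandatory)][string]$Destination
    )
    Stop-Service -Name $ServiceName -ErrorAction Stop
    try {
        New-Item -ItemType Directory -Path $Destination -Force | Out-Null
        Copy-Item -Path (Join-Path $Source '*') -Destination $Destination `
            -Recurse -Force -ErrorAction Stop
        # Files left over in $Destination from a fresh install show up here too.
        $diff = @(Compare-DirManifest -Expected (New-DirManifest $Source) `
                                      -Actual (New-DirManifest $Destination))
        if ($diff.Count -gt 0) { throw "Copy differs from source: $($diff -join ', ')" }
    }
    finally {
        Start-Service -Name $ServiceName   # restart even if the copy failed
    }
}

# Old server, backup (D:\pm-backup is a constructed path):
# Copy-H2dbOffline -ServiceName '<PM Server service name>' `
#   -Source '<F-Secure installation folder>\Management Server 5\data\h2db' `
#   -Destination 'D:\pm-backup\h2db'
# New server, restore: swap -Source and -Destination.
```

In Policy Manager 10 the h2db directory also holds the signing keys, so keep the backup copy readable by administrators only.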

  • zdravko
    zdravko MyAccount Posts: 2 Security Scout
    I have Policy Management Server Console 10.00.36754. I installed a new server and replaced the key from the old one, and after that on the client machine I get the error: policy.bpf did not pass signature verification
  • zdravko
    zdravko MyAccount Posts: 2 Security Scout

    I get this error on the client machine with anti-virus F-Secure. Do you know something about this?

     


  • Ben
    Ben Posts: 664 Cybercrime Crusader

    Hello zdravko,

     

    This message indeed indicates that the key pair used by PM to sign the policy file doesn't match the admin.pub present on the client.

    Did you follow Siltanen's instructions and restore the whole H2DB on the new server?

     

    Did this client machine show this kind of message prior to the migration when you were distributing the policy?

  • pusaqall
    pusaqall MyAccount Posts: 7 Security Scout

    Hi there. Where can I get this type of instruction?

This discussion has been closed.
