F-Secure clients stay connecting to old PM server

Gaasbeek

I have migrated the PM server to a new server.

I first created a backup of all the settings.

Copied it to the new server.

Did a clean install of the PM (10)

Restored the backup.

And all looks ok.

Upgraded the PM to version 11.

All looks ok.

Now i have changed the setting on the old and new server so it would connect to the new server.

Didnt change the ports or anything.

Only a differnt servername.

But the servers keep on connecting to the old server.

I have tryd the "Poll the server now"

and it keeps on connecting towards the old server.

When i modify the connection on the client to go to the new server then it works fine.

I have modified it to go to ip.

And clicked poll the server now and it changes to the new server name.

So the new server is working.

Considering that we have 150+ servers and 800+ clients, changing it by hand is not an option.

Any one with an idea?

Find more posts tagged with

Comments

Costas-Inter

Can you check in your old PMC the host entry for the server that is still connecting to old PM? Check its central management URL. Is the address configured as a 'locked' setting?

It could be that you changed the address, but if not locked, then it could be overriden by local UI setting.

I suggest that you make the experiment and lock the setting (pointing to the new PM) on one host that has the problem, and see if it resolves it. Don't do it massively before you are sure this is the issue.

Costas

Gaasbeek

Checked the logging

All is succesfully.

It doenst display to what server it is connecting.

I have opened a support ticket

Included 3 FSdiag, one of a server that is still connecting towards the old server.

one of the old server and one of the new server.

Just received the message that it is being investigated

Costas-Inter

Hello

Another thing to investigate is connectivity problems to the new server.

If the client fails to connect to the new PM it will fall back to connecting to the old one, and then retry the new one at predefined intervals.

Check the logfile.log of one of your end-points that has a problem into switching to new server. In there you should find indication wether it connected or not to the new one and if 'fallback' has occured for some reason.

Costas

Gaasbeek

Yeah it is all done on the root level

and the differnt setting is seen also on servers within the same domain policys.

42 servers in 1 domain policy

5 go to the new

37 go to the old.

Ben

Hello Gassbeek,

Yes, I was also referring to the two previous points.

It isn't not normal that the client would take only part of the modifications made (only the exclusion). Can you confirm that the server's address was modified on the root level(on both old and new installation) and not only on sub-domains? That would explain partial success.

If you are still stuck you might want to open a support ticket here, providing fsdiags of the machines involved so that we can take a deeper look.

Gaasbeek

If you mean this

3. On the new server untick and retick some management agent setting from policy domain root level (for example the final setting on F-Secure Management Agent -> Settings -> Communications -> Protocols -> HTTP -> Management Server Address). Make sure you just untick it once and then retick it so that the distribute policies becomes active, but no actual settings are changed at this point anymore. Distribute policies.

then yes

I have changed it

The weird thing is that off all the servers some have contacted the new server already.

A quick count tells me that 25 servers did receive the new connection rule.

the rest of the servers didnt.

I have tested if they receive the policy by adding an exclusion on the old server.

Polled the server and checked it

And it did receive that part of the policy.

So it is distributing the policy but doesnt change the HTTP communication.

Ben

Hello Gaasbeek,

Please double check carefully that you did exactly as Siltanen's post indicates.

http://community.f-secure.com/t5/Management/i-need-to-move-policy-manager-to/m-p/13961#M476

That you made the modifications on the old server on the root, that theses policies were distributed and received by the clients, etc...

The last part is the critical one.

If you need any precision on the procedure don't hesitate to ask.