
F-Secure clients stay connecting to old PM server

Gaasbeek
Gaasbeek Posts: 17 Security Scout

I have migrated the PM server to a new server.

I first created a backup of all the settings.

Copied it to the new server.

Did a clean install of the PM (10)

Restored the backup.

And all looks ok.

Upgraded the PM to version 11.

All looks ok.

Now I have changed the setting on the old and new server so it would connect to the new server.

Didn't change the ports or anything.

Only a different server name.

 

But the servers keep on connecting to the old server.

 

I have tried the "Poll the server now" and it keeps on connecting towards the old server.

 

When I modify the connection on the client to go to the new server then it works fine.

I have modified it to go to ip.

And clicked poll the server now and it changes to the new server name.

So the new server is working.

 

Considering that we have 150+ servers and 800+ clients, changing it by hand is not an option.

 

Anyone with an idea?

 

Comments

  • Ben
    Ben Posts: 664 Cybercrime Crusader

    Hello Gaasbeek,

     

    Please double check carefully that you did exactly as Siltanen's post indicates.

    http://community.f-secure.com/t5/Management/i-need-to-move-policy-manager-to/m-p/13961#M476

     

    That you made the modifications on the old server on the root, that these policies were distributed and received by the clients, etc...

     

    The last part is the critical one.

     

    If you need any precision on the procedure don't hesitate to ask.

  • Gaasbeek
    Gaasbeek Posts: 17 Security Scout

    If you mean this

     

    3. On the new server untick and retick some management agent setting from policy domain root level (for example the final setting on F-Secure Management Agent -> Settings -> Communications -> Protocols -> HTTP -> Management Server Address). Make sure you just untick it once and then retick it so that the distribute policies becomes active, but no actual settings are changed at this point anymore. Distribute policies.

     then yes

     

    I have changed it

    The weird thing is that of all the servers some have contacted the new server already.

    A quick count tells me that 25 servers did receive the new connection rule.

    The rest of the servers didn't.

     

    I have tested if they receive the policy by adding an exclusion on the old server.

    Polled the server and checked it

    And it did receive that part of the policy.

    So it is distributing the policy but doesn't change the HTTP communication.

     

  • Ben
    Ben Posts: 664 Cybercrime Crusader

    Hello Gaasbeek,

     

    Yes, I was also referring to the two previous points.


    It isn't normal that the client would take only part of the modifications made (only the exclusion). Can you confirm that the server's address was modified on the root level (on both old and new installation) and not only on sub-domains? That would explain partial success.

     

    If you are still stuck you might want to open a support ticket here, providing fsdiags of the machines involved so that we can take a deeper look.

  • Gaasbeek
    Gaasbeek Posts: 17 Security Scout

    Yeah, it is all done on the root level

    and the different setting is also seen on servers within the same domain policies.

    42 servers in 1 domain policy

    5 go to the new

    37 go to the old.

     

  • Costas-Inter
    Costas-Inter Posts: 36 Security Scout

    Hello

     

    Another thing to investigate is connectivity problems to the new server.

    If the client fails to connect to the new PM it will fall back to connecting to the old one, and then retry the new one at predefined intervals.

     

    Check the logfile.log of one of your end-points that has a problem switching to the new server. In there you should find an indication whether it connected or not to the new one and if 'fallback' has occurred for some reason.

     

    Costas

     

  • Gaasbeek
    Gaasbeek Posts: 17 Security Scout

    Checked the logging

     

    All is successful.

    It doesn't display to what server it is connecting.

     

     

    I have opened a support ticket

    Included 3 FSdiag: one of a server that is still connecting towards the old server, one of the old server and one of the new server.

     

    Just received the message that it is being investigated.

     

  • Costas-Inter
    Costas-Inter Posts: 36 Security Scout

    Can you check in your old PMC the host entry for the server that is still connecting to old PM? Check its central management URL. Is the address configured as a 'locked' setting?

     

    It could be that you changed the address, but if not locked, then it could be overridden by local UI setting.

     

    I suggest that you make the experiment and lock the setting (pointing to the new PM) on one host that has the problem, and see if it resolves it. Don't do it massively before you are sure this is the issue.

     

    Costas

     

This discussion has been closed.
