IMPORTANT:
- This procedure is intended for use by network and ePO administrators only. McAfee does not assume responsibility for any damage incurred because they are intended as guidelines for disaster recovery. All liability for use of the following information remains with the user.
- The procedure is for use with ePO 4.5, 4.6, and 5.x servers only. For ePO 5.x users, it is preferable to use the built-in Disaster Recovery feature and only use these steps if a valid Snapshot was not created and a manual recovery is required.
- The Operating System (OS) must be the same if you are going to re-install the OS.
- You must reinstall ePO to the exact same directory path as the previous installation or initialization of extensions will fail when the restore is complete. See KB70685 for a Product Management statement regarding this limitation.
NOTES:
- The Agent uses either the last known IP address, DNS name, or NetBIOS name of the ePO server. If you change any one of these, ensure that the Agents have a way to locate the server. The easiest way to do this would be to retain the existing DNS record and change it to point to the new IP address of the ePO server. After the Agent is able to successfully connect to the ePO server, it downloads an updated SiteList.xml with the current information.
- The procedure can also be used by customers who want to migrate the ePO server to another system. For ePO 5.x users, it is preferable to use the built-in Disaster Recovery feature to migrate the ePO server to another system.
PreparationTo ensure a smooth recovery, do not perform a backup while the server is in the middle of installing an extension.
Before backing up
If possible, shut down the McAfee ePolicy Orchestrator Application Server service (Tomcat) entirely when doing the backup. Otherwise, ensure that no one is performing the following actions during the backup:
- Installing, uninstalling, or upgrading an extension
- Updating the ePO database configuration
Backing up1. Use the following to back up the
SQL database (normally named ePO4_
, where the is your ePO 4.5 / 4.6 server name):
- See article KB59562 - How to back up the ePO database using OSQL commands, or KB52126 - How to back up and restore the ePO database using Enterprise Manager/ Management Studio.
- SQL Enterprise Manager
2. You must also backup the following folder paths (the default installation path is used - your installation might differ):
C:\Program Files\McAfee\ePolicy Orchestrator\SERVER\
All installed extensions and configuration information for the ePO Application Server service is found here.
NOTE: If you want to reduce the number of items to back up from the \SERVER folder backup, consider excluding onlythe following:
- C:\Program Files\McAfee\ePolicy Orchestrator \server\logs (server log files)
- C:\Program Files\McAfee\ePolicy Orchestrator\server\cache (Contains cached information that ePO creates and uses, such as generated chart images. ePO will regenerate that information, if deleted.)
- C:\Program Files\McAfee\ePolicy Orchestrator\server\work (Contains cached information about web applications registered with Tomcat. Tomcat will regenerate that information, if deleted.)
C:\Program Files\McAfee\ePolicy Orchestrator\DB \SOFTWARE\All Products that have been checked into the Master Repository are located here.
C:\Program Files\McAfee\ePolicy Orchestrator\DB \KEYSTORE\The Agent to Server Communication and Repository Keys that are unique to your installation are located here. Failing to restore this folder results in re-pushing the agent to all your systems, and checking in all of your deployable packages again.
C:\Program Files\McAfee\ePolicy Orchestrator\APACHE2\CONFThe Server configuration settings for Apache, the SSL Certificates needed to authorize the server to handle agent requests, and Console Certificates are located here. Failure to back up and restore this directory results in a re-installation of ePO to create new ones and possibly using a clean database installation.
Recovery
- Delete the ePO database on the SQL server.
If you do not know how to perform the MSSQL operation, refer to http://technet.microsoft.com/en-us/library/ms177419.aspx or contact Microsoft Support.
- If restoring ePO to the same system, uninstall ePO. Ensure that there is no ePolicy Orchestrator folder in the original install path after the software is uninstalled.
NOTE: Renaming the existing ePolicy Orchestrator folder and leaving the old directory in place may interfere with the new installation. McAfee recommends that you remove the old directory completely.
- Reinstall ePO to the same version and patch level as the server you are restoring.
NOTE: You can verify the ePO patch level by looking at the Version field in the backed up Server.ini file (C:\Program Files\McAfee\ePolicy Orchestrator\DB\) and cross referencing it with article KB59938 - Version information for ePolicy Orchestrator.
IMPORTANT: You must reinstall ePO to the exact same directory path as the previous installation or initialization of extensions will fail when the restore is complete. Also, you do not have to specify the same port configuration except for the database. The ports are restored to the previous installation values during the restore.
- Apply any additional patches/hotfixes/POCs to ePO that had been previously applied.
For ePO 4.x:- If you have previously installed Policy Auditor 5.x for use with ePO, install the same version of Policy Auditor (including the hotfix release) that had been installed before.
- If you have previously installed McAfee NAC 3.x or McAfee NAC 4.0 for use with ePO, install the same version of McAfee NAC (including the hotfix release) that had been installed before.
For ePO 5.x: - If you have previously installed Policy Auditor 6.2 for use with ePO, install the same version of Policy Auditor (including any hotfix releases) that had been installed before.
- After installing, stop and disable all ePO services:
- Click Start, Run, type services.msc, and click OK.
- Right-click each of the following services and select Stop:
McAfee ePolicy Orchestrator Application Server
McAfee ePolicy Orchestrator Event Parser
McAfee ePolicy Orchestrator Server
- Double-click each of the following services and change Startup type to Disabled:
McAfee ePolicy Orchestrator Application Server
McAfee ePolicy Orchestrator Event Parser
McAfee ePolicy Orchestrator Server
- Restore the database.
NOTE: Restore the database so that you do not require the ePO database configuration to be updated (for example: same name, host, port, and so on). Otherwise, you must update the restored DB.PROPERTIES file in C:\Program Files\McAfee\ePolicy Orchestrator \server\conf\Orion with the new information before starting up the server.
- Delete the following folders, then replace them with the corresponding folders that were backed up earlier:
C:\Program Files\McAfee\ePolicy Orchestrator\SERVER\
C:\Program Files\McAfee\ePolicy Orchestrator\APACHE2\CONF
C:\Program Files\McAfee\ePolicy Orchestrator\DB \SOFTWARE\
C:\Program Files\McAfee\ePolicy Orchestrator\DB \KEYSTORE\
- Before you enable and start the ePO services, ensure that the contents (version numbers) of the C:\Program Files\McAfee\ePolicy Orchestrator\server\extensions\installed folder match the extensions listed in theOrionExtensions table.
To check the contents of the OrionExtensions table, access the SQL Tools and run the following T-SQL command:
Select * from OrionExtensions
If there is a mismatch on server startup, the server removes each extension not listed in the OrionExtensions table. If this happens, check in these extensions again and also restore the database again.
- Start the McAfee ePolicy Orchestrator Application Server service.
NOTE: You must start this service for RunDllGenCerts to work.
- Rename the SSL.CRT folder (see path below) to SSL.CRT.OLD and manually create an empty folder named SSL.CRT in the same path, otherwise the setup will fail to create a new Cert:
32-bit: "C:\Program Files\McAfee\ePolicy Orchestrator\APACHE2\CONF\SSL.CRT"
64-bit: "C:\Program Files (x86)\McAfee\ePolicy Orchestrator\APACHE2\CONF\SSL.CRT"
- Click Start, Run, type cmd, and click OK.
- Change directories to your ePO installation directory.
Default path:
32-bit: Program Files\McAfee\ePolicy Orchestrator\
64-bit: Program Files (x86)\McAfee\ePolicy Orchestrator\
- Run the following command:
IMPORTANT: - This command will fail if you have enabled User Account Control (UAC) on this server. If this is a Windows Server 2008 or later, disable this feature. You can find more information about UAC at: http://technet.microsoft.com/en-us/library/cc709691(WS.10).aspx.
- This command is case-sensitive. The ahsetup.log (found in ) provides information about whether the command succeeded or failed and will state if it used the files located in the ssl.crt folder
Rundll32.exe ahsetup.dll RunDllGenCerts <"installdir\Apache2\conf\ssl.crt">
where:
is your ePO server's NetBIOS Name
is your ePO Console Port (default is 8443)
is admin (use the default ePO admin account)
is the password to the ePO Admin console account
is your installation path to the Apache folder; Default installation path:
32-bit: "C:\Program Files\McAfee\ePolicy Orchestrator\APACHE2\CONF\SSL.CRT"
64-bit: "C:\Program Files (x86)\McAfee\ePolicy Orchestrator\APACHE2\CONF\SSL.CRT"
Example:Rundll32.exe ahsetup.dll RunDllGenCerts eposervername 8443 administrator password "C:\Program Files\McAfee\ePolicy Orchestrator\APACHE2\CONF\SSL.CRT"
- Start the following services:
McAfee ePolicy Orchestrator Event Parser
McAfee ePolicy Orchestrator Server
- Look in the DB/logs/server.log to ensure that the Agent Handler (Apache server) started correctly. It should state something similar to the following:
20090923173647 I #4108 NAIMSRV ePolicy Orchestrator server started.
If it does not, there will be an error similar to:
20090923173319 E #4736 NAIMSRV Failed to get server key information.
