Force client to connect to different server


I think I probably know the answer but I will ask anyway...

Scenario: 150 clients on LAN and WAN connecting to ERA, and have been for months. Everything working fine. I now need to get them to connect instead to a totally different ERA - different site, different certificate.

Is there any command I can push to the clients to force them to establish a connection to a new ERA?

So far the only solution I can find is to RDP or TeamViewer to the clients, uninstall the agent via appwiz.cpl, and then run the new agent live installer.

Many thanks

Edited by jimwillsher

You will create a temp agent policy on the old server to get them to check in that initial time and grab the new address of the server. After they have got the new policy and are no longer checking into the old server, you will then apply your certificate to these computers. You can use this link as a guide: https://support.eset.com/kb6492/

  • Administrators

The other ERA server must have the public CA certificate imported in order to trust the agent certificate. Without that, you'd need to reinstall agent and provide the correct CA certificate used by the other ERA server.


Thanks both, much appreciated. Looks like the uninstall/reinstall process is the way forward.

Off hand, does anyone know the correct syntax to uninstall the existing agent (6.5.xx) using msiexec, so I can edit the live installer to remove the old one before installing the new one?


  • ESET Staff

There should be no need to uninstall AGENT -> just use newly created live installer to repair AGENT installation. Just be aware that repair is performed only in case the same AGENT version is currently installed. Otherwise two executions of live installer will be required (upgrade + repair).

There is also "remote" alternative for migration to new SERVER. Following steps should do the trick:

  1. import CA certificate of new ERA server into your current ERA server. Once this is done, AGENTs will trust both old and new ERA server.
  2. create AGENT policy, which will:
    1. change AGENT certificate to new one, trusted by new ERA server (this is only required in case old CA is not imported into new ERA server)
    2. change hostname of ERA server (i.e. new SERVER location)

  • ESET Staff

In case you just re-direct AGENT to new SERVER, there will be two problems:

  1. AGENT will refuse to connect to NEW SERVER, because it will be missing CA certificate. To resolve this:
    1. export public part (DER) of CA certificate used to sign NEW SERVER certificate. By default, this is the only CA certificate available in new ERA
    2. import this CA certificate into your old SERVER. This will technically distribute this certificate to all AGENT connecting to old SERVER
  2. NEW SERVER will reject AGENTs, because their certificate is signed with different CA certificate. This can be resolved either:
    • by changing AGENT certificates (using policy) to AGENT certificate from NEW SERVER. To do that, just export AGENT certificate from NEW SERVER (your screenshot), it should be PFX file, which can be inserted into policy. I would prefer this solution, because NEW SERVER stays cleaner, i.e. without data imported from OLD SERVER. Even after AGENT certificate change, AGENT should be able to connect to both SERVERs.
    • alternatively you could import CA certificate from OLD SERVER to NEW SERVER (i.e. inverse operation as in step 1). Once this would be done, all AGENT will be able to connect to both ERA SERVERs. Both SERVER and AGENT will trust both CA certificates...
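
The two trust failures described in the post above, and each fix, reproduced with throwaway certificates. This is an added example, not part of the original thread and not ESET tooling; the CA names, file names and helper functions are constructed, and it assumes the `openssl` command is installed.

```shell
#!/bin/sh
# Constructed lab: two throwaway CAs stand in for the OLD and NEW ERA server
# CAs. All names below are hypothetical; nothing here talks to a real server.
set -e
work=$(mktemp -d)

make_ca() {    # $1 = CA name; writes $1-ca.key, $1-ca.pem and a DER export
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$1 CA" \
    -keyout "$work/$1-ca.key" -out "$work/$1-ca.pem" 2>/dev/null
  openssl x509 -in "$work/$1-ca.pem" -outform DER -out "$work/$1-ca.der"
}

issue() {      # $1 = signing CA name, $2 = peer name; writes $2.pem
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -keyout "$work/$2.key" -out "$work/$2.csr" 2>/dev/null
  openssl x509 -req -in "$work/$2.csr" -days 1 -CAcreateserial \
    -CA "$work/$1-ca.pem" -CAkey "$work/$1-ca.key" -out "$work/$2.pem" 2>/dev/null
}

# trusts <peer name> <CA name>...: would a peer whose trust store holds exactly
# these DER-exported CAs accept the named peer's certificate?
trusts() {
  cert="$work/$1.pem"; shift
  : > "$work/store.pem"
  for ca in "$@"; do
    openssl x509 -inform DER -in "$work/$ca-ca.der" >> "$work/store.pem"
  done
  openssl verify -CAfile "$work/store.pem" "$cert" >/dev/null 2>&1
}

report() {     # $1 = label, rest = arguments for trusts
  label=$1; shift
  if trusts "$@"; then echo "ACCEPT  $label"; else echo "REJECT  $label"; fi
}

make_ca old; make_ca new
issue old old-agent; issue new new-agent; issue new new-server

report "agent (old CA only) -> new server cert"       new-server old
report "agent (old + new CA) -> new server cert"      new-server old new
report "new server (new CA only) -> old agent cert"   old-agent  new
report "new server (new CA only) -> new agent cert"   new-agent  new
report "new server (new + old CA) -> old agent cert"  old-agent  new old
```

The first and third lines print REJECT, matching problems 1 and 2; the other three print ACCEPT, matching the CA import and the two ways of resolving the agent certificate.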