Jump to content

Migrating machines from Existing to Existing without reinstall of agent?


jdashn
 Share

Recommended Posts

We have two management servers (6.x) we're looking to consolidate down to 1 (7.x).

To this end we followed these instructions to migrate one of the 6.x servers (server A) to the new server (server C).

https://support.eset.com/kb6498/

https://support.eset.com/kb6490/

https://support.eset.com/kb6492/

This worked great for us, our endpoints started talking to the new server as we applied the policy to them (allowing us to move machines over before updating agent or endpoint).

The issue comes when attempting to apply these instructions to the task of moving over the endpoints from the 2nd old server (server B).  When i take the certificates from this server, and change the connection certificate on server C, all of the machines that currently connect to Server C no longer communicate until i change the certificate back to the original.

In this situation is there a better method of moving over clients, or am i stuck reinstalling the agent on the endpoints reporting to server B to get them to connect to C? Will this change my ability to manage the endpoint software (mainly uninstall/upgrade/update) on these endpoints?

Thanks a ton, in advance, for your consideration of this question!!

 

Jdashn

 

Link to comment
Share on other sites

  • ESET Staff

I would recommend to start by distributing CA certificates to both networks, i.e. to:

  1. Export CA certificate (used to sign SERVER's certificate) from server C and import it into B
  2. Export CA certificate (used to sign SERVER's certificate) from server B and import it into C

Once this is done, AGENTs from both "sub-networks" should be able to connect to both SERVERs, and also both SERVER's should be accepting connections from AGENTs. Now you have to create a policy for AGENTs connection to B with new hostname (you can list both C and B, but in this exact order). At this moment, there is no need to change AGENT's certificate, otherwise there would be risk of loosing AGENTs connectivity.

When AGENTs from B are successfully connecting to C, you can create policy in C, which will change peer certificate of AGENTs formerly connecting to B, so that all AGENTs are using new certificate, created & managed by C.

Link to comment
Share on other sites

@MartinK

Thanks! This seems to have worked without issue!

Still doing some testing this morning, but my test machines are responding to commands on the new server - and they appear to use a certificate generated by server C.

Thanks again!!

 

Jdashn

Link to comment
Share on other sites

Guest
This topic is now closed to further replies.
 Share

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...