jdashn, posted December 18, 2018

We have two management servers (6.x) we're looking to consolidate down to 1 (7.x).

To this end we followed these instructions to migrate one of the 6.x servers (server A) to the new server (server C).

https://support.eset.com/kb6498/
https://support.eset.com/kb6490/
https://support.eset.com/kb6492/

This worked great for us, our endpoints started talking to the new server as we applied the policy to them (allowing us to move machines over before updating agent or endpoint).

The issue comes when attempting to apply these instructions to the task of moving over the endpoints from the 2nd old server (server B). When I take the certificates from this server, and change the connection certificate on server C, all of the machines that currently connect to Server C no longer communicate until I change the certificate back to the original.

In this situation is there a better method of moving over clients, or am I stuck reinstalling the agent on the endpoints reporting to server B to get them to connect to C? Will this change my ability to manage the endpoint software (mainly uninstall/upgrade/update) on these endpoints?

Thanks a ton, in advance, for your consideration of this question!!

Jdashn

MartinK (ESET Staff), posted December 18, 2018

I would recommend to start by distributing CA certificates to both networks, i.e. to:

- Export CA certificate (used to sign SERVER's certificate) from server C and import it into B
- Export CA certificate (used to sign SERVER's certificate) from server B and import it into C

Once this is done, AGENTs from both "sub-networks" should be able to connect to both SERVERs, and also both SERVERs should be accepting connections from AGENTs.

Now you have to create a policy for AGENTs connection to B with new hostname (you can list both C and B, but in this exact order). At this moment, there is no need to change AGENT's certificate, otherwise there would be risk of losing AGENTs connectivity.

When AGENTs from B are successfully connecting to C, you can create policy in C, which will change peer certificate of AGENTs formerly connecting to B, so that all AGENTs are using new certificate, created & managed by C.
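
A lab model of the CA exchange described in the answer above, added here as an illustration and not taken from ESET or from either poster. Throwaway OpenSSL CAs named B and C stand in for the two servers' CAs, and the hypothetical `handshake` helper assumes each side only checks that the peer's certificate chains to a CA it knows.

```shell
#!/bin/sh
# Constructed lab: throwaway CAs "B" and "C" stand in for the two servers' CAs.
# All names and files are assumptions; nothing here touches an ESET installation.
set -eu
LAB=$(mktemp -d)
trap 'rm -rf "$LAB"' EXIT

make_ca() {   # make_ca NAME: self-signed CA in $LAB/NAME-ca.pem
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=lab CA $1" \
    -keyout "$LAB/$1-ca.key" -out "$LAB/$1-ca.pem" 2>/dev/null
}

issue() {     # issue CA_NAME CERT_NAME: $LAB/CERT_NAME.pem signed by CA_NAME
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -keyout "$LAB/$2.key" -out "$LAB/$2.csr" 2>/dev/null
  openssl x509 -req -in "$LAB/$2.csr" -days 2 -CA "$LAB/$1-ca.pem" \
    -CAkey "$LAB/$1-ca.key" -CAcreateserial -out "$LAB/$2.pem" 2>/dev/null
}

trusts() {    # trusts CERT_NAME "CA_NAMES": true if CERT chains to a listed CA
  : > "$LAB/bundle.pem"
  for ca in $2; do cat "$LAB/$ca-ca.pem" >> "$LAB/bundle.pem"; done
  openssl verify -CAfile "$LAB/bundle.pem" "$LAB/$1.pem" >/dev/null 2>&1
}

# handshake SERVER_CERT AGENT_CERT AGENT_CAS SERVER_CAS: both sides must accept the peer
handshake() { trusts "$1" "$3" && trusts "$2" "$4"; }

report() {    # report LABEL followed by the four handshake arguments
  label=$1; shift
  if handshake "$@"; then echo "$label: connects"; else echo "$label: rejected"; fi
}

make_ca B; make_ca C
issue B server-b; issue C server-c; issue B agent-b; issue C agent-c

report "B agent -> C, before CA exchange"      server-c agent-b "B"   "C"
report "C agent -> C, B's server cert on C"    server-b agent-c "C"   "C"
report "B agent -> C, after CA exchange"       server-c agent-b "B C" "B C"
report "C agent -> C, after CA exchange"       server-c agent-c "C"   "B C"
report "B agent -> B fallback, after exchange" server-b agent-b "B C" "B C"
```

Only the trust lists change between the rejected and the accepted cases; no server or agent certificate is replaced, which matches the advice to leave the AGENT certificate alone until the agents are connecting to C.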

jdashn (Author), posted December 19, 2018

@MartinK Thanks! This seems to have worked without issue!

Still doing some testing this morning, but my test machines are responding to commands on the new server - and they appear to use a certificate generated by server C.

Thanks again!!

Jdashn