Upgrade ERA 6.1 to ESMC 7

[Caio Amemiya 0]

Good Morning guys.

We're planning to upgrade from ERA Server 6.1 to ESMC 7 soon. I'm having some doubts about it, if someone elucidate these questions I would be thankful.

1- The old 6.5.522 Agent installed on my clients will be compatible with the new server (ESMC 7) if I migrate the DataBase correctly from the old Server? Or I will have to upgrade all agents from my network to the latest version (7.1) before migrate my server? Since if It's not compatible i won't be able to send a command to update the agent, and I will have to do this manually, right?

2- I already read about this and says it compatible, but I'm not sure. The ERA products license is compatible with the ESMC products?

Thanks in advance.

[MichalJ 434]

Hello,

• 6.5 agent is compatible with the ESMC server. Do NOT upgrade agents before having completed the upgrade of the server. As newer agents (7.0+) are not able to talk with the older server 
• Yes, license is compatible with the ESMC. 

Also, please note, that after the upgrade of the server, you should also upgrade the agents to the latest version, to be able to use all of the new features of the ESMC 7.1 properly. Once the old 6.5 agents connects to the 7.1 server, you will be able to send a "component upgrade task" to them to upgrade them remotely. 

[Caio Amemiya 0]

Thank You MichalJ!

We're gonna upgrade the ESET server and migrate to another physical server. I'm planning to do these steps:

1- Backup ERA Server 6.1 DB
2- Update ERA Server from 6.1 to 6.5 version
3- Then upgrade Era 6.5 to ESMC v7 in the old server
4- Install ESMC v7 in the new physical server
5- Backup ESMC v7 from old server
6 Restore the ESMC backup to the new server

I'm following the best practices with these steps?

Or I could just install the ESMC V7 at the new server then backup the database from the old server and restore on the new one?

I'm kind afraid with the differences in the engineering between these versions may give us inconsistency data's.
 

Very thanks again!

[MartinK 378]

1 hour ago, Caio Amemiya said:

Or I could just install the ESMC V7 at the new server then backup the database from the old server and restore on the new one?

This won't work, or only in case you mode database prior to installation.

I have just few hints:

• You should definitely completely re-install Apache Tomcat and ESMC WebConsole as  you are probably using old components. Be aware that component upgrade task won't upgrade third-party components as is Tomcat, so my recommendation is to use manual installation using ESMC all-in-one installer. Just backup original Tomcat configuration and installation directory in case you with to re-use original TLS/SSL certificate for console. This is not mandatory but might be more convenient for console users.
• ESMC 7.1 requires at least SQL Server 2012 so it might be necessary to upgrade also database server, otherwise installation/upgrade to ESMC 7.1 will fail
• Also be aware that minimal supported operating systems were changes since ERA 6.1.
• It is not tested scenario, but manual upgrade from ERA 6.1 to ESMC 7.1 should be possible

[Caio Amemiya 0]

Good morning.
Thanks for the advice MartinK!

I'm considering install the ESMC 7.1 on the new server and simply update to the same IP/DNS from the old one, doing this the endpoint terminals will appear at the Lost&Found right?

Thanks again!

[MartinK 378]

I would recommend to follow documentation for migration to another server. In case you migrate database (data) to new server, everything will be retained.

In case completely new installation will be made, AGENT's won't be able to connect due to certificates, but this scenario is also described, it just requires some manual steps to backup & restore original certificates to ensure AGNETs do not loose connectivity. If you follow this way, AGENTs will end up in Lost&Found group.

[Caio Amemiya 0]

I get it, so I will have to export/import the certificate, after exporting the certificate from the old server to the new one, the agents will start to communicate and appear in Lost&Found group, right?

I'm saying this, because I won't be able to export the database with clients, policies and everything from the old server to the new one, since the old ERA server is using MySQL and the new ESMC uses Sql Server 2012.

 

Reconfigure the new server settings Its simply, but if I had to reinstall the agents from all terminals will be a hard task.

Thank you for helping.

[MartinK 378]

6 hours ago, Caio Amemiya said:

I get it, so I will have to export/import the certificate, after exporting the certificate from the old server to the new one, the agents will start to communicate and appear in Lost&Found group, right?

Yes, you will have to import original CA certificates and set original ERA Server peer certificate in ESMC's server settings. You won't be able to use imported certificates to create installers nor sign/create any new certificates using imported CA certificates, so use of old/original certificates should be temporary, just to restore connectivity of clients.

6 hours ago, Caio Amemiya said:

I'm saying this, because I won't be able to export the database with clients, policies and everything from the old server to the new one, since the old ERA server is using MySQL and the new ESMC uses Sql Server 2012.

I would recommend to export anything that is possible, like policies, reports and computers (with static groups hierarchy) and import them into new ESMC server.

[Caio Amemiya 0]

Sorry for taking too long to reply.

 

On 2/13/2020 at 6:28 PM, MartinK said:

Yes, you will have to import original CA certificates and set original ERA Server peer certificate in ESMC's server settings. You won't be able to use imported certificates to create installers nor sign/create any new certificates using imported CA certificates, so use of old/original certificates should be temporary, just to restore connectivity of clients.

Right, but in this case I won't be able to use this certificate? There's any cost to generate another one? Since I won't be able to add new agents with the old certificate.

 

On 2/13/2020 at 6:28 PM, MartinK said:

I would recommend to export anything that is possible, like policies, reports and computers (with static groups hierarchy) and import them into new ESMC server.

The export/import tool works between different versions? Like the ERA 6.1 and ESMC 7.1?

 

Thanks for the help!

[MartinK 378]

6 hours ago, Caio Amemiya said:

Right, but in this case I won't be able to use this certificate? There's any cost to generate another one? Since I won't be able to add new agents with the old certificate.

You could theoretical use original certificates (all wizards for installers and AGENT's configuration do support import from file) but I would recommend to use original certificate just for transition. You cannot use new certificate from beginning as AGENT's won't trust it until they get new CA certificate created during ESMC 7.1 installation. Newly installed AGENTs can use new certificate and also you can switch existing AGENT to use new certificate via policy.

6 hours ago, Caio Amemiya said:

The export/import tool works between different versions? Like the ERA 6.1 and ESMC 7.1?

I guess most common objects as list of devices, policies and reports should work, but I would recommend to verify prior to migration to be sure.

[Caio Amemiya 0]

Sorry for taking too long, I'm returning to this project now.

I'm setting up the new server with the ESMC 7.1, I will import/export everything I can.

It is possible to use the certificate in 2 server for a brief moment?

Or I will have to disable the old server during this time?

I would like to test a small amount of terminals, pointing manually to the new server just to see if the communication works fine, I will be able to export the certificate from the old server and import to the new server, keeping the certificate running on the old server?

Thanks for the help!
 

[MartinK 378]

I would recommend to check relevant migration scenario as descried in documentation.

Regarding certificates, there is no problem with using the same certificate also on new ESMC Server: you just have to import it into settings. It won't be possible to import it in "certificates" screen. Just be aware that before doing so, you have to also import original CA certificate to new ESMC, otherwise redirected AGENTs might loose ability to connect. Also make sure that old certificate is suitable for use with new hostname/IP address, i.e. hostname of new ESMC server or wildcard "*" has to be signed in certificate.

In case it won't be possible to re-use old certificate in new ESMC (for example due to hostname limitation), you can import new CA certificate from ESMC to old ERA which will enable ERA Agent to connect to new SERVER even when it is using new certificate. In case connectivity of ERA Agent to both servers is required in the same time, even when different certificates are used, you have to exchange both CA certificates prior to migration = import old CA into new ESMC, and import new CA certificate into old ERA.

[Caio Amemiya 0]

I've finish the migration and works fine, the terminals communicate with the new server after I update the agents to the new IP address.

But then when I tried to restore the MS SQL backup from the old server to the new one, started show up some problems. When I try to connect, give me the error "Login failed: Connection has failed with state 'Not connected'".

It was a migration from MS SQL 2008 to MS SQL 2014, I did it the default backup and restore, I'm missing some configuration?
Thank you so much!

[MartinK 378]

Could you be more specific of how you are migration database? Documented scenarios actually expect that database is migrated before new server is installed "over" it. This ensures that:

• Database is in correct version. Installer of ESMC upgrades database to specific version, and it is not possible to restore older database without running installer to upgrade it.
• Database is paired with installation. In short, there is a unique identifier stored both in database and in  windows registries. Not sure how you actually installed ESMC, but in case it was clean installation, ESMC has probably different identifier.

Solution might be to run ESMC installation / repair once database is restored, but I cannot guarantee as it is not clear what steps were made previously. Also be aware that by restoring database from backup you loose all change you made, especially with certificates, which might result in AGENT connectivity issues.

[Caio Amemiya 0]

Apparently it was some issue with the DB administrator account, after I run a repair of ESMC installation and re-set the administrator password I was able to login again.

Everything It's working just fine, test some terminals and now I just had to set the same IP to the new server.

Thanks for all the support!