MDM isues after subnet change and update

[PiotrZ 0]

Hi

I have Era and MDM installed for years.

Last week Both servers have been moved to different subnet and updated.

Era works OK but something is wrong with MDM.

All mobile clients contacts with MDM and ERA but no updates all data is old.

Task for mobiles does not work.

I tried to fix agent on MDM side and looks OK.

I found 2 errors, both are fixed now:

There is problem with connection to remote peer 

Error: CReplicationManager: Replication (network) connection to 'host: "NameOfOurESETServer.com" port: 2222' failed

Both errors back after reboots servers

???

 

Edited July 22, 2020 by PiotrZ

[PiotrZ 0]

OK I found the issue but i have no solution.

When i rollback servers before update nothing changed but when I back to previous network configuration everything back to normal functionality.

The question is: How to change subnet for both eset servers without bad impact.

Edited July 23, 2020 by PiotrZ

[Mirek S. 18]

Hello,

I guess we would need logs (in this case those in proxy directory) in trace severity. However as far as I'm aware MDM should not care where server is - MDM only cares about device endpoint which must remain the same - so this is likely connectivity/firewall issue.

Some data are sent/received over Agent installed next to MDM. Device data are sent over MDM proxy component (for which connection can be configured in MDM policy.

HTH,

M.

[PiotrZ 0]

Very weird both servers are in same subnet, same switch.

Both are reachable from WAN IP.

Mobile devices can contact with MDM and ERA shows:

GlaxyS10 Updated 2020 Jul 23 15:04:52 0 0 ESET Endpoint Security 2.7.17.0

Update time is correct but I known that phone using 2.8.12.0 not 2.7.17.0

 

I did not find any blocked traffic on firewall, all rules for ESET are clearly pass.

From ESET expert perspective: I should only change both servers IPs and reconfigure agents on servers?

 

Edited July 23, 2020 by PiotrZ

[Mirek S. 18]

Well, if you're changing subnet and Agents are deployed in a way they contact server via IP adress, You will need to reconfigure both Agents and MDM (as I previously pointed out MDM also has server connection settings in it's policy).

If you're using IP address for MDM device endpoint You will loose connectivity from all enrolled devices and will need to re-enroll those.

if You're using DNS names and DNS entires are correctly updated (or traffic is forwarded from some other endpoint) in both cases subnet change should work without issues.

As for last connection time, I believe some data related to devices are sent over Agent next to MDM, with last connection time being one of those (which means Agent is configured properly, however MDM can't connect to server as noted in OP)

HTH,

M.

[PiotrZ 0]

15 hours ago, Mirek S. said:

(as I previously pointed out MDM also has server connection settings in it's policy).

Should I update policy for local subnet new IPs? How to do that?

I have 1 Management Agent Policy applied with 3 entries: WAN IP, old local IP, new local IP

Edited July 24, 2020 by PiotrZ

[Mirek S. 18]

Hello,

First create MDM policy on device which has MDM installed

And edit connection list same as You would with Agent

HTH,

M.

[PiotrZ 0]

Thanks, that was the solution!

But one weird thing there was no any Mobile Device Connector policy on MDM before.

I am afraid ERA will trying to change new policy with "ghost" policy over and over and vice versa ???

 

[Mirek S. 18]

Connection parameters (and other configuration options) are set during installation, so these settings were not changed from initial setup. Once policy is applied it stays in configuration (some of our products have a feature that policy removal restores original settings, MDM does not have this feature).

ERA/ESMC will not try to do something behind scenes without user approval, so no worries.

Actually we will create improvement for newer versions so some connection settings are taken from Agent as it does not make sense/is misleading to configure this separately.