Sunday, September 29, 2019

ePO Upgrade 👇

ePolicy Orchestrator Upgrade 👇

1.      Back up all the product policies and store the backups in a shared folder.
2.      Complete all pre-checks of the database and ePO servers as per McAfee's recommendations: https://kc.mcafee.com/corporate/index?id=KB71825&page=content

3.      Remove the files inside the directories below (only the files inside them, not the folders):
<epo_installation_directory>\Server\Temp
<epo_installation_directory>\Server\Logs
<epo_installation_directory>\DB\Logs
<epo_installation_directory>\Apache2\Logs

4.      Also take a backup of the folders below from the ePO server.
| S.No | Folder path in ePO installation directory | Actual name | Renamed? |
|------|-------------------------------------------|-------------|----------|
| 1 | C:\Program Files (x86)\McAfee\ePolicy Orchestrator\Server\extensions | Extensions | Not renamed |
| 2 | C:\Program Files (x86)\McAfee\ePolicy Orchestrator\Server\conf | Conf | Not renamed |
| 3 | C:\Program Files (x86)\McAfee\ePolicy Orchestrator\Server\keystore | Keystore | Not renamed |
| 4 | C:\Program Files (x86)\McAfee\ePolicy Orchestrator\DB\Software | Software | Not renamed |
| 5 | C:\Program Files (x86)\McAfee\ePolicy Orchestrator\DB\Keystore | Keystore | Yes, as [DBKeystore] |
| 6 | C:\Program Files (x86)\McAfee\ePolicy Orchestrator\Apache2\conf | conf | Yes, as [Apacheconf] |

5.       Take a backup of the SQL database as below:

               I.            Use the SQL management console.
             II.            Select the McAfee ePO database.
           III.            Right-click the database and select Tasks, then Backup (select Full backup).
           IV.            Select the location where you want to store the backup (use the file extension .bak).
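Steps 3 and 4 above can be scripted as follows. This is an added example, not part of the original checklist; the $BackupRoot destination is hypothetical, and it reads step 3 as "files directly inside each directory".

```powershell
# Added example, not from the original checklist. Run elevated on the ePO server.
param(
    [string]$EpoDir     = 'C:\Program Files (x86)\McAfee\ePolicy Orchestrator',
    [string]$BackupRoot = 'D:\ePO_PreUpgrade_Backup'   # hypothetical destination
)
$ErrorActionPreference = 'Stop'

# Step 3: delete only the files directly inside each directory; subfolders stay.
foreach ($rel in 'Server\Temp', 'Server\Logs', 'DB\Logs', 'Apache2\Logs') {
    $dir = Join-Path $EpoDir $rel
    if (-not (Test-Path -LiteralPath $dir)) { Write-Warning "Not found: $dir"; continue }
    foreach ($file in Get-ChildItem -LiteralPath $dir -File -Force) {
        try   { Remove-Item -LiteralPath $file.FullName -Force }
        catch { Write-Warning "Skipped (in use?): $($file.FullName)" }
    }
}

# Step 4: source folder -> name in the backup. DB\Keystore and Apache2\conf are
# renamed as in the table so they do not collide with Server\keystore and Server\conf.
$folders = [ordered]@{
    'Server\extensions' = 'extensions'
    'Server\conf'       = 'conf'
    'Server\keystore'   = 'keystore'
    'DB\Software'       = 'Software'
    'DB\Keystore'       = 'DBKeystore'
    'Apache2\conf'      = 'Apacheconf'
}
# The keystore and conf copies include certificate and key files, so $BackupRoot
# should be readable by administrators only.
New-Item -ItemType Directory -Path $BackupRoot -Force | Out-Null
foreach ($rel in $folders.Keys) {
    $src = Join-Path $EpoDir $rel
    $dst = Join-Path $BackupRoot $folders[$rel]
    if (Test-Path -LiteralPath $dst) { throw "Refusing to overwrite existing backup: $dst" }
    Copy-Item -LiteralPath $src -Destination $dst -Recurse -Force
    # Verify the copy by comparing file counts before trusting the backup.
    $want = @(Get-ChildItem -LiteralPath $src -Recurse -File -Force).Count
    $got  = @(Get-ChildItem -LiteralPath $dst -Recurse -File -Force).Count
    if ($want -ne $got) { throw "Incomplete copy of $rel ($got of $want files)" }
    "{0} -> {1} ({2} files)" -f $rel, $dst, $got
}
```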





ePolicy Orchestrator installation and update checklist
Requirements
6.       Existing ePO version: 5.3.2 (Build 156)
7.       Upgrade version: 5.9.1
8.       Supported operating system: Windows Server 2012 R2
9.       Processor recommended: 4 cores
10.   RAM recommended: 8 GB
11.   System temp drive minimum size: 2 GB
12.   ePO installation drive (3 times the size of the installation package): X*3 = y GB
13.   Reduce the drive space requirement by purging log files and temp files from the ePO installation directory before upgrading:

1.       <epo_installation_directory>\Server\Temp
2.       <epo_installation_directory>\Server\Logs
3.       <epo_installation_directory>\DB\Logs
4.       <epo_installation_directory>\Apache2\Logs
18.   <epo_installation_directory>\Server\software managers (recommended by McAfee as per the scheduled meeting)

19.   <epo_installation_directory>\Server\Eventparser files (recommended by McAfee as per the scheduled meeting)
20.   Disable run immediately client tasks:

21.   Disable ePO server tasks

SERVER TEAM TASKS


22.   Make sure that the Windows 8.3 naming convention is enabled on the drive where McAfee ePO is installed. To enable it:
1.       Click Start, Run, type regedit, and click OK.
2.       Navigate to, and select, the following registry key:
         [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\FileSystem]  

3.       Right-click NtfsDisable8dot3NameCreation, and select Properties or Modify.
4.       Modify the Value data from 1 to 0.
5.       On Windows Server 2008 the default value is 2; you must change it to 0.
6.       Restart
7.       To verify that the 8.3 naming convention is enabled:
         Click Start, Run, type cmd, and click OK.
         Enter the command: dir /x

         The folder listing now has a column for short names, for example, Progra~1 for Program Fi

23.   Windows scheduled tasks that might be set to run on the ePO server:
Example: http://www.sarayoo.info/how-to-turn-off-automatic-windows-update-on-windows-server-2012-and-server-2016/
24.   Latest patch & certificates

25.   Ensure the id="orion.server.https" attribute is not missing from server.xml


26.   Disable remote Agent Handlers

I.            https://kc.mcafee.com/corporate/index?page=content&id=KB83298
II.            Do not disable any Agent Handlers in the Handler List page.
III.            Log on to the system where the Agent Handler is installed, open the Windows Services panel, and stop the McAfee Event Parser and McAfee Apache services.
IV.            External Agent Handler ALF1WPRDMZEPO01
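A read-only check for item 22 (8.3 naming), as an added example that is not part of the original checklist. $EpoDir is an assumed install path. It also checks that the folders on the ePO path actually have short names, because changing the registry value only affects names created afterwards.

```powershell
# Added example: read-only check of 8.3 short-name creation for the ePO path.
# Run elevated (fsutil needs it). $EpoDir is an assumption; adjust as needed.
param([string]$EpoDir = 'C:\Program Files (x86)\McAfee\ePolicy Orchestrator')

$key   = 'HKLM:\SYSTEM\CurrentControlSet\Control\FileSystem'
$value = (Get-ItemProperty -Path $key -Name NtfsDisable8dot3NameCreation).NtfsDisable8dot3NameCreation

# Meaning of each value of NtfsDisable8dot3NameCreation.
$meaning = @{
    0 = 'enabled on all volumes'
    1 = 'disabled on all volumes'
    2 = 'configured per volume'
    3 = 'disabled on all volumes except the system volume'
}
"NtfsDisable8dot3NameCreation = $value ($($meaning[[int]$value]))"

# Effective state for the volume that holds ePO.
$drive = Split-Path -Path $EpoDir -Qualifier
fsutil 8dot3name query $drive

# Walk from the ePO folder up to the drive root and show each short name.
# A folder whose long name is not 8.3-compliant but whose short name equals
# the long name was created while short-name generation was off.
$fso = New-Object -ComObject Scripting.FileSystemObject
$dir = Get-Item -LiteralPath $EpoDir
while ($dir -and $dir.Parent) {
    $short = $fso.GetFolder($dir.FullName).ShortName
    # Rough test for "already fits 8.3": no spaces, at most 8 + 3 characters.
    $fits  = $dir.Name -match '^[^ .]{1,8}(\.[^ .]{1,3})?$'
    [pscustomobject]@{
        Folder           = $dir.FullName
        ShortName        = $short
        ShortNameMissing = (-not $fits) -and ($short -eq $dir.Name)
    }
    $dir = $dir.Parent
}
```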

SQL SERVER TASKS: 

Custom indexes: check with the database team whether any custom index has been created for the ePO server: https://serverFQDN.:8443

27.   Ensure correct account permissions
                    I.            Public
                  II.            db_owner
Default database must be master 
1.            Click Start, Programs, Microsoft SQL Server, SQL Server Management Studio.
2.            Expand Security, Logins.
3.            Right-click the account and select Properties.
4.            Ensure the default database is set to master.
5.            Expand User Mapping and ensure that the account has dbo in the schema for the database

This account must be the db_owner in the database security properties 

1.            Click Start, Programs, Microsoft SQL Server, SQL Server Management Studio.
2.            Expand Databases, your ePO database, Security, Users.
3.            Right-click the dbo account and select Properties.
4.            Ensure that the account has dbo in the Default schema for the database.

If you use an NT account to authenticate to the ePO database, ensure that the account has Local Admin rights on the ePO server.


Verify the SQL instance that ePO is using  (Confirmed servername is listed in DB as  - RS)
1.       select @@servername
2.       go

 Ensure Auto Close is set to False for the ePO database   (Confirmed - RS)
1.     Click Start, Programs, Microsoft SQL Server, SQL Server Management Studio.
2.     Right-click the ePO database and select Properties.
3.     Click Options and ensure Auto Close is set to False. If it is not, click Auto Close, select False, and click OK.

Ensure Arithmetic Abort Enabled is set to True for the ePO database  (Was set to FALSE!  Changed to True per instructions - RS)
                                 I.            Click Start, Programs, Microsoft SQL Server, SQL Server Management Studio.
                               II.            Right-click the ePO database and select Properties.
                              III.            Click Options and ensure Arithmetic Abort Enabled is set to True. If it is not, click Arithmetic Abort Enabled, select True, and click OK.

Ensure the Compatibility level is set to 100 or higher for the ePO database
1.     Click Start, Programs, Microsoft SQL Server, SQL Server Management Studio.
2.     Right-click the ePO database and select Properties.
3.     Click Options and ensure Compatibility level is set to 100 rather than 80 or 90. If it is not, select 100 from the Compatibility level drop-down list and click OK.

Verify the correct DB collation is set on the SQL server  (Coll Level is default SQL_Latin1_General_CP1_CI_AS - RS)
1.     Click Start, Programs, Microsoft SQL Server, SQL Server Management Studio.
2.     Log on to the server using Windows Authentication or SQL Server Authentication, as applicable.
3.     In Object Explorer, expand Databases, and locate the ePO database.
4.     Right-click the ePO database and select Properties.
5.     Review the Collation field in the General page.
See KB73717 for detailed information on supported collation types for ePO.

Ensure the SQL browser service is running  
1.     Click Start, Run, type services.msc, and click OK.
2.     Locate the SQL Server Browser service and ensure that it is started and running.
3.     If it is not, right-click the SQL Server Browser service and select Start.

To avoid the issue documented in KB76645 if you are using Microsoft SQL 2008 R2 or earlier, ensure that Microsoft KB 2653857 is applied on the SQL server. If that is not possible, disable SQL Force Encryption before upgrading if it is enabled.

Ensure that the ePO admin and SQL account usernames and passwords meet the criteria
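The database options checked by hand above (Auto Close, Arithmetic Abort, Compatibility level, collation, @@servername) and the SQL Server Browser service can be read in one pass. This is an added example, not part of the original checklist; the instance and database names are placeholders, and it assumes Windows PowerShell 5.1 run on the SQL server under an account with access to the instance.

```powershell
# Added example: report the settings this checklist asks for. Read-only.
param(
    [string]$SqlInstance = 'SQLHOST\INSTANCE',   # placeholder, not from the page
    [string]$Database    = 'ePO_DBNAME'          # placeholder, not from the page
)
$ErrorActionPreference = 'Stop'

$sql = @'
SELECT @@SERVERNAME AS server_name, is_auto_close_on, is_arithabort_on,
       compatibility_level, collation_name
FROM sys.databases WHERE name = @db;
'@

$connStr = "Server=$SqlInstance;Database=master;Integrated Security=SSPI"
$conn    = New-Object System.Data.SqlClient.SqlConnection $connStr
try {
    $conn.Open()
    $cmd = $conn.CreateCommand()
    $cmd.CommandText = $sql
    [void]$cmd.Parameters.AddWithValue('@db', $Database)   # parameterised query
    $table = New-Object System.Data.DataTable
    $table.Load($cmd.ExecuteReader())
} finally {
    $conn.Dispose()
}
if ($table.Rows.Count -ne 1) { throw "Database '$Database' not found on $SqlInstance" }
$db = $table.Rows[0]

# SQLBrowser is the service name of SQL Server Browser on the local machine.
$browser = Get-Service -Name SQLBrowser -ErrorAction SilentlyContinue

@(
    [pscustomobject]@{ Check = 'SQL instance (@@servername)'; Actual = $db.server_name
                       Result = 'compare with the ePO configuration' }
    [pscustomobject]@{ Check = 'Auto Close is False'; Actual = $db.is_auto_close_on
                       Result = $(if (-not $db.is_auto_close_on) { 'OK' } else { 'FIX' }) }
    [pscustomobject]@{ Check = 'Arithmetic Abort Enabled is True'; Actual = $db.is_arithabort_on
                       Result = $(if ($db.is_arithabort_on) { 'OK' } else { 'FIX' }) }
    [pscustomobject]@{ Check = 'Compatibility level >= 100'; Actual = $db.compatibility_level
                       Result = $(if ($db.compatibility_level -ge 100) { 'OK' } else { 'FIX' }) }
    [pscustomobject]@{ Check = 'Collation'; Actual = $db.collation_name
                       Result = 'review against KB73717' }
    [pscustomobject]@{ Check = 'SQL Server Browser running'; Actual = "$($browser.Status)"
                       Result = $(if ($browser -and $browser.Status -eq 'Running') { 'OK' } else { 'FIX' }) }
) | Format-Table -AutoSize
```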
  
26.   Disable VSE Access Protection

Perform a preventative measure to avoid Tomcat failing to stop
        I.            Click Start, Run, type services.msc, and click OK.
      II.            Stop the ePolicy Orchestrator Server Service and ePolicy Orchestrator Event Parser Service.
    III.            Restart the ePolicy Orchestrator Application Server Service.
    IV.            Right-click the installer setup.exe and run it as an administrator




28.   Download both the ePO 5.9.1 installer and our Pre-Install Auditor. They are in your existing ePO Software Manager.  Enter "McAfee ePolicy Orchestrator 5.9" in the search window.
(Requires the password of the DB/Windows login)
29.   Name of the Windows server hosting the ePO database: ePO database server hostname
30.   ePO database name: DB name
31.   AD service account used to sync LDAP: Pwd: ******
32.   Username for the Windows server hosting the ePO database: Username: ****

Upgrade Steps:

33.   Download the ePO 5.9.1 setup file (it usually comes as a zip) and extract it.
34.   Before running the setup file, make sure that you check its compatibility.
35.   To run this compatibility check, you need the ePO Administrator password.
36.   Check whether a patch is required; if it is not applied, the upgrade will fail.


  
37.   Run the patch setup on the ePO server and follow the instructions; take help from the server team if required.
38.   Once the patch is applied, you need to reboot the server.
39.   If everything is fine, run the ePO 5.9.1 setup and proceed accordingly.
40.   The SQL credentials and the ePO Administrator password are also required for the upgrade to run.
41.   Once it gets past the license information, it will take many hours to finish.
42.   Check all the McAfee services, Apache and the others, and make sure everything looks fine.
43.   Sometimes it will show certificate errors and also suggest articles.
44.   Log in to ePO, open the certification manager, then regenerate the certificate and activate it.
45.   Don't finish yet; restart the McAfee ePolicy Orchestrator services.
46.   Log back in, verify the certificate, and finally finish the activation.




Note: if there is any communication issue, follow the steps below (perform them only if there is a certificate mismatch).


1. Rename the SSL.CRT folder (see path below) to SSL.CRT.OLD and manually create an empty folder named SSL.CRT in the same path. If you do not, the setup fails to create a new certificate:

64-bit: "C:\Program Files (x86)\McAfee\ePolicy Orchestrator\Apache2\conf\ssl.crt"
32-bit: "C:\Program Files\McAfee\ePolicy Orchestrator\Apache2\conf\ssl.crt"

2. Click Start, type cmd in the search field, right-click, and select Run as administrator.

3. Change directories to your ePO installation directory.
Default paths:

64-bit: D:>  cd Program Files (x86)\McAfee\ePolicy Orchestrator\
32-bit: Program Files\McAfee\ePolicy Orchestrator\
  
4. Run the following command:
 Syntax:
Rundll32.exe ahsetup.dll RunDllGenCerts <ePO_server_name> <console_HTTPS_port> <admin_username> <password> <"installdir\Apache2\conf\ssl.crt">
 Example:
Rundll32.exe ahsetup.dll RunDllGenCerts alf1wprdmepo01  8443 <***ePO_username > <ePO_Admin_Password***> "installdir\Apache2\conf\ssl.crt"

Note: Log in to the ePO server, stop the ePO Event Parser service and the ePO server service, then start them again.
Where:
<ePO_server_name> is your ePO server NetBIOS name
<console_HTTPS_port> is your ePO console port (default is 8443)
<admin_username> is admin (use the default ePO admin console account)
<password> is the password to the ePO admin console account
<installdir\Apache2\conf\ssl.crt> is your installation path to the Apache folder; Default installation path:

64-bit: "C:\Program Files (x86)\McAfee\ePolicy Orchestrator\Apache2\conf\ssl.crt"
32-bit: "C:\Program Files\McAfee\ePolicy Orchestrator\Apache2\conf\ssl.crt"

Example
Rundll32.exe ahsetup.dll RunDllGenCerts epo_server_name 8443 administrator password "C:\Program Files\McAfee\ePolicy Orchestrator\Apache2\conf\ssl.crt"