Announcement: New Knowledge Base

4 June 2020: We are pleased to announce the launch of a new Knowledge Base, Changelogs for Business Security Products, where you can find more details, such as bugfixes or new features, about the most recent releases of our business-related products.

Move Policymanager to other server WITH content

Hello everyone!Smiley Happy

 

We are facing the migration / movement of fspm to a new server. Is there any option to export all preferences as well as all clients?

I don't want to set up the whole thing again including all policies and so on...

 

I guess the only thing I can do is a whole backup of the folders. This procedure is discribed in the manual of fspm.

Are the clients also backupped?!

 

Thanks for some hints!

Best Answer

  • PeterPeter Posts: 186
    Accepted Answer

     (Topic moved to "Management Products and Portals")

     

    The manual indeed has this information, check Creating the backup + Restoring the backup in the PM 10 admin manual. The backup does include everything that is relevant: policy domain structure, hosts, their preferences etc. etc.

     

    Starting with PM 10, even the policy file public/private signing keys are embedded in to the (H2) database.

     

    (Meaning if the PM version used here is v. 9, don't forget to copy admin.pub/admin.prv also to the new server!)

     

    You also have to figure out a policy for how to introduce the new PMS to the existing clients but in case the clients are using a DNS-name, simply change the relevant DNS record to point to the new Server IP. 

     

    Hope this helps!

     

Comments

  • i don't need to change IPs or Hostname on the clients. I'll use the same IP so nothing must be changed.


    Thanks for your help. It agrees to my consideration how to move the fspm... Hope it will work for me.

  • PopeyePopeye Posts: 36

    Am I misunderstanding something, or are you trying to migrate/copy the policy hierarchy?

     

    That can be done during/after installing the new policy manager server (PMS). If you upgrade the PMS on the same server, you will be asked if you want to upgrade the current installaton. If you are performing a fresh install on a new server you can run a simple command that will migrate the old policy hierarchy to the new server.

     

    First, map the folder with the old PMS installation as a network drive on the new server. Then run the command

     

    <F-Secure installation>\Management Server 5\bin\fspms-migrator-launcher.exe

     

    That will launch the migrator that will guide you through the migration process. Remember to copy the keys from the old server!

     

    Note: The Admin guide states that the migration will not change anything on the old server, so you can roll back if necessary. On one of my two migrations, the old install was corrupted somehow and could not be rolled back. It wasn't a big deal for me as I managed to fix the new PMS installation, but if I wanted to I could not roll back. I hope this was just me, and not a problem others experience.

  • MJ-perCompMJ-perComp Posts: 1,098

    Popeye wrote:

    Note: The Admin guide states that the migration will not change anything on the old server, so you can roll back if necessary. On one of my two migrations, the old install was corrupted somehow and could not be rolled back. It wasn't a big deal for me as I managed to fix the new PMS installation, but if I wanted to I could not roll back. I hope this was just me, and not a problem others experience.



    There is a domain recovery tool that would fix a broken PM9-commdir. But after a couple of weeks the old commdir is pretty useless, depending on the size of your installation and your own activity in the PMC. Most important is BACKUP the H2-databases, but do not forget to stop PMS before the backup!!!

     

  • Hi

     

    I am migrating policy manager 10 from one server to a new server.  I have copied the H2 database (with  PMS stopped) and have changed the DNS record that the clients use to now point to the new policy manager server.  However, all of my clients are now booting with errors saying:

     

    An error occurred when trying to use the key that is in the file C:\Program Files\F-Secure\Common\admin.pub.

     

    F-Secure Management Agent: The file C:\Program Files\F-Secure\Common\policy.bpf did not pass signature verification. The file may have been manually modified. If the problem persists, please contact the system administrator.

     

    I expected that this was because the keys were not transferred but how can this be if they are now in the H2 database?

     

    For now I have changed the DNS back to point at the old server but I need to get this resolved.

     

    Thanks

     

    Matt

  • etomcatetomcat Posts: 1,312

    Hello,

     

    There is a menu within F-Secure Policy Manager Console to replace the signing key pair (admin.pub and admin.prv):

    Tools / Server Config / Keys / Replace Keys. You may need to use that.

     

    Sincerely: Tamas Feher, 2F 2000, Hungary.

  • Hi

     

    I have just imported the keys but I still have the errors...

  • etomcatetomcat Posts: 1,312

    Hello,

     

    You need to distribute policies after changing the keys.

  • Hi

     

    Thanks for this.  I have distributed policies but this hasn't helped as the clients can't connect to the management server anymore.  Once I change the DNS record to point at the new management server and restart the client computer the policy file cannot be read and F-Secure reverts to the default policies and the management server address is blank (http://) so there is no way for the client to actually talk to the new server.  As soon as I revert the DNS record to point at the old management server and restart the client F-Secure works fine again.

  • ChrissyChrissy Posts: 439

    Hi MattWilson84!  I just wanted to check in and see if you are still having this issue, or if everything is now working.  If you still need help, we'll be happy to guide you in the right direction!

     

    ChrissyT

    F-Secure Community Manager

This discussion has been closed.