Move Policymanager to other server WITH content

Regular Member


Hello everyone!

 

We are facing the migration / movement of fspm to a new server. Is there any option to export all preferences as well as all clients?

I don't want to set up the whole thing again including all policies and so on...

 

I guess the only thing I can do is a whole backup of the folders. This procedure is described in the manual of fspm.

Are the clients also backed up?!

 

Thanks for some hints!

MCITP Windows Server 2008
MCSA Windows Server 2008R2, 2012
MCTS

Accepted Solutions
F-Secure Product Expert

Re: Move Policymanager to other server WITH content

 (Topic moved to "Management Products and Portals")

 

The manual indeed has this information, check Creating the backup + Restoring the backup in the PM 10 admin manual. The backup does include everything that is relevant: policy domain structure, hosts, their preferences etc. etc.

 

Starting with PM 10, even the policy file public/private signing keys are embedded into the (H2) database.

 

(Meaning if the PM version used here is v. 9, don't forget to copy admin.pub/admin.prv also to the new server!)

 

You also have to figure out a policy for how to introduce the new PMS to the existing clients but in case the clients are using a DNS-name, simply change the relevant DNS record to point to the new Server IP. 

 

Hope this helps!

 

Best Regards,
Peter

Regular Member

Re: Move Policymanager to other server WITH content

I don't need to change IPs or Hostname on the clients. I'll use the same IP so nothing must be changed.


Thanks for your help. It agrees to my consideration how to move the fspm... Hope it will work for me.

MCITP Windows Server 2008
MCSA Windows Server 2008R2, 2012
MCTS
Regular Member

Re: Move Policymanager to other server WITH content

Am I misunderstanding something, or are you trying to migrate/copy the policy hierarchy?

 

That can be done during/after installing the new policy manager server (PMS). If you upgrade the PMS on the same server, you will be asked if you want to upgrade the current installation. If you are performing a fresh install on a new server you can run a simple command that will migrate the old policy hierarchy to the new server.

 

First, map the folder with the old PMS installation as a network drive on the new server. Then run the command

 

<F-Secure installation>\Management Server 5\bin\fspms-migrator-launcher.exe

 

That will launch the migrator that will guide you through the migration process. Remember to copy the keys from the old server!

 

Note: The Admin guide states that the migration will not change anything on the old server, so you can roll back if necessary. On one of my two migrations, the old install was corrupted somehow and could not be rolled back. It wasn't a big deal for me as I managed to fix the new PMS installation, but if I wanted to I could not roll back. I hope this was just me, and not a problem others experience.

Superuser

Re: Move Policymanager to other server WITH content


Popeye wrote:

Note: The Admin guide states that the migration will not change anything on the old server, so you can roll back if necessary. On one of my two migrations, the old install was corrupted somehow and could not be rolled back. It wasn't a big deal for me as I managed to fix the new PMS installation, but if I wanted to I could not roll back. I hope this was just me, and not a problem others experience.



There is a domain recovery tool that would fix a broken PM9-commdir. But after a couple of weeks the old commdir is pretty useless, depending on the size of your installation and your own activity in the PMC. Most important is BACKUP the H2-databases, but do not forget to stop PMS before the backup!!!

 

Matthias
----------
perComp is a Platinum Partner of F-Secure since 1994. Any advice or help given by me in this forum is voluntarily and to my best knowledge based on working with the products since 1997. Direct contact for customers please check our homepage http://www.percomp.de

Scholar

Re: Move Policymanager to other server WITH content

Hi

 

I am migrating policy manager 10 from one server to a new server.  I have copied the H2 database (with  PMS stopped) and have changed the DNS record that the clients use to now point to the new policy manager server.  However, all of my clients are now booting with errors saying:

 

An error occurred when trying to use the key that is in the file C:\Program Files\F-Secure\Common\admin.pub.

 

F-Secure Management Agent: The file C:\Program Files\F-Secure\Common\policy.bpf did not pass signature verification. The file may have been manually modified. If the problem persists, please contact the system administrator.

 

I expected that this was because the keys were not transferred but how can this be if they are now in the H2 database?

 

For now I have changed the DNS back to point at the old server but I need to get this resolved.

 

Thanks

 

Matt

Superuser

Re: Move Policymanager to other server WITH content

Hello,

 

There is a menu within F-Secure Policy Manager Console to replace the signing key pair (admin.pub and admin.prv):

Tools / Server Config / Keys / Replace Keys. You may need to use that.

 

Sincerely: Tamas Feher, 2F 2000, Hungary.

Scholar

Re: Move Policymanager to other server WITH content

Hi

 

I have just imported the keys but I still have the errors...

Superuser

Re: Move Policymanager to other server WITH content

Hello,

 

You need to distribute policies after changing the keys.

Scholar

Re: Move Policymanager to other server WITH content

Hi

 

Thanks for this.  I have distributed policies but this hasn't helped as the clients can't connect to the management server anymore.  Once I change the DNS record to point at the new management server and restart the client computer the policy file cannot be read and F-Secure reverts to the default policies and the management server address is blank (http://) so there is no way for the client to actually talk to the new server.  As soon as I revert the DNS record to point at the old management server and restart the client F-Secure works fine again.
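
A pre-cutover check for the signature-verification errors reported in this thread, as an added example that is not part of any post or of F-Secure's tooling: it compares each client's admin.pub (path taken from the error message above) with the public key the new server signs with. The `-ReferenceKey` and `-ClientList` inputs, reachable administrative shares, and the premise that a key mismatch causes the error are assumptions.

```powershell
# Added example: find clients whose admin.pub differs from the new server's key
# BEFORE the DNS record is switched, so they do not reject policy.bpf afterwards.
param(
    # Assumption: copy of admin.pub exported from the NEW Policy Manager server.
    [Parameter(Mandatory)] [string] $ReferenceKey,
    # Assumption: text file with one client hostname per line.
    [Parameter(Mandatory)] [string] $ClientList,
    # Client-side key location, as shown in the error message in the thread.
    [string] $ClientKeyPath = 'C:\Program Files\F-Secure\Common\admin.pub'
)

$expected = (Get-FileHash -LiteralPath $ReferenceKey -Algorithm SHA256).Hash

# Split "C:\dir\file" into drive letter and relative path for the \\host\C$\ share.
$drive   = $ClientKeyPath.Substring(0, 1)
$relPath = $ClientKeyPath.Substring(3)

$results = foreach ($client in Get-Content -LiteralPath $ClientList) {
    $client = $client.Trim()
    if (-not $client) { continue }          # skip blank lines

    $unc    = "\\$client\$drive`$\$relPath"
    $status = 'Match'
    $actual = $null
    try {
        $actual = (Get-FileHash -LiteralPath $unc -Algorithm SHA256 -ErrorAction Stop).Hash
        if ($actual -ne $expected) { $status = 'MISMATCH' }
    } catch {
        # Host offline, share blocked, or key file missing: treat as not verified.
        $status = 'Unreadable'
    }
    [pscustomobject]@{ Client = $client; Status = $status; Sha256 = $actual }
}

$results | Sort-Object Status, Client | Format-Table -AutoSize

# Non-zero exit code if any client is not confirmed to hold the expected key.
if ($results | Where-Object Status -ne 'Match') { exit 1 }
```

Clients reported as MISMATCH or Unreadable are the ones to investigate while DNS still points at the old server.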