ePolicy Orchestrator server backup and disaster recovery procedure
Technical Articles ID:
KB66616
Last Modified: 11/8/2023
Environment
ePolicy Orchestrator (ePO) 5.x
Summary
This article provides information about the backup and disaster recovery process for the ePO server.
IMPORTANT:
This procedure is provided for use by network and ePO administrators. We don't assume responsibility for any damage incurred because the article is intended as a guideline for disaster recovery. All liability for use of the following information remains with the user.
It's preferable to use the built-in Disaster Recovery feature. Only use this article if a snapshot isn't created, and a manual recovery is needed.
For information about the Disaster Recovery feature, see the ePolicy Orchestrator 5.10 Installation Guide.
Click Sign In and enter your ServicePortal User ID and password. If you do not yet have a ServicePortal or Community account, click Register to register for a new account on either website.
The agent uses the last known IP address, DNS name, or NetBIOS name of the ePO server. If you change any one of these values, make sure that the agents can locate the server. The easiest way is to retain the existing DNS record and change it to be directed to the new IP address of the ePO server. After the agent successfully connects to the ePO server, it downloads an updated Sitelist.xmlwith the current information.
You can also use this procedure if you want to migrate the ePO server to another system. But, it's preferable to use the built-in Disaster Recovery feature to migrate the ePO server to another system.
Make sure that you restore the same version of ePO Server and Update.
For a smooth recovery, don't perform a backup while the server is in the process of installing an extension.
Mandatory pre-checks before you perform a manual disaster recovery:
Port check:
Open the ePO console, Server Settings, Ports page and make a note of the ports for the new ePO installation.
Check the custom cert for ePO console:
Open the ePO console with the hostname and check whether the URL is mapped to (Not Secure / Secure icon) the console to login.
Click on the icon to view the certificate.
Check the details as the common Name is ORION_CA_hostname / custom name.
NOTE: We recommend that you perform disaster recovery with default cert. Otherwise, the communication interrupts from Apache to Tomcat on port 8443 and fails to regenerate cert (ssl.crt).
SQL Build and Collation check:
If you perform a disaster recovery with the same SQL server and instance, you can ignore this check.
For a new SQL install, check whether the collation name is same as the old ePO name from the SQL server.
To check the collation name from the old SQL server, run the SQL script provided below:
SELECT SERVERPROPERTY('collation') as SQLServerCollationName
SELECT[NAME] AS DatabaseName,[collation_name]
FROM sys.databases
WHERE [name] IN (DB_NAME(),DB_NAME()+'_EVENTS')
Check whether the SQL version complete build is same or higher than the new SQL install.
To check the old SQL server build, run the SQL script provided below:
Select @@VERSION
Installation path check:
The installation path is same as that for the old ePO, including the drive letter, folder, and sub-folder.
These examples indicate that the new ePO installation path is different from the old ePO installation path. This mismatch leads to the ePO login failure due to an incorrect path.
Choose the ePO Installer based on the Cumulative Update (CU) running from the old ePO:
If the old ePO is between 5.10 RTW (base version) and CU15, use the LR6 base package.
The ePO installer zip file name is EPO510_2428_68_LR6.zip.
Make sure that the same CU version is installed with a new installation of ePO for the disaster recovery activity.
Contents:
Click to expand the section you want to view:
Before backing up
Shut down the ePO Application Server service (Tomcat) when you perform the backup. If you can't, make sure that no one is performing the following actions during the backup:
Installing, uninstalling, or upgrading an extension
In ePO 5.10 and later, threat event information is split into its own database, so you must back up both databases. Carry out the backup process on both the main database (default name ePO_ePO_server_name) and the events database (default name ePO_ePO_server_name_Events).
Incase ePO manages DLP, backup the DLP policy from Menu, DLP Settings, Backup & Restore.
You must also back up the following folder paths:
NOTE: The default 64-bit installation paths are listed below. But, your installation might differ. For example, the default 32-bit installation path is C:\Program Files\McAfee\ePolicy Orchestrator.
C:\Program Files (x86)\McAfee\ePolicy Orchestrator\Server\extensions
The default path to ePO software extension information
C:\Program Files (x86)\McAfee\ePolicy Orchestrator\Server\conf
The default path to the required files used by the ePO software extensions
C:\Program Files (x86)\McAfee\ePolicy Orchestrator\Server\keystore
These keys are for ePO agent-server communication and the repositories
C:\Program Files (x86)\McAfee\ePolicy Orchestrator\DB\Software
Contains products that are checked in to the Master Repository
C:\Program Files (x86)\McAfee\ePolicy Orchestrator\DB\Keystore
Stores the agent-server communication and Repository Keys that are unique to your installation. If you fail to restore this folder, all client systems are unable to communicate with the ePO server, and you have to redeploy the agent to every system. Also, you must also check in all deployable packages again.
SSL certificates needed to authorize the server to handle agent requests
Console certificates
IMPORTANT: Optional folders to backup:
NOTE: The folders below are only created when using the certificate migration process.
C:\Program Files (x86)\McAfee\ePolicy Orchestrator\Server\keystoreTemp
The folder above contains four keystore files. It's created during the certificate migration process by clicking the Regenerate option.
C:\Program Files (x86)\McAfee\ePolicy Orchestrator\Server\keystoreBackup
The folder above is created when you click Activate during the certificate migration process. The keystoreBackup folder contains the complete backup of the server\keystore folder.
WARNING: Failure to back up and restore the folders above requires a reinstallation of ePO. It might also require a clean database installation and redeployment of agents to all client systems.
Delete the ePO database on the SQL Server. If you don't know how to perform the MSSQL operation, see this related Microsoft article or contact Microsoft Support.
If you're restoring ePO to the same system, uninstall ePO. Make sure that there's no ePolicy Orchestrator folder in the original installation path after the software is uninstalled.
NOTE: If you rename the existing ePO folder and leave the old directory in place, it might interfere with the new installation. So, we recommend that you remove the old directory completely.
NOTE: You can verify the ePO update level. Look at the Version field in the backed-up Server.ini file (C:\Program Files (x86)\McAfee\ePolicy Orchestrator\DB\). Then, cross-reference it with the details mentioned in KB51569 -Supported platforms for ePolicy Orchestrator.
Apply any additional updates, hotfixes, or POCs to ePO that were previously applied. If you previously installed Policy Auditor 6.2 for use with ePO, install the same version of Policy Auditor. This step includes any hotfix releases that were previously installed.
IMPORTANT:
In an ePO 5.10 environment that has had a Cumulative Update applied, make sure that you apply the same update version to the newly installed ePO server. If you don't apply the same version, the ePO Application Server service is unable to start.
If you're restoring an ePO 5.10 Update 10 environment, log on to the ePO console, upgrade the following extensions, and then apply the CU10 update:
McAfee Agent (MA): Upgrade to MA 5.7.2 or later. This action also removes the Product Improvement Program extension.
Endpoint Upgrade Assistant (EUA): Upgrade to EUA 2.9.0.17 or later.
Stop and disable all ePO services:
Click Start, Run, type services.msc, and click OK.
Right-click each of the following services and select Stop:
ePolicy Orchestrator Application Server
ePolicy Orchestrator Event Parser
ePolicy Orchestrator Server
Double-click each of the following services and change Startup type to Disabled:
ePolicy Orchestrator Application Server
ePolicy Orchestrator Event Parser
ePolicy Orchestrator Server
NOTE:Restore the database so that you don't require the ePO database configuration to be updated; for example, same name, host, and port. Otherwise, you must update the restored DB.PROPERTIES file in C:\Program Files\McAfee\ePolicy Orchestrator\Server\conf\orionwith the new information before you start the server.
IMPORTANT:In ePO 5.10 and later, threat event information is split into its own database, so you must restore both databases. Carry out the restore process on both the main database and events database.
Rename the following folders. For example, rename the extensions folder to extensions_old. Then, replace them with the corresponding folders that were backed up earlier in step 2:
IMPORTANT: If you're restoring an ePO 5.10 environment, select the option Change password, and confirm the password for the account used to access SQL, even though it hasn't changed. Verify that the password is accepted by using the Test Connection option. If the connection is successful, click Apply to save the password, and restart the ePO application server service. This step creates a new password hash based on the new ePO server's unique key.
Try to log on to the ePO console. If you're unable to log on, review all steps performed in this article and make sure that they've been properly completed. If you can't resolve the console logon issue, contact Technical Support for assistance before you continue.
If you are a registered user, type your User ID and Password, and then click Log In.
If you are not a registered user, click Register and complete the fields to have your password and instructions emailed to you.
NOTE: You must successfully log on for the rest of the recovery steps to work.
Rename the SSL.CRTfolder (see path below) to SSL.CRT.OLDand manually create an empty folder namedSSL.CRT in the same path. If you don't, the setup fails to create a new certificate:
Here: ePO_server_name— Your ePO server NetBIOS name Console_HTTPS_port — Your ePO console port (default is 8443) Admin_username — Administrator (use the default ePO administrator console account) Password — The password to the ePO administrator console account Installdir\Apache2\conf\ssl.crt— Your installation path to the Apache folder. Make sure that you enclose this path in double quotes. The default installation path is:
This command fails if you've enabled User Account Control (UAC) on this server. If the server is running Windows Server 2008 or later, disable this feature. For more information about UAC, see this Microsoft article.
This command is case-sensitive. The ahsetup.log provides information about whether the command succeeds or fails. It also states whether it uses the files stored in thessl.crt folder.
NOTE: The ahsetup.logis stored in ePO_install_directory\Apache2\conf\ssl.crt.
Start the following services:
ePolicy Orchestrator Event Parser
ePolicy Orchestrator Server
Look in DB/logs/server.log and make sure that the Agent Handler (Apache server) starts correctly. It must state something similar to the following:
I #4108 NAIMSRV ePolicy Orchestrator server started.
If it doesn't, there's an error similar to the following:
E #4736 NAIMSRV Failed to get server key information