Sign In with your
Trend Micro Account
Need Help?
Need More Help?

Create a technical support case if you need further support.

Migrating PolicyServer to NSF configuration

    • Updated:
    • 24 Nov 2016
    • Product/Version:
    • Endpoint Encryption
    • Platform:
    • Windows 2003 Enterprise
    • Windows 2003 Enterprise 64-bit
    • Windows 2003 Standard
    • Windows 2003 Standard 64-bit
    • Windows 2008 Enterprise
    • Windows 2008 Enterprise 64-bit
    • Windows 2008 Server R2
    • Windows 2008 Standard
    • Windows 2008 Standard 64-bit
    • Windows 8 32-bit
    • Windows 8 64-bit
    • Windows Vista 32-bit
    • Windows Vista 64-bit
    • Windows XP SP3 32-bit
Learn how to move the PolicyServer from a single server to NSF configuration.
Requirements to migrate:
  • Distinct VLANs or physical networks for the following:
    • Load Balanced Application Server communications
    • Application Server to SQL Cluster communications
    • SQL Cluster heartbeat communciations
  • Four (4) configured Windows 2003 Servers:
    • Two (2) servers with Microsoft Application Server role
    • Two (2) servers with shared storage and Microsoft Clustering Services
  • Installed Microsoft SQL Server 2005 on MSCS Cluster in Active/Passive Configuration
To prepare the PolicyServer for migration:
  1. Adjust the following policies to avoid interruption of client operations:
    • MobileSentinel > Common > Compliance > Synchronization Timeout (5 is the recommended value)
    • MobileSentinel > PC > MobileSentinelSyncInterval (1440 is the recommended value)
    • Full Disk Encryption > Common > Login > AccountLockoutPeriod (180 is the recommended value)
  2. Make sure that the clients received the new settings.
  3. Stop the PolicyServer Windows Service to prevent further policy modifications, database changes, or lost audit logs during the migration.
To migrate the PolicyServer:
  1. Back up the Endpoint Encryption databases.
  2. Copy the backup to the currently active SQL cluster host.
  3. Restore the databases using the SQL Management Studio.
  4. Make sure that the databases can be viewed in the SQL Management Studio Object Explorer.
  5. Recreate the SQL Login account and associate it to the existing SQL database users by running SQL queries on both databases. Right-click the database and select New Query.
  6. Install the PolicyServer Windows Service on the two (2) Windows Servers with Appliation Server role using the new IP addresses, SQL Login name, and password specified during the database restoration.
  7. Use the PolicyServer MMC Snap-in to connect to each of the new servers, identified by IP address, to verify the functionality of the new PolicyServer application servers.
  8. Configure a new web service on your Load Balancer identifying both new PolicyServers as real servers.
    • Only TCP port 80 (or other port chosen during installation) is required for each real server. Other ports (such as 3389 for management via Remote Desktop) are optional.
    • Configuration of a layer 7 health check is recommended for determining availability of any given front end. The URL for layer 7 health check is http://<real-server-ip>/mawebservice2/service.asmx. The method for layer 7 health check is GET.
    • Use of Sticky Connections or Session Pinning is recommended for most installations.
    • Load balancers should be configured for Route-Path deployment whenever possible. When the server address cannot be changed or multiple subnets are unavailable, use Direct Server Return.
  9. Use the PolicyServer MMC Snap-in to connect to the load balanced service, identified by the VIP address, to verify functionality of the load balanced configuration.
  10. Change the DNS Alias record which corresponds to the FQDN of the original PolicyServer to reference the Load Balancer VIP.
To verify the migration:
  1. Use the PolicyServer MMC Snap-in to connect to the PolicyServer identified by FQDN of the Load Balancer VIP to verify functionality of the DNS configuration.
  2. Disable one of the application servers (either via the management console of the load balancer, or by disabling the PolicyServer Windows Service) and retest connectivity from the PolicyServer MMC Snap-in to verify correct load balancer functionality. Repeat for the second application server.
  3. Using the Microsoft Cluster Administrator MMC Snap-in, force a fail-over to the passive SQL cluster node and reconnect the PolicyServer MMC Snap-in to verify functionality of the SQL cluster.
  4. Using a Full Disk Encryption (FDE) client logged into Windows, open the FDE tray application and choose Update Policies. Using the PolicyServer MMC Snap-in, verify a log entry corresponds to the Policy Update
  5. Using FDE client freshly restarted and connected to LAN via wired ethernet, verify the connectivity shield appears in the FDE pre-boot.
  6. Authenticate to the FDE pre-boot and confirm PolicyServer audit logs reflect the authentication.
  7. Reset all policy values modified during preparation to their original preferred values, store a backup of the database, and decommission original servers.
Configure; Deploy; Install; Upgrade; Migrate
Solution Id:
Did this article help you?

Thank you for your feedback!

*This form is automated system. General questions, technical, sales, and product-related issues submitted through this form will not be answered.

If you need additional help, you may try to contact the support team. Contact Support

To help us improve the quality of this article, please leave your email here so we can clarify further your feedback, if neccessary:
We will not send you spam or share your email address.

*This form is automated system. General questions, technical, sales, and product-related issues submitted through this form will not be answered.