Server domain migration


So I got this case in my lap this week, and while waiting on support to get back to me I would check if anyone has some tips around this:

 

So the customer is updating their domain from "OldCompany.org" to "NewCompany.org".
Every request to https://OldCompany.org is now routed to https://NewCompany.org in their firewalls and load balancer. I got a message that the connections are traced and the firewalls changed for this, and no drops are recorded at the moment.

From this step the Admin Utility was updated and changed as follows:
- Primary Agent Address: NewCompany.org : 5494
- Secondary Agent Address: OldCompany.org : 5494
- Device Management Address: NewCompany.org : 443
- Management Service Address: NewCompany.org : 443


- Fully Qualified Domain Name/IP Address: NewCompany.org : 5494
- Alternate Fully Qualified Domain Name/IP Address: "Server IP"

As I can see, this gave a bunch of error messages for the Deployment Server, but after changes in their firewall all tests and System Health say OK.

It was also tested by generating a new certificate and changing Deployment Server Extension & Web Console from OldCompany.org to NewCompany.org.

 

All tests and System Health are OK, Root Certificate is listed with 2x certificates.
Management Servers in MobiControl is listed with OldCompany.org with old IP as inactive and NewCompany.org as active with correct IP.
So it is listed twice?

OldCompany.org/MobiControl is no longer working but NewCompany.org is OK, NewCompany.local is OK, no issues around SSL certificate and it is certified by server and not using wildcard by LB/Firewalls as it did before.

So issue one is, if we try to enroll a new unit with a new add device rule on their very strict network, we are not able to enroll by ID or URL; the URL is not being validated.
Trying the same enrollment from the Internet, it is all OK, units are enrolled.
Tracing this now there is no drops in the network due to firewall rules or routes.

Issue 2, when trying Remote Control the connection is dropped.
Tracing outgoing from server we cannot find any drops.

Checking the log on the unit we find that log says unit tries the enrollment for NewCompany.org but switches over to OldCompany.org before getting connection for enrollment.

From server ports and internet access is checked, reaching Soti services and such.
Added some error messages from server logs:

 

2018-08-15 13:48:42,296 (0x00000e90) [INFO] CWinLogFile::WriteAllLog() SSL: Connection info: Protocol=00000040, Exch=0000AA02 (1024), Hash=00008004, Cipher=00006610 (256)
2018-08-15 13:48:43,296 (0x00001ae0) [ERROR] CCommDeploymentSrvWorker::VerifyClient() VerifyClient: Unverified client certificate ffffffff (Remote certificate not provided), device 359998043396839 on connection 20
2018-08-15 13:48:43,421 (0x00001ae0) [INFO] CertificateInstaller::InstallDeviceCert() Generate certificate for device 359998043396839
2018-08-15 13:48:43,921 (0x00001ae0) [INFO] CertificateInstaller::InstallDeviceCert() [CertificateInstaller::InstallDeviceCert] Certificate (id=10002788) pushed to device (id=359998043396839)
2018-08-15 13:48:44,296 (0x00001ae0) [INFO] CSOTIDatabase::ErrorCodes __cdecl CSOTIDatabase::SetDeviceInstalledCertList() SetDeviceInstalledCertList: Certificate: 10002788 for device '359998043396839' is not reported in snapshot
2018-08-15 13:48:44,609 (0x000012ec) [INFO] CWinLogFile::WriteAllLog() New connection entry, index=21, name=*, host=10.46.15.254, sock=5276, port=61054
2018-08-15 13:48:44,609 (0x0000108c) [ERROR] CWinLogFile::WriteAllLog() ConnThread: index=21 (): 0 byte received, socket closed



### 2018-08-15 21:20:36.077 ERROR [167]: 

************************************************************************************************************
* Exception: No connection could be made because the target machine actively refused it 138.xxx.xxx.xxx:5495 *
************************************************************************************************************
[EndpointNotFoundException: Could not connect to net.tcp://NewComapny.org:5495/mc/cache. The connection attempt lasted for a time span of 00:00:01.0000174. TCP error code 10061: No connection could be made because the target machine actively refused it 138.xxx.xxx.xxx:5495. ]

Server stack trace:
   at System.ServiceModel.Channels.SocketConnectionInitiator.Connect(Uri uri, TimeSpan timeout)
   at System.ServiceModel.Channels.BufferedConnectionInitiator.Connect(Uri uri, TimeSpan timeout)
   at System.ServiceModel.Channels.ConnectionPoolHelper.EstablishConnection(TimeSpan timeout)
   at System.ServiceModel.Channels.ClientFramingDuplexSessionChannel.OnOpen(TimeSpan timeout)
   at System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout)
   at System.ServiceModel.Channels.ServiceChannel.OnOpen(TimeSpan timeout)
   at System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout)

Exception rethrown at [0]:
   at System.Runtime.Remoting.Proxies.RealProxy.HandleReturnMessage(IMessage reqMsg, IMessage retMsg)
   at System.Runtime.Remoting.Proxies.RealProxy.PrivateInvoke(MessageData& msgData, Int32 type)
   at System.ServiceModel.ICommunicationObject.Open(TimeSpan timeout)
   at System.ServiceModel.Channels.SecurityChannelFactory`1.ClientSecurityChannel`1.OnOpen(TimeSpan timeout)
   at System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout)
   at System.ServiceModel.Security.SecuritySessionSecurityTokenProvider.DoOperation(SecuritySessionOperation operation, EndpointAddress target, Uri via, SecurityToken currentToken, TimeSpan timeout)
   at System.ServiceModel.Security.SecuritySessionSecurityTokenProvider.GetTokenCore(TimeSpan timeout)
   at System.IdentityModel.Selectors.SecurityTokenProvider.GetToken(TimeSpan timeout)
   at System.ServiceModel.Security.SecuritySessionClientSettings`1.ClientSecuritySessionChannel.OnOpen(TimeSpan timeout)
   at System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout)
   at System.ServiceModel.Channels.ServiceChannel.OnOpen(TimeSpan timeout)
   at System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout)

Exception rethrown at [1]:
   at System.Runtime.Remoting.Proxies.RealProxy.HandleReturnMessage(IMessage reqMsg, IMessage retMsg)
   at System.Runtime.Remoting.Proxies.RealProxy.PrivateInvoke(MessageData& msgData, Int32 type)
   at System.ServiceModel.ICommunicationObject.Open()
   at Soti.MobiControl.Caching.Implementation.CacheFactory.GetProxyServiceCacheClient(Server server)
   at Soti.MobiControl.Caching.Implementation.CacheFactory.Create(CacheConfiguration cacheConfiguration)
   at Soti.MobiControl.Caching.Implementation.CachingServiceEngine.UpdateCaches(IEnumerable`1 cacheConfigurations)
   at Soti.MobiControl.Caching.Implementation.CachingServiceEngine.UpdateConfiguration()
   at Soti.MobiControl.Caching.Implementation.CachingServiceEngine.ConfigureService()
{
[SocketException: No connection could be made because the target machine actively refused it 138.xxx.xxx.xxx:5495]
   at System.Net.Sockets.Socket.DoConnect(EndPoint endPointSnapshot, SocketAddress socketAddress)
   at System.Net.Sockets.Socket.Connect(EndPoint remoteEP)
   at System.ServiceModel.Channels.SocketConnectionInitiator.Connect(Uri uri, TimeSpan timeout)
}

************************************************************************************************************

### 2018-08-15 21:20:36.077 ERROR [167]: CachingServiceEngine: Will attempt to configure caching service again in 1 minute.



### 2018-08-15 13:39:45.013 ERROR [37]: 

********************************************************
* Exception: Device '358625050992967' does not exists. *
********************************************************
[AccessControlException: Device '358625050992967' does not exists.]
   at Soti.MobiControl.Controllers.DeviceIdentityMapper.GetId(DeviceIdentity deviceIdentity)
   at Soti.MobiControl.Controllers.DeviceIdentityMapper.GetId(String deviceId)
   at Soti.MobiControl.Api.Implementation.RequestExtensions.CreateContext(Request request)
   at Soti.MobiControl.Api.Implementation.Com.DeviceConfigurationFacade.CreateDeviceContext(String deviceId)
   at Soti.MobiControl.Api.Implementation.Com.DeviceConfigurationFacade.GetConfiguration(String deviceId)

********************************************************


### 2018-08-15 13:47:47.617 INFO  [3]: [ProgramTrace.RefreshSwitchSection] The configuration section 'system.diagnostics' has been reloaded successfully.

### 2018-08-15 13:47:47.617 DEBUG [3]: [ProgramTrace.PopulateSwitches] Current diagnostics switches: General = Error, DeploymentServer = Error, APNS = Error, Database = Error, Enrollment = Error, Schedule = Error, Management = Error, PrinterAdministration = Error, AccessControl = Error, DeviceEnrollmentProgram = Error, DeviceEnrollmentProgram.Integration = Error, VolumePurchaseProgram = Error, VolumePurchaseProgram.Integration = Error, Caching = Error

### 2018-08-15 13:48:43.421 ERROR [34]: GetCertificateByTemplateId called with template id : 0 and device id : 359998043396839

### 2018-08-15 13:48:43.452 ERROR [34]:   GetCertificateByTemplateId : key provider creates only public key : False

### 2018-08-15 13:48:43.484 ERROR [34]:   GetCertificateByTemplateId : generated certificate has private key : True

### 2018-08-15 14:00:25.147 INFO  [3]: [ProgramTrace.RefreshSwitchSection] The configuration section 'system.diagnostics' has been reloaded successfully.

### 2018-08-15 14:00:25.162 DEBUG [3]: [ProgramTrace.PopulateSwitches] Current diagnostics switches: General = Error, DeploymentServer = Error, APNS = Error, Database = Error, Enrollment = Error, Schedule = Error, Management = Error, PrinterAdministration = Error, AccessControl = Error, DeviceEnrollmentProgram = Error, DeviceEnrollmentProgram.Integration = Error, VolumePurchaseProgram = Error, VolumePurchaseProgram.Integration = Error, Caching = Error

### 2018-08-15 14:18:00.280 ERROR [34]: GetCertificateByTemplateId called with template id : 0 and device id : 359998043396839

### 2018-08-15 14:18:00.311 ERROR [34]:   GetCertificateByTemplateId : key provider creates only public key : False

### 2018-08-15 14:18:00.343 ERROR [34]:   GetCertificateByTemplateId : generated certificate has private key : True

### 2018-08-15 14:25:38.704 INFO  [3]: [ProgramTrace.RefreshSwitchSection] The configuration section 'system.diagnostics' has been reloaded successfully.

### 2018-08-15 14:25:38.720 DEBUG [3]: [ProgramTrace.PopulateSwitches] Current diagnostics switches: General = Error, DeploymentServer = Error, APNS = Error, Database = Error, Enrollment = Error, Schedule = Error, Management = Error, PrinterAdministration = Error, AccessControl = Error, DeviceEnrollmentProgram = Error, DeviceEnrollmentProgram.Integration = Error, VolumePurchaseProgram = Error, VolumePurchaseProgram.Integration = Error, Caching = Error
  • 15 August 2018
  • SOTI MobiControl
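
A triage pass over the log excerpts quoted in the post above, added here as an example (it is not part of the original post and not SOTI tooling): it pairs each zero-byte socket close with the peer that opened that connection index, and checks each refused endpoint against the ports named in the Admin Utility settings. The patterns are written against the quoted lines only; `triage`, `SAMPLE_LOG` and `CONFIGURED_PORTS` are hypothetical names.

```python
import re

# Lines copied from the server logs quoted in the post (stack trace omitted).
SAMPLE_LOG = """\
2018-08-15 13:48:43,296 (0x00001ae0) [ERROR] CCommDeploymentSrvWorker::VerifyClient() VerifyClient: Unverified client certificate ffffffff (Remote certificate not provided), device 359998043396839 on connection 20
2018-08-15 13:48:44,609 (0x000012ec) [INFO] CWinLogFile::WriteAllLog() New connection entry, index=21, name=*, host=10.46.15.254, sock=5276, port=61054
2018-08-15 13:48:44,609 (0x0000108c) [ERROR] CWinLogFile::WriteAllLog() ConnThread: index=21 (): 0 byte received, socket closed
[EndpointNotFoundException: Could not connect to net.tcp://NewComapny.org:5495/mc/cache. The connection attempt lasted for a time span of 00:00:01.0000174. TCP error code 10061: No connection could be made because the target machine actively refused it 138.xxx.xxx.xxx:5495. ]
"""

# Ports named in the Admin Utility settings listed in the post.
CONFIGURED_PORTS = {5494, 443}

RE_UNVERIFIED = re.compile(
    r"Unverified client certificate \S+ \((?P<reason>[^)]*)\), "
    r"device (?P<device>\d+) on connection \d+")
RE_NEW_CONN = re.compile(
    r"New connection entry, index=(?P<idx>\d+), name=[^,]*, host=(?P<host>[^,]+),")
RE_ZERO_BYTE = re.compile(
    r"ConnThread: index=(?P<idx>\d+) \(\): 0 byte received, socket closed")
RE_REFUSED = re.compile(
    r"Could not connect to \S+?://(?P<host>[^:/\s]+):(?P<port>\d+)\S*\s"
    r".*TCP error code (?P<code>\d+)")


def triage(text, configured_ports=CONFIGURED_PORTS):
    """Group the failures in a MobiControl server log excerpt by cause."""
    peers = {}  # connection index -> remote host that opened it
    report = {"unverified": [], "zero_byte_peers": [], "refused": []}
    for line in text.splitlines():
        if m := RE_NEW_CONN.search(line):
            peers[m["idx"]] = m["host"]
        elif m := RE_ZERO_BYTE.search(line):
            # Peer connected and closed without sending anything.
            report["zero_byte_peers"].append(peers.pop(m["idx"], "unknown"))
        elif m := RE_UNVERIFIED.search(line):
            report["unverified"].append((m["device"], m["reason"]))
        elif m := RE_REFUSED.search(line):
            port = int(m["port"])
            report["refused"].append({
                "host": m["host"], "port": port,
                "tcp_error": int(m["code"]),  # 10061 = WSAECONNREFUSED
                "in_configured_ports": port in configured_ports})
    return report


if __name__ == "__main__":
    for kind, items in triage(SAMPLE_LOG).items():
        print(kind, items)
```

On the quoted lines this reports a refused connection to port 5495, which is not one of the ports in the settings list (5494 and 443), and attributes the zero-byte close to 10.46.15.254.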

3 Answers

Raymond Chan | posted this 17 August 2018

What platform(s) of devices do you have in your server?  How many devices of each platform are enrolled before the migration?

 

 In general, domain name cannot be migrated without device re-enrollment in most cases.  Have you talked to anyone in Soti about what you want to do?

 

Øystein, Stakvik | posted this 17 August 2018

Only Android 5 units today enrolled with Android+, test server that has been migrated is only running with 7 units.
The production server has not been migrated yet but is running 1500 devices with Android 5, spread out all around the country.
So re-enrollment may be a big challenge.

The server guys did keep OldCompany.org open and it will be routed to the NewCompany.org and then hit the Secondary Agent Address that is set to OldCompany.org.

Not sure if this is working, however new enrollments over internet as on their guest SSID or with SIM card are working, units are enrolled with new add device rule, however it is only using OldCompany.org connection, it tries NewCompany.org but no connection.

Checking network we are not finding any drops on the unit when tracing.

I'm awaiting confirmation for a session with Soti but it is not confirmed yet.

Raymond Chan | posted this 17 August 2018

If you have only Android+ devices, there may be some chance of migrating without requiring re-enrollment, provided all the required steps are done properly. But even so, all your devices will likely display warning message about incorrect certificate(s), and manual confirmation to go ahead to connect to the migrated server is needed for each device. I did something similar a few years ago for Android 4.x devices. I'm not sure there are any new changes in newer Android versions that make such migration easier, worse or even impossible.

 

Soti professional service team may have smarter way to help you out.

 
