ITMS Administrator Group

Hello,

Here is the scenario. The plan is to merge 4 child NS and 1 parent NS into one global server. We need to move  100+ site servers from one NS to the other NS. I imported the communication profile from destination server to the child servers in order to use the redirection in Targeted Agent Settings.

The only doubt I have is about Certificates Rollout settings on the target server. The clients communicate via https and CEM is implemented as well. I do not want the agent to lose the connection whether it is in LAN or DMZ. I use the standard ports: 444 for intranet and 443 for CEM. The table explains the behaviour and processing.

So my understanding of the table is: because the HTTPs ports on existing Site servers equal to settings on the target SMP server, https overwritting is supposed to be disabled. The binding will remain untouched and a new certificate will be installed on existing site server. The communication with client will not be interrrupted.

Can someone confrim my reasoning, please ?

Thanks

Tomasz

Hi Tomasz,

In the referenced article, the therm "existing HTTPS binding on the site server" means actually the binding which was created not by SMA before configuring the automatic certificate rollout. This "Force" parameter is intended not to break any configuration which was manually done on the Site Server, when rolling out the automatic configuration.

If Your current Site Servers have binding created by SMA after previous configuration then those bindings are "SMA own" and they would be overwritten when new configuration arrive, regardless of "Force" parameter. This means that SMA is owning those bindings and maintain them in compliance with the latest configuration.

Regarding the communication profiles: Those are intended to allow the agent to communicate with the server using proper certificates, names etc. So if you have imported parent NS communication profile to the child Site Servers, then they will be able to communicate with the parent NS. Still, in order child clients to be able to communicate with the parent NS, they also should have the parent NS communication profile.

Regards,
Roman.

Hi Roman,

Thank you for your reply.

We do not do any manual binding configurations on the Site Servers.

Based on your explanations, so if I tick "Install intranet certificate" and "Install CEM certificate" on the parent NS , the Site Server binding will be automatically overwritten by SMA according to new NS settings. The "Force" parameter is not applicable at this scenario because binding are SMA owned.

Is my undestanding correct, please ?

My plan is move site by site using the imported communication profiles. First I am going to move Site Server then computers from the same site. At the very end I will migrate the central SMP Site Servers and all remaining computers.

Regads,

Tomasz

>>Is my undestanding correct, please ?
Yes, that is correct.

While your migration need to keep in mind that when child SS is moved to parent NS, the child agents will not work with that SS anymore. Means if some PackageServers are moved from child to parent, then child clients will be downloading packages only from other child PS-es or from the child NS directly if no other PS is available on the child.

One of the approaches to that kind of migration on big environments sensitive to the infrastructure configuration change is to create new Site Servers (exact copy of child ones) under parent NS, then move clients to parent NS then delete old Site Servers. In that way the clients are always using the same infrastructure and the same amount of SS-es.
Another approach is to move SS-es and agents by chunks, e.g. move quarter/half SS-es to parent, then move quarter/half agents to parent, and so on.
In the case when all SS-es are moved to parent NS, the child clients will direct all the load to the child NS, until they are moved to the parent NS also.

All those scenarios are valid and selection actually depends on your environment, configuration and free resources available.

Regards,
Roman.