ProxySG & Advanced Secure Gateway

  • 1.  Leave domain and rename proxy

    Posted Jan 30, 2024 11:06 AM

    We need to rename our 2 ISG proxies in the Authentication Realm/Domain. I have reviewed the following 2 articles:

    Link 1
    https://knowledge.broadcom.com/external/article/168811/steps-to-leave-and-rejoin-a-domain-for-i.html

    Link2
    https://knowledge.broadcom.com/external/article/165995/clear-all-policy-from-a-proxysg.html

    We have a Management Station (version 3.3.4.1) and both proxies and their associated policy are managed by this MC.

    Can we not just do one of the following:

    • (Ref link 1) disable ALL rules in the policy that point to the Realm/Domain temporarily, install the policy, then leave the domain, rename the proxies, and rejoin, and then enable all Realm/Domain rules and push policy?

    OR

    • (Ref link 2) clear the policy from both proxies (assuming this does not affect the config of the proxies - network, logging, etc), leave the domain, rename the proxies, and rejoin, and then push the policy that is saved in mgmt center to the proxies?

    Or is there another, efficient way of doing this?



  • 2.  RE: Leave domain and rename proxy

    Broadcom Employee
    Posted Jan 30, 2024 06:53 PM

    Hi JS,

    I think you have it summarized pretty well:

    • In order to change the AD custom hostname, you need to leave the domain.
    • In order to leave the domain, the domain cannot be referenced anywhere. The domain is most commonly referenced in the realm, and you would need to dereference the domain from the realm to leave the domain.
    • In order to dereference the domain from the realm, you either need to assign the realm a different joined domain (which is not very common), or delete the realm object.
    • In order to delete the realm object, the realm cannot be referenced in policy. This includes not just authenticate and force authenticate objects, where you choose the realm, but also includes user, group, etc. objects of users from that realm that could be anywhere in policy. 
    • In order to ensure the realm is not referenced in policy, you have the two choices as you have mentioned: either disable or delete the rules and then re-enable / remake the rules after joining the domain again with the new hostname and building the new realm.

      A word of caution I would leave on the policy reset option is to verify you have all the policy in Management Center before going that route. Many customers I see today use Management Center for the VPM slot of policy, but still post some or all of their CPL rules in the Local Policy file slot vs using a CPL Layer in the VPM. If you do a policy reset, it clears all policy slots (VPM, Local, etc), not just the VPM. 

    I hope that helps!
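A pre-flight check for the "realm cannot be referenced in policy" step described above, as an added example that is not from this thread or from Broadcom: a Python script that scans exported VPM and Local policy text for every non-comment line that names the realm, so those rules can be disabled before the realm object is deleted. The sample policy lines are constructed, and the `authenticate(<realm>)` / `realm=<realm>` forms are assumed CPL syntax.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample of the two policy slots as they might be exported from
# Management Center; the rules are illustrative, not taken from the thread.
SAMPLE_SLOTS: Dict[str, str] = {
    "VPM": """\
<Proxy>
    ; Rule 1: authenticate everyone against the joined-domain realm
    authenticate(CorpIWA) authenticate.force(yes)
<Proxy>
    ; Rule 2: group object whose users come from that realm
    group="CORP\\proxy-admins" realm=CorpIWA ALLOW
<Proxy>
    ; Rule 3: no realm dependency
    url.domain=example.com DENY
""",
    "Local": """\
<Proxy>
    user="CORP\\svc-backup" realm=CorpIWA ALLOW
    ; realm=CorpIWA inside a comment must not count as a reference
""",
}

def find_realm_references(realm: str, slots: Dict[str, str]) -> List[Tuple[str, int, str, str]]:
    """Return (slot, line_no, kind, line) for every non-comment policy line
    that references `realm`; an empty list means the realm can be deleted."""
    # Assumed CPL forms: authenticate(<realm>) and realm=<realm>; the bare
    # token pattern catches any other mention (e.g. a variable named after it).
    patterns = [
        ("authenticate", re.compile(r"\bauthenticate\(\s*" + re.escape(realm) + r"\s*\)")),
        ("realm=",       re.compile(r"\brealm=\"?" + re.escape(realm) + r"\"?(?!\w)")),
        ("token",        re.compile(r"\b" + re.escape(realm) + r"\b")),
    ]
    hits: List[Tuple[str, int, str, str]] = []
    for slot, text in slots.items():
        for no, line in enumerate(text.splitlines(), 1):
            code = line.split(";", 1)[0]  # CPL comments start with ';'
            for kind, pat in patterns:
                if pat.search(code):
                    hits.append((slot, no, kind, line.strip()))
                    break  # report each line once, with its most specific kind
    return hits

if __name__ == "__main__":
    for slot, no, kind, line in find_realm_references("CorpIWA", SAMPLE_SLOTS):
        print(f"{slot}:{no} [{kind}] {line}")
```

Run it against the CPL exported from both slots (not just the VPM) before issuing a policy reset, since a reference in the Local slot blocks realm deletion just as much as one in the VPM.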





  • 3.  RE: Leave domain and rename proxy

    Posted Jan 31, 2024 07:44 AM

    Thanks Jacob. Not sure I fully understand the implications of doing a policy wipe.

    In my MC I have the VPM and Local in their respective slots. We do have a CPL layer in the VPM. So based on this, if I wipe the policy, wouldn't I just be able to re-apply the VPM and Local policies via the MC?




  • 4.  RE: Leave domain and rename proxy

    Posted Feb 07, 2024 08:00 AM

    Update - I used the method from link 2 (clear all policy from proxy). Note that we have a Management Center with both proxies added and their policies (VPM and Local) backed up. Basically, I issued the policy reset command on each proxy and then was able to remove the realms and domains, change the name, rejoin domains and recreate the realms, and finally push VPM/Local to both proxies successfully.