Change a DLP agent from one Endpoint Server to another

Article ID: 171181


Products

Data Loss Prevention Endpoint Prevent, Data Loss Prevention Enforce

Issue/Introduction

There are times when an agent needs to be redirected to a different Symantec Data Loss Prevention (DLP) Endpoint Server or an agent needs to have its Endpoint Server priority list changed.

Cause

There are several methods of changing the Endpoint Server or modifying the Endpoint Server list for a DLP agent. Choose the one below that best fits your needs.

Resolution

 

Changing the Endpoint Server through the Enforce Server console

  1. Browse to System > Agents > Overview and click the number under the green check to view the agents in good standing.
  2. Select the agents whose Endpoint Server you want to change.
  3. Click the Change Server button.
  4. Add the information for the endpoint servers. Note that secondary and tertiary servers can be added by using the plus button.
  5. Click Ok.

A task running icon (Clipboard with play button) will now appear next to the agent. Once the change is successful you will see an event for that agent that reports "Change Endpoint Server task execution succeeded" in the agent details.

 

Changing the Endpoint Server through a script

This method is used if the agents are not communicating with the DLP Endpoint Server.

Locate the agent install .zip file (see DLP Agent installers File Information) that was used when generating the agent install package. Extract the tools folder appropriate for the client architecture and copy it to the DLP Endpoint Agent folder on the client machine.

Once the tools are in the DLP Endpoint Agent folder, use the following examples to build a script that changes the server settings.

Using Vontu_Sqlite3

The vontu_sqlite3 tool can be used with the following method, which echoes a single command into the utility. Note that the password must also be supplied. The syntax of the batch file is structured as follows:

echo Update CONFIGURATION set Value="<EndpointServer>:<port>" where NAME="ServerCommunicator" and SETTING="SERVER_HOST_AND_PORT_LIST"; | vontu_sqlite3.exe -db=cg.ead -p=<agent_tools_password>

Below is an example of setting a primary endpoint server name of 192.168.2.1 on port 10443 and an Alternate Endpoint Server host of ENFORCE on port 10443 where the tools password is protect.

echo Update CONFIGURATION set Value="192.168.2.1:10443;ENFORCE:10443" where NAME="ServerCommunicator" and SETTING="SERVER_HOST_AND_PORT_LIST"; | vontu_sqlite3.exe -db=cg.ead -p=protect
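When the server list is filled in from an inventory file or a deployment variable, each entry should be checked before it is placed inside the quoted SQL value, so that a stray quote or semicolon cannot alter the update. The following POSIX shell functions are an added example, not vendor code; the function names are hypothetical, only hostnames and IPv4 addresses are accepted, and the macOS invocation in the final comment is assumed to take the same flags as the Windows one shown above.

```shell
#!/bin/sh
# Added example (not vendor code). Function names are hypothetical.
# Accepts hostnames and IPv4 addresses only.

# valid_entry HOST:PORT -> status 0 only for a well-formed pair
valid_entry() {
    host=${1%:*}
    port=${1##*:}
    [ "$host" != "$1" ] || return 1        # no ":" separator present
    case $host in
        ''|*[!A-Za-z0-9.-]*) return 1 ;;   # rejects quotes, ";", spaces, extra ":"
    esac
    case $port in
        ''|*[!0-9]*) return 1 ;;           # digits only
    esac
    [ "${#port}" -le 5 ] && [ "$port" -ge 1 ] && [ "$port" -le 65535 ]
}

# build_server_list ENTRY... -> prints "host:port;host:port" in priority order
build_server_list() {
    list=
    for entry in "$@"; do
        valid_entry "$entry" || { printf 'rejected entry: %s\n' "$entry" >&2; return 1; }
        list=${list:+"$list;"}$entry
    done
    [ -n "$list" ] && printf '%s\n' "$list"
}

# build_update_sql ENTRY... -> prints the Update statement used in the article
build_update_sql() {
    value=$(build_server_list "$@") || return 1
    printf 'Update CONFIGURATION set VALUE="%s" where NAME="ServerCommunicator" and SETTING="SERVER_HOST_AND_PORT_LIST";\n' "$value"
}

# Constructed sample input: the primary and alternate servers from the article.
build_update_sql 192.168.2.1:10443 ENFORCE:10443

# On the endpoint, pipe the output into the tool with the article's flags
# (assumed to be the same on macOS, without the .exe suffix):
#   build_update_sql ... | ./vontu_sqlite3 -db=cg.ead -p=<agent_tools_password>
```

The `-p=` form places the tools password in the script and on the command line, so restrict who can read a script built this way and remove it from the client after the change.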

 

Using Vontu_sqlite3 Tool (manually)

vontu_sqlite3 is available for both Windows and Mac clients.

This method is used if the agents are not communicating with the DLP Endpoint server.

Locate the agent install .zip file that was used when generating the agent install package (see DLP Agent installers File Information). Extract the tools folder appropriate for the client architecture and copy it to the DLP Endpoint Agent folder on the client machine. We specifically need the vontu_sqlite3 tool.

For reference, the default agent install locations are:

Mac OSX: /Library/Manufacturer/Endpoint Agent/
Windows: c:\Program Files\Manufacturer\Endpoint Agent

Once the tools are in the DLP Agent folder, run the following command:

vontu_sqlite3 -db=cg.ead

Apply the tools password as needed. Then use the following commands in the vontu_sqlite3 tool to update the configuration (note that these are case sensitive). Be sure to change the value so that it points to your server and port:

Update CONFIGURATION set VALUE="192.0.2.1:10443" where NAME="ServerCommunicator" and SETTING="SERVER_HOST_AND_PORT_LIST";  
.exit


Now reboot the system or use the service_shutdown -p=<agent_tools_password> command to stop the DLP Endpoint Agent. You can then start the Endpoint agent. 

 

Using a new agent install package

This method is typically only used if the computers are no longer connected and the previous methods are not viable.
Example: You have several Mac clients that need to be reinstalled. You can use this method instead of manually running the vontu_sqlite3 utility on each computer.

Note that you cannot upgrade an agent to the version it already has or to an older version. For example, you cannot upgrade DLP agent 16.0 MP1 to 15.7 MP2 or 15.8 MP1, or upgrade to an earlier hotfix agent of the same GA release.

Follow these steps to use an agent install package to redirect the agents.

  1. From Enforce go to System > Agents > Agent packaging
  2. Put in needed values and specify the new Endpoint Server (See Generating agent installation packages (broadcom.com))
  3. Generate the install package
  4. For Mac agents, you must repackage the client in OSX. See Installing the DLP Agent for macOS (broadcom.com)
  5. Uninstall the current agent on the computers. See Uninstall and remove the Symantec DLP Endpoint Agent (broadcom.com) for details
  6. Restart the client
  7. Install the new agent on the client. See Installing Symantec DLP Agents (broadcom.com)

If you meet the prerequisites of an upgrade, then you can do an agent upgrade with an updated Endpoint Server list. See Upgrading Symantec DLP Agents (broadcom.com).