There are CPPM deployment were the nodes are located in different geographical location and connected with limited bandwidth between the nodes. So in a cluster if publisher is upgraded first and when the subscriber node is getting upgrade then the clients connected to subscriber authenticated on publisher then the Onguard update check process will find the availablity of new version of Onguard installer and will try to download it from the publisher and this causes huge bandwidth usage could lead to any network down situations in case if the bandwidth is also shared by other applications across the geographical location.
We can make the setting on publisher and other nodes to ignore the Onguard agent update. Once the Clearpass upgrade is completed on all the nodes then roll back the Onguard settings from ignore to Download and install.
Then block the firwall on the client network from reaching the publisher so the Onguard agent controller channel will fall back to its domain Clearpass node.
- Prior to upgrade we need to make the following settings on all the nodes to avoid downloading the Onguard update.
- Navigate to Administration » Agents and Software Updates » OnGuard Settings » and set Agent action when an update is available: Ignore.
- This will just let the onguard agent to connect to the publisher and not to download the newer version of Onguard installer.
- Once all the subscriber is upgraded we need to make the following settings on the subscriber node.
- Block the port for the client network from the subscriber geographic location to reach publisher for 10 minutes [default wait time it 160 second is wait period].
- Then on the subscriber node navigate to Administration » Agents and Software Updates » OnGuard Settings » and set Agent action when an update is available: Download and install. Save the settings.
- This will force onguard client to disconnect from publisher and will restart the session to establish control channel with domain subscriber and that will also download the Onguard installer from the subscriber node.
We can verify the from the firewall that the clients are not causing huge download from the publisher.
We can also verify that the Onguard agent upgraded using the new installer that was downloaded from the subscriber.