Security

Hey All,

Quick question. Right now we have our Clearpass servers on an EMC SAN and Cisco UCS blades. We just got a new Hyperflex system setup and have most of our servers moved to the new system. Our EMC, Vcenter, etc. is visible to the new Hyperflex system and it's Vcenter etc. We just want to move the Clearpass servers from the old EMC SAN and Vcenter instance to the new Hyperflex/Vcenter. We have been moving others servers via Vmotion with no issues. That's what we are hoping to do here. Just shut down Subcriber and move it and power it on. Then shut down publisher and move it and power it back on. Our other solution would be to take clones of each and move the clones to the Hyperflex. Then shut down the current servers and power on the clones. I can't find any documentation on this and would just like to know if anyone has done this and how they have gone about it. I'm hoping it will be a pretty simple process just like vmotioning other servers has been. But, would like to know it works or what does work before we plan downtime to do this. Any help or advice is appreciated :).

Thanks!

Even VMotion should work, as long as you follow the Tech Note CPPM and VMware vMotion V1 in this location.

If you can bring down the VMs before you move them, the risk appears to be even lower. I have moved ClearPass VMs (shut down) even with the standalone converter from one ESXi to another without problems.

In case you appreciate a specific view of your situation, you can contact Aruba TAC for validation of your migration plan.

Thank you for the reply! We are going to schedule downtime to perform this, so shutting them down is no problem. I read through the tech note you attached, thank you for that. The only difference I see is we are going to be migrating our Clearpass servers to a new host and new storage. In the guide it only changes the host. Have you migrated Clearpass servers to a new host and datastore? Just want to have a good plan for how to do this. 

Thanks again!

I have used the VMWare Standalone converter to move ClearPass appliances from one ESXi to another and that worked fine for me. I'm not familiar with your tooling, but if you can VMotion to another cluster is appears even much more advanced. If you have a path back, for example if you clone the VMs to the new cluster, I would give it a chance.

What I have done as well is backup ClearPass, and import it into a fresh one. Then reinstall certificates and re-join domain (and I believe there are few more settings that don't survive backup/restore on another appliance, but these are most important).

Our clearpass servers are already virtual, we are just moving the current virtual servers from one Cluster that is using Cisco Blades and EMC SAN Storage to a cluster that is a Cisco Hyperflex with it's own nodes and storage. So we are just wanting to take the current clearpass servers from one clusters hosts and storage to a new cluster hosts/storage. At this point I'm thinking clones might be a better bet and then we can always just turn the clones off and go back to "old" servers if we run into issues.

Hey All,

So one of our summer projects is moving these servers to our new hardware via vmotion. I want to make sure this is the correct order. We plan to shut off the subscriber, clone it just to be cautious. Move the subscriber to the new hardware/cluster. Power subscriber on and make sure publisher and subscriber are communicating. 

Next power off Publisher, clone it and move it. Power on and make sure they are communicating. In this scenario once Publisher is moved and powered back on will it take over it's main duties being the publisher, or will we have to force that? Also, when we power down publisher will our users lose connection? Is this something we should plan after hours or can we do it during the day without causing any issues to our users? Sorry for all the questions, appreciate all of your assistance :).

Thanks!

We have done this in our UCS vmWare environment and it was pretty painless. I backed up the configuration just to protect myself, and the server admin cloned the servers just to protect himself, then we stopped the subscriber and did a SAN to SAN move of the VM files and re-inventoried it on the far side and started it up.

We were trying to mimick what we might have to do in a DR state where servers wouldn't have the polite system shutdown before the metor hits.

The subscriber came up and happily started talking to the publisher and after about an hour we repeated the exercise with the publisher.

We have a MAC address/UUID change on the NICs bother the publisher and had to fiddle with them to get it happy again - there's a tool on the CPPM server for that, but our server admin just changed the numbers on the vmWare side and restarted the server.