How to upgrade and update your PSM and MFA Deployment

New versions of the MyID MFA and PSM solutions are continuously being released and are made available for download from the Intercede website. Depending on your current software version, the new version can be deemed to be either an update typically where the version Major and Minor release numbers are the same as what you currently have deployed and the MyID database schema has not changed or an upgrade, where the Major and Minor release version are newer or the MyID database has changed.
Typically, updates can be performed in-place at your convenience allowing for disparate MyID Agents  and Authentication servers operational within your environment.

For example, if you currently have V5.0.6947.0 deployed, an in-place update of all agents and servers to V5.0.6947.2 can be done sporadically in any order that fits your schedule.

 

NOTE: When updating or upgrading servers, we recommend performing the action one server at a time and only look to update/upgrade additional servers once the server you are currently performing this action is completed and fully tested to be operational.

 

In order to perform an Upgrade successfully (for example upgrading V4.1.xxxx.x deployments to V4.2.xxxx.x or V4.2.xxxx.x to V5.0.xxxx.x) without potentially impacting your environment, there is a step by step process that must be followed. All MyID agents are designed to be backward compatible so a V5.x agent can communicate with a V4.2 Authentication Server however, a V4.2 agent cannot communicate with a V5.0 Authentication server. As such, before Authentication Servers are upgraded, the deployed agents must first be upgraded. 

Agents may have new Group Policy objects, so before deploying the new agent, pushing the Group Policy objects accordingly may be required. 

Once the agents have been fully upgraded, then the Authentication servers can be upgraded. 

Below is a step-by-step consolidated list for the recommended upgrade process (Please ensure that each step has been fully tested before moving onto the next step):

  1. Push any new MyID MFA and PSM agent Group Policy Objects (GPO) to the servers and workstations where the agents are installed (Refer to Agent Installation and Configuration Guides for more information).

  2. Upgrade ALL MyID PSM and MFA agents and ensure that they are reading the GPOs configured in Step 1 and can communicate with the existing Authentication Servers. 

  3. Once all the PSM and MFA agents have been upgraded, the Authentication Servers can be upgraded. To upgrade the Authentication Servers, a sub-process needs to be followed, this being:

    • Manually uninstall all but one (1) Authentication Server so only a single Authentication Server remains in your Active Directory forest.

      Do not continue until there only a single Authentication Server left within your Active Directory forest.

    • An in-place upgrade can be performed on the last remaining Authentication Server. Please ensure that the Internet Information Server Port bindings are maintained as before and any NPS clients are not overwritten.

      Please ensure that the Directory Configuration wizard is rerun with the "Reprocess user data to latest storage version" and reboot when the wizard is complete.

      Using the on-server Self-service Portal, test that you are able to login with pre-existing MFA users and/or valid and invalid passwords are accepted and rejected per PSM defined policies.
  4. Once the primary Authentication Server has been successfully upgraded and proven to be fully operational, the latest Authentication Server version can be installed on all the previous Authentication servers that were uninstalled in Step 3 (above).
    Ensure that the Directory Configuration Wizard is rerun on these new servers. For the additional Authentication servers, the "Reprocess user data to latest storage version".  

    As with the installation of the primary Authentication Server, ensure that the IIS port bindings and NPS clients are maintained.

    Test the new server using the on-box Self-service Portal.

    Please refer to the relevant Agent and Authentication Server's Installation and Configuration Guides for additional information. 

 

 

 

Have more questions? Submit a request

0 Comments

Article is closed for comments.