Proofpoint | ObserveIT On-Premises Insider Threat Management

Agent Auto Upgrade

The Agent Auto Upgrade lets you upgrade Agents directly from the ObserveIT Web Console. Upgrading with Agent Auto Upgrade is simple. You have control over which endpoints to upgrade and when to schedule the upgrade. So when a new version of ObserveIT is released, you can easily trigger upgrades and start taking advantage of the new features.

From 7.9, Agent Auto Upgrade is available for Windows Agents only. You can use Agent Auto Upgrade to upgrade Agents from 7.1 and up.

From version 7.10, you will no longer need to use a 3rd party deployment tool. The upgrade is completed and deployed from the Web Console. When upgrading to 7.10, you will still need to deploy with a 3rd party tool, such as Microsoft SCCM.

HTTP as communication protocol between the agent and the Application Server is no longer supported. Since Agents Auto Upgrade provides remote installation using highly secure credentials, it must be deployed using HTTPS or a higher security protocol.

Agent Auto Upgrade supports rollback in case of failure after a number of attempts. So, if an upgrade is not successful, the previous Agent continues monitoring the endpoint. For example, if you were trying to upgrade from version 7.8 to version 7.9 and the upgrade failed, the Agent 7.8 would continue to monitor the endpoint.

You install the Updater on each endpoint before the first time you use Agent Auto Upgrade. (See Installing the Updater for Agent Auto Upgrade.)

Upgrade Sets

An Upgrade Set includes the endpoints you want to upgrade and when you want that to happen. You can monitor the status of endpoints in the Upgrade Set. For example, you can review how many endpoints in the Upgrade Set have been successfully/unsuccssfully upgraded.

(See Creating Upgrade Sets.)

Endpoint Upgrade Status

You can view the upgrade progress for each endpoint. This way you know which endpoints have successfully updated, which have not and why not. In addition, you can view the upgrade history for each endpoint.

(See Endpoints Upgrade Status.)

Agent Auto Upgrade Load Balancing Algorithm

The load balancing algorithm was developed to avoid stress when upgrading a large number of endpoints at once and ensure stability when monitoring the endpoints.

ObserveIT limits the number of Agents that are upgraded at the same time. The order in which the Agents are upgraded is selected randomly from all the endpoints that are waiting to be upgraded.

Agent Auto Upgrade Flow

  1. When a new version of ObserveIT is available, you download it from the ObserveIT Support Portal and complete the server-side upgrade process. (Upgrade the ObserveIT Database, ObserveIT Web Console and Application Server components.)

    When you upgrade the server-side components, the Agent installation package is automatically saved to the version management service which keeps track of which version you are using.

    When downloaded, installation folders for the Agent must be located at the same level as the database folder (in the Root directory and not on your Desktop).

  2. From the Web Console (ConfigurationAgent Auto Upgrade), create an Upgrade Set. In an Upgrade Set, you configure when you want to upgrade the Agents and on which endpoints. (See Creating Upgrade Sets.)

    The first time you use Agent Auto Upgrade, you'll need to install the Updater on each endpoint. See Installing the Updater for Agent Auto Upgrade.

    An Updater can be installed on an endpoint with or without an Agent.

  3. The Updater (located on each endpoint) is continually communicating with the Application Server.

    The Updater identifies when a new Upgrade Set has been assigned to its endpoint.

  4. Agent Auto Upgrade silently upgrades the endpoints according to what you configured in the Upgrade Set.

    In addition, if you have set the Agent up with a password, the Agent Auto Upgrade will automatically use the password when upgrading.

    If you have multiple Application servers, you must use the same password on each Application server if you want the Agent Auto Upgrade to automatically use the password when upgrading.

  5. You can monitor and review the status of the Upgrade Set and the upgrade status of specific endpoints. (See Agent Auto Upgrade Set Status and Endpoints Upgrade Status.)

If you have more than one Application Server, before using the Agent Auto Upgrade, you should configure the load balancer by updating the Application Servers Load balancer address. For information about configuring the load balancer, see Securing the Load Balancer.

Related Topics:

Installing the Updater for Agent Auto Upgrade

Endpoints Upgrade Status

Creating Upgrade Sets

version 7.12.2