Migrating to Symantec Client Security 3.1
|Article:TECH101788|||||Created: 2006-01-03|||||Updated: 2007-01-14|||||Article URL http://www.symantec.com/docs/TECH101788|
You need to migrate to Symantec Client Security 3.1
Migrating to Symantec Client Security 3.1 This document discusses migration to Symantec Client Security 3.1 from previous versions of Symantec Client Security, Symantec AntiVirus, or Norton AntiVirus Corporate Edition.
Symantec AntiVirus servers can be upgraded from previous builds of 10.1.x to the latest Maintenance Release (MR) without uninstalling. To prevent problems when migrating from Symantec AntiVirus 10.0.x to the latest build of 10.1.x, Symantec Technical Support recommends that you uninstall any older versions of Symantec AntiVirus software on NetWare platforms. To preserve the PKI certificates if the NetWare server is; the primary server, temporarily promote a secondary server to be the primary server. After the installation, promote the NetWare Server back; as the primary server. This will preserve communication between the Symantec AntiVirus servers and clients for that server group. As a safeguard, this procedure can be done when migrating from Symantec AntiVirus 10.1.x to the latest Maintenance Release; of 10.1.x. To upgrade from Symantec AntiVirus 10.1.x; to the latest; Maintenance Release; of 10.1.x on; NetWare platforms. From the Symantec AntiVirus CD, run Setup.exe to install Symantec AntiVirus to your NetWare server. In the Welcome panel, click. Update Symantec AntiVirus server, and then click Next. In the Select Computers panel, click the NetWare server on the left side and click Add Enter the Username and Password for the Server Group, click and then click Finish.
Before you begin
This section gives the information that you need to know in order to plan the migration. This information includes supported and unsupported migration paths, and factors that can affect the success of the migration.
This document is meant only for migrations in which a previous version of Symantec AntiVirus, Symantec Client Security, or Norton AntiVirus exists on the network or on individual computers. If no previous versions of Symantec antivirus products are already installed, read Symantec Client Security 3.1 installation walk-through for administrators.
Things to know to ensure a successful migration
The following is a list of critical information that you need to know in order for your migration to succeed.
- You cannot change your Symantec Client Security network topology during migration. The current primary server must remain the primary server, and secondary servers must remain secondary. If you want to make changes to the topology, migrate first and then make the changes.
- Before you migrate the primary server of the server group, make sure that the server group password contains six or more characters. If you need to change the password, allow time for all secondary servers in the server group to receive this change before you start the migration.
- The system clocks of all computers must be set to within 24 hours before or after the system time of the primary server. If this time requirement is not met, servers and client communication will fail.
- Symantec AntiVirus 10.1 scans in real time for any security risks that are associated with adware and spyware. This functionality can cause conflicts with similar products from other vendors. Before you install antivirus servers and clients, disable or remove similar products from other vendors, especially those products that scan in real time.
- Any computer that will be managed must be migrated after the computer that manages it. That is, you must migrate the primary server before secondary servers, and any server before a client managed by it.
- Symantec System Center must not run on a computer that runs an older version of Symantec Client Security or Symantec AntiVirus.
- You must restart every server that you migrate.
This section lists the platforms that are supported and unsupported during migration to the current version of Symantec Client Security.
Supported and unsupported platforms
Symantec Client Security can migrate seamlessly over the following products:
- Symantec AntiVirus Corporate Edition 8.0 and later
- Norton AntiVirus Corporate Edition 7.6 and later
- Symantec Client Security, all versions
- Symantec Client Firewall 5.0/5.1/7.1
- By default, when you migrate supported versions of legacy Symantec Client Firewall, the settings and rulebases on the legacy versions are also migrated with one exception. The exception is the intrusion prevention system (IPS) settings. The IPS engine in the new version is different than the engine in the legacy versions.
- Legacy Symantec Client Firewall policy files on new versions of Symantec Client Firewall are not supported. Legacy policy files do not contain all of the new settings.
To learn how to create policy files for Symantec Client Firewall 8.x, read Best practices for creating a Symantec Client Firewall policy file.
- For Symantec AntiVirus Corporate Edition 9.0 and later and Symantec Client Security 2.0 and later, custom installation paths are preserved. For example, if you installed the product in C:\Abc\MyAntiVirus\, the latest product files are instaledl in this folder after migration. For all other versions, the legacy product is uninstalled from custom installation paths, and the latest product is installed in the default installation folder.
Symantec Client Security migration is not supported for the following products:
- Symantec AntiVirus 64-bit client, version 9.0
- Symantec AntiVirus 64-bit client version 10.0 does not support Intel® Itanium® 2 processors, which were supported in version 9.0.
- Symantec Client Firewall Administrator
- Norton AntiVirus
- Norton Internet Security
- Norton Personal Firewall
- Norton SystemWorks
- Symantec Desktop Firewall
- Antivirus products from other vendors
Symantec Client Security migration is not supported for the following Administrator tools:
- Symantec System Center
- Symantec Client Firewall Administrator
- LiveUpdate Administrator
- Quarantine Server and Quarantine Console
You must uninstall previous versions of these tools, and then install the latest version.
The following table gives an overview of the migration process for each component of Symantec Client Security:
|Management servers||When you migrate a server, the installation automatically detects whether the server is primary or secondary, and migrates and configures it appropriately. You cannot designate a new primary server during a migration.|
You do not need to uninstall management servers before you install the new version. The overinstall process saves legacy settings, uninstalls the legacy software, and then installs the latest version. Furthermore, server group settings will be lost if you uninstall migration-supported legacy management servers and clients rather than migrating them.
|Clients||When you migrate a client, the overinstall automatically detects the client, and migrates and installs it appropriately. You do not need to uninstall existing clients before you install the new version.|
|Symantec System Center||You cannot migrate the Symantec System Center console with an overinstall. You must uninstall the legacy version, and then install the new version.|
To upgrade the first instance of Symantec System Center in your network, you must uninstall Symantec System Center, migrate a management server to the current version, and then reinstall Symantec System Center.
|LiveUpdate servers||If you have already set up LiveUpdate FTP servers or UNC paths, you do not need to modify them. They are used in the same way with Symantec Client Security.|
|Quarantine Console or Server||You cannot migrate the Quarantine Console or Server with an overinstall. If either is installed on any server or client that you plan to migrate, uninstall the legacy software first.|
Overview of the migration process
Migration to the current version of Symantec Client Security includes the following steps:
- Create a migration plan
Before you begin to install the Symantec Client Security client, server, and administration upgrades, you should have a solid understanding of your network topology and a streamlined plan to maximize the protection of the resources on your network during the upgrade. Symantec strongly recommends that you migrate the entire network to the current version rather than managing multiple versions of Symantec Client Security.
- Uninstall legacy Quarantine Console, Quarantine Server, and Symantec Client Firewall Administrator
If legacy Quarantine Console, Quarantine Server, or Symantec Client Firewall Administrator is installed on any computer that you plan to migrate, uninstall the legacy software first.
- Uninstall Symantec System Center
The legacy Symantec System Center must be uninstalled before you start the migration.
- Migrate the primary server
Overinstall Symantec Client Security on the primary server, then restart the computer.
- Install the new Symantec System Center
Symantec System Center must be installed in order to complete the server migration.
- Unlock the server group and promote the server to primary
The first authentication steps to take place when you promote the server to primary. This completes the infrastructure needed in order to migrate the rest of the network.
- Back up the server group root certificate
After you unlock the server group for the first time, it is vital to back up the server group root certificate. The backup allows recovery in case of catastrophic failure of the primary server.
- Migrate secondary management servers in the server group
Using the new version of Symantec System Center, you can migrate secondary servers in the unlocked server group.
- Migrate clients in the server group
After all management servers in the server group are migrated, deploy the new version of Symantec Client Security to clients.
- Migrate servers and clients in other server groups
Migrate servers and clients in other server groups by migrating the primary server first, then the secondary servers, and then the clients. You can perform this server migration remotely by using the new version of Symantec System Center.
- Install optional components
If you uninstalled Quarantine Console, Quarantine Server, or Symantec Client Firewall Administrator, install them again. If you want to use Reporting, install it at this time.
Migrating the first server and Symantec System Center
This section describes the migration of the first server and Symantec System Center, and the creation of the platform from which to migrate the rest of the network.
To migrate the first server
- Uninstall the legacy Symantec System Center from any computers that have it installed, and restart those computers.
WARNING: In the next step, do not install the server from the menu that starts automatically, and do not run Setup.exe from the root folder of the CD. Use the Setup.exe file given in the next step to avoid migration problems.
- From the Symantec Client Security CD, go to \Rollout\AVServer\Server\Winnt, and run Setup.exe.
- In the Symantec Client Security panel, click Install Symantec Client Security > Install Symantec Client Security server.
- Click Update, then click Next.
- In Enter Server Group Password panel, accept or change the user name that will be used to administer the existing server group.
- Type the password for the user name you entered, and then click Finish.
If this is a migration from Symantec AntiVirus Corporate Edition 9.x or earlier, this dialog creates a new password.
- When installation completes, restart the server.
To upgrade Symantec System Center
- From the Symantec Client Security CD, run Setup.exe.
- On the Install Symantec AntiVirus menu, click Install Symantec System Center.
- Respond to the prompts until the installation completes.
- Restart the computer.
To unlock the migrated server group
- Start Symantec System Center.
- In the left pane, right-click the migrated server group, and then click Unlock.
- In the Login dialog box, type the user name that you entered when you migrated the primary management server, type the password that you used to unlock the server group in the legacy version of Symantec System Center, and then click OK.
Back up the server group root certificate
This step is quick but vital. You must back up the server group root certificate after you unlock the server group for the first time. Otherwise, the server group and its settings will not be recoverable if the primary management server fails.
To back up the server group root certificate
- In Windows Explorer, open the Symantec Client Security program folder.
- Copy the Pki folder to removable media.
The contents of the Pki folder should be only a few KB in size.
- Store the Pki folder in a safe location.
In the event of a catastrophic server failure, you will need these files to recover client-server communication.
For more information, read Steps to minimize recovery time in the event of a server failure.
Migrating servers and clients
After you migrate the management infrastructure to the current version of Symantec Client Security, migration of the rest of the network is a straightforward task. Any of the various installation methods available will perform the migration. The most common methods are listed here.
Migrating management servers
There are several ways to install the Symantec Client Security server software to supported Windows and NetWare operating systems, including third-party deployment options such as Active Directory. Uninstalling Windows servers is generally not required before you install the Symantec Client Security server software, provided that the server is not damaged.
Before you migrate management servers
No matter which process you follow to migrate servers, read and understand the following information:
- If a legacy instance of the Symantec System Center, Quarantine Console, or Central Quarantine Server runs on a computer that you plan to migrate, uninstall this software before migration.
- Verify that the time clocks on all computers on which to migrate software are within 24 hours plus or minus of the time on the primary management server.
- You must migrate servers in the following order:
- Primary management server
- Secondary management servers
Migrating subsequent servers
After you have migrated your first primary management server in your first migrated server group and accessed the primary management server in the Symantec System Center, you can migrate subsequent primary servers by using the deploy feature from the Symantec Client Security CD or by using the AV Server Rollout feature from the Symantec System Center. If you migrate a primary management server in another server group, migrate that server individually. You can then migrate multiple secondary management servers with deployment, but you must select Upgrade instead of Install.
Note: Do not install multiple management servers in a server group before you install and configure one primary management server in a server group.
To migrate servers using the AV Server Rollout
- In the Symantec System Center, on the Tools menu, click AV Server Rollout.
- In the Welcome panel, select Update, and click Next.
- Add the computers you want to migrate, and click Add, and then type the password for the server group.
- When all the computers you wantto migrate are added, click Finish.
- When the update process is finished, click Close, and restart the computers you migrated.
Migrating on NetWare platforms
To prevent problems when you install Symantec AntiVirus 10.0, Symantec Technical Support recommends that you uninstall any older versions of Symantec antivirus software on NetWare platforms.
To uninstall Symantec AntiVirus on NetWare platforms
- On the servers that you want to migrate that run Symantec AntiVirus on NetWare platforms, unload Symantec AntiVirus from the Symantec AntiVirus console on the server by pressing Alt+F10.
- At the command prompt, type the following command:
load sys:sav\vpstart.nlm /remove
- Remove the Symantec AntiVirus files from the server.
- Use the NetWare Administrator (Nwadmin32.exe or Nwadmn95.exe) to remove the Symantec Client Security server object from the NDS tree.
- Remove the Symantec Client Security load line from Autoexec.ncf, if necessary.
To install Symantec AntiVirus on NetWare platforms
- From the Symantec Client Security CD, run Setup.exe to install Symantec Client Security to your NetWare server.
- In the Welcome panel, click Install Symantec Client Security server, and then click Next.
- In the License Agreement panel, click I agree, and then click Next.
- In the Select Items panel, ensure that Server program is checked, and then click Next.
- In the Select Computers window, double-click NetWare services.
- Browse "Novell directory services" until you are at the SYS: volume object level.
If the Novell Client is not installed on the Windows computer, this option does not appear. You must have the Novell Client installed in order to install a management server to NDS.
- Select the server's SYS: volume object, and then click Add.
You are asked to enter a tree name, user name, and password.
The default user name that is supplied is "Administrator" instead of "Admin." Typically, you must change the name to log in correctly.
For further instructions on finding and selecting the server's SYS volume object, read How to "walk the tree" when installing Symantec AntiVirus Corporate Edition to NetWare servers.
- Click Next.
- In the Server Summary panel, do one of the following:
- To accept the default Symantec Client Security installation path, click Next.
- To change the path, select a computer, and then click Change Destination. In the Change Destination dialog box, select a destination, click OK, and then click Next.
- In the Select Symantec AntiVirus Server Group panel, under Symantec AntiVirus Server Group, type a name for a new server group, and then click Next.
- In the Enter Password for the Server Group panel, type a user name, type and retype a password for the user name, and then click OK.
The user name that you type is the user name that administers the server group.
- In the Server Startup Options panel, click Automatic startup, and then click Next.
- In the Using the Symantec System Center Program panel, click Next.
- In the Setup Summary panel, read the message, and then click Finish.
- In the Setup Progress panel, view the status of the server installation, and then click Close when the installation finishes.
WARNING: Do not skip the next step. If you do, Symantec AntiVirus will not be loaded automatically, and client login installations will fail.
- To complete the installation, at the NetWare console, type the following command to load the Symantec AntiVirus NLMs:
load sys:sav\deploy0\vpstart.nlm /install
There are several ways to install the Symantec Client Security client software. You do not need to uninstall existing clients, provided that the client is not damaged. All of the client installation methods, when used to overinstall supported client software, migrate clients automatically. For a full list of supported installation methods, see "About client installation methods" on page 140 of the Symantec Client Security Installation Guide.
Before you migrate client software
No matter which process you follow to migrate clients, read and understand the following information:
- If a legacy instance of Symantec System Center, Quarantine Console, or Quarantine Server runs on a computer that you plan to migrate, uninstall this software before migration.
- Verify that the time clocks on all computers that you plan to migrate are within 24 hours plus or minus of the time on the primary management server.
- If any of your clients run Windows XP, be sure to disable the firewalls that are included with Windows XP, including Service Pack 1 and Service Pack 2.
- The NT Client Install tool in the Symantec System Center is renamed to ClientRemote Install, and now installs Symantec Client Firewall software as well as Symantec AntiVirus client software.
To migrate clients by using the CD
- From the Symantec Client Security CD, run Setup.exe.
- In the Symantec Client Security panel, click Deploy Symantec Client Security.
- Proceed with the upgrade process.
- Restart the computers if necessary.
To migrate clients by using the Symantec System Center
- In the Symantec System Center console, in the left pane, click System Hierarchy or any object under it.
- On the Tools menu, click ClientRemote Install.
ClientRemote Install is available only if you selected the ClientRemote Install tool when you installed the Symantec System Center. This tool is selected for installation by default.
- Continue the installation until complete.
- Restart the computers if necessary.
Other antivirus product client migrations
Since the Symantec Client Security installation does not recognize the presence of other antivirus products, the products must be removed before the rollout. Symantec Client Security includes the Security Software Uninstaller that can detect and remove versions of antivirus software that are not included in the list of supported migration paths. For more information on using the Security Software Uninstaller, see the documentation that is provided for the tool in the \Tools\UNINSTLL directory on the Symantec Client Security CD.
Install optional components
If you uninstalled Quarantine Console or Quarantine Server, install them again now. For more information, read Setting up Symantec Central Quarantine for Symantec Client Security 3.x or Symantec AntiVirus Corporate Edition 10.x.
If you uninstalled Symantec Client Firewall Administrator, install it again now. For more information, read the section on Symantec Client Firewall Administrator in Chapter 3 of the Symantec Client Security Installation Guide, which is located in the \Docs folder of the installation CD, or online here. To learn how to create policy files for Symantec Client Firewall 8.x, read Best practices for creating a Symantec Client Firewall policy file.
For information on installation and configuration of Reporting, read Chapter 4 of the Installation Guide.
Article URL http://www.symantec.com/docs/TECH101788