Preparing for and Recovering from Disaster with Symantec Endpoint Protection

Article:TECH105658  |  Created: 2008-01-19  |  Updated: 2011-06-03  |  Article URL http://www.symantec.com/docs/TECH105658
Article Type
Technical Solution


Environment

Issue



What steps should I take to prepare for a hardware or software disaster on the Symantec Endpoint Protection Manager (SEPM)? How do I recover the SEPM from a hardware or software disaster after following these steps?

 


Solution



    Disaster Preparation

    Be sure to back up your database on a regular basis, preferably weekly, and store the backups off site.

    Backups in the default location may be lost when the manager is uninstalled.


    Database backups are located in:

    \Program Files\ Symantec\Symantec Endpoint Protection Manager\data\backup
     

    Warning: When moving the database file to another location, assure the integrity of the copied archive. If the archive is corrupted it will not be possible to restore the database!

    Note: Backups created using the built-in backup utility that are larger than (or that result in a zip file that is) 4 GBs will appear corrupt or invalid to third party zip utilities.


    Create new JavaKeystore backup

    In the SEPM console, under admin and then servers.
    Click on the local site, and then manage server certificate.
    Choose Backup Certificate

    Copy or move the following to another folder:
    For purposes of this document, we will use a target folder named C:\SymBAK

    × The database backup, named <Date>_<Timestamp>.zip (such as 2008-Aug_19-10-27-33-AM.zip)
    × The folder \Program Files\Symantec\Symantec Endpoint Protection Manager\Server PrivateKey Backup



    Create a new text file and save it to C:\SymBAK – we will call it SEPM_Backup.txt

    × Open the \Program Files\Symantec\Symantec Endpoint Protection Manager\Server PrivateKey Backup\server_timestamp.xml file
    × Copy/paste the password string that looks like keystorePass="WjCUZx7kmX$qA1u1" (without the quotations)




    Copy/Paste the Domain ID into the text file

    Go to > Admin > Domains > The Domain ID displays in the main screen; Ctrl-C to copy.

    Paste the Domain ID into the text file, along with identifying information. For example:
    Domain Name – Default
    Domain ID 653769769B408C7D016D756EF6240C2C

    Domain Name – New York
    Domain ID 668942569B408F3E016D756EE6791C4C

    Later, you must enter the identical key if you do not have a database backup to restore.
    It is not required if you have a back up, but it is a best practice.


    Gather additional information about your environment

    Gather the following information about the SEPM and enter it into the SEPM_Backup.txt file:
     

    • Encryption password (set during installation of the SEPM)
    • IP address
    • Host name
    • Site name
    • Website name (if running on a custom website)
    • Website port (if running on a custom port)
    • Database type
    • Database name (sem5 by default)
    • Database account name (sa for SQL, DBA for embedded)
    • Database account password

    If you have a catastrophic hardware failure, the new hardware on which you reinstall the SEPM must have the same IP address and host name as the failed machine.

    Save and close the text file, as it now contains the essential information required for disaster recovery.

    Copy these files to removable media and store in a safe place.


    Depending on database type (SQL or Embedded), your text file should look like:

 

--------------------------------------------------------------------------------------------------



Disaster Recovery

Disaster recovery process requires sequentially completing the following:
 

  1. Reinstall the Symantec Endpoint Protection Manager
  2. Restore the server certificate
  3. Restore client communications


 

  • Prepare for SEPM recovery

Recover the files that were secured in preparation.

If you had a catastrophic hardware failure and had to rebuild the computer, you must assign the original IP address and host name.
This information will be in the SEPM_Backup.txt file.

 

  • Reinstalling the Symantec Endpoint Protection Manager


During the installation, in the Welcome panel, check Install my first site,
Continue until prompted for the pre-shared key.
In the Site Information panel > Encryption Password boxes, enter the <password name> contained in the SEPM_Backup.txt file.


Note: If you are restoring without a backed up database, your restoration will fail if you do not enter the password correctly.


Continue with the installation, creating the same type of database as the previous installation when prompted.


Continue until the "Management Server Installation Wizard - Configuration Completed" panel appears.

When complete, do not run the Migration and Deployment wizard.

 

  • Restoring the server certificate


The server certificate is a Java keystore, containing the public certificate and the private-public key pairs.
You must enter the password that is contained in the SEPM_Backup.txt file.


Log on to the Console
Go to > Admin > Servers > Local Site >
Expand Local Site and Select the Computer Name that identifies the site
Under “Tasks,” Click Manage Server Certificate > Next

In the "Manage Server Certificate” panel, check Update the Server Certificate > Next.

In the "Specify server certificate type" panel, check JKS keystore > Next


Note: If you have implemented one of the other certificate types, select the one that applies.


Browse to your backed up keystore_<timestamp>.jks keystore file > OK


Copy/Paste the keystore password into the Keystore and Key boxes. (Use Ctrl-V)


Click Next > Finish


If you receive an error message indicating an invalid keystore file, you may have entered invalid passwords.
Retry the password copy/paste.

Exit the Console


To restore the certificate, go to Services in Administrative Tools and Restart the Symantec Endpoint Protection Manager service.



--------------------------------------------------------------------------------------------------



Restoring client communications

Restoring client communications depends on whether or not you have a database backup.

If you have a database backup, you can restore this database and then resume client communications.
The advantage to having a database backup is that clients reappear in their groups, and are subject to the original policies.

Without a database backup, you can still restore communication with clients, but they appear in the Temporary group.
You must then recreate your client group(s) and custom policies.



Restoring client communications with a database backup


Go to Services in Administrative Tools and Stop the Symantec Endpoint Protection Manager service.

Create the directory:
\Program Files\Symantec\Symantec Endpoint Protection Manager\data\backup

Copy your database backup file into this directory.


Go to your Start menu > Programs > Symantec Endpoint Protection Manager > Database Back Up and Restore.

Click Restore > Select the time stamped backup > OK.
Restore time varies, depending on the size of your database.

When complete, OK and Exit.




Reconfigure the Management Server


Go to your Start menu > Programs > Symantec Endpoint Protection Manager > Management Server Configuration Wizard


Welcome Screen > Check Reconfigure the Management Server > Next

Use the existing ports for the installation and enter the database password when prompted.

Configuration takes a few minutes.

When completed, click Finish.

Log on to the Symantec Endpoint Protection Manager Console.

In the Clients Tab, Right-click your Groups > Run Command on Group > Update Content.

If the clients do not respond after about one half hour, restart the clients.




Restoring client communications without a database backup

For each Endpoint Protection domain, you must create a new domain and insert the same domain ID into the database.
Best practice is to create a domain with a name identical to the previous name.

The Default domain is the System domain.
To recreate the Default domain, Add a new Domain and append some value to the name.
For example, Default_02. After restoring the domains, you can delete the old Default Domain, and rename the new one to Default.


Log on to the Symantec Endpoint Protection Manager Console

Go to > Admin > Domains > Add Domain > Enter the Domain Name

Click Advanced > Copy/Paste the Domain ID from the SEPM_Backup.txt file > OK

Repeat these steps for each domain to recover.



If you use only one domain:

× Administer the newly created Default_02 domain.
× Delete the unused Default Domain
× Rename the new domain to Default



Restart all client computers; they will appear in the Temporary group.


References
To re-connect to an existing SQL database while restoring your #1 SEPM see the following document:

http://service1.symantec.com/support/ent-security.nsf/docid/2010063009544748
Disaster/Recovery- How to rebuild and restore your #1 Symantec Endpoint Protection Manager and re-connect it to your existing SQL database


Technical Information
The information above references information covered in the Installation Guide


    provided under the Documentation folder on CD1 (installation_guide.pdf)


    The keystore file

    The keystore file name is keystore_<timestamp>.jks.
    The keystore contains the private/public key pair and the self-signed certificate.
    The server.xml file name is server_<timestamp>.xml.

    The server certificate is a Java keystore, containing the public certificate and private-public key pairs.
    This password is also in the original server_<timestamp>.xml file.

    During installation, these files are backed up to the directory named:
    \\Program Files\Symantec\Symantec Endpoint Protection Manager\Server PrivateKey Backup

    You can also back up these files from the Admin panel in the Symantec Endpoint Protection Manager Console.


    The password is used for both storepass and keypass.
    Storepass protects the JKS file.
    Keypass protects the private key.
    These passwords restore the certificate



    Domain ID

    Domain IDs are required if you do not have a backup of the database.
    This ID is in the sylink.xml file on the client computers in each domain.
    The string in the sylink.xml file looks like: DomainId="B44AC676C08A165009ED819B746F1".
    You add this ID to a new domain to contain your existing clients.


 




Legacy ID



2008081906512748


Article URL http://www.symantec.com/docs/TECH105658


Terms of use for this information are found in Legal Notices