Disaster recovery best practices for Symantec Endpoint Protection 12.1

Article:TECH160736  |  Created: 2011-05-24  |  Updated: 2014-12-01  |  Article URL http://www.symantec.com/docs/TECH160736
Article Type
Technical Solution

Issue



You need to prepare for disaster recovery using Symantec Endpoint Protection Manager (SEPM), or recover your SEPM 12.1 environment in the event of a disaster.


Environment



This article applies only to Symantec Endpoint Protection (SEP) 12.1. For SEP 11, read "Disaster recovery best practices for Symantec Endpoint Protection 11.x".


Solution



Prepare for disaster recovery

You can recover from disasters, but first you must prepare for them using SEPM.

Step 1: Back up the database

As a best practice, back up the database at least weekly.

  1. Click Start > Programs > Symantec Endpoint Protection Manager > Database Backup and Restore.
  2. Click Back Up. The database backup file is named date_timestamp.zip and is saved to the following directory:

    Drive:\Program Files\Symantec\Symantec Endpoint Protection Manager\data\backup

    Note: The backup process saves the file to the location of the SEPM installation.
 

Step 2: Back up the disaster recovery file

The disaster recovery file includes the following information:

  • Encryption password
  • Keystore files
  • Default domain ID
  • Certificate files
  • License files
  • Port numbers

After installing the management server, back up the disaster recovery file by copying it to another computer in a secure location. As a best practice, store this backup off-site. See Step 4 for more information.

By default, the recovery file is located in the following directory:

Drive:\Program Files\Symantec\Symantec Endpoint Protection Manager\Server Private Key Backup\recovery_timestamp.zip

  • The recovery file only stores the default domain ID; IDs for all domains (including the default domain) are stored in the database. If you have multiple domains and need to perform a disaster recovery without a database backup, you must re-add additional domains and their IDs after SEPM is re-installed. See Step 3 for instructions.
     
  • If you update the self-signed certificate to a different certificate type, the management server creates a new recovery file. This file will have the latest time stamp.
     
 

Step 3: (Optional) Save the management server information

If you have a hardware failure, you must reinstall the management server using the IP address and host name of the original management server. The host name is case sensitive.

To save the management server information:

  1. Create a text file named SEPBackup.txt.
  2. Add to this file the IP address and host name of the management server.
  3. Add to this file all domain IDs beyond the default domain.

    Note:
    If you have multiple domains and perform a disaster recovery without a database backup, you must recreate additional domains and their IDs after SEPM is re-installed. You can find domain IDs in the SEPM Admin view or in sylink.xml files.
 

Step 4: Store the backup data in a secure location off-site

Copy the files you backed up in the previous steps to another computer in a secure location. As a best practice, you should also store this backup off-site.

Perform disaster recovery

If you have a database backup to restore

To perform disaster recovery, follow these steps in sequential order:

  1. If you had a hardware failure, restore the server hardware using the IP address and host name from SEPBackup.txt (from Step 3).
  2. Reinstall SEPM using a disaster recovery file (from Step 2). When the Management Server Configuration Wizard runs, choose Custom configuration and Use a recovery file.

    Note: For Small Business Edition, if the folder does not exist, create the following folder and place the recovery file there before installation.

    <Install drive>\<Install folder>\Server Private Key Backup

    For example: C:\Program Files\Symantec\Symantec Endpoint Protection Manager\Server Private Key Backup
     
  3. Stop the following services:

    • Symantec Endpoint Protection Manager
    • Symantec Endpoint Protection Manager Webserver
       
  4. Restore the database:

    1. Click Start > Programs > Symantec Endpoint Protection Manager > Database Backup and Restore.
    2. Click Restore.
    3. Follow the on-screen steps to restore the database.

Note: Use the recovery file during the configuration of a new installation. If you use the recovery file to re-configure an existing installation, the SEPM certificate can be restored. However, the existing default domain ID will not change unless you restore a database backup.

Also, if you choose to configure SEPM as a replication partner, the default domain ID in the recovery file will be ignored and SEPM will use the domain ID(s) in the database of its replication partner.

 

If you do NOT have a database backup to restore

You can still perform disaster recovery without a database backup, but the following points apply in this case:

  • All policies must be re-created or imported from other backups (e.g. exported policy files).
  • Clients will be able to communicate with SEPM, but will re-appear in the console only after their next check-in.
  • Clients will reappear in the default group as they check in, unless you enable automatic creation of client groups on the re-installed SEPM by adding the line scm.agent.groupcreation=true to the conf.properties file. This file is located in <drive>\Program Files (or Program Files (x86))\Symantec\Symantec Endpoint Protection Manager\tomcat\etc.
  • If you originally had multiple SEPM domains beyond the default domain, you must re-create them using the domain IDs from SEPBackup.txt.
 

Re-enabling Federal Information Processing Standards (FIPS) 140-2 compliance

If you are using a FIPS-compliant version of Symantec Endpoint Protection and have FIPS compliance enabled, then after recovering SEPM, you must re-enable FIPS compliance.

Note: This setting is not stored in the disaster recovery file.

Disaster recovery differences between SEP 11 and 12.1

Manually compiled recovery data from SEP 11.x is also referred to as a "recovery file", but it is not possible to directly restore SEP 11.x recovery files within SEP 12.1. Instead, you should install SEP 11.x, import the recovery file, and then upgrade to SEP 12.1.

In SEP 12.1, the SEPM automatically generates and saves the following data in one disaster recovery file: encryption password, keystore files, default domain ID, certificate files, license files, and port numbers.

SEP 12.1 can automatically import this file during the disaster recovery process.



