Best practices for upgrading to Symantec Endpoint Protection 12.1.2

Article:TECH163700  |  Created: 2011-06-30  |  Updated: 2013-01-02  |  Article URL http://www.symantec.com/docs/TECH163700
Article Type
Technical Solution

Product(s)

Languages

Problem




You plan to upgrade to the latest version of Symantec Endpoint Protection (SEP). The latest version is 12.1.2 (RU2).

 


Solution



The following resources will help you plan and perform an optimal upgrade from previous versions of Symantec Endpoint Protection (SEP) to the current version, while following the recommended best practices and being aware of any potential issues and risks.

 

Benefits of upgrading to the latest version, 12.1.2

Added security over SEP 11

Symantec Endpoint Protection 12.1 provides improved security over Symantec Endpoint Protection 11, including the following enhanced features:

  • Enhanced Client IPS

  • Added Browser IPS

  • Tamper Protection protects against registry, file system and process tampering

  • SONAR realtime behavioral analysis engine protects against new and emerging threats

  • Insight reputation lookup technology

  • Application and Device Control protects more platforms

Increased performance

ScanLess Technology reduces scan overhead on the endpoint by as much as 70% from SEP 11.

Virtualization improvements

Symantec Endpoint Protection includes the following virtualization improvements:

  • A VMware vShield-enabled Shared Insight Cache. Delivered in a Security Virtual Appliance, you can deploy the vShield-enabled Shared Insight Cache into a VMware infrastructure on each host. The vShield-enabled Shared Insight Cache makes file scanning more efficient. You can monitor the Security Virtual Appliance and client status in Symantec Endpoint Protection Manager.

  • For managing Guest Virtual Machines (GVMs) in non-persistent virtual desktop infrastructures:

    • Symantec Endpoint Protection Manager includes a new option to configure the aging period for offline non-persistent GVMs. Symantec Endpoint Protection Manager removes the non-persistent GVM clients that have been offline longer than the specified time period.

    • Symantec Endpoint Protection clients now have a configuration setting to indicate that they are non-persistent GVMs. You can filter out the offline non-persistent GVMs in the Clients tab view in Symantec Endpoint Protection Manager.

Additional platform support

  • Operating system support
    Symantec Endpoint Protection Manager (SEPM) 12.1 RU2 can now be installed on Windows 8 and Windows Server 2012. The SEP client can now be installed on Windows 8 and Windows Server 2012, as well as Mac OS X 10.8 Mountain Lion and Mac OS X case-sensitive formatted volumes.

  • Browser support
    Symantec Endpoint Protection Manager now supports Microsoft Internet Explorer 10 and Google Chrome through 22.0.1299.79.

 

 

Important information for the latest version

System requirements and Release notes

Please review carefully prior to upgrading:

Upgrade paths and exceptions

Ensure that the version you currently have installed can be upgraded to the new version.

  • Any version of Symantec Endpoint Protection 11.x, 12.0.x, or 12.1.x can be upgraded to 12.1 RU2 Enterprise Edition.

  • Enterprise editions of SEP 11.x or 12.1.x cannot be upgraded to 12.1 RU2 Small Business Edition.

For more information, read the article Supported upgrade paths to Symantec Endpoint Protection 12.1.2.

  

Things to know before getting started

 

Before you upgrade, use the Symantec Help diagnostic tool to determine whether your computers meet minimum system requirements.

You should take the following product-specific suggestions and recommendations under consideration, as well as performing routine maintenance on the computers you wish to upgrade. Maintenance may include disk error checks, defragmentation of the hard drive, or other routine health checks.Here are the recommended methods for uninstalling the Symantec Endpoint Protection client.
 

Insufficient disk space

Ensure that there is enough disk space to perform the upgrade. For a successful SEPM upgrade, you should have approximately three times the size of the database free. For the free space required for the SEP client, consult the System Requirements.

Proxy servers

Ensure that you have made the proper exclusions to your peripheral firewall or proxy to ensure successful communication with all Symantec servers.

Scanning exclusions

You may need to create additional scanning exclusions before you deploy the client upgrade. 

Administering 11.x clients

A Symantec Endpoint Protection Manager (SEPM) with version 12.1 can successfully deploy, administer, and update SEP 11.x clients. A common reason to maintain SEP 11.x clients in a SEP 12.1 environment is because of computers with Windows 2000 or Mac OS X 10.4 installed to them. These legacy operating systems are not supported on any installation of SEP 12.1.

It is recommended that all clients that can be upgraded, should be upgraded so that you can take advantage of the newest protection technologies available in the latest version(s) of Symantec Endpoint Protection. Technologies such as: Browser Intrusion Prevention, SONAR, Insight Lookup, SymProtect, Install on Reboot, ScanLess, Shared Insight, 64-bit Application and Device Control, and much more!

Supplemental Migration Documentation

If you need more detailed information on migrating to specific versions of the 12.1 product line, please see the documents listed below:

 

 

Best Practices

As a best practice, you should always back up the Symantec Endpoint Protection Manager database prior to an upgrade.

AutoUpgrade

In the enterprise version, you can use Upgrade Clients with Package to upgrade existing clients: 

However, the following cautions apply:

  • If you upgrade from 11.x and use Application and Device Control, you must disable the Application Control rule "Protect client files and registry keys." After the clients receive the new policy, you may upgrade using AutoUpgrade.

  • Due to possible bandwidth concerns, it is best to schedule AutoUpgrade for after hours. You can also stage and select a package on a web server when you run Upgrade Clients with Package, or you can use an alternate method to deploy the upgrade package.

AutoUpgrade is enabled by default for SEP SBE, but you can disable it. Go to the Computers page in the management console, right-click your Group, select Properties, and then click Disable Automatic Client Package Updates.

Fresh install of SEPM 12.1

There are some instances in which you want to start fresh with a new install of the SEPM 12.1 on a new server, for example. If you choose this route with a fresh installation of SEPM 12.1.2, you can use the Communication Update Package to connect existing clients, both 11.x and 12.1, to the new SEPM. You can deploy the Communication Update Package the same way you deploy the client: Home > Common Tasks > Install protection client to computers. After they are connected, you can install the SEP client using AutoUpgrade.

To connect existing clients to a new SEPM without sending a full installation package, read the document Restoring client-server communications by using a client installation package.

Versions prior to 12.1.2 require that you use the Sylink Replacer appropriate for the client version (11.x or 12.1). You can obtain Sylink Replacer via Support.

Virtualization

In Enterprise Edition, you can use the Symantec Endpoint Protection clients to protect virtual instances of the supported operating systems. You can install and manage Symantec Endpoint Protection Manager on virtual instances of the supported operating systems.

Best practices for virtualization in Symantec Endpoint Protection 12.1 RU2

Disaster Recovery preparation

Prior to beginning your upgrade, ensure that you have backed up your current SEPM installation using disaster recovery preparation techniques. That way, if the upgrade fails, you can more quickly restore your SEPM to functionality.

The disaster recovery process is slightly different for 11.x and 12.1.x, so be sure to use the correct document for the version you are using. Also, to recover your installation after a failure, due to database schema and other changes, you must reinstall using the exact version you were using previously.

 

FAQs

Q: Where do I get Symantec Endpoint Protection version 12.1.2?

A: You can use your serial number to download it from FileConnect. You get your serial number, which begins with an M, with your licensing information.

If you cannot find your serial number, contact Customer Support Assistance at the regional number on the following web page:

 

Q: How do I upgrade or activate my license?

A: The process is the same for all licenses you receive with SEP 12.1.x. For a walkthrough, read the document Activating your new or renewed Symantec Endpoint Protection 12.1 product license.

To view the video walkthrough:

  1. Go to http://go.symantec.com/education_septc.
  2. On the linked page, click Symantec Endpoint Protection 12.1.
  3. On the expanded list, click Symantec Endpoint Protection 12.1: How to Activate the License.

 

Q: What are the upgrade methods? When should each method be used?

A: There are many methods available to upgrade your clients. The first thing to do is to ensure that the Steps to prepare computers to install Symantec Endpoint Protection 12.1 client document has been reviewed. Next is to decide which method is most appropriate for your situation. Every situation is different, so Symantec provides many different methods for accomplishing this goal:

  • AutoUpgrade: Assign client packages to groups in the manager console, either manually or by using the Upgrade Clients with Package wizard.
    For the Small Business Edition, automatic upgrade is enabled by default. To disable it, go to the Computers page in the management console, right-click your Group, select Properties, and then check Disable Automatic Client Package Updates.
  • Permit product updates in your LiveUpdate Settings policy for a client group in the manager console (enterprise version only).
  • Local installation from product disc or installation media.
  • Run the Client Deployment Wizard from the manager console. It will walk you through the creation of a client package that can be deployed via a web link and email, remote push, or saved for later local installation. In the enterprise version, you also have the option to deploy using third-party tools.

 

Q: What's the recommended migration order? What do I migrate first in my environment?

A: The recommended order is to upgrade all Symantec Endpoint Protection Managers, Group Update Providers, and then the remaining clients as needed.

 

Q: How do I upgrade from Symantec AntiVirus 10.x?

A: For complete instructions, read the document Migrating from Symantec AntiVirus or Symantec Client Security to Symantec Endpoint Protection 12.1 or later.

 

Q: What's new in the latest version? How do old features map to new features? 

A: You can familiarize yourself with all the newest features and information using the documents below:

 

Q: Can I continue to manage Windows 2000 and Symantec Endpoint Protection 11.x clients?

A: Yes, you can. Please see the Administering 11.x Clients section in the table above for more information.

 

Q: How can I generate a list of SEP versions installed in my environment?

A: You can generate this list using Reports.

 

Related Articles




Article URL http://www.symantec.com/docs/TECH163700


Terms of use for this information are found in Legal Notices

Please Sign In

Login using SymAccount.

Knowledge Base Search

Knowledge Base Search

Rate this Article

Help us improve your support experience.

MySymantec

MySymantec

Contacting Support

Contacting Support