General information for upgrading from Symantec Enterprise Protection 5.1 to Symantec Endpoint Protection 11.0

Article:TECH92396  |  Created: 2009-01-16  |  Updated: 2010-08-16  |  Article URL http://www.symantec.com/docs/TECH92396
Article Type
Technical Solution


Solution



The information below is taken from the Symantec Endpoint Protection 11.0 installation_guide.pdf.

About migrating to Symantec Endpoint Protection 11.x

You can migrate Symantec Sygate Enterprise Protection 5.1 and later and Symantec Network Access Control 5.1 and later to Symantec Endpoint Protection 11.x. No other legacy Sygate software is supported for this migration. To migrate older legacy Sygate software versions, you must first migrate them to Symantec Sygate Enterprise Protection 5.1.

Warning: When you migrate from version 5.1, you must select the option "Store client packages unzipped to provide better network performance for upgrades" for the upgrade to complete successfully.

About migrating Symantec Sygate server and management software

To migrate from a Sygate server to Symantec Endpoint Protection, install Symantec Endpoint Protection Manager and management console for Symantec Endpoint Protection 11.x.

The legacy server and management software that you can migrate consists of the following products:

  • Symantec Sygate Enterprise Protection 5.1 management server, console, and database
    The server components are called Symantec Policy Manager and Symantec Policy Management Console.
  • Symantec Network Access Control 5.1 management server, console, and database
    The server components are also called Symantec Policy Manager and Symantec Policy Management Console.


The legacy product Symantec Sygate Enterprise Protection 5.1 includes all of the functionality that the legacy product Symantec Network Access Control 5.1 provides. The functionality subset that Symantec Network Access Control provides is Host Integrity Policies and Enforcer capabilities.

Note: Time stamp values in Host Integrity Policies may not properly migrate. After the migration, you must inspect all Host Integrity settings that are configured for time values and change them if necessary.

Symantec Endpoint Protection 11.x is similar to Symantec Sygate Enterprise Protection 5.1 with one exception. The exception is that Symantec Endpoint Protection does not include Host Integrity or Enforcer capabilities. If you migrate version 5.1 servers that provide Host Integrity or Enforcer capabilities, you must also purchase and install the Symantec Endpoint Protection Manager for Symantec Network Access Control 11.x. Install the Symantec Endpoint Protection Manager on the migrated servers to regain access to that functionality.

Note: Server migration migrates all existing policies and settings that are configured for the servers and site.

Supported server migration paths

The following software is supported for migration to Symantec Endpoint Protection Manager and Management Console for Symantec Endpoint Protection:

  • Symantec Policy Manager and Management Console 5.1
    To gain access to the Host Integrity and Enforcer features, you must also install Symantec Endpoint Protection Manager for Symantec Network Access Control 11.x.
    If you migrate from Symantec Policy Manager 5.1 MR7 or MR8, AntiVirus policies are removed and not migrated.
  • Symantec Network Access Control Manager and Console 5.1
    You can migrate this software to Symantec Endpoint Protection 11.x. However, to gain access to the legacy Host Integrity and Enforcer features, you must also install the Symantec Endpoint Protection Manager for Symantec Network Access Control 11.x.


Unsupported server migration paths
Symantec Endpoint Protection Manager for Symantec Endpoint Protection migration is blocked when any of the following software is detected:

  • Sygate Policy Manager 5.0
  • Sygate Management Server 3.x and 4.x
  • Whole Security Management Server, all versions


Before you can install Symantec Endpoint Protection Manager for Symantec Endpoint Protection, you must uninstall this software.

Note: If you try to migrate Symantec Endpoint Protection Manager 5.1, and if any of the unsupported software is detected, the migration is also blocked.

About migrating legacy Symantec Sygate client software

The migration goal is to install Symantec Endpoint Protection 11.x.

The legacy agent software that you can migrate consists of the following two products:

  • Symantec Protection Agent 5.1
  • Symantec Enforcement Agent 5.1


Symantec Protection Agent includes all of the functionality that Symantec Enforcement Agent provides. The Symantec Enforcement Agent includes Host Integrity only.

When you migrate the clients that run Symantec Protection Agent or Symantec Enforcement Agent, install Symantec Endpoint Protection to complete the migration.

The Symantec Endpoint Protection 11.x client software includes all functionality that the Symantec Protection Agent and Symantec Enforcement Agent provide and more. If you have Sygate Protection Agents that provide Host Integrity, you do not need to also install the Symantec Endpoint Protection 11.x client on those computers. You do, however, need to install the Symantec Endpoint Protection Manager for Symantec Network Access Control 11.x on the management servers to regain access to that client functionality.

Note: Agent migration migrates all existing settings that are configured for the clients if you export the client installation package for your existing groups. You can then perform automatic upgrades for the clients that belong to those groups.

Supported client migration paths

The following software is supported for migration to Symantec Endpoint Protection:

  • Symantec Protection Agent 5.1
  • Symantec Protection Agent 5.1 with Symantec AntiVirus 9.x and greater
  • Symantec Protection Agent 5.1 with Symantec Client Security 2.x and greater
  • Symantec Enforcement Agent 5.1
  • Symantec Enforcement Agent 5.1 with Symantec AntiVirus 9.x and greater
  • Symantec Enforcement Agent 5.1 with Symantec Client Security 2.x and greater


Unsupported client migration paths

Symantec Endpoint Protection 11.x client migration is blocked when any of the following software is detected:

  • Sygate Protection Agent 5.0
  • Sygate Enforcement Agent 5.0
  • Sygate Security Agent 3.x and 4.x
  • Whole Security Confidence Online Enterprise Edition, all versions
  • Symantec Protection Agent 5.1 and Symantec AntiVirus 7.x and 8.x
  • Symantec Protection Agent 5.1 and Symantec Client Security 1.x
  • Symantec Enforcement Agent 5.1 and Symantec AntiVirus 7.x and 8.x
  • Symantec Enforcement Agent 5.1 and Symantec Client Security 1.x


About migrating to Symantec Network Access Control 11.x

You can migrate Symantec Network Access Control 5.1 to Symantec Network Access Control 11.x. No other legacy Sygate software is supported for this migration. To migrate other versions, first migrate them to Symantec Sygate Enterprise Protection 5.1.

About migrating legacy Symantec Sygate server software

Symantec Network Access Control Manager and Management Console 5.1 is the only software that is supported for migration to Symantec Endpoint Protection Manager and Management Console for Symantec Network Access Control 11.x.

Symantec Endpoint Protection Manager for Symantec Network Access Control migration is blocked when any of the following software is detected:

  • Sygate Policy Manager 5.0
  • Sygate Management Server 3.x and 4.x
  • Whole Security Management Server, all versions


About migrating legacy Symantec Sygate client software

Symantec Enforcement Agent 5.1 is the only software that is supported for migration to Symantec Network Access Control 11.x.

Note: Agent migration migrates all existing settings that are configured for the clients as long as you export the client installation package for your existing groups. Then you perform an automatic upgrade for those groups.

Symantec Network Access Control 11.x client migration is blocked when any of the following software is detected:

  • Sygate Enforcement Agent 5.0
  • Sygate Protection Agent 5.0 and greater
  • Sygate Security Agent 3.x and 4.x
  • Whole Security Confidence Online Enterprise Edition, all versions
  • Symantec Enforcement Agent 5.1 and Symantec AntiVirus all versions
  • Symantec Enforcement Agent 5.1 and Symantec Client Security all versions
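
A pre-migration check over a software inventory, written as an added example (not Symantec tooling and not code from the installation guide): it applies the supported and blocked client combinations listed above for both the Symantec Endpoint Protection 11.x and Symantec Network Access Control 11.x targets, so blocked hosts can be found before AutoUpgrade is scheduled. The product-name strings, hostnames and the `check_host` / `report` helpers are assumptions for illustration.

```python
# Added example. Rules are transcribed from the client migration lists in this
# article; the exact product-name strings in a real inventory are an assumption.
MIGRATABLE = {"SEP": {"Symantec Protection Agent", "Symantec Enforcement Agent"},
              "SNAC": {"Symantec Enforcement Agent"}}
# SEP 11.x path: (major versions that block, minimum supported major version).
AV_RULES = {"Symantec AntiVirus": ({7, 8}, 9),
            "Symantec Client Security": ({1}, 2)}

def ver(v):
    """'5.1.5' -> (5, 1); a bare '9' -> (9, 0)."""
    parts = (v.split(".") + ["0"])[:2]
    return int(parts[0]), int(parts[1])

def check_host(installed, target):
    """installed: [(product, version)]; target: 'SEP' or 'SNAC'.
    Returns (status, blockers); status is blocked, supported or unlisted."""
    blockers, unlisted = [], False
    agent = any(n in MIGRATABLE[target] and ver(v) == (5, 1) for n, v in installed)
    for name, v in installed:
        mm = ver(v)
        if name == "Whole Security Confidence Online Enterprise Edition":
            blockers.append(name)
        elif name == "Sygate Security Agent" and mm[0] in (3, 4):
            blockers.append(f"{name} {v}")
        elif name in ("Sygate Protection Agent", "Sygate Enforcement Agent") and mm == (5, 0):
            blockers.append(f"{name} {v}")
        elif name == "Sygate Protection Agent" and target == "SNAC" and mm > (5, 0):
            blockers.append(f"{name} {v}")   # "5.0 and greater" on the SNAC list
        elif name in AV_RULES and agent:
            blocked_majors, min_ok = AV_RULES[name]
            if target == "SNAC" or mm[0] in blocked_majors:
                blockers.append(f"{name} {v} with a 5.1 agent")
            elif mm[0] < min_ok:
                unlisted = True   # combination appears in neither list
    if blockers:
        return "blocked", blockers
    return ("supported" if agent and not unlisted else "unlisted"), []

# Constructed inventory (hypothetical hosts), not data from the article.
INVENTORY = {
    "ws-01": [("Symantec Protection Agent", "5.1"), ("Symantec AntiVirus", "10.1")],
    "ws-02": [("Symantec Protection Agent", "5.1"), ("Symantec AntiVirus", "8.1")],
    "ws-03": [("Sygate Security Agent", "4.1")],
    "ws-04": [("Symantec Enforcement Agent", "5.1")],
}

def report(target):
    """Map each constructed host to its status for the given migration target."""
    return {h: check_host(sw, target)[0] for h, sw in INVENTORY.items()}
```

A status of `unlisted` means the combination appears in neither the supported nor the blocked list, so it should be tested in a pilot group before rollout.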


About Enforcer upgrades
Symantec Endpoint Protection Manager supports Symantec Gateway, DHCP, and LAN Enforcers that run on version 6100 hardware appliances only. These appliances support software versions 5.1, 5.1.5, and 11.x. Symantec Endpoint Protection Manager supports software versions 5.1.5 and 11.x only. Symantec Endpoint Protection Manager does not support software version 5.1. Earlier versions of Symantec Enforcer that were provided as software only are also not supported.

If your 6100 Enforcer appliance is running software version 5.1, you must upgrade the software image to version 5.1.5 or 11.x. Symantec recommends that you flash the legacy software image to version 11.x to use the latest version. All Enforcer settings are stored in Symantec Endpoint Protection Server, so Enforcer settings are migrated during server migration.

Server migration scenarios

Please see the following knowledge base document for server migration scenarios: Migrating the Symantec Enterprise Protection 5.1 Server to Symantec Endpoint Protection 11.0

About console user interface and functionality changes post migration

The following user interface changes appear after migration:

  • The Start Program menu for Symantec Policy Manager is changed to Symantec Endpoint Protection Manager Console.
  • The installation directory and service name retain the legacy name of Symantec Policy Manager and are not renamed.
  • Legacy OS Protection Policies appear as Hardware Device Protection policies.
  • Several new policy types are available for LiveUpdate Settings, AntiVirus and Antispyware, and so forth. You cannot use the new policies until you migrate your clients.
  • Legacy client installation packages are removed from the database so that they do not appear in the migrated console. However, these packages remain in your legacy package directory. You should export your new client installation packages to a different directory.
  • Report Scheduler is now available from the Reports tab instead of the legacy Server Site Properties dialog box.
  • License Management has been deprecated and is no longer required.
  • Package management is now available from the Servers pane instead of the legacy Client Manager pane.
  • Policy Library components such as Management Server Lists and Network Services are now available on the Policies pane, under the lists of Policies and are identified as Policy Components.
  • The Servers and Administrators tab functionality has been consolidated into the Admin pane.
  • The server migration purges all client installation packages from the database.
    These packages are no longer supported and package removal does not affect the connected clients. This prevents new deployments of the legacy client packages.


Migrating remote management consoles

You migrate legacy remote management consoles by installing the latest remote management consoles on the computers that run the legacy consoles. The legacy Symantec Policy Manager icons and Program start menu are not migrated. When you click the icon or the menu item, however, they display the new Symantec Endpoint Protection Manager logon prompt.

When a legacy remote management console was installed, Sun Java 1.4 runtime may have been installed on the computer if it was not already installed. This new version of the remote management console downloads and installs Sun Java 1.5 to the remote computer. If you do not need Sun Java 1.4 runtime for any other applications, you can remove it with the Windows Add/Remove program utility.

To migrate remote management consoles
 

  1. On the computer on which to install the management console, start a Web browser.
  2. In the URL box, type one of the following identifiers for the computer that runs the policy manager:
    • http://computer_name:9090
    • http://computer_IP_address:9090
    The default port number for the Web console port is 9090. If you specified a different port during installation, replace 9090 with the port that you specified. You can change the port number by using the Management Server Configuration Wizard.
  3. In the Symantec Policy Management Console window, click Here to download and install JRE 1.5.
  4. Respond to and follow the prompts and log on to the Symantec Endpoint Protection Manager Console.


About configuring migrated and new policies

If you migrated to Symantec Endpoint Protection, the migrated Firewall and Intrusion Prevention Policies contain your legacy settings. There are also additional Symantec Endpoint Protection default policies assigned. You should review the new policies to determine if the settings are appropriate for your environment. If you want to modify the settings, make any changes that affect your groups before you migrate legacy clients.

For example, if you decide to add Antivirus and Antispyware Protection to your clients during migration, you should become familiar with the Antivirus and Antispyware Policy settings. LiveUpdate Settings and LiveUpdate Content Policies affect both Symantec Endpoint Protection and Symantec Network Access Control. As a result, you should become very familiar with these policies and how they affect your groups and locations before client migration.

For more information about policies, see the Administration Guide for Symantec Endpoint Protection and Symantec Network Access Control.

About removing the client password protections from group settings

Group settings are migrated and include the group client password protection settings. If you have group settings that enable one or more passwords such as for uninstallation, client migration fails for certain MR releases. As a best practice, you must disable these passwords in your migrated groups with the Symantec Endpoint Protection Manager Console before you migrate legacy client software.
The password protection settings appear in the General Settings for each group.
You can turn on these passwords after migration.

Warning: If you do not disable the uninstallation password, you may have to enter this password on each client computer. If you deploy to 100 or more clients, you may have to email the password to end users.

Migrating legacy Symantec Sygate client software

The easiest way to migrate both Symantec Protection Agent and Symantec Enforcement Agent software is by using the AutoUpgrade feature. All other client software deployment methods are supported, but the AutoUpgrade approach is the easiest way. The migration can take up to 30 minutes. Therefore, you should migrate when most users are logged off of their computers.

Note: You must test this migration approach before you roll out the migration to a large number of computers. You can create a new group and place a small number of client computers in that group.

To migrate legacy Symantec Sygate client software
 

  1. Log on to the newly migrated Symantec Endpoint Protection Manager Console if you are not logged on.
  2. Click Admin > Install Packages.
  3. In the lower-left pane, under Tasks, click Upgrade Groups with Package.
  4. In the Welcome to the Upgrade Groups Wizard panel, click Next.
  5. In the Select Client Install Package panel, in the Select the new client installation package drop-down menu, do one of the following actions:
    • Click Symantec Endpoint Protection <appropriate version>.
    • Click Symantec Network Access Control <appropriate version>.
  6. In the Specify Groups panel, check one or more groups that contain the client computers that you want to migrate, and then click Next.
  7. In the Package Upgrade Settings panel, check Download from the management server.
    • You can optionally stage and select a package on a Web server.
  8. Click Upgrade Settings.
  9. In the Add Client Install Package dialog box, do the following actions:
    • On the General tab, specify a schedule for when to migrate the client computers.
    • On the Notification tab, specify a message to display to users during the upgrade.
    • For details about settings on these tabs, click Help.
  10. Click OK.
  11. In the Package Upgrade Settings panel, click Next.
  12. In the Completing the Client Upgrade Wizard panel, click Finish.





 



Legacy ID



2009021610411748

