Our Migration to SEP (Union Pacific) - Tell Your Security Story
Over the course of the past year and a half we began a new implementation of Symantec Endpoint Protection across our entire environment. There were some challenges, a few hiccups and ultimately a successful migration. Below you will find the background of the environment we had to migrate, the method of migration we used, the challenges we overcame and finally our approval and enjoyment of all the benefits SEP has given us.
The Background
We work in a rather large company consisting of approximately 18,000 computers (12,000 desktops and 6,000 laptops). All of these machines are distributed across the United States and some in Mexico each connecting via wired LAN, enterprise wireless or VPN through cellular modem. Prior to the SEP migration our security solution was McAfee Enterprise for anti-virus and Sygate Security for our firewall. This solution had, for the most part, served us well but also had some short comings. We had to maintain 2 separate products from 2 separate consoles/manufacturers, we could never seem to get any auto-updates to install successfully with McAfee, were re-wrapping the updates for distribution and we had to look in multiple places for event reporting. We were looking for a product that could not only offer us antivirus, but also a configurable firewall with a strict rule base, all in the same solution. Right about this time, Symantec purchased Sygate and our current license agreement made it a no brainer to start evaluating and ultimately updating our security solution to SEP.
The Planning
Once the decision to switch to SEP was made, we began planning the migration. Many many meetings were held and we involved our data security team (who would own the SEP solution), our packaging team (would be doing packaging, testing and scripting), our client engineering team (would be doing the SEP distribution) and our workstation build team (would be building our new devices). There were multiple items we had to consider, including how we would begin distribution, could our packaging team wrap the SEP install and make it the least intrusive to the user as possible, how would we get to all of our laptops and field locations, and finally, how are we going to uninstall McAfee and Sygate on all of our machines prior to SEP installation? These, and more, were all questions we had to answer and every detail needed to be accounted for. Many of our machines are mission critical and we wanted the least amount of down time and the least amount of user interference possible.
The Strategy
At this point in time, we had just signed a new PC agreement with Dell and were going to also start a new PC upgrade rollout. Also with this new PC agreement, we included a deal to purchase the Altiris Client Management Suite Tier III. We assigned certain members of the above mentioned teams to begin working on the Altiris architecture and rollout, while others continued their focus on the SEP task at hand. Since these rollouts were being handled simultaneously, we would be unable to use all the SEP integration components of the Altiris suite (sad face here). Our current distribution methods included an in-house inventory and distribution solution that worked quite similarly to the SMS or Altiris. An agent was on all of our workstations that would make an HTTP call to send inventory to a web service and check for any tasks it may have based off that inventory. We decided we would figure the best way to use this distribution method for any machines connected via LAN and we would start including SEP in our imaging process for all new builds. This would allow us to get any major LAN connected machines upgraded and gave us a good starting point for our new PC rollout. Any new machine built would have SEP installed and replace a machine (mainly our laptops) that was not regularly connected to the network.
The Challenges/Solutions
As with any new system wide change as big as this, there were going to be many challenges we had to overcome. Our main challenge was how we would get McAfee and Sygate off of the machine, reboot, install SEP, reboot, then validate the install. We had already solved the challenge of our remote locations by including them first in the new PC rollout. So, we were focusing our attention on a package that would be able to take care of our needs. Our packaging team and our client engineering team mapped out a solution to this challenge on paper and began designing the install. The two groups worked together to develop a package and script that would do the following when machine would call in for its tasks:
1. Download the SEP staging script (stub file)
2. Execute the stub file which would:
a. Download the main SEP installation package (rewrapped by our packaging team for silent install)
b. Wait for the user to log off, if not logged off for a certain amount of time, prompt to logoff
c. Upon logoff, take control of the machine
d. Search for and uninstall any McAfee version
e. Search for and uninstall any Sygate version
f. Reboot the machine and auto login
g. Remove user control and give an update screen showing status
h. Install SEP, reboot
i. Validate installation and report back
The Success
This process was not complete without failure, however it did work out great and we had a very low failure rate. With the above script sending updates via HTTP with each step, and documenting any failure points, we were able to have a LAN administrator fix any issues almost immediately. We also dedicated a select few LAN administrators to just take SEP calls and monitor the logs for any failures. We scaled this back after finding that we were not getting as many failures as we thought we may get. The computers that were part of the PC replacement had no problems at all, coming straight from our build facility to the end user with a completely protected machine. Once the SEP rollout was started, we were completely a SEP security shop in about 6 months.
The Satisfaction
Needless to say, all of the teams that worked on this migration were excited to see it work so successfully and more importantly, our machines were no protected by a far better product than they previously were. Everything is now configured via the enterprise servers and our data security team maintains many policies through the console. Never before have they had such an easy time getting these policies to our computers. All of our computers are seamlessly updated with the latest virus definitions and any changes to policies happened almost immediately on the clients. The firewall solution within SEP is also a great great tool. This has allowed us to set up many rules concerning network traffic and the ability to set up different profiles for network connected, wireless connected and mobile users has proved to be oh so valuable to us. I feel this migration was so successful because we:
1. Planned accordingly
2. Involved the right groups and teams
3. Worked through our issues patiently
4. Took the time to configure the environment (clients and servers) correctly
5. Recognized the benefits we would receive from this migration
Making it Better
There were a few things I think could have made this experience better. The first would have been getting our Altiris infrastructure set up so we could utilize all the SEP specific integration points. After visiting manage fusion after already, completing the migration, and seeing how easy the rollout could be, I was wishing we would have done it this way. I also wish there was as good of information and user groups as there are now. Connect has done a good job filling the gap that non-specific user groups leave void. Otherwise, we found the implementation and migration to SEP to be a great step in the right security direction.
Side note: We are now currently migrating to CMS 7. We were finishing up with the version 6 roll out and decided to update servers and reallocate resources to begin moving to 7 right away. Hopefully within the next 6 months we can have our current in-house software catalog of over 2500 packages converted and added to the new native software catalog. Also in this migration was the move to wise package studio for our packaging team. Lots of new technologies coming in the door and we are looking forward to all of them (especially all the virtualization). If anyone has any tips or advice, feel free to send me a message.
Comments
can you please elaborate more
can you please elaborate more on how you had completed uninstallation of McAfee and installation of Symantec at one go;
as last time i did that i faced lot of problem.
your experince will help me next time.
Thanks in advance
Sure!
As stated, we were using our in-house software distribution system which is handled and was written by a few of us. Having a system like this gave us the ability for a lot of control and enabled us to do some cool things like wait for the user to log of and then take control of the machine and do the install or pop up a box allowing them to select the time they wanted the install to happen. In the SEP install, we mainly forced the installation upon them.
A lot of the SEP installation was tuned towards our environment, so I will expand a little on it.
We have a dedicated packaging team that wraps everything using wise, now using wise package studio. This allows us to create a pushable, silent install for machines. This also allows us to do a pretty easy uninstall as long as files to uninstall are not in use. The package for SEP included a a couple other packages that were designed to do a few different things. Since we had our own inventory process, we knew which versions of McAfee and Sygate were installed on our systems and we could tailor to those specific versions. This allowed us to have a "uninstall McAfee" package and an "Uninstall Sygate" package. As the names imply, these packages, when run on a machine, looked for the possible versions of their given product, stopped services and uninstalled the given product.
The main package included these other two packages and when pushed to or ran on a machine the uninstall Sygate package would run, then the uninstall McAfee package would run. If both were successful, the package created an auto-login ID, the the machine up to do the auto-login and used active setup to run the SEP install on the login of that ID, then popped a box to the user stating the machine would reboot and to save all work. If no one was logged in, we just initiated a reboot with no prompt. When the id auto-logged in, the SEP install was started. To make sure users didn't mess with anything, we through a custom visual to the front of their screen, asking them to touch nothing (we found this was sometimes not enough, so we take away keyboard/mouse input too). Finally, the installation of SEP happens, the auto-login flags and ID are removed and the machine is rebooted.
We had logging every step of the way. We kept a hard log on the machine being upgraded and also certain parts of the log to our SQL box via web service. This allowed us to have real-time analysis of what was happening in the environment, how many successful upgrades were happening and gave us a leg up on support. We could transfer tickets to our LAN administrators and proactively fix machines along the way. With 18,000 upgrades, we were bound to run into a few issues. Overall, we had a tremendous success rate and couldn't have been happier with the results.
This is the way we did it, because it worked well for our environment and the system we had written and had been using for 6 years. We knew the ins and outs and how the system functioned and could tweak things along the way as needed. Having the functionality to create the autologin feature and using active setup really helped out.
If you have a packaging team, they should be able to create uninstall packages to assist in an installation like this. Also, a lot of testing for the particular environment comes into play and lots of brainstorming.
Hopefully that answers your question. If not, please feel free to ask any specific questions here or message me and I will be happy to do my best at expanding further.
RS
SEP Deployment server sizing
Thanks for your wonderful insight into the SEP Migration process.
I am looking at moving from a SAV Corp v10 to SEP 11 and need to provide specs for the new SEP management server and console hardware. I have provided the Symantec requirements but I would like to know what worked practically for your company. My organization is about a third of the size of yours, so your specs should scale well as we have a similar environment.
My server spec concern is due to the previous spec server which has be somewhat contrary at times to keep running. This time I want a box that will quietly perform up to server specifications (some dream, hunh?)
Please provide some idea what your production SEP mgmt server specs are.
Would love to follow the path
Very well written sir and more than that very well implemented process again in very impressive manner.
I have a request, would it be possible for you or your organization to share the scripts used to perform these tasks if they do not containany confidential Information, Even partial scripts will help as well. These scripts can be helpful to number of peoples and organizations. Techs can use these scripts as examples or base scripts in order to create new scripts/accomodate changes as per the needs of their environment.
Also at the same time I request other members that if TheSmiz makes these scripts available and use and modify them to meet your needs, please do share them as well so that those again can help others.
May be possible that together we can prepare a customized solution to help the whole community by developing something real nice.
Thanks in advance for everyone for their support.
Scripts
I don't have direct access to the scripts out packaging team created. I will talk with them and see how they feel about sharing and confidentiality levels.
RS
Would you like to reply?
Login or Register to post your comment.