Endpoint Protection

  • 1.  Feedback Requested on Migration Plans

    Posted Aug 26, 2013 09:54 AM

    Essentially, we're planning a complicated (to me) migration of our SEP environment and since I've never done this level of SEP work before, I thought I'd paste my plans here and let everybody have a crack at them.  All input is appreciated and welcome.

    Current Environment: SEP Enterprise, 1000 internal network Windows/Mac endpoints,  300 external endpoints (endpoints that are rarely or never plugged into the internal network), 1 SEPM w/integrated Database. 

    Target Environment: 2 SEPM servers (One internal facing and one Internet facing (for our road warriors). Our hardening/firewall/load-balancer configuration is excellent and not a consideration for this plan. 

    The plan is in two phases. This discussion is only the 1st Phase.  This phase is to migrate to new hardware/IP/Servername and migrate from internal to external SQL Database.  (Phase 2 is to bring up the second SEPM and configure for road warriors.) 

    Since I couldn't find any documentation outlining exactly what we are attempting, I shamelessly copied bits and pieces from various plans, pasted them all into this single plan. Question is, will it work?  Please let me know what you think.

    The Evil Plan:

    Procedure: (Steps)

    1.     Update Clients with a new Management Server List.  (Done: 05/06/13 - The New-SEP-Server is priority 1 and Old-SEP-Server is priority 2)

    2.     Sever and stop all communications with the client computers before backing up the database. To do this, stop and disable the Symantec Endpoint Protection Manager Service on Old-SEP-Server.

    3.     Back up the Database with the Symantec Endpoint Protection Manager Database Back Up and Restore tool (Start > Programs | Symantec Endpoint Protection Manager | Symantec Endpoint Protection Manager Tools | Database Back Up and Restore | Back Up).

    4.     Create the same folder path on the new server where the database resides on the old server.  Move the database backup files to the new folder on the new server. (used only for DB restoration to SQL DB)

    5.     Backup the Certificate and copy the Recovery_timestamp.zip to another location.  Extract both keystore.jks and settings.properties from the Recovery_timestamp.zip.  Open settings.properties with Notepad.  Verify that the Old-SEP-Server services are off and disabled.

    6.     On New-SEP-Server-1, install Symantec Endpoint Protection Manager with the Microsoft SQL Server database.  

    7.     Log on to the New-SEP-Server-1 SEPM and restore the keystore.jks file. To do this:

    a.     Click the Admin tab, and then click Servers.

    b.    Under View Servers, expand Local Site, and then click the computer name that identifies the local site.

    c.     Under Tasks, click Manage Server Certificate.

    d.    In the Certificate dialog box, click Next | Update the Server Certificate | Next | JKS Keystore (JKS) | Next.

    e.     Click Browse, and then browse to and select your extracted keystore.jks file.

    f.     In the settings.properties file that you opened in Notepad, copy the keystore.password and then paste it, using Ctrl + V, into the Keystore Password and Key Password boxes. The only supported paste mechanism is Ctrl + V.

    g.    Click Next until you have completed restoring the certificates, and then log out of the Symantec Endpoint Protection Manager.

    8.     Stop the Symantec Endpoint Protection Manager and Symantec Endpoint Protection Manager Webserver services. 

    9.     Restore the database with the Symantec Endpoint Protection Manager tool (Start | Programs > Symantec Endpoint Protection Manager | Symantec Endpoint Protection Manager Tools | Database Back Up and Restore | Restore).

    10.  When the database is restored, the Management Server Configuration Wizard starts. (Do not select the recovery file.)  Note: While reconfiguring the management server, you may receive the warning, "The management server name already exists. Do you want to replace it with the new server?" Click Yes. Otherwise, the Symantec Endpoint Protection Manager lists the server name twice.

    11.  When configuration is complete,  log on to Symantec Endpoint Protection Manager. 

    12.  Upgrade clients to latest Release Update.

    13.  Configure any new groups and new policies required and assign as necessary.

    14.  Review All Policies and tune as required.

     

    Thank you.  I look forward to any comments.

    -Lane-
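
Steps 2 and 5 of the plan above (confirming the old server's SEPM services are stopped and disabled, and extracting keystore.jks and settings.properties from the recovery zip) can be scripted. This is an added example, not part of the original post and not Symantec tooling; the function names, parameters and demo zip are hypothetical, and it assumes settings.properties stores the password as a plain `keystore.password=...` line.

```powershell
# Added example (not Symantec tooling); function and parameter names are hypothetical.
Add-Type -AssemblyName System.IO.Compression.FileSystem

# Steps 2 and 5: true only if every SEPM service is both Stopped and Disabled.
function Test-SepmServicesOff {
    param([string]$Prefix = 'Symantec Endpoint Protection Manager')
    $svcs = @(Get-CimInstance Win32_Service -Filter "DisplayName LIKE '$Prefix%'")
    $bad = @($svcs | Where-Object { $_.State -ne 'Stopped' -or $_.StartMode -ne 'Disabled' })
    $bad | ForEach-Object { Write-Warning "$($_.DisplayName): $($_.State)/$($_.StartMode)" }
    return ($svcs.Count -gt 0 -and $bad.Count -eq 0)
}

# Step 5: extract only keystore.jks and settings.properties from the recovery zip.
function Export-SepmRecoveryFiles {
    param([Parameter(Mandatory)][string]$RecoveryZip,
          [Parameter(Mandatory)][string]$Destination)
    $wanted = 'keystore.jks', 'settings.properties'
    New-Item -ItemType Directory -Path $Destination -Force | Out-Null
    $zip = [System.IO.Compression.ZipFile]::OpenRead((Resolve-Path $RecoveryZip).Path)
    try {
        foreach ($entry in @($zip.Entries | Where-Object { $wanted -contains $_.Name })) {
            # Bare file name only, so an entry path cannot write outside $Destination.
            $target = Join-Path $Destination $entry.Name
            [System.IO.Compression.ZipFileExtensions]::ExtractToFile($entry, $target, $true)
        }
    } finally { $zip.Dispose() }
    $missing = @($wanted | Where-Object { -not (Test-Path (Join-Path $Destination $_)) })
    if ($missing.Count) { throw "Recovery zip lacks: $($missing -join ', ')" }
    $props = Get-Content (Join-Path $Destination 'settings.properties')
    [pscustomobject]@{
        # Hash lets you confirm the copy on the new server is byte-identical.
        KeystoreSha256      = (Get-FileHash (Join-Path $Destination 'keystore.jks') -Algorithm SHA256).Hash
        # Report presence only; the plaintext password is never echoed.
        HasKeystorePassword = [bool]($props -match '^\s*keystore\.password\s*=\s*\S')
    }
}

# Constructed demo input: throwaway zip with placeholder contents.
$tmp = Join-Path $env:TEMP ("sepm-demo-" + [guid]::NewGuid())
New-Item -ItemType Directory -Path "$tmp\src" -Force | Out-Null
Set-Content "$tmp\src\keystore.jks" 'constructed placeholder, not a real keystore'
Set-Content "$tmp\src\settings.properties" 'keystore.password=CONSTRUCTED-EXAMPLE'
[System.IO.Compression.ZipFile]::CreateFromDirectory("$tmp\src", "$tmp\Recovery_demo.zip")
Export-SepmRecoveryFiles -RecoveryZip "$tmp\Recovery_demo.zip" -Destination "$tmp\out"
Remove-Item $tmp -Recurse -Force   # staging area holds the keystore password; clean up
Test-SepmServicesOff               # False if a service is running/enabled or none is found
```

Comparing `KeystoreSha256` on both servers before step 7 confirms the keystore was not altered or truncated in transit.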

     



  • 2.  RE: Feedback Requested on Migration Plans

    Trusted Advisor
    Posted Aug 26, 2013 11:07 AM

    Hello,

    In case this is Phase 1, I think this should work.

    Secondly, in reference to moving the DB from Embedded to SQL, check this Article:

    Symantec Endpoint Protection Manager: Moving from the embedded database to Microsoft SQL Server

    http://www.symantec.com/docs/TECH102547

    How to move Symantec Endpoint Protection Manager 12.1 from one machine to another

    http://www.symantec.com/docs/TECH171767

    Hope that helps!!



  • 3.  RE: Feedback Requested on Migration Plans

    Posted Aug 26, 2013 12:03 PM

    Mithun,

    Those are two of the many articles from where I shamelessly stole the lion's share of my plan.  Yes, you helped.  You have confirmed I do have some marginal understanding of what needs to be done.  Specifically, I'm looking for things I'm missing from the steps, and/or, steps that are not necessary.

    Thank you very kindly for your feedback.

    -Lane-



  • 4.  RE: Feedback Requested on Migration Plans

    Posted Aug 26, 2013 01:53 PM

    Looks like a very well thought out plan.

    Good luck on the migration.

    Check back in here if you need anything.

    Brian