Video Screencast Help

How to export/import DLP policies and incident database in two different version of DLP without DLP upgrade

Created: 05 Mar 2012 | 2 comments

We have a client, who want to port (not upgrade) the DLP Enforce Sever 10.5 (Running over Windows 2003 32 bit machine) and its Oracle 10 g database (Two Tier implementation). As the Windows 2003 and Oracle 10 g is the not standard platform, the IT operations wants to build a new Enforce Server 11.5 over Red Hat Linux 64 bit machine. As this will be a new Enforce server 11.5 (11.0->11.1->11.5), how would one migrate the policies and old incident logs from the old Oracle 10 g database.

When you upgrade the DLP Enforce Server , the Symantec upgrade wizard handles the migration of the polices of other contents (Step 1) and migrates the incident log from Oracle 10.0 g to 11.g when you upgrade the Oracle Database (Step 2) . But our circumstances are different. We have to install a fresh copy of the DLP enforce Server 11.0 over a new hardware that support 64 bit Red Hat Linux and a new Oracle 11.0 g Oracle Server also on a new hardware hat support 64 bit Red Hat Linux.

How would one work about it. How would you export and import polices and incident database between different version of Enforce Server and Oracle Server database , running on two different OS platform . We have few ideas but all of them are crude and may risk loss of data.

Any suggestion !

Comments 2 CommentsJump to latest comment

Keith Reynolds - ExchangeTek's picture

You're going to have to upgrade the existing system first, and there's no "easy" way around it.  For instance, you will have to:

(1) Upgrade the existing DLP system to DLP 11.

(2) Export that database.

(3) Import that database into your 11g Oracle environment.  Test to make sure everything looks right.

(4) Install Enforce on the new 64 bit server pointing to the new database, careful to use the same release that you upgraded to in step 1.

(5) Upgrade your detection servers manually.

(6) Install your new detection servers on the new hardware.

(7) Configure the new detection servers.

(8) If applicable, do any further DLP release updates on the entire system.

(9) Change routing on other systems where applicable to use the new detection servers (i.e. change your outbound SMTP connectors on Exchange to go to the new servers; recable your taps or spans from the old network monitors to the new ones; change the ICAP services on your proxies; redeploy agents to use new Endpoint servers).

That's probably the "crude" solution you're already considering, but it's the best option (IMO).  Your current environment is fully compatible with DLP 11 in the short term, so anything past step 1 is easy to back out from if there are issues, as you'd have the original system in place (albeit on DLP 11). 

Backout beyond that is bringing back the 10.5 database from your backup, and reinstalling everything on 10.5 (preseving the schema, of course).

~Keith's picture

Keith ,

Thanks for the response. You are right. This is replacement of the platform rather than upgrade by any definition. Our crude solution is exactly what you have itemized. The only concern or risk, we are worried about is the migration/porting of the policies, rules, customize contents etc. . How much of that will be exported and ported to version 11.0 upgrade. The scenario that all such customize content need to manually configure is just scary!