Endpoint Protection


Management Server List only with SQL DB or Replication Partners ?

  • 1.  Management Server List only with SQL DB or Replication Partners ?

    Posted Nov 18, 2015 10:43 AM
    Hello all, I need to know if we can configure a management server list only with a SQL instance, or only when we are using replication partners? At the moment we have 2 SEPMs configured as replication partners running on the embedded database. Now, due to some reason, we need to add a third SEPM server with an embedded database to the environment and need to move some specific clients to this new SEPM as their primary server. We intend to add a new management server list for this group in which the new SEPM will be the primary node. What I need to know is: can we add an MSL in this way, or is the MSL supported with SQL or replication partners only? Or can we not simply add a new SEPM server and move the clients this way? Your replies would be appreciated. Thanks


  • 2.  RE: Management Server List only with SQL DB or Replication Partners ?
    Best Answer

    Posted Nov 18, 2015 11:00 AM

    You can play around with the MSL as much as you want; it is not dependent on the DB (SQL or embedded).



  • 3.  RE: Management Server List only with SQL DB or Replication Partners ?

    Posted Nov 18, 2015 11:09 AM
    Thanks for your reply, Praveen. So what I am intending to do is this. Please confirm if it's doable and will work without any problem.

    1) Install a new SEPM having the same version as the old one (fresh installation on a SQL instance)
    2) Take a backup from the old SEPM and restore it on the new SEPM server running on a SQL instance
    3) Export the client-server certificate from the old SEPM server and import it into the new SEPM server
    4) On the old SEPM server, create and assign a new MSL having the new SEPM as priority one and apply it to a group on the old SEPM to migrate clients to the new SEPM server

    Is this process gonna work? Am I missing something?


  • 4.  RE: Management Server List only with SQL DB or Replication Partners ?

    Posted Nov 18, 2015 11:18 AM
    Guys, basically in this scenario we would be migrating two physical SEPMs with embedded databases configured for replication to new virtual servers. Now, due to some restrictions, we cannot do any manual work on endpoints like replacing the sylink.xml file or pushing a communication update package from the new SEPMs to migrate clients to the new SEPMs. The most optimum option I feel I have at the moment is to play with the MSL as I stated above, and these are the steps I would need to perform. I am thinking that if I do these steps I can achieve it; please share your suggestions on whether this can be achieved this way:

    1) Install a new SEPM having the same version as the old one (fresh installation on a SQL instance)
    2) Take a backup from the old SEPM and restore it on the new SEPM server running on a SQL instance
    3) Export the client-server certificate from the old SEPM server and import it into the new SEPM server
    4) On the old SEPM server, create and assign a new MSL having the new SEPM as priority one and apply it to a group on the old SEPM to migrate clients to the new SEPM server

    Is this process gonna work? Am I missing something?


  • 5.  RE: Management Server List only with SQL DB or Replication Partners ?

    Posted Nov 18, 2015 11:28 AM

    The MSL is designed to assign SEPM priority for the clients so they know where to go or where you want to direct them. It's not dependent on the DB type. It's more to get the clients where you need them to go.



  • 6.  RE: Management Server List only with SQL DB or Replication Partners ?

    Posted Nov 18, 2015 11:30 AM

    Everything looks good and doable, but please put a new MSL in your new SEPM as priority 1 and add the other servers at priority 2.



  • 7.  RE: Management Server List only with SQL DB or Replication Partners ?

    Posted Nov 18, 2015 11:36 AM

    Again, as I said earlier, it will work. I hope you are planning to have the new SEPM with a new hostname and IP; in that case you need to add the new SEPM's hostname and IP address as priority one in the new SEPM and the remaining servers' IPs as secondary, so that clients will still have a fallback mechanism just in case something happens.



  • 8.  RE: Management Server List only with SQL DB or Replication Partners ?

    Posted Nov 18, 2015 11:39 AM
    Yes Praveen, the new SEPM will have a new hostname and IP address, so I believe once I follow the steps as I stated above the clients would be migrated to the new SEPMs without replacing any sylink file.


  • 9.  RE: Management Server List only with SQL DB or Replication Partners ?

    Posted Nov 18, 2015 11:42 AM

    Yes, it should work like a charm. As a matter of fact we have also proposed a very similar plan to our client, where we wanted to segregate factory PCs from the regular PCs. To be on the safer side, do it on a pilot test PC where you have control, and then move into the full-fledged movement; this way you can always control the damage should something happen.



  • 10.  RE: Management Server List only with SQL DB or Replication Partners ?

    Broadcom Employee
    Posted Nov 18, 2015 02:19 PM

    Why don't you install new SEPM as a new replication partner?



  • 11.  RE: Management Server List only with SQL DB or Replication Partners ?

    Posted Nov 18, 2015 02:29 PM

    Wouldn't it make the new SEPM a secondary SEPM and thus prevent it from being a primary server even in the future?



  • 12.  RE: Management Server List only with SQL DB or Replication Partners ?

    Posted Nov 19, 2015 12:18 AM
    Yes Praveen, you are right. If we add this new SEPM server as a third replication partner, then in the future we wouldn't be able to use this SEPM as a primary server, because we intend to scrap the old SEPMs.


  • 13.  RE: Management Server List only with SQL DB or Replication Partners ?

    Posted Nov 19, 2015 11:29 AM
    Guys, please correct me if I am wrong. If I add a third server as a replication partner and then decommission the first two servers, and then I try to add a new SEPM server as a replication partner, would that be possible? I read somewhere that I won't be able to make the third SEPM a replication partner again.


  • 14.  RE: Management Server List only with SQL DB or Replication Partners ?

    Posted Nov 19, 2015 11:31 AM

    I have read it somewhere too, and that's why I am confident in saying that the new SEPM cannot act as primary. Let me see if I can get the link.



  • 15.  RE: Management Server List only with SQL DB or Replication Partners ?

    Broadcom Employee
    Posted Nov 19, 2015 01:43 PM

    I believe that's correct, because it works like a primary and secondary architecture, and because of that, in the future you won't be able to do the replication if the primary SEPM is decommissioned.



  • 16.  RE: Management Server List only with SQL DB or Replication Partners ?

    Posted Nov 19, 2015 01:58 PM

    So I believe I should rule out the replication partner option for the new SEPM, because we intend to decommission the old SEPMs once things are up and running and in smooth shape. Hence that leaves me with the only option I stated earlier. I tried to play it out in my lab environment; even though I applied the new MSL list of the new server on the old one, it didn't work as planned.



  • 17.  RE: Management Server List only with SQL DB or Replication Partners ?

    Posted Nov 20, 2015 07:47 AM

    Hello guys, I tried this in my lab but it didn't work.

    Action Plan 1

    I installed a new SEPM server having the same version as the old one but with a different IP and hostname.

    On the old SEPM server I created an MSL to add this new second server at priority 2.

    I stopped the service on the old SEPM; clients were trying to connect to the new SEPM server, but they were not showing in the new SEPM console.

    I even tried to replace the server certificate on the new SEPM server with that of the old server, but even then clients were trying to connect to the new SEPM and were not showing in the console.

    Action Plan 2

    I installed a new SEPM server having the same version as the old one but with a different IP and hostname.

    On the old SEPM server I created an MSL to add this new second server at priority 2.

    I took the backup from the old SEPM and restored it on the new server. I also updated the server certificate on the new server with the old one.

    I stopped the service on the old SEPM; clients were trying to connect to the new SEPM server, but they were not showing in the new SEPM console.

    I even tried to replace the server certificate on the new SEPM server with that of the old server, but even then clients were trying to connect to the new SEPM and were not showing in the console.

    What am I missing here? How can I make it successful? Your replies would be appreciated. Thanks



  • 18.  RE: Management Server List only with SQL DB or Replication Partners ?

    Posted Nov 20, 2015 07:56 AM

    Hmm, sounds strange. By the way, while installing the SEPM did you try to use the recovery file from the old SEPM?



  • 19.  RE: Management Server List only with SQL DB or Replication Partners ?

    Posted Nov 20, 2015 08:31 AM

    Hello Praveen, initially I didn't; it was a completely fresh installation without any database restore or recovery file. Once the installation was complete I updated the server certificate on the new SEPM server with that of the old server. Then I created an MSL on the old server with the new SEPM server placed at priority 2 and stopped the SEPM service on the old server, but it didn't work. Though the endpoints were trying to connect to the new server, they were not showing in the console.

    In the second option I restored the database on the new server with a recovery file, but even then it didn't work.

    Am I missing something, or not doing it in the right way?

    Thanks and Regards




  • 21.  RE: Management Server List only with SQL DB or Replication Partners ?

    Posted Nov 20, 2015 08:33 AM

    While doing the fresh installation on the new server, do you want me to use the recovery file or not? And once the installation is complete, restore the backup from the old server and update the server certificate on the new server with that of the old server? Once this is done, update the MSL on the old server and then it will work?

    Thanks



  • 22.  RE: Management Server List only with SQL DB or Replication Partners ?

    Posted Nov 20, 2015 09:22 AM

    Try with the recovery file, as it will take care of everything for you.



  • 23.  RE: Management Server List only with SQL DB or Replication Partners ?

    Posted Nov 20, 2015 09:54 AM

    Thanks for your reply, Praveen. It worked, but clients are appearing in the default group on the new SEPM. Do I have to restore the backup on the new one so that clients start showing in their corresponding groups, as they were appearing in the old server, instead of the default group?

    Thanks



  • 24.  RE: Management Server List only with SQL DB or Replication Partners ?

    Posted Nov 20, 2015 10:56 AM

    Edit your conf.properties at the line "scm.agent.groupcreation=false" and change it to true, so that the clients will create the exact group structure as on the existing SEPM.


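    The reply above asks for a one-line change in conf.properties. The helper below is an added example (not code from the thread, from Symantec, or from the SEPM product) showing how to make that kind of change repeatably: it edits a Java-style key=value properties file in place, keeps every comment and the original line order, and only writes (after taking a .bak copy) when the value actually differs, so running it twice is harmless. The only key taken from the thread is scm.agent.groupcreation; the sample file contents, the other key in it, and the conf.properties path are constructed placeholders.

```python
"""Toggle one key in a Java-style .properties file (e.g. SEPM's conf.properties).

Added example: not part of the forum thread or the SEPM product. The file
location below is a placeholder; the sample file contents are constructed.
"""
import re
import shutil
from pathlib import Path
from typing import Optional, Tuple

# Constructed sample in the same key=value format as conf.properties. The only
# key taken from the thread is scm.agent.groupcreation; the rest is invented.
SAMPLE_CONF = (
    "# constructed sample, not a real conf.properties\n"
    "scm.agent.groupcreation=false\n"
    "some.other.setting = 42\n"
)

# Matches "key=value" or "key: value"; lines starting with '#' or '!' are comments.
_PROP_RE = re.compile(r"^(\s*)([^#!=:\s][^=:]*?)(\s*[=:]\s*)(.*)$")


def get_property(text: str, key: str) -> Optional[str]:
    """Return the value of `key`, or None if the key is not set."""
    for line in text.splitlines():
        m = _PROP_RE.match(line)
        if m and m.group(2).strip() == key:
            return m.group(4).strip()
    return None


def set_property(text: str, key: str, value: str) -> Tuple[str, bool]:
    """Return (new_text, changed).

    Rewrites only the first line that sets `key`, preserving its indentation
    and separator; appends "key=value" if the key is absent. Comments, blank
    lines and ordering are kept untouched.
    """
    out, found, changed = [], False, False
    for line in text.splitlines(keepends=True):
        m = None if found else _PROP_RE.match(line)
        if m and m.group(2).strip() == key:
            found = True
            if m.group(4).strip() != value:
                eol = line[len(line.rstrip("\r\n")):]  # keep \n or \r\n as-is
                line = f"{m.group(1)}{key}{m.group(3)}{value}{eol}"
                changed = True
        out.append(line)
    if not found:
        if out and not out[-1].endswith("\n"):
            out[-1] += "\n"
        out.append(f"{key}={value}\n")
        changed = True
    return "".join(out), changed


def update_properties_file(path: Path, key: str, value: str) -> bool:
    """Apply set_property to a file on disk.

    Takes a .bak copy before writing and leaves the file (and creates no
    backup) when nothing would change, so the call is idempotent.
    """
    original = path.read_text(encoding="utf-8")
    new_text, changed = set_property(original, key, value)
    if changed:
        shutil.copy2(path, path.with_suffix(path.suffix + ".bak"))
        path.write_text(new_text, encoding="utf-8")
    return changed


if __name__ == "__main__":
    # Placeholder path: substitute the real conf.properties location.
    conf = Path("CONF_PROPERTIES_PATH_PLACEHOLDER/conf.properties")
    if conf.exists():
        did_change = update_properties_file(conf, "scm.agent.groupcreation", "true")
        print("changed" if did_change else "already set")
    else:
        # Offline demonstration on the constructed sample.
        new_text, _ = set_property(SAMPLE_CONF, "scm.agent.groupcreation", "true")
        print(new_text)
```

    Stop the SEPM service before editing the real file and restart it afterwards so the new value is read; the .bak copy is what you restore from if the result is not what you expected.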

  • 25.  RE: Management Server List only with SQL DB or Replication Partners ?

    Broadcom Employee
    Posted Nov 23, 2015 07:29 AM

    Hi,

    By editing conf.properties you will just get the group structure, but you will be missing the policies.

    Follow the disaster recovery method and create a new MSL as per the following:

    1. Follow "Best Practices for Disaster Recovery with Symantec Endpoint Protection" (see Related Article: https://support.symantec.com/en_US/article.TECH160736.html) to backup and reinstall SEPM on MACHINE_2
    2. Log in to the old SEPM on MACHINE_1
    3. Click Policies > Policy Components > Management Server Lists > Add Management Server List
    4. Click Add > Priority, and a new priority will be added, named "Priority 2"
    5. Add MACHINE_1 under Priority 2 and add MACHINE_2 under Priority 1, and assign this New Management Server List to all the groups.
    6. Clients will then move from old SEPM to new one gradually
    7. Stop the "Symantec Endpoint Protection Manager" and "Symantec Embedded Database" services on MACHINE_1 to verify whether all clients now report to the new SEPM on MACHINE_2
    8. Once verified that all the clients are reporting into the new SEPM, and have moved away from the old one, proceed to the next step.
    9. Uninstall SEPM from MACHINE_1