Endpoint Protection


migrating from SEPv11 to SEPv12 - best practice for new VM?

  • 1.  migrating from SEPv11 to SEPv12 - best practice for new VM?

    Posted Nov 19, 2014 07:19 AM

    hi all

     

    1st time post and im hoping to get some advice on what the best practice is for upgrading our SEP environment.
    a little background about the current setup

    SEP v11.0.6200.754
    VM server 2008 sp2 
     

    i need to upgrade our SEP to v12 (still to confirm exact version)
    VM server 2012R2


    ive done a bit of research and it seems like i have a few options to choose from and id like to know what symantec recommend as best practice for this sort of work.

     

    1. install v12 on new server and manually configure policies and settings.
    2. upgrading existing environment to v12, install v12 on new server, setup replication.
    3. export policies from v11 and import into v12 on the new server.

    once the server is up, update all the clients in the office to the new version and point them to the new SEP server.

    i have a couple of questions in regards to exporting policies... how accurate is this process?
    do policies get corrupted? can exported policies be checked for any corruptions? 

    i ask this because my boss wants me to do them from scratch but im concerned about user input and settings being missed.
    current environment is working so id like to think that exporting policies is the best solution.

    with replication between 2 servers, how does this work and what sort of settings get replicated?
    do policies get replicated?

     

    let me know if you require any more details

     

     

    many thanks!

     

     

    Adam.

     

     

     

     

     



  • 2.  RE: migrating from SEPv11 to SEPv12 - best practice for new VM?

    Posted Nov 19, 2014 07:21 AM
    The latest version is 12.1.5. Go thru this: http://www.symantec.com/docs/TECH224034

    Policies shouldn't get corrupted, although if going from 11.x to 12.1 you will probably want to recreate since it's a different version.

    Yes, you can replicate policies and content between the two. See here: http://www.symantec.com/docs/HOWTO26797


  • 3.  RE: migrating from SEPv11 to SEPv12 - best practice for new VM?

    Posted Nov 19, 2014 07:24 AM

    Latest SEPM version is SEPM 12.1.5

    see below articles

    How to move Symantec Endpoint Protection Manager from one server to another server

    Article:TECH199292 | Created: 2012-11-02 | Updated: 2013-03-19 | Article URL http://www.symantec.com/docs/TECH199292


  • 4.  RE: migrating from SEPv11 to SEPv12 - best practice for new VM?

    Broadcom Employee
    Posted Nov 19, 2014 07:25 AM

    Hi,

    Thank you for posting in Symantec community.

    I would be glad to answer your query.

    SEP 12.1 RU5 (12.1.5000.5337) is the latest version. SEP release history is available here: https://www-secure.symantec.com/connect/blogs/symantec-endpoint-protection-release-details

    As you said, there are a couple of ways to complete the migration.

    Check this article: How to move SEPM from one server to another server.

    https://www-secure.symantec.com/connect/articles/hot-move-sepm-one-server-another-server

    What's the total number of SEP clients? Will the new VM have the same IP address and hostname? If you could provide this info it would be easy to suggest the best option to go with.



  • 5.  RE: migrating from SEPv11 to SEPv12 - best practice for new VM?

    Posted Nov 19, 2014 07:35 AM

    Manually creating or setting policies is a difficult process, this would be my approach

    ==Part 1======

    SEP v11.0.6200.754 --Upgrade to the version you need ( 12.x)
    Take backup of your existing SEM5.db

    by following disaster recovery

    http://www.symantec.com/business/support/index?page=content&id=TECH160736

    =====Part 2=====

    If 2012 has same name and IP

    Install SEPM 12.x (same version as part 1)

    restore the DB

    If the name and IP are different then the clients won't communicate; update the communication file using this method

    http://www.symantec.com/business/support/index?page=content&id=TECH199124

    ==============

     


     



  • 6.  RE: migrating from SEPv11 to SEPv12 - best practice for new VM?

    Posted Nov 19, 2014 10:06 AM

    hi Chetan

    there are under a 1000 SEP clients.
    New VM will have a new hostname and IP... i do not believe there are any plans to use the old hostname/ip.

     

     

     



  • 7.  RE: migrating from SEPv11 to SEPv12 - best practice for new VM?



  • 8.  RE: migrating from SEPv11 to SEPv12 - best practice for new VM?

    Posted Nov 19, 2014 10:19 AM

    Brian

     

    thanks for the info... your comment about recreating policies is my main concern.... and this is what im trying to understand as to what is best practice for this.
    is there a massive difference between policies in v11 and v12 ?

     

    my understanding is that replication will copy all settings, policies, clients to the new server.. 
    so in theory replication should confirm that there are no corruptions.

     

    does that sound right?

     

     



  • 9.  RE: migrating from SEPv11 to SEPv12 - best practice for new VM?

    Posted Nov 19, 2014 10:25 AM

    You shouldn't need to re-create unless there were issues in the past. Going from 11.x to 12.1 some settings in the policies change; they migrate over fairly well but you should still go thru and verify.

    Yes, replication will copy everything over but there is no alert or anything like that you would get if a policy is bad.



  • 10.  RE: migrating from SEPv11 to SEPv12 - best practice for new VM?

    Posted Nov 19, 2014 10:36 AM

    ok ill check it out.

     

    so to use replication have to upgrade the existing install to the same version.
    otherwise will have to create a new MSL.as file or use the sylink.xml method...

    i cannot find sylink.xml on the current server with sep v11...

     

     



  • 11.  RE: migrating from SEPv11 to SEPv12 - best practice for new VM?

    Broadcom Employee
    Posted Nov 19, 2014 10:38 AM

    Thanks for the updates.

    I would suggest upgrading the existing SEPM to the latest version, i.e. SEP 12.1 RU5.

    After a successful upgrade, perform the replication with the new server.

    How to install the Symantec Endpoint Protection Manager(s) for replication

    http://www.symantec.com/docs/TECH105928 

    After successful replication, stop the SEPM services on the OLD server.

    Monitor the new server status & if everything goes well, decommission the old SEPM server.

    Note: If you wish to move SEPM from one machine to another with the help of replication, replication is an option; decide whether to go or not. Because if you do replication and remove the old server that is the primary SEPM, in future if you want to do replication you will not be able to do so.

    Refer this article: https://www-secure.symantec.com/connect/articles/replication-and-considerations



  • 12.  RE: migrating from SEPv11 to SEPv12 - best practice for new VM?

    Posted Nov 19, 2014 10:38 AM

    Both need to be at the same version for replication to work. From here you can create an MSL and assign it to the groups of clients you want to point to either SEPM.

    You can export manually:

    Exporting the client-server communications file (Sylink.xml) manually



  • 13.  RE: migrating from SEPv11 to SEPv12 - best practice for new VM?

    Posted Nov 19, 2014 10:38 AM

    ok great... that makes more sense... thanks for clarifying 

    i will keep researching

     



  • 14.  RE: migrating from SEPv11 to SEPv12 - best practice for new VM?

    Posted Nov 19, 2014 10:44 AM

    thanks

     

    i managed to find the file eventually... but its good to know that it can be exported manually.

     

     



  • 15.  RE: migrating from SEPv11 to SEPv12 - best practice for new VM?

    Posted Nov 19, 2014 10:49 AM

    thanks Chetan

    thats good info there

     

     

    one more question, how do i confirm that the database is embedded and not on a separate sql server?



  • 16.  RE: migrating from SEPv11 to SEPv12 - best practice for new VM?

    Posted Nov 19, 2014 10:52 AM

    In the SEPM >> Admin >> Servers tab check under your local site. You should see your DB and it will show the type, either embedded or SQL
     



  • 17.  RE: migrating from SEPv11 to SEPv12 - best practice for new VM?

    Posted Nov 19, 2014 10:59 AM

    under localhost i can see database server

     

    name localhost
    database address localhost
    type adaptive server anywhere
    version 9.0.2.xxxx
    database sem5
     

    i cannot see any reference to SQL, so i think its safe to assume this is embedded?

     

     

     

     

     



  • 18.  RE: migrating from SEPv11 to SEPv12 - best practice for new VM?

    Posted Nov 19, 2014 11:01 AM

    yes, 

    if you go to services.msc u will see embedded database service



  • 19.  RE: migrating from SEPv11 to SEPv12 - best practice for new VM?

    Posted Nov 19, 2014 11:02 AM

    It's embedded



  • 20.  RE: migrating from SEPv11 to SEPv12 - best practice for new VM?

    Posted Nov 19, 2014 11:03 AM

    awesome... many thanks for your help.

     



  • 21.  RE: migrating from SEPv11 to SEPv12 - best practice for new VM?

    Posted Nov 19, 2014 11:05 AM

    Welcome



  • 22.  RE: migrating from SEPv11 to SEPv12 - best practice for new VM?

    Posted Nov 19, 2014 11:07 AM

    Chetan

     

    do you have a guide i could follow for upgrading existing SEPM to the new version? 

     

    edit:

    never mind found it!

     

    https://www-secure.symantec.com/connect/articles/sepm-11x-sepm-121-upgrade-process-graphical-overview-embedded-database

     

     



  • 23.  RE: migrating from SEPv11 to SEPv12 - best practice for new VM?

    Posted Nov 19, 2014 11:08 AM


  • 24.  RE: migrating from SEPv11 to SEPv12 - best practice for new VM?

    Broadcom Employee
    Posted Nov 19, 2014 11:16 AM

    Good to know you found it & I also bet this can be a good article to follow

    https://www-secure.symantec.com/connect/articles/sepm-11x-sepm-121-upgrade-process-graphical-overview-embedded-database

    There is important note for you because it's an Embedded database.

    Note: The SEP 12.1 SEPM upgrade installer requires three times the current database size (sem5.db) if upgrading from pre-12.1 SEPM with the embedded database only.

     
    Make sure sufficient disk space is available prior to starting the upgrade to avoid any unexpected failure.

    To stay on the safer side, take the necessary backups prior to the upgrade  :)
     
    Symantec Endpoint Protection 11.x: Best Practices for Disaster Recovery with the Symantec Endpoint Protection Manager
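
The disk-space and backup precautions from the post above, written as a pre-upgrade check (an added example, not part of the thread and not Symantec tooling). `-DbPath` and `-BackupPath` are values you supply; measuring free space on the volume that holds sem5.db and the 24-hour backup age limit are assumptions.

```powershell
# Pre-upgrade check for a SEPM with the embedded database (added example).
# -DbPath:     full path to sem5.db on the existing server (supplied by you).
# -BackupPath: optional path to the backup taken before the upgrade (supplied by you).
param(
    [Parameter(Mandatory = $true)][string]$DbPath,
    [string]$BackupPath,
    [int]$Multiplier = 3,           # thread: installer needs 3x the sem5.db size
    [int]$MaxBackupAgeHours = 24    # assumption: an older backup counts as stale
)

function Test-UpgradeDiskSpace {
    param([string]$Path, [int]$Factor)
    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) {
        throw "Database file not found: $Path"
    }
    $db = Get-Item -LiteralPath $Path
    # Assumption: the space is needed on the volume that holds sem5.db.
    $root = [System.IO.Path]::GetPathRoot($db.FullName)    # e.g. 'D:\'
    $deviceId = $root.TrimEnd('\')
    $disk = Get-WmiObject Win32_LogicalDisk -Filter "DeviceID='$deviceId'"
    if (-not $disk) {
        # UNC paths and unmounted volumes end up here.
        throw "Cannot read free space for volume '$root'"
    }
    $required = [int64]$db.Length * $Factor
    New-Object PSObject -Property @{
        DbSizeMB   = [math]::Round($db.Length / 1MB, 1)
        RequiredMB = [math]::Round($required / 1MB, 1)
        FreeMB     = [math]::Round($disk.FreeSpace / 1MB, 1)
        Sufficient = ([int64]$disk.FreeSpace -ge $required)
    }
}

function Test-BackupFresh {
    param([string]$Path, [int]$MaxAgeHours)
    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) { return $false }
    $age = (Get-Date) - (Get-Item -LiteralPath $Path).LastWriteTime
    return ($age.TotalHours -le $MaxAgeHours)
}

$space = Test-UpgradeDiskSpace -Path $DbPath -Factor $Multiplier
$space | Format-List DbSizeMB, RequiredMB, FreeMB, Sufficient
$ok = $space.Sufficient

if ($BackupPath) {
    $fresh = Test-BackupFresh -Path $BackupPath -MaxAgeHours $MaxBackupAgeHours
    Write-Output "Backup exists and is newer than $MaxBackupAgeHours h: $fresh"
    $ok = $ok -and $fresh
}

if (-not $ok) {
    Write-Warning "Do not start the upgrade yet: free up disk space or take a new backup."
    exit 1
}
Write-Output "Pre-upgrade checks passed."
```

Run it on the existing SEPM server before starting the installer; a non-zero exit code means at least one check failed.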


  • 25.  RE: migrating from SEPv11 to SEPv12 - best practice for new VM?

    Posted Nov 19, 2014 11:48 AM

    great info... thanks!

     

    a couple more questions that have popped into my mind.

     

    1. once ive upgraded our existing installer to v12 will the clients who are running v11 still work?
    2. once migration has finished and both servers new and old are running v12... can i manually migrate clients over to the new server ?
    i would like to do this to confirm that everything is working before putting all our clients onto the server... and then finding out its failing.



  • 26.  RE: migrating from SEPv11 to SEPv12 - best practice for new VM?

    Posted Nov 19, 2014 11:50 AM

    1. Yes, 12.1 can manage 11.x clients

    2. Yes. Just create an MSL and put the SEPM you want the clients to report to as Priority 1 and apply to the groups



  • 27.  RE: migrating from SEPv11 to SEPv12 - best practice for new VM?

    Posted Nov 19, 2014 12:21 PM

    excellent.. thanks!

     

    will discuss with my boss and will post back if i have any more questions or queries... which is bound to happen :)

     

    thanks for all your help so far

     

     



  • 28.  RE: migrating from SEPv11 to SEPv12 - best practice for new VM?

    Posted Nov 19, 2014 12:39 PM

    Happy to help :) Post back if you need anything else!



  • 29.  RE: migrating from SEPv11 to SEPv12 - best practice for new VM?
    Best Answer

    Broadcom Employee
    Posted Nov 19, 2014 12:41 PM

    Hi,

    1. once ive upgraded our existing installer to v12 will the clients who are running v11 still work?

    --> A Symantec Endpoint Protection Manager (SEPM) with version 12.1 can successfully deploy, administer and update SEP 11 clients, if necessary.  This mixture of versions is usually a temporary condition as endpoints in the organization are upgraded to SEP 12.1.  In the case of Windows 2000 Server or Windows 2000 Professional endpoints, it may be necessary until computers running the legacy OS are retired

    2. once migration has finished and both servers new and old are running v12... can i manually migrate clients over to the new server ?
    i would like to do this to confirm that everything is working before putting all our clients onto the server... and then finding out its failing.

    --> Yes, need to assign MSL as per the requirements.

    Creating and assigning a management server list for a Symantec Endpoint Protection Manager

    http://www.symantec.com/docs/TECH103175

     



  • 30.  RE: migrating from SEPv11 to SEPv12 - best practice for new VM?

    Posted Nov 20, 2014 10:02 AM

    quick question..

     

    how long does an upgrade take from v11 to v12 ?

     

     



  • 31.  RE: migrating from SEPv11 to SEPv12 - best practice for new VM?

    Posted Nov 20, 2014 10:04 AM

    Going to 12.1.5 SEPM, it may take 2 hours due to the new content compression functionality. This is a one time step though and won't be as long going to new 12.1 versions.



  • 32.  RE: migrating from SEPv11 to SEPv12 - best practice for new VM?

    Broadcom Employee
    Posted Nov 20, 2014 10:19 AM

    Hi,

    If we talk about SEPM, in my test environment it did not take more than 30 minutes to complete an upgrade. However, you can keep some buffer time to finish the SEPM upgrade.

    If we talk about the SEP client, it may take 2-3 days to complete the upgrade of 1000 clients with the auto upgrade feature. Push deployment (CDW method) may give a faster result.



  • 33.  RE: migrating from SEPv11 to SEPv12 - best practice for new VM?

    Posted Nov 20, 2014 11:06 AM

    ok great, thanks

     

    im working on a upgrade plan and i was wondering if there is any particular order you would recommend in doing the upgrades, installs and replications?

     

    so far my plan is

     

    1. Upgrade existing install on xxxxxxx v11.0.6200.754 to v12.1.5
    2. install v12.1.5 on new server xxxxxxxx
    3. set xxxxxx as primary SEP
    4. setup replication 
    5. confirm settings and policies
    6. migrate single users
    7. confirm everything is ok
    8. once its all finished upgrade clients

     

    would that be a viable action plan?

     

     



  • 34.  RE: migrating from SEPv11 to SEPv12 - best practice for new VM?

    Posted Nov 20, 2014 11:11 AM

    Don't forget to back everything up!



  • 35.  RE: migrating from SEPv11 to SEPv12 - best practice for new VM?

    Broadcom Employee
    Posted Nov 20, 2014 11:14 AM

    During second step instead of fresh install you can directly install as a replication partner. Rest looks good.



  • 36.  RE: migrating from SEPv11 to SEPv12 - best practice for new VM?

    Posted Nov 20, 2014 11:24 AM

    ah yes... backup database.. anything else?

     

    also as the servers are VM, will doing a snapshot before upgrade be enough?

     



  • 37.  RE: migrating from SEPv11 to SEPv12 - best practice for new VM?

    Posted Nov 20, 2014 11:25 AM

    oh.. i didnt know that the primary version can install a replication partner.. i assume thats fairly straight forward?

    do you have a guide for this?



  • 38.  RE: migrating from SEPv11 to SEPv12 - best practice for new VM?



  • 39.  RE: migrating from SEPv11 to SEPv12 - best practice for new VM?

    Posted Nov 20, 2014 11:31 AM

    Thats the best part , dont forget :)



  • 40.  RE: migrating from SEPv11 to SEPv12 - best practice for new VM?

    Posted Nov 20, 2014 11:35 AM

    You need to backup the database



  • 41.  RE: migrating from SEPv11 to SEPv12 - best practice for new VM?

    Posted Nov 20, 2014 11:54 AM

    doesnt this say to install sep on the new server anyways?

     

     

    Follow the steps below to add a replication partner

    1. On the machine you wish to be a replication partner, install Symantec Endpoint Protection Manager.

     

     

    im confused by this 1st point?



  • 42.  RE: migrating from SEPv11 to SEPv12 - best practice for new VM?

    Posted Nov 20, 2014 11:59 AM

    Yes, if that's done, you can move to the next step.



  • 43.  RE: migrating from SEPv11 to SEPv12 - best practice for new VM?

    Broadcom Employee
    Posted Nov 20, 2014 12:04 PM

    #Edit

    Let me clear it.

    Do not change any setting on the primary SEPM. Only change MSL settings once the additional SEPM is installed successfully.

    Install SEPM on the new VM; while installing SEPM it will ask you whether you wish to install as a fresh SEPM, an additional SEPM to an existing site, OR a replication partner.

     



  • 44.  RE: migrating from SEPv11 to SEPv12 - best practice for new VM?

    Posted Nov 20, 2014 12:05 PM

    ok great, that makes more sense

     

    i still have to do an install on the new server but i can then run the management server configuration wizard on the old server to install a new site and point it to the new server.. that will then setup replication and so on.

     

     



  • 45.  RE: migrating from SEPv11 to SEPv12 - best practice for new VM?

    Posted Nov 20, 2014 12:09 PM

    thank you

    i think its starting to make more sense now

     

    ill get there

     

    thanks for being patient with me and all my questions!

     

     



  • 46.  RE: migrating from SEPv11 to SEPv12 - best practice for new VM?

    Broadcom Employee
    Posted Nov 20, 2014 12:37 PM

    Screenshot is attached for reference.

    Picture12_1.jpg



  • 47.  RE: migrating from SEPv11 to SEPv12 - best practice for new VM?

    Posted Nov 20, 2014 04:07 PM

    thank you for confirming

    thats the option i had in mind :)

     

    planning to do the upgrade sometime next week so will probably have some more questions before then.

     

    thanks everybody for your help so far.

     



  • 48.  RE: migrating from SEPv11 to SEPv12 - best practice for new VM?

    Posted Dec 05, 2014 06:53 AM

    hi all

     

    i am going to be performing my upgrade tomorrow and i have another query..
    i was just told that theres another SEP server on the network and im curious how this will impact my work.
    hopefully this wont complicate the upgrade


    so the environment looks like this

    server1 (primary) v11.0.6200.754
    server2 (secondary) v11.0.6200.754

    server3 (new VM, will be primary)

    upgrade plan 

    upgrade server1 to v12.1.5
    install v12.1.5 on server3
    setup replication for policies and settings between server1 and server3
    move pilot users to server3

     

    my query is..
    what are the implications of leaving server2 online during the upgrade of server1 ?
    can server2 be left alone and online or should it be turned off...
    and finally should i upgrade server2 ?

     

    thanks

     




     

     

     



  • 49.  RE: migrating from SEPv11 to SEPv12 - best practice for new VM?

    Posted Dec 05, 2014 07:06 AM

    Chetan

    with the MSL... that keeps a server as the primary so the clients know where to connect to, right?

     

    how do i move 1 client over to the new server.. is that possible?

     

     

    edit: think i got it..

     

    create a new MSL policy pointing to the new server.
    in the clients create a new group called eg. Pilot
    add clients to the pilot group and assign new MSL to this group

     

     



  • 50.  RE: migrating from SEPv11 to SEPv12 - best practice for new VM?

    Broadcom Employee
    Posted Dec 05, 2014 07:12 AM

    That's correct.



  • 51.  RE: migrating from SEPv11 to SEPv12 - best practice for new VM?

    Broadcom Employee
    Posted Dec 05, 2014 07:13 AM

    Server 2 won't have any impact even if you keep it online.



  • 52.  RE: migrating from SEPv11 to SEPv12 - best practice for new VM?

    Posted Dec 05, 2014 08:00 AM

    If they're independent of one another, there will be no impact.



  • 53.  RE: migrating from SEPv11 to SEPv12 - best practice for new VM?

    Posted Dec 05, 2014 09:04 AM

    ok great good to know

     

    so i can keep server2 running and not worry about it causing any problems.

     

    thanks for your help
     


     



  • 54.  RE: migrating from SEPv11 to SEPv12 - best practice for new VM?

    Posted Dec 05, 2014 09:08 AM

    You're correct.



  • 55.  RE: migrating from SEPv11 to SEPv12 - best practice for new VM?

    Broadcom Employee
    Posted Dec 05, 2014 09:22 AM

    You are welcome sir, feel free to PM me if you face any issue during the upgrade.



  • 56.  RE: migrating from SEPv11 to SEPv12 - best practice for new VM?

    Broadcom Employee
    Posted Jan 16, 2015 07:18 AM

    Hi,

    Is there any update?

    OR

    If the issue has been resolved, mark the thread as 'SOLVED' with the answer that best helps you.



  • 57.  RE: migrating from SEPv11 to SEPv12 - best practice for new VM?

    Trusted Advisor
    Posted Jan 16, 2015 08:41 AM

    One thing you need to be aware of is that v11 is EOL, which means Server 2 will not be downloading any new content from LiveUpdate and any clients connecting to it will be out of date also.



  • 58.  RE: migrating from SEPv11 to SEPv12 - best practice for new VM?

    Broadcom Employee
    Posted May 04, 2015 01:08 PM

    Is there any update?

    OR

    If the issue has been resolved, mark the thread as 'SOLVED' with the answer that best helps you.