Endpoint Protection


Migration of clients on other server SEPM


  • 1.  Migration of clients on other server SEPM

    Posted Feb 25, 2011 07:05 AM

    Greetings!
    I need help transferring clients from one SEPM server to another.
    We currently have a virtual server with SEPM 11 RU6 MP2 installed with the embedded database (OS Windows 2003 Std); about 200 SEP clients are connected to it.

    We recently installed a new "hard" server running Windows 2008 R2 Std. The clients need to be moved to it from the virtual server.

    Please advise on the most correct way to move the clients. Perhaps someone has already done something similar?

    Any help is welcome!

     



  • 2.  RE: Migration of clients on other server SEPM

    Broadcom Employee
    Posted Feb 25, 2011 07:27 AM

    Hi,

    There are two methods to move Symantec Endpoint Protection Manager (SEPM) from one machine to another:

    Method 1: if the SEPM server keeps the same IP and host name, you can refer to "Best Practices for Disaster Recovery with the Symantec Endpoint Protection Manager"

    http://www.symantec.com/business/support/index?page=content&id=TECH102333&locale=en_US.

    Method 2: if the new SEPM server has a different IP and host name, there are two alternatives:

    1. Use replication to install a new SEPM and keep the policy the same with old SEPM. See "How to move Symantec Endpoint Protection Manager from one machine to another" 

    2. Install a new SEPM, then use the Sylink file to establish communication between the new SEPM and the existing SEP client.

    Few helpful links:

    http://www.symantec.com/business/support/index?page=content&id=TECH104389

    http://www.symantec.com/business/support/index?page=content&id=TECH92556



  • 3.  RE: Migration of clients on other server SEPM

    Posted Feb 25, 2011 07:32 AM

    easiest thing is to use the sylink replacer tool

    install a new sepm...then use the tool, pretty easy will take only ten mins

    https://www-secure.symantec.com/connect/downloads/sylink-remote



  • 4.  RE: Migration of clients on other server SEPM

    Posted Feb 25, 2011 07:34 AM

    Hi;

     

    I used sylinkreplacer for this issue, and it works fine. I attached it. You must use this tool with a user who has administrative credentials on the clients.

    Regards.

    Attachment(s)

    zip
    sylinkreplacer_0.zip   1.58 MB 1 version


  • 5.  RE: Migration of clients on other server SEPM
    Best Answer

    Trusted Advisor
    Posted Feb 28, 2011 01:21 PM

    Hello,

    You don't need to configure the clients in case the new server where the Symantec Endpoint Protection Manager is going to be installed has the same IP and server name.

    However, in the worst case, where the clients don't report back to the new Symantec Endpoint Protection Manager, you can always use Sylink Replacer as the best tool; it will replace the sylink file on all Symantec Endpoint Protection machines and make them report back to the new Symantec Endpoint Protection Manager.

    'Using the "SylinkReplacer" Utility'
    > Web URL: http://www.symantec.com/business/support/index?pag...

    Restoring communication to clients with a new Sylink.xml file

    http://www.symantec.com/business/support/index?page=content&id=TECH106288&locale=en_US 



  • 6.  RE: Migration of clients on other server SEPM

    Posted Mar 15, 2011 10:16 AM

    Hi!

    I cannot use SylinkReplacer: there is no access to the clients' subnet (the clients are ATMs).

    I want to use the methods described here: http://www.symantec.com/business/support/index?page=content&id=TECH104389
    In my case the new SEPM differs from the old SEPM in IP address and host name.
    Transfer by the replication method is not suitable, as it is planned to add a replication partner to the new SEPM in the future.

    I want to use the Disaster Recovery method - "Best Practices for Disaster Recovery with the Symantec Endpoint Protection Manager" - http://www.symantec.com/business/support/index?page=content&id=TECH102333

    This paragraph confuses me: >>If you had a catastrophic hardware failure, you may need to rebuild the computer. If you rebuild the computer, you must assign it the original IP address and host name....

    What should I do in this case? Could you describe the necessary actions in more detail?



  • 7.  RE: Migration of clients on other server SEPM

    Posted Mar 15, 2011 10:16 AM

    It's not necessary to run Sylink Replacer on the same machine (SEPM).

    You can log in to any one of the ATM machines and then run it. Hope that from that subnet you have access to all machines.



  • 8.  RE: Migration of clients on other server SEPM

    Posted Mar 15, 2011 10:22 AM

    The best way is to install a new server. Shut down the old one. Provide the old server's IP address and name to the new server. Install SEPM. Follow the disaster recovery procedure....



  • 9.  RE: Migration of clients on other server SEPM

    Posted Mar 15, 2011 10:34 AM

    No, I cannot do that. It is forbidden by safety rules. Every ATM is isolated.



  • 10.  RE: Migration of clients on other server SEPM

    Posted Mar 16, 2011 05:33 AM

    Name of the new server and IP address should be others! In it a problem...



  • 11.  RE: Migration of clients on other server SEPM

    Posted Mar 16, 2011 08:35 AM

    Does anyone have new ideas? :)



  • 12.  RE: Migration of clients on other server SEPM

    Broadcom Employee
    Posted Mar 16, 2011 08:47 AM

    Hi

    Could you please rephrase it "Name of the new server and IP address should be others! In it a problem..."

    I am sorry I am not getting exact meaning of it.



  • 13.  RE: Migration of clients on other server SEPM

    Posted Mar 16, 2011 08:47 AM

    I think you can go with this procedure:

    1. Follow "Best Practices for Disaster Recovery with Symantec Endpoint Protection" (see Related Articles below) to back up and reinstall SEPM on MACHINE_2
    2. Log in to the old SEPM on MACHINE_1
    3. Click Policies > Policy Components > Management Server Lists > Add Management Server List
    4. Click Add > Priority and a new Priority would get added named as "Priority2"
    5. Add MACHINE_1 under Priority 2 and add MACHINE_2 under Priority 1, and assign this New Management Server List to all the groups.
    6. Clients will then move from old SEPM to new one gradually
    7. Stop the "Symantec Endpoint Protection Manager" and "Symantec Embedded Database" service on MACHINE_1 to verify whether all clients now report to the new SEPM on MACHINE_2
    8. Once verified that all the clients are reporting into the new SEPM, and have moved away from the old one, proceed to the next step.
    9. Uninstall SEPM from MACHINE_1

    Ref: How to move Symantec Endpoint Protection Manager from one machine to another



  • 14.  RE: Migration of clients on other server SEPM

    Posted Mar 16, 2011 09:23 AM

    As I already wrote earlier here, the new SEPM server should have a different IP address and host name, to keep the possibility of adding a replication partner in the future.

    In the article "Best Practices for Disaster Recovery with Symantec Endpoint Protection", this paragraph confuses me:

    ...If you had a catastrophic hardware failure, you may need to rebuild the computer. If you rebuild the computer, you must assign it the original IP address and host name....



  • 15.  RE: Migration of clients on other server SEPM

    Posted Mar 16, 2011 09:25 AM

    Can you go through the link which I provided?

    It says

    There are two different situations:

     (1) MACHINE_2 will have at least either same IP or hostname than MACHINE_1

     (2) MACHINE_2 will have both IP and hostname different from MACHINE_1

    (B) Disaster Recovery: this solution is longer to implement but the new SEPM will be an exact copy of the current one. Moreover, the use of replication in the future will still be possible. This solution will be appropriate for both situation 1 and 2 (see Environment section above).

    IMPORTANT NOTE: SEPM installed on MACHINE_2 must be the same version as on MACHINE_1 (same release and same language)



  • 16.  RE: Migration of clients on other server SEPM

    Posted Mar 16, 2011 09:49 AM

    I read this article.

    In the article "Best Practices for Disaster Recovery with Symantec Endpoint Protection", this paragraph confuses me:

    ...If you had a catastrophic hardware failure, you may need to rebuild the computer. If you rebuild the computer, you must assign it the original IP address and host name....

    I am writing this for the fifth time. I need more detailed help on Disaster Recovery. Do you understand me?



  • 17.  RE: Migration of clients on other server SEPM

    Posted Mar 16, 2011 10:10 AM

    Yes, I get you. As far as I know, it is like this. The disaster recovery article is basically made for a situation where SEPM has crashed and needs to be rebuilt from backups. Here there is no second SEPM, and the clients have the information (IP address, name) and certificates of the old SEPM. So the new SEPM should have the same IP address and name as the old one. In the article which I linked, we overcome this difficulty by adding the new server details to the MSL. So the clients will get the information about the new SEPM as well. Is it clear now?



  • 18.  RE: Migration of clients on other server SEPM

    Posted Mar 16, 2011 10:40 AM

    Yes, thanks for your help...

    So,
    1. I install SEPM on the new server.
    2. I recover the server certificate.
    3. I recover embedded database.

    Further:

    4. Log in to the old SEPM on MACHINE_1
    5. Click Policies > Policy Components > Management Server Lists > Add Management Server List
    6. Click Add > Priority and a new Priority would get added named as "Priority2"
    7. Add MACHINE_1 under Priority 2 and add MACHINE_2 under Priority 1, and assign this New Management Server List to all the groups.
    8. Clients will then move from old SEPM to new one gradually
    9. Stop the "Symantec Endpoint Protection Manager" and "Symantec Embedded Database" service on MACHINE_1 to verify whether all clients now report to the new SEPM on MACHINE_2
    10. Once verified that all the clients are reporting into the new SEPM, and have moved away from the old one, proceed to the next step.
    11. Uninstall SEPM from MACHINE_1

     



  • 19.  RE: Migration of clients on other server SEPM

    Posted Mar 16, 2011 10:46 AM

    Steps are like this:

    1. Install SEPM on the new server

    2. Restore the database backup and certificates.

    3. Reconfigure the server using the Management Server Configuration Wizard

    Further:

    4. Log in to the old SEPM on MACHINE_1
    5. Click Policies > Policy Components > Management Server Lists > Add Management Server List
    6. Click Add > Priority and a new Priority would get added named as "Priority2"
    7. Add MACHINE_1 under Priority 2 and add MACHINE_2 under Priority 1, and assign this New Management Server List to all the groups.
    8. Clients will then move from old SEPM to new one gradually
    9. Stop the "Symantec Endpoint Protection Manager" and "Symantec Embedded Database" service on MACHINE_1 to verify whether all clients now report to the new SEPM on MACHINE_2
    10. Once verified that all the clients are reporting into the new SEPM, and have moved away from the old one, proceed to the next step.
    11. Uninstall SEPM from MACHINE_1



  • 20.  RE: Migration of clients on other server SEPM

    Posted Mar 17, 2011 05:55 AM

    Please take a look at the video below and check the notes under it:

    https://www-secure.symantec.com/connect/videos/changing-sepm-server-name-and-ip-address#comment-5313881



  • 21.  RE: Migration of clients on other server SEPM

    Posted Mar 23, 2011 06:45 AM

    I have used the Disaster Recovery method to perform a migration.

    Section B) http://www.symantec.com/business/support/index?page=content&id=TECH104389&locale=en_US

    which leads to the disaster recovery method here:

    http://www.symantec.com/business/support/index?page=content&id=TECH102333

     

    The result of this is that the new SEPM server can see the clients and they are active (green dots).

    However, the new server is unable to distribute content to the clients.

    Examining the sylink.xml file on a client reveals that the 'new management server list' is correct, i.e. it shows the new server as priority 1 and the old server as priority 2. The problem is that the certificate is from the old server instead of the new one.

    Support have so far recommended using the SylinkReplacer tool which is a workaround. The obvious downside being that all the clients must be online (though this can also be added as part of a login script).

    Either way, it doesn't seem a great way to migrate SEPM. Using the replication method is not useful either since it's a one way process (the new replica cannot be then set to replicate to a 'newer' server later on).
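
Added example, not part of the thread and not Symantec's code: post 21 found a client whose sylink.xml listed the new server first but still carried the old server's certificate, and this Python sketch audits one client's file for both conditions before the old SEPM is stopped. The element and attribute names, the helper names and the sample file are assumptions constructed for illustration; compare them with a real Sylink.xml before relying on the result.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

# Constructed sample, not from a real client. The layout (ServerList,
# ServerPriorityBlock, Server/@Address, ServerCertList, Certificate) is an
# assumption about the file; the "certificates" are placeholder bytes.
OLD_CERT = base64.b64encode(b"constructed-old-sepm-cert").decode()
NEW_CERT = base64.b64encode(b"constructed-new-sepm-cert").decode()
SAMPLE = f"""<ServerSettings>
 <CommConf>
  <ServerList Name="Migration MSL">
   <ServerPriorityBlock Name="Priority1"><Server Address="MACHINE_2"/></ServerPriorityBlock>
   <ServerPriorityBlock Name="Priority2"><Server Address="MACHINE_1"/></ServerPriorityBlock>
  </ServerList>
  <ServerCertList><Certificate Name="MACHINE_1">{OLD_CERT}</Certificate></ServerCertList>
 </CommConf>
</ServerSettings>"""

def fingerprint(b64_cert):
    """SHA-256 over the decoded certificate bytes (whitespace ignored)."""
    raw = base64.b64decode("".join(b64_cert.split()))
    return hashlib.sha256(raw).hexdigest()

def audit_sylink(xml_text, new_server, expected_fp):
    """Return (servers per priority block, findings) for one client's file."""
    root = ET.fromstring(xml_text)
    priorities = [[s.get("Address") for s in block.iter("Server")]
                  for block in root.iter("ServerPriorityBlock")]
    findings = []
    if not priorities or new_server not in priorities[0]:
        findings.append("new server is not in the first priority block")
    certs = {c.get("Name", "?"): fingerprint(c.text or "")
             for c in root.iter("Certificate")}
    if expected_fp not in certs.values():
        findings.append("no embedded certificate matches the new server: "
                        + ", ".join(sorted(certs)))
    return priorities, findings

if __name__ == "__main__":
    servers, problems = audit_sylink(SAMPLE, "MACHINE_2", fingerprint(NEW_CERT))
    print(servers)
    for p in problems:
        print("FINDING:", p)
```

The expected fingerprint should be computed from the certificate the new SEPM actually uses, exported from that server, rather than from anything found on the client.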