Endpoint Protection


Moving clients from old to new SEPM and not using Sylinkdrop/replacer?

  • 1.  Moving clients from old to new SEPM and not using Sylinkdrop/replacer?

    Posted Mar 18, 2011 05:55 AM

     

    Hi everybody,

    I want to apply some automation tasks to my clients, and I hope some of you will share your knowledge and experience with me :-)
    I'll try to give you as much information as I can, so I'm afraid this post is going to be a long one.

    The Goal:
    I want the clients to move to a new SEPM and update themselves from MR5 to RU6MP2 completely automatically (BTW: In other AV products, you will find a "Move client to Server" option where you can enter an IP address and the client moves. Why is this not implemented?)

     


    But first of all, some information on WHY I have to do it:

    As some of you might remember, I had a few strange problems with our MR5 SEPM in the past (from clients not reporting correctly to outdated AV definitions, software updates not working etc.). When we (here at the company) realized that the person who initially set up this SEPM lost the DB encryption password, we all agreed that it would be best to install a new, up-to-date SEPM and move the clients there.

     


    Systems:
    "Old" SEPM: SEP 11.0.5002.333 German language; lots of different domains (because initially we didn't really understand what "domains" really mean for the functionality of the SEPM)

    "New" SEPM: SEP 11.0.6200.754 English; all clients should be consolidated into one SEPM domain

    Those two servers are not and should not be connected to each other, as we want to get rid of the old one ASAP

    Client systems: Windows XP SP3 (while some are, unfortunately, still SP".."), some Windows 7 32 and 64 bit test machines
    Server systems: Windows 2003 R2 SP2, Windows 2008, Windows 2008 R2
    Clients + servers = around 4500 machines total

    ATM we do not have any sort of Software-Distribution other than a Login-Script (I know this is NOT really a software-distribution, but I just wanted to mention it ;) )

     


    What I tried so far (sorry this post is getting even longer...):

    1. Import the English RU6MP2 update package to MR5, apply an installation package to a group. Wait a few days. -> Nothing happened

    2. Create an installation package from English RU6MP2. Apply an installation package to a group, set the "download package from" option to the new SEPM's IIS server. Wait a few days -> Nothing happened

    Conclusion: The SEPM won't update clients with packages other than its own (I guess this has something to do with signatures...)

    3. Tried SylinkDrop to move some clients to the new SEPM -> Success

    4. Created an INSTALL group on the RU6MP2 SEPM, applied an install package (English RU6MP2) to the MR5 clients. Wait a few days -> Nothing happened.

    At this point it seemed kinda strange to me that my clients did not want to update at all, so I started investigating this issue.
    Unfortunately I could not find anything unusual in the event logs. It seemed the clients are downloading the package, but just do not start installing it.

    I then tried the following, just out of curiosity:
    I imported a new RU6MP2 package, GERMAN language, to the "old" SEPM. Applied the install package to a group and set the "Download Client-Update from" location to an ENGLISH client package on the new RU6MP2 SEPM's IIS.
    -> It worked!

    Conclusion: SEPM only updates clients with its own language setting. In fact, if it "thinks" the client package has the right language setting. It upgraded my 11.0.5002.333 German clients to 11.0.6200.754 English without complaining.

     

    BUT:
    It seems like, during this upgrade process, it does not exchange the Sylink.xml, as my upgraded clients are still connecting to the MR5 SEPM instead of the new one. This is especially confusing as the process works flawlessly when I fire up a manual client upgrade (using setup.exe) on one of the MR5 clients. When I do this, the clients upgrade themselves and connect to the new SEPM.
    So WHY don't the clients exchange the Sylink.xml when they are upgraded by the SEPM?

     

    At this point I decided to post all that stuff in the forums for your advice/input.
    Maybe someone has an even better idea for switching servers and software at once.

    Thanks in advance for your help and suggestions

    Stephan

     






  • 3.  RE: Moving clients from old to new SEPM and not using Sylinkdrop/replacer?

    Posted Mar 18, 2011 07:09 AM

    The best way will be this.

    How to move Symantec Endpoint Protection Manager from one machine to another 

    But the disadvantage is that you will still have all the domains. So if it is mandatory for you, try this:

    In the old SEPM

    go to Clients-->policies--->general settings-->security settings-->security settings and uncheck the option "enable secure communication"

    Create a new management server list, add the old server as first priority and the new server as second priority, and assign it. Then check whether the clients are reporting to the new server or not.

    You may use this article for creating and assigning management server list.

    Creating and assigning a management server list for a Symantec Endpoint Protection Manager



  • 4.  RE: Moving clients from old to new SEPM and not using Sylinkdrop/replacer?

    Broadcom Employee
    Posted Mar 18, 2011 07:29 AM

    Hi,

    The situation is a little complicated.

    Just for information, the database password can be recovered. There are possible options through which you can recover the encrypted database password.

    If you are moving your clients from one server to another server, you succeed only in the following situations. Correct me if I am wrong.

    1) Manual replace of Sylink.xml

    2) Manual install of Setup.exe

    These two options are working and we follow the same procedure day to day.

    I would suggest migrating all the clients to the new server and then going for auto-upgrade.

    http://www.symantec.com/business/support/index?page=content&id=TECH96789&actp=search&viewlocale=en_US&searchid=1297963008628

    The Sylink replacer tool is quite an easy way to restore communication; I would like to suggest going with that.

    Following articles may help you:

    http://www.symantec.com/connect/forums/migration-clients-other-server-sepm

    http://www.symantec.com/business/support/index?page=content&id=TECH104389 



  • 5.  RE: Moving clients from old to new SEPM and not using Sylinkdrop/replacer?

    Trusted Advisor
    Posted Mar 18, 2011 07:53 AM

    Hello,

    A few suggestions:

    1) Migrating from MR5 to RU6MP2 completely automatically is not recommended. The recommended step is MR5 to RU6a to RU6MP2.

    2) As I understood, you are moving clients to a new SEPM.

    3) "Move client to Server" option where you can enter an IP address and the client moves. --> Symantec could do this with the help of MSL, in case a replication was set to the new server.

    4) Understood the whole process; however, an easier way to update could have been:

    The new server which was brought up could have been given the same IP address and the same host name. ---> However, this would require a disaster recovery, and that requires the encryption password.

    If a different encryption password is used when performing disaster recovery without a database backup, it will be required to replace the communication settings on all clients (by either using Sylink Replacer or reinstalling the clients).

    However, check this:

    The Encryption Password and Symantec Endpoint Protection 11 (SEP11)

    http://www.symantec.com/business/support/index?page=content&id=TECH93119&locale=en_US

     

    How to move Symantec Endpoint Protection Manager from one machine to another

    http://www.symantec.com/business/support/index?page=content&id=TECH104389&actp=search&viewlocale=en_US&searchid=1300446368283
     

     

    Conclusion:

    Replication could have been a better choice.

    In certain cases, if MACHINE_2 has the same IP and hostname as MACHINE_1, the clients wouldn't connect; in that case, you could have just inserted the domain ID into the SEPM and connected all the clients reporting to the domain. Check the steps to get the domain ID of the client:

    Either you can copy it from the NEW SEPM server -- you will see a message that the client is trying to connect to "xxxxxxxxxxxx" domain ID.

    OR

    on the SEP client computer,

    open the sylink.xml file from

    \Program Files\Symantec\Symantec Antivirus or Symantec Endpoint Protection

    Open the Sylink.XML file with Notepad
    and you will see the domain ID, something like this:
    <ServerSettings DomainId="7C6968400A32025E01DF280BC7C27AE0"> -->this is your domain id.

     

    Adding a domain

    http://www.symantec.com/business/support/index?page=content&id=HOWTO26957&actp=search&viewlocale=en_US&searchid=1300447588664
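
The DomainId lookup described in the post above, scaled from one client to a whole inventory; this is an added example, not part of the thread and not Symantec code. It assumes copies of each client's Sylink.xml have already been collected per host; the host names and the "new" DomainId are constructed, and only the `ServerSettings` element and its `DomainId` attribute come from the post.

```python
import re
import xml.etree.ElementTree as ET
from collections import defaultdict

# Assumption: a DomainId is 32 hex characters, like the value shown in the post.
DOMAIN_ID_RE = re.compile(r"[0-9A-F]{32}")

OLD_DOMAIN = "7C6968400A32025E01DF280BC7C27AE0"  # value quoted in the post above
NEW_DOMAIN = "0123456789ABCDEF0123456789ABCDEF"  # constructed placeholder

# Constructed inventory: host name -> contents of that client's Sylink.xml.
SAMPLE = {
    "PC-001": f'<ServerSettings DomainId="{NEW_DOMAIN}"></ServerSettings>',
    "PC-002": f'<ServerSettings DomainId="{OLD_DOMAIN}"></ServerSettings>',
    "PC-003": f'<ServerSettings DomainId="{NEW_DOMAIN.lower()}"/>',
    "PC-004": '<ServerSettings DomainId="7C69',    # truncated copy
    "PC-005": "<ServerSettings></ServerSettings>",  # attribute missing
}

def read_domain_id(sylink_xml):
    """Return the upper-cased DomainId, or None if the file is unusable."""
    try:
        root = ET.fromstring(sylink_xml)
    except ET.ParseError:
        return None
    # Accept ServerSettings as the root element or nested below it.
    node = root if root.tag == "ServerSettings" else root.find(".//ServerSettings")
    if node is None:
        return None
    value = node.get("DomainId", "").strip().upper()
    return value if DOMAIN_ID_RE.fullmatch(value) else None

def group_by_domain(inventory):
    """Map each DomainId (or 'UNREADABLE') to the sorted hosts carrying it."""
    groups = defaultdict(list)
    for host, xml_text in inventory.items():
        groups[read_domain_id(xml_text) or "UNREADABLE"].append(host)
    return {domain: sorted(hosts) for domain, hosts in groups.items()}

def not_expected(inventory, expected_domain_id):
    """Hosts whose Sylink.xml does not carry the expected DomainId."""
    target = expected_domain_id.upper()
    return sorted(h for h, x in inventory.items() if read_domain_id(x) != target)

if __name__ == "__main__":
    for domain, hosts in group_by_domain(SAMPLE).items():
        print(domain, hosts)
    print("not on expected domain:", not_expected(SAMPLE, NEW_DOMAIN))
```

Hosts reported as UNREADABLE are worth checking by hand, since a damaged or partial Sylink.xml also means the client cannot report to any manager.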



  • 6.  RE: Moving clients from old to new SEPM and not using Sylinkdrop/replacer?

    Trusted Advisor
    Posted Mar 18, 2011 08:01 AM

    Hello,

    Check this,


    Startup Scripts and SylinkDrop…Better Together

    https://www-secure.symantec.com/connect/articles/startup-scripts-and-sylinkdrop-better-together

     

     



  • 7.  RE: Moving clients from old to new SEPM and not using Sylinkdrop/replacer?
    Best Answer

    Posted Mar 18, 2011 08:37 AM

    Firstly, please do not upgrade directly from RU5 to RU6MP2. It is an unsupported path.

    Now, in my opinion, what we need to do:

    1. Take the backup of the database and the server private key using Disaster recovery
    2. Create a new machine with the same name and ip address. (Do not join the machine to the network).
    3. Install SEPM RU6  on the machine
    4. Restore the  database backup taken
    5. Join the machine to the network
    6. Stop the SEPM service on the other machine
    7. Wait for some time, the clients would move to the new SEPM Ru6
    8. Once the clients report , use auto upgrade to update the clients to RU6
    9. Migrate the SEPM from RU6 to RU6MP2
    10. Use auto upgrade to update the clients to RU6

     

    I have tried these steps on quite a few occasions and it has given me the desired results.

    Hope this helps; these steps save a lot of time and reduce your work.



  • 8.  RE: Moving clients from old to new SEPM and not using Sylinkdrop/replacer?

    Posted Mar 18, 2011 11:09 AM

    Thank you for your suggestions,

    just to point out one thing: When I am talking about updating, I ONLY talk about updating the client software, not the server part. AFAIK this is OK. Am I wrong?

    On number 4: I forgot to mention that the new server is in a different location (central datacenter) and therefore needs to have a different IP address than the MR5 SEPM. Sorry, missed that.

     

     

     

     






  • 10.  RE: Moving clients from old to new SEPM and not using Sylinkdrop/replacer?

    Posted Mar 18, 2011 11:14 AM

    Hi AravindKM,

     

    thanks for your hints. ATM I am playing around with management server lists. I set up a list with the RU6MP2 server as Priority1 and the MR5 as Priority2.

    So far, the clients don't connect to the new SEPM. Need to wait for the next restart ;-) But from my understanding, this seems promising.

    Do I maybe need the same OU structure/folders on the RU6MP2 SEPM? (So the clients know where to connect to?)



  • 11.  RE: Moving clients from old to new SEPM and not using Sylinkdrop/replacer?

    Posted Mar 18, 2011 11:20 AM

    Hi Chetan,

    I know this is a bit "special", and I know it is not the usual "supported path" :-)

    But there must be a way to make the clients do a full setup (including the replacement of the Sylink.xml) initiated from the server side... I even tried modifying the folders containing the files for policy serial numbers. But then the system replaced them or, when I protect them, just doesn't update :-)



  • 12.  RE: Moving clients from old to new SEPM and not using Sylinkdrop/replacer?

    Posted Mar 18, 2011 11:37 AM

    Did you uncheck it (Clients-->policies--->general settings-->security settings-->security settings and uncheck the option enable secure communication)? If the same group is not available, it is supposed to report to the default group. If this testing is a failure, you may import the server certificates from the old server and try. We will hope for the best...



  • 13.  RE: Moving clients from old to new SEPM and not using Sylinkdrop/replacer?

    Trusted Advisor
    Posted Mar 18, 2011 11:43 AM

    Hello,

    Well, in your case, I would have recommended replication as the easiest and most painless option.

    However, now in your case, the question will arise: how will the clients know that the SEPM is now installed in a different location with a different IP address?

    Of course, only when we change the certificates on those clients ---> I mean to say Sylink.xml.

     

    Check the Link provided.

    Startup Scripts and SylinkDrop…Better Together

    https://www-secure.symantec.com/connect/articles/startup-scripts-and-sylinkdrop-better-together

    Hope that helps.