Video Screencast Help
Symantec to Separate Into Two Focused, Industry-Leading Technology Companies. Learn more.

Re:Strategy for moving SEPM 12.1 clients to another server

Created: 09 Jun 2013 • Updated: 18 Feb 2014 | 53 comments
This issue has been solved. See solution.

Hi,

I need to deploy Symantec End point protection 12.1 in my environment along with Symantec Net Access Control 12.1 & Symantec System Recovery Desktop in my  organization.

Scenario is like this currently we are getting license and Live updates from another company Symantec Endpoint protection manager which is also 12.1 now we want  to deploy the  Symantec  Endpoint protection server in my company you can check the scenario from Pic 1 & Pic 2.

Issue is : We have approx 1000 client in my company (company A) which are getting updates from company B what will be the best option through which we will move all existing clients to get updates and licensed from the new Symantec Endpoint Protection Manager.

 

Regards

GeekGadget

Operating Systems:

Comments 53 CommentsJump to latest comment

gnkev's picture

HI,

you just need to move you configuration to the new SEP Manager?

are you using an SQL db?

if both are yes, install sep console on the new Manager, then configure SEP with the existing DB (that is the one you are using) from the "run the configuration wizard" in start menu=> sepm => run confiruation wizard.

 

Or you can use replication (if condition/requirement are met)

http://www.symantec.com/docs/TECH104389

.Brian's picture

If you only need to point the clients to another SEPM, than try the linked KBA below:

Restoring client-server communications with Communication Update Package Deployment

Article:HOWTO81109  |  Created: 2012-10-24  |  Updated: 2013-06-06  |  Article URL http://www.symantec.com/docs/HOWTO81109

 

Please click the "Mark as solution" link at bottom left on the post that best answers your question. This will benefit admins looking for a solution to the same problem.

AjinBabu's picture

HI, 

You can create a replica server from Site B to Site to site A once all clients are reported on site A you can break the communication.

or

http://www.symantec.com/docs/HOWTO81109

 http://www.symantec.com/docs/TECH171767

or 

Step-up a new SEPM site on company A and replace existing clients Sylink.xml using Sylink replacer.

Regards

Ajin

raju123's picture

What of the version you are running in your SEPM and Client?

If you are running with SEP 12.1 RU2

then use the below article to replace the sylink communication

https://www-secure.symantec.com/connect/articles/sep-12-ru2-and

How to deploy/update communication settings from your SEPM to your SEP clients machines with SEP 12.1 RU2

Article:TECH199124  |  Created: 2012-10-30  |  Updated: 2013-02-15  |  Article URL http://www.symantec.com/docs/TECH199124

 

Chetan Savade's picture

Hi,

Thank you for posting in Symantec connect.
 
I would be glad to answer your question.
 
After checking attached JPG files it seems it's not very difficult task.

In any case actually no need to uninstall SEP clients. You can restore the communication and install the new license.

I have note down your question here:

Q .It is possible to upgrade the existing clients in company A which are connected in company B symantec server to get authenticated with new license with newly installed SEPM server 12.1 in company environment A without uninstalling previous clients and also receive updates from server  A

--> Is there any relationship between Symantec servers (SEPM's) installed in environment A & B (old environment). 

OR

It's a fresh intsall?

If yes, please specify it.

In environment A what would be the source of update of now? (Internet or Symantec environment B server or any other option), please specify it.

About license related query can refer this article:

How to manage license file when there are several Symantec Endpoint Protection Managers in place?

http://www.symantec.com/docs/TECH164392

If it's a fresh install of Symantec server in environment A and not needed any relationship with environment B server then can restore the communication using Sylink replacer tool.

Helpful article: https://www-secure.symantec.com/connect/articles/sep-121-and-license-concept

 

Chetan Savade
Sr.Technical Support Engineer, Endpoint Security
Enterprise Technical Support
CCNA | CCNP | MCSE | SCTS |

Don't forget to mark your thread as 'SOLVED' with the answer that best helps you.<

geekgadget's picture

Thanks Chetan and other for your reply, Chetan the details you ask for are as follows :

"Is there any relationship between Symantec servers (SEPM's) installed in environment A & B (old environment)."

There will be no relationship in between the old and new SEPMs , It's a fresh install

currently we have the client pacakage EXE  which we deploy in our company and have no privileges on the SEPM which is in company B.

"In environment A what would be the source of update of now? (Internet or Symantec environment B server or any other option), please specify it."

With our new SEPM we will get update directly through Symantec Live server there will be no role of company B in licensing and updates.

So Please guide me what will be the smart way to accomplish this task as I mentioned that we have approx 1000 clients in our environment.

Chetan all these clients at diffrent remote location in my company A are in WORKGROUP environment not in Domain environment.

Regards

GeekGadget

Rafeeq's picture

moving clients between SEPM is easy, you just need to update the communcation file Sylink.xml

using the deploy communciation settings of SEPM. As your SEPM will not be depending on any LU or license. You are of your own. Just move the clients using Comm settings.

Just take care of the ports ( I do not see any firewall  if there are any)

http://www.symantec.com/business/support/index?page=content&id=TECH102416

 

geekgadget's picture

Rafeeq in my environment we have firewall at the edge through which traffic move to Internet,please guide the process by which we can relace the old sylink.xml with the new one which is created by new SEPM and I suppose there will be not much emphasis on ports.

Regards

GeekGadget

Chetan Savade's picture

Hi,

Have you exported the package from the new SEPM?

If yes then no need to replace Sylink.xml, Simply push the new packages.

If SEP is already deployed on all those clients and just want to replace Sylink.xml then yes need to use Sylink replacer tool.

Chetan Savade
Sr.Technical Support Engineer, Endpoint Security
Enterprise Technical Support
CCNA | CCNP | MCSE | SCTS |

Don't forget to mark your thread as 'SOLVED' with the answer that best helps you.<

Rafeeq's picture

Use this link to replace sylink from new sepm to other clients which are managed by diff sepm

How to deploy/update communication settings from your SEPM to your SEP clients machines with SEP 12.1 RU2

 

http://www.symantec.com/business/support/index?page=content&id=TECH199124

geekgadget's picture

Thanks Rafeeq for the link but I need clear some points mentioned in this document
related with my environment.

1.We need to provide the Admin password which is of old SEPM , If this condition is yes then is there any way we can by pass this step because we don't have Admin credentials of company B SEPM.

2.I think to save the pacakage and provide it in my internal website as a link to execute at various locations

 

Chetan Savade's picture

Hi,

Thanks for the update.

It's possible to deploy the package by providing internal website link.

It's a workgroup environment then need to check these articles.

Best Practices for Central Deployment and Management of Symantec Endpoint Protection (SEP) in a Workgroup environment
 
 
How to install Symantec Endpoint Protection in a workgroup environment
 
 
Also refer this article if faced any communication issue.
 
Which Communications Ports does Symantec Endpoint Protection use?
 
http://www.symantec.com/docs/TECH163787 
 

Chetan Savade
Sr.Technical Support Engineer, Endpoint Security
Enterprise Technical Support
CCNA | CCNP | MCSE | SCTS |

Don't forget to mark your thread as 'SOLVED' with the answer that best helps you.<

Rafeeq's picture

Yes you need to have the admin password so that you can do the remote push.

we cant by pass this coz it needs those creds so that it can map a drive, copy the sylink and recycle the service. if its in work group then local admin password should be specified.

or else

You can call suppport

get the sylink replacer tool . Run it from any Company B server ( even this will check for appropirate permission, logged in user should have admin rights) 

all the rights are explained here

http://www.symantec.com/business/support/index?page=content&id=TECH163112

 

2) Yes

======================

Above method is easy , you can export policy from company a and import in new SEPM, 

other ways require replication, management server list, its little complicated than this

somethign like this one

http://www.symantec.com/business/support/index?page=content&id=TECH103175

Chetan Savade's picture

Hi,

Do you have any update on this?

Chetan Savade
Sr.Technical Support Engineer, Endpoint Security
Enterprise Technical Support
CCNA | CCNP | MCSE | SCTS |

Don't forget to mark your thread as 'SOLVED' with the answer that best helps you.<

geekgadget's picture

Hi ,

Thanks Chetan/Rafeeq for your valuable information regarding this task, I had test this migration of clients

from company B to the new SEPM which will be in my company and the results are good.

Initially I test this thing in my lab environment in the following way as you can see from the screen shots.

1.Create one XP VM and install client pacakge of company B.

2.Create another 2008 serverVM with SEPM in my testing domain on private IP address and create a config pacakage with Syslink and it's EXE.

3.Run this Syslink on the Client XP which have company B client install it prompt for the password and I provide the password of company B.

4.After that this client is showing in the new SEPM as given in the screen shot.

*********************************************************************************************

Please guide me regarding one thing in my environment we are using multiple IP ranges on diffrent location in WAN environment I need to clear doubt that whether I have to define these IP ranges in SEPM or not.

 

Regards

GeekGadget   

Change status of Client on other Server.JPG Status of Added client in Symantec server.JPG
Chetan Savade's picture

Hi,

Thanks for the update.

Q. Please guide me regarding one thing in my environment we are using multiple IP ranges on different location in WAN environment I need to clear doubt that whether I have to define these IP ranges in SEPM or not.

--> It's not required. If communication ports used by SEP are open and allowed then there shouldn't by any other concern even though it's on different subnet/WAN link. 

Chetan Savade
Sr.Technical Support Engineer, Endpoint Security
Enterprise Technical Support
CCNA | CCNP | MCSE | SCTS |

Don't forget to mark your thread as 'SOLVED' with the answer that best helps you.<

Rafeeq's picture

Not needed, Not like SCCM where you specifiy boundry

client will find out sepm using the ip in the sylink.xml. it will  have all the ips assigned to the nw card in sepm.

if you they are able to reach though ip and port ( 8014 usually) then they will communicate.

geekgadget's picture

What is the purpose of Host Groups ? Here we define the IP ranges.

 

Regards

Geek Gadget

 

New Host.JPG
Rafeeq's picture

that is useful when you want to add too many hosts inside a firewall policy.

ex blacklisting lot of domains 

to make it simple you define a host group,when adding to the firewall, just add the host group..

http://www.symantec.com/business/support/index?page=content&id=TECH91252

 

Chetan Savade's picture

Hi,

Article shared by Rafeeq should answer your query.

Are you able to manage clients through the new SEPM?

Chetan Savade
Sr.Technical Support Engineer, Endpoint Security
Enterprise Technical Support
CCNA | CCNP | MCSE | SCTS |

Don't forget to mark your thread as 'SOLVED' with the answer that best helps you.<

geekgadget's picture

Hi Rafeeq/Chetan ,

In my environment we will about to deploy Checkpoint Firewall along with Multi domain management server and Event Appliance I need to know can we redirect all logs of SEPM to the Event Appliance of Check Point which have 4 TB of stoarge with it.

Regards

Geek Gadget 

Chetan Savade's picture

Hi,

We have public KB but it's all about Syslog server.

SEPM can forward it to syslog server. 

http://www.symantec.com/docs/HOWTO55417

 

Chetan Savade
Sr.Technical Support Engineer, Endpoint Security
Enterprise Technical Support
CCNA | CCNP | MCSE | SCTS |

Don't forget to mark your thread as 'SOLVED' with the answer that best helps you.<

pete_4u2002's picture

you may want to check with the checkpoint if it has agent collector for SEP.

geekgadget's picture

Hi,

Please clear one of my query which is like that.

Suppose we create the custom package by selecting some options for clients rather than the full protection of clients on the previous server and now we want to move the clients to another server by the help of sylink where we want all security features on the clients packages.

Then in this case what features will be effective on clients after moving to another server by the help of Sylink will all remains features which are left in intially will be effective after moving to the new server.

 

Regards

Geekgadget

pete_4u2002's picture

it will have same features unless it is been modified with new features.

geekgadget's picture

Please guide me how to modify these features , so that they can have full security features by communication with the new server.

 

pete_4u2002's picture

How to change the Symantec Endpoint Protection (SEP) client feature set from SEPM? How to modify the SEP client installation from the Console?

Article:TECH203923  |  Created: 2013-03-15  |  Updated: 2013-04-03  | 

Article URL http://www.symantec.com/docs/TECH203923

 

How to change the Installed Feature Set on Symantec Endpoint Protection 12.1 Clients

Article:HOWTO58966  |  Created: 2011-08-17  |  Updated: 2011-08-22  |  Article URL http://www.symantec.com/docs/HOWTO58966

 

geekgadget's picture

Thanks for the info I will go through them and let you know if have any issue.

 

Regards

Geekgadget

geekgadget's picture

Dear Chetan/Rafeeq,

I have deployed Symantec Endpoint Protection 12.1.4 in our production and by the help of SylinkDrop.exe clients are moving sucessfully from Company B to company A (new server)

Now I have a query regarding the License issue of Server as in the License Bundle
we have the following one :

1.SYMC NETWORK ACCESS CONTROL 12.1 PER USER I/O ESSENTIAL 12 MONTHS  for 1000   clients.                        

2.SYMC SYSTEM RECOVERY DESKTOP FOR SYMC PROTECTION SUITE ENTERPRISE EDITION  4.0 I/O STD LIC for Clients.  

3.SYMC PROTECTION SUITE ENTERPRISE EDITION 4.0 PER USER I/O ESSENTIAL 12 MONTHS for  1000 Clients.    

As you can see from the printscreen attached with this, Symantec Network Access Control isn't used yet.

So I need to know which installation package I need to deploy for Sym NAC and Symantec Recovery Desktop and what is the procedure for their installation and I think they have install on the same Window server 2003 on which I have install Endpoint protection 12.1.4 because it's a part of same SYMC PROTECTION SUITE ENTERPRISE EDITION 4.0

Regards

Geekgadget

License Printscreen.JPG
Chetan Savade's picture

Hi,

Which package you had downloaded from fileconnect? I mean SEPM is installed with SNAC or not?

 

Chetan Savade
Sr.Technical Support Engineer, Endpoint Security
Enterprise Technical Support
CCNA | CCNP | MCSE | SCTS |

Don't forget to mark your thread as 'SOLVED' with the answer that best helps you.<

geekgadget's picture

Hi Chetan,

I have downloaded the following package from the file connect I think SNAC is not in it.

Symantec_Endpoint_Protection_12.1.4_Part1_Installation_EN.exe
with the following Version.

SEP Client Version 12.1.4013.4013
SEPM Version 12.1.4013.4013
SIS Version 12.1.4013.4013

Plz check the Package which I have downloaded from the portal.

Regards

Geekgadget
 

Symantec Product Download.JPG
Chetan Savade's picture

Yes, SNAC it not in it.

If you are entitled for SNAC then must install SNAC package to get the benefits of it.

In this case you will have to uninstall SEPM and install SEPM with SNAC.

You can continue with this setup but can not use SNAC features.

Sorry to say but there is no way to upgrade existing SEPM with SNAC feature. It's a completely new SEPM package.

Do you see SNAC package available to download?

 

Chetan Savade
Sr.Technical Support Engineer, Endpoint Security
Enterprise Technical Support
CCNA | CCNP | MCSE | SCTS |

Don't forget to mark your thread as 'SOLVED' with the answer that best helps you.<

geekgadget's picture

Thanks Chetan for your valuable feedback , In my scenario as I already mentioned that we have to move 1000 clients from company B to our company. I am planning after your feedback in the following manner which is mentioned below please guide me whether it's the feasible way or not and what kind of issue I may face.

1.Firstly I think that I should move all clients to our SEPM so that there will be no dependency with other company.

2.In second step I should uninstall my existing SEPM and install SEPM+SNAC and used the database of my current SEPM so that all clients should move at once to the new setup will this be possible.

My Queries :

1.Should I have to install new client package on computers for using SNAC on them because currently I have to just run the SylinkDrop.exe and the client systems which are configured with company B they just move to my SEPM.

2.If I have to just use "SYMC SYSTEM RECOVERY DESKTOP FOR SYMC PROTECTION SUITE ENTERPRISE EDITION 4.0 I/O STD LIC" with my existing setup without using SNAC how can I configure it along with my existing SEPM please share the links related with it because System recovery comes in Protection suite 4.0 Ent edition.

Regards

Geekgadget

 

 

Chetan Savade's picture

Hi,

1.Firstly I think that I should move all clients to our SEPM so that there will be no dependency with other company.

2.In second step I should uninstall my existing SEPM and install SEPM+SNAC and used the database of my current SEPM so that all clients should move at once to the new setup will this be possible.

--> If Database is SQL then I think it's possible. In case of Embedded database it's as good as fresh install. You can send

1.Should I have to install new client package on computers for using SNAC on them because currently I have to just run the SylinkDrop.exe and the client systems which are configured with company B they just move to my SEPM.

--> You need to push a fresh new package. Use Client Deployment Wizard (CDW) to accomplish it.

2.If I have to just use "SYMC SYSTEM RECOVERY DESKTOP FOR SYMC PROTECTION SUITE ENTERPRISE EDITION 4.0 I/O STD LIC" with my existing setup without using SNAC how can I configure it along with my existing SEPM please share the links related with it because System recovery comes in Protection suite 4.0 Ent edition.

--> I am sorry I have absolutely no idea about Symc system recovery desktop. However I will try to find out how can I assist you on the same.

Chetan Savade
Sr.Technical Support Engineer, Endpoint Security
Enterprise Technical Support
CCNA | CCNP | MCSE | SCTS |

Don't forget to mark your thread as 'SOLVED' with the answer that best helps you.<

geekgadget's picture

Thanks Chetan for your reply , as you mentioned that I can use the same database if it's on SQL server for SNAC , so can I do the following things.

(All Clients) in Embedded database - > SQL server database , means to say that can I move the data from embedded database to SQL server , if it's possible then in this case it will solve my problem.

Embedded database - > SQL server database - > SNAC

Please give your feedback for this strategy.

Regards

Geekgadget

 

 

Chetan Savade's picture

It should work this way becuase we can convert Embedded database to SQL.

however let me confirm with my teammates.I will update you.

 

Chetan Savade
Sr.Technical Support Engineer, Endpoint Security
Enterprise Technical Support
CCNA | CCNP | MCSE | SCTS |

Don't forget to mark your thread as 'SOLVED' with the answer that best helps you.<

Chetan Savade's picture

Good news for you.

No need to uninstall existing SEPM, you can add SNAC features into the existing SEPM.

I just tested on my VM machine and it worked. I am not from SNAC team so never did this before.

Try the following steps:

Download Symantec_Network_Access_Control_12.1.4_Full_EN.exe from https://fileconnect.symantec.com/

Run Setup.exe

Select Install Symantec Network Access Control

Next choose Install Symantec Endpoint Protection Manager.

It will open "Welcome to the Management Server Upgrade Wizard. 

Choose Next.

Then Finish.

Verify Host Integrity is now an option under Policies.

Verify SNAC 32 bit and 64 bit packages are available under Admin --> Install Packages

 

Chetan Savade
Sr.Technical Support Engineer, Endpoint Security
Enterprise Technical Support
CCNA | CCNP | MCSE | SCTS |

Don't forget to mark your thread as 'SOLVED' with the answer that best helps you.<

SOLUTION
geekgadget's picture

Thanks a Lot Chetan for your support I will try this and let you know about the result.

Regards

Geekgadget

Chetan Savade's picture

Is there any update?

If issue is resolved, don't forget to mark your thread as 'SOLVED' with the answer that best helps you.

Chetan Savade
Sr.Technical Support Engineer, Endpoint Security
Enterprise Technical Support
CCNA | CCNP | MCSE | SCTS |

Don't forget to mark your thread as 'SOLVED' with the answer that best helps you.<

geekgadget's picture

Chetan please give a day or two after that I will update the thread and marked as Solution.

Regards

Geekgadget

Chetan Savade's picture

No problem.

Chetan Savade
Sr.Technical Support Engineer, Endpoint Security
Enterprise Technical Support
CCNA | CCNP | MCSE | SCTS |

Don't forget to mark your thread as 'SOLVED' with the answer that best helps you.<

Chetan Savade's picture

Sorry to bother you again, is there any update?

Chetan Savade
Sr.Technical Support Engineer, Endpoint Security
Enterprise Technical Support
CCNA | CCNP | MCSE | SCTS |

Don't forget to mark your thread as 'SOLVED' with the answer that best helps you.<

geekgadget's picture

Hi chetan currently we have move around 600 clients to our server around 300 - 325 are left so after the complete migration I am planning to move to NAC. by this way we have our databse and  take the backup so in case if we face any issue in moving to NAC so we can revert back to the intal one.

I will update you as soon as I move the clients and update the SNAC in our envirinment.

Regards

Geekgadget

ticmirex's picture

@Chetan Savade

i have some problems with my enpoint protection manager 12.1

i create a new virtual machine to do a fresh install, i don't want to migrate the old policies, in basics words, i only need the clients in my new server with new policies (old serial number).

.Brian's picture

You can move the clients over to the new SEPM if on 12.1.2 or higher, see here:

Restoring client-server communications with Communication Update Package Deployment

 

Please click the "Mark as solution" link at bottom left on the post that best answers your question. This will benefit admins looking for a solution to the same problem.

Chetan Savade's picture

Can refer the article shared by Brain.

Chetan Savade
Sr.Technical Support Engineer, Endpoint Security
Enterprise Technical Support
CCNA | CCNP | MCSE | SCTS |

Don't forget to mark your thread as 'SOLVED' with the answer that best helps you.<

geekgadget's picture

Thanks all for your support and specially to Chetan.

Regards

Geekgadget

Chetan Savade's picture

Thank for the update and feedback  Happy to help. smiley

Chetan Savade
Sr.Technical Support Engineer, Endpoint Security
Enterprise Technical Support
CCNA | CCNP | MCSE | SCTS |

Don't forget to mark your thread as 'SOLVED' with the answer that best helps you.<