Hi,

I need to deploy Symantec End point protection 12.1 in my environment along with Symantec Net Access Control 12.1 & Symantec System Recovery Desktop in my  organization.

Scenario is like this currently we are getting license and Live updates from another company Symantec Endpoint protection manager which is also 12.1 now we want  to deploy the  Symantec  Endpoint protection server in my company you can check the scenario from Pic 1 & Pic 2.

Issue is : We have approx 1000 client in my company (company A) which are getting updates from company B what will be the best option through which we will move all existing clients to get updates and licensed from the new Symantec Endpoint Protection Manager.

Regards

GeekGadget

HI,

you just need to move you configuration to the new SEP Manager?

are you using an SQL db?

if both are yes, install sep console on the new Manager, then configure SEP with the existing DB (that is the one you are using) from the "run the configuration wizard" in start menu=> sepm => run confiruation wizard.

Or you can use replication (if condition/requirement are met)

http://www.symantec.com/docs/TECH104389

If you only need to point the clients to another SEPM, than try the linked KBA below:

Restoring client-server communications with Communication Update Package Deployment

HI, 

You can create a replica server from Site B to Site to site A once all clients are reported on site A you can break the communication.

or

http://www.symantec.com/docs/HOWTO81109

 http://www.symantec.com/docs/TECH171767

Step-up a new SEPM site on company A and replace existing clients Sylink.xml using Sylink replacer.

Regards

Ajin

What of the version you are running in your SEPM and Client?

If you are running with SEP 12.1 RU2

then use the below article to replace the sylink communication

https://www-secure.symantec.com/connect/articles/sep-12-ru2-and

How to deploy/update communication settings from your SEPM to your SEP clients machines with SEP 12.1 RU2

Hi,

In any case actually no need to uninstall SEP clients. You can restore the communication and install the new license.

I have note down your question here:

Q .It is possible to upgrade the existing clients in company A which are connected in company B symantec server to get authenticated with new license with newly installed SEPM server 12.1 in company environment A without uninstalling previous clients and also receive updates from server  A

--> Is there any relationship between Symantec servers (SEPM's) installed in environment A & B (old environment). 

OR

It's a fresh intsall?

If yes, please specify it.

In environment A what would be the source of update of now? (Internet or Symantec environment B server or any other option), please specify it.

About license related query can refer this article:

How to manage license file when there are several Symantec Endpoint Protection Managers in place?

http://www.symantec.com/docs/TECH164392

If it's a fresh install of Symantec server in environment A and not needed any relationship with environment B server then can restore the communication using Sylink replacer tool.

Helpful article: https://www-secure.symantec.com/connect/articles/sep-121-and-license-concept

moving clients between SEPM is easy, you just need to update the communcation file Sylink.xml

using the deploy communciation settings of SEPM. As your SEPM will not be depending on any LU or license. You are of your own. Just move the clients using Comm settings.

Just take care of the ports ( I do not see any firewall  if there are any)

http://www.symantec.com/business/support/index?page=content&id=TECH102416

Thanks Chetan and other for your reply, Chetan the details you ask for are as follows :

"Is there any relationship between Symantec servers (SEPM's) installed in environment A & B (old environment)."

There will be no relationship in between the old and new SEPMs , It's a fresh install

currently we have the client pacakage EXE  which we deploy in our company and have no privileges on the SEPM which is in company B.

"In environment A what would be the source of update of now? (Internet or Symantec environment B server or any other option), please specify it."

With our new SEPM we will get update directly through Symantec Live server there will be no role of company B in licensing and updates.

So Please guide me what will be the smart way to accomplish this task as I mentioned that we have approx 1000 clients in our environment.

Chetan all these clients at diffrent remote location in my company A are in WORKGROUP environment not in Domain environment.

Regards

GeekGadget

Rafeeq in my environment we have firewall at the edge through which traffic move to Internet,please guide the process by which we can relace the old sylink.xml with the new one which is created by new SEPM and I suppose there will be not much emphasis on ports.

Regards

GeekGadget

Use this link to replace sylink from new sepm to other clients which are managed by diff sepm

How to deploy/update communication settings from your SEPM to your SEP clients machines with SEP 12.1 RU2

http://www.symantec.com/business/support/index?page=content&id=TECH199124

Thanks Rafeeq for the link but I need clear some points mentioned in this document
related with my environment.

1.We need to provide the Admin password which is of old SEPM , If this condition is yes then is there any way we can by pass this step because we don't have Admin credentials of company B SEPM.

2.I think to save the pacakage and provide it in my internal website as a link to execute at various locations

Yes you need to have the admin password so that you can do the remote push.

we cant by pass this coz it needs those creds so that it can map a drive, copy the sylink and recycle the service. if its in work group then local admin password should be specified.

or else

You can call suppport

get the sylink replacer tool . Run it from any Company B server ( even this will check for appropirate permission, logged in user should have admin rights) 

all the rights are explained here

http://www.symantec.com/business/support/index?page=content&id=TECH163112

2) Yes

======================

Above method is easy , you can export policy from company a and import in new SEPM, 

other ways require replication, management server list, its little complicated than this

somethign like this one

http://www.symantec.com/business/support/index?page=content&id=TECH103175

Hi,

Thanks for the update.

It's possible to deploy the package by providing internal website link.

It's a workgroup environment then need to check these articles.

Hi,

Have you exported the package from the new SEPM?

If yes then no need to replace Sylink.xml, Simply push the new packages.

If SEP is already deployed on all those clients and just want to replace Sylink.xml then yes need to use Sylink replacer tool.

Hi,

Do you have any update on this?

Hi ,

Thanks Chetan/Rafeeq for your valuable information regarding this task, I had test this migration of clients

from company B to the new SEPM which will be in my company and the results are good.

Initially I test this thing in my lab environment in the following way as you can see from the screen shots.

1.Create one XP VM and install client pacakge of company B.

2.Create another 2008 serverVM with SEPM in my testing domain on private IP address and create a config pacakage with Syslink and it's EXE.

3.Run this Syslink on the Client XP which have company B client install it prompt for the password and I provide the password of company B.

4.After that this client is showing in the new SEPM as given in the screen shot.

*********************************************************************************************

Please guide me regarding one thing in my environment we are using multiple IP ranges on diffrent location in WAN environment I need to clear doubt that whether I have to define these IP ranges in SEPM or not.

Regards

GeekGadget   

Hi,

Thanks for the update.

Q. Please guide me regarding one thing in my environment we are using multiple IP ranges on different location in WAN environment I need to clear doubt that whether I have to define these IP ranges in SEPM or not.

--> It's not required. If communication ports used by SEP are open and allowed then there shouldn't by any other concern even though it's on different subnet/WAN link. 

Not needed, Not like SCCM where you specifiy boundry

client will find out sepm using the ip in the sylink.xml. it will  have all the ips assigned to the nw card in sepm.

if you they are able to reach though ip and port ( 8014 usually) then they will communicate.

What is the purpose of Host Groups ? Here we define the IP ranges.

Regards

Geek Gadget

that is useful when you want to add too many hosts inside a firewall policy.

ex blacklisting lot of domains 

to make it simple you define a host group,when adding to the firewall, just add the host group..

http://www.symantec.com/business/support/index?page=content&id=TECH91252

Hi,

Article shared by Rafeeq should answer your query.

Are you able to manage clients through the new SEPM?

Yeah it clear my point regarding the using of this feature.

Hi Rafeeq/Chetan ,

In my environment we will about to deploy Checkpoint Firewall along with Multi domain management server and Event Appliance I need to know can we redirect all logs of SEPM to the Event Appliance of Check Point which have 4 TB of stoarge with it.

Regards

Geek Gadget 

you may want to check with the checkpoint if it has agent collector for SEP.

Hi

Please refer the link below

http://www.symantec.com/business/support/index?page=content&id=TECH199292&actp=search&viewlocale=en_US&searchid=1372070399663

Regards

Hi,

We have public KB but it's all about Syslog server.

SEPM can forward it to syslog server. 

http://www.symantec.com/docs/HOWTO55417

Hi,

Please clear one of my query which is like that.

Suppose we create the custom package by selecting some options for clients rather than the full protection of clients on the previous server and now we want to move the clients to another server by the help of sylink where we want all security features on the clients packages.

Then in this case what features will be effective on clients after moving to another server by the help of Sylink will all remains features which are left in intially will be effective after moving to the new server.

Regards

Geekgadget

it will have same features unless it is been modified with new features.

Please guide me how to modify these features , so that they can have full security features by communication with the new server.

How to change the Symantec Endpoint Protection (SEP) client feature set from SEPM? How to modify the SEP client installation from the Console?

How to change the Installed Feature Set on Symantec Endpoint Protection 12.1 Clients

Thanks for the info I will go through them and let you know if have any issue.

Regards

Geekgadget

Dear Chetan/Rafeeq,

I have deployed Symantec Endpoint Protection 12.1.4 in our production and by the help of SylinkDrop.exe clients are moving sucessfully from Company B to company A (new server)

Now I have a query regarding the License issue of Server as in the License Bundle
we have the following one :

1.SYMC NETWORK ACCESS CONTROL 12.1 PER USER I/O ESSENTIAL 12 MONTHS  for 1000   clients.                        

2.SYMC SYSTEM RECOVERY DESKTOP FOR SYMC PROTECTION SUITE ENTERPRISE EDITION  4.0 I/O STD LIC for Clients.  

3.SYMC PROTECTION SUITE ENTERPRISE EDITION 4.0 PER USER I/O ESSENTIAL 12 MONTHS for  1000 Clients.    

As you can see from the printscreen attached with this, Symantec Network Access Control isn't used yet.

So I need to know which installation package I need to deploy for Sym NAC and Symantec Recovery Desktop and what is the procedure for their installation and I think they have install on the same Window server 2003 on which I have install Endpoint protection 12.1.4 because it's a part of same SYMC PROTECTION SUITE ENTERPRISE EDITION 4.0

Regards

Geekgadget

Hi,

Which package you had downloaded from fileconnect? I mean SEPM is installed with SNAC or not?

Hi Chetan,

I have downloaded the following package from the file connect I think SNAC is not in it.

Symantec_Endpoint_Protection_12.1.4_Part1_Installation_EN.exe
with the following Version.

SEP Client Version 12.1.4013.4013
SEPM Version 12.1.4013.4013
SIS Version 12.1.4013.4013

Plz check the Package which I have downloaded from the portal.

Regards

Geekgadget
 

Yes, SNAC it not in it.

If you are entitled for SNAC then must install SNAC package to get the benefits of it.

In this case you will have to uninstall SEPM and install SEPM with SNAC.

You can continue with this setup but can not use SNAC features.

Sorry to say but there is no way to upgrade existing SEPM with SNAC feature. It's a completely new SEPM package.

Do you see SNAC package available to download?

Thanks Chetan for your valuable feedback , In my scenario as I already mentioned that we have to move 1000 clients from company B to our company. I am planning after your feedback in the following manner which is mentioned below please guide me whether it's the feasible way or not and what kind of issue I may face.

1.Firstly I think that I should move all clients to our SEPM so that there will be no dependency with other company.

2.In second step I should uninstall my existing SEPM and install SEPM+SNAC and used the database of my current SEPM so that all clients should move at once to the new setup will this be possible.

My Queries :

1.Should I have to install new client package on computers for using SNAC on them because currently I have to just run the SylinkDrop.exe and the client systems which are configured with company B they just move to my SEPM.

2.If I have to just use "SYMC SYSTEM RECOVERY DESKTOP FOR SYMC PROTECTION SUITE ENTERPRISE EDITION 4.0 I/O STD LIC" with my existing setup without using SNAC how can I configure it along with my existing SEPM please share the links related with it because System recovery comes in Protection suite 4.0 Ent edition.

Regards

Geekgadget

Hi,

1.Firstly I think that I should move all clients to our SEPM so that there will be no dependency with other company.

2.In second step I should uninstall my existing SEPM and install SEPM+SNAC and used the database of my current SEPM so that all clients should move at once to the new setup will this be possible.

--> If Database is SQL then I think it's possible. In case of Embedded database it's as good as fresh install. You can send

1.Should I have to install new client package on computers for using SNAC on them because currently I have to just run the SylinkDrop.exe and the client systems which are configured with company B they just move to my SEPM.

--> You need to push a fresh new package. Use Client Deployment Wizard (CDW) to accomplish it.

2.If I have to just use "SYMC SYSTEM RECOVERY DESKTOP FOR SYMC PROTECTION SUITE ENTERPRISE EDITION 4.0 I/O STD LIC" with my existing setup without using SNAC how can I configure it along with my existing SEPM please share the links related with it because System recovery comes in Protection suite 4.0 Ent edition.

--> I am sorry I have absolutely no idea about Symc system recovery desktop. However I will try to find out how can I assist you on the same.

Thanks Chetan for your reply , as you mentioned that I can use the same database if it's on SQL server for SNAC , so can I do the following things.

(All Clients) in Embedded database - > SQL server database , means to say that can I move the data from embedded database to SQL server , if it's possible then in this case it will solve my problem.

Embedded database - > SQL server database - > SNAC

Please give your feedback for this strategy.

Regards

Geekgadget

It should work this way becuase we can convert Embedded database to SQL.

however let me confirm with my teammates.I will update you.

Thanks for your support.

Regards

Geekgadget

Good news for you.

No need to uninstall existing SEPM, you can add SNAC features into the existing SEPM.

I just tested on my VM machine and it worked. I am not from SNAC team so never did this before.

Try the following steps:

Download Symantec_Network_Access_Control_12.1.4_Full_EN.exe from https://fileconnect.symantec.com/

Thanks a Lot Chetan for your support I will try this and let you know about the result.

Regards

Geekgadget

Is there any update?

If issue is resolved, don't forget to mark your thread as 'SOLVED' with the answer that best helps you.

Chetan please give a day or two after that I will update the thread and marked as Solution.

Regards

Geekgadget

No problem.

Sorry to bother you again, is there any update?

Hi chetan currently we have move around 600 clients to our server around 300 - 325 are left so after the complete migration I am planning to move to NAC. by this way we have our databse and  take the backup so in case if we face any issue in moving to NAC so we can revert back to the intal one.

I will update you as soon as I move the clients and update the SNAC in our envirinment.

Regards

Geekgadget

@Chetan Savade

i have some problems with my enpoint protection manager 12.1

i create a new virtual machine to do a fresh install, i don't want to migrate the old policies, in basics words, i only need the clients in my new server with new policies (old serial number).

You can move the clients over to the new SEPM if on 12.1.2 or higher, see here:

Restoring client-server communications with Communication Update Package Deployment

Can refer the article shared by Brain.

Thanks Brain for the info.

Regards

Geekgadget

tranks +Chetan Savade  and +Brain

Thanks all for your support and specially to Chetan.

Regards

Geekgadget

Thank for the update and feedback  Happy to help.