Endpoint Protection


Unmanaged to managed and upgrade to SEP 12


  • 1.  Unmanaged to managed and upgrade to SEP 12

    Posted Jan 31, 2014 12:31 PM

    Hi,

    SEP version 11.0.600

    Currently all SEP clients are unmanaged, and we are planning to upgrade to SEP 12.

    We are planning to change all the clients from unmanaged to managed and also upgrade to SEP 12.  We already have SEPM 11.0.6 installed. Some users are remote and use VPN.

    What are the best possible options I have to accomplish the above tasks? I want to carry out this upgrade smoothly and without interrupting the users.

     

    Appreciate your help.

     

    Thanks,

     

    Lama

     

     

     

     

     

     



  • 2.  RE: Unmanaged to managed and upgrade to SEP 12

    Posted Jan 31, 2014 12:33 PM

    Simply install SEPM 12.1.4 and from there you can push out a new sylink to the users

    Restoring client-server communications with Communication Update Package Deployment

    This should get them reporting into the SEPM in order to be managed by it.

    You can then upgrade your client using the autoupgrade feature in the SEPM

    Best practices for upgrading to the latest version of Symantec Endpoint Protection 12.1.x



  • 3.  RE: Unmanaged to managed and upgrade to SEP 12

    Posted Jan 31, 2014 12:51 PM

    Thanks Brian.

    I have to basically follow these steps:

     

    1) I already have SEPM 11.0.6 and need to upgrade to SEPM 12.1.4.

    2) Push out a new sylink to the users which should get the clients to report to the SEPM

    3) Upgrade the clients using the autoupgrade feature in SEPM.

     

    Anything else I need to be aware of? I would appreciate all your help.

    I am still at the planning phase and working with Symantec for upgrade licenses.

    Thanks,



  • 4.  RE: Unmanaged to managed and upgrade to SEP 12

    Posted Jan 31, 2014 12:54 PM

    Just make sure to read the best practice guide as it goes into excellent detail on how to do the upgrade. Also, don't forget to take a backup before the upgrade in case something goes wrong



  • 5.  RE: Unmanaged to managed and upgrade to SEP 12

    Broadcom Employee
    Posted Jan 31, 2014 01:14 PM

    Hi,

    Thank you for posting in Symantec community.

    I would be glad to answer your query.

    Do a fresh install of SEPM 12.1 RU4 Enterprise Edition; you can refer to this video to know more about it.

    The video refers to the SEP 12.1 RU2 version, but it will be pretty much the same with SEP 12.1 RU4 as well.

    https://www-secure.symantec.com/connect/videos/sepm-1212-sep-121-ru2-fresh-install-using-embedded-database

    After a successful SEPM upgrade, push the new package from SEPM to the 11.0.6 clients or perform an auto upgrade.

    To perform an auto upgrade, refer to this article:

    https://www-secure.symantec.com/connect/articles/sepm-121-auto-upgrade

    A reboot is mandatory to complete a successful upgrade. You can plan the upgrade accordingly.

    SEP 12.1 employs a side-by-side, replace on reboot installation strategy. Side-by-side means that new files are written to a new folder, referred to as a silo, isolated from the existing operational folder. Because the two versions are separated from each other, during a migration the older software is left running unchanged until the next reboot.

    The primary benefit of side-by-side installation and replace on reboot is that the system continues to be protected by the existing software until the new version is in operation after the reboot.

    This technique enables you to change the normal portion of the installation path during a migration, when applicable. 



  • 6.  RE: Unmanaged to managed and upgrade to SEP 12

    Posted Jan 31, 2014 03:43 PM

    How do you like your apple pie? With Ice Cream, with Whipped Cream, with both?

     

    Any number of folks here will give you about 10 different ways this can all be accomplished and all of them would be correct.

     

    The real question is about how many clients are we working with here and what type of time table do you have to work with. I agree with getting clients linked up to the console first (no matter what version of SEP they are running). Administration of SEP clients (including their policies and installation management) is far easier when you have pieces in place and they are all communicating with the console.

     

    What I would advise first is to pre-configure your policies first, create your group/SEPM-GPO structure (generally, a workstations group and a servers group is sufficient). When you are creating policies, have separate policies for servers and workstations (different access and modification of the SEP client has different needs based on the role of the endpoint - meaning, I am fairly restrictive towards end-users on workstations [usually only granted local admin and domain user access] and non-restrictive towards servers [only domain admins may login to these machines]).

    After policies are complete, use the built-in tools to restore client-server communications and sort those clients out. Once that is done, create your install settings and options and then assign those install packages to each of their respective groups with their upgrade settings.

     

    Just make sure that you set up the group communications mode to a pull mode with adequate time for them to download policies and a well enough random download window. For the folks over VPN, I would not suggest using VPN to force the package onto them - rather a location on a share drive (use a basic install package - no definitions included, LiveUpdate will run once the install completes and will use external HTTPS and should not tie down VPN) and have them do that manually...

     

    After going through plenty of deployments over a wide variety of networks - a greater understanding will come if we know what you have to work with...



  • 7.  RE: Unmanaged to managed and upgrade to SEP 12

    Posted Jan 31, 2014 04:01 PM

    Thank you Gentlemen. "Wisdom comes with experience".

     

    Number of clients are 200-250. Regarding time table, I have enough time on hand. First I would like to gather as much information as possible, test it for a good period of time and do the deployment. My motto is to do it once but do it right.

    Keep coming from the pros.

     

    Thanks,

     

     



  • 8.  RE: Unmanaged to managed and upgrade to SEP 12

    Posted Jan 31, 2014 06:15 PM

    Well, the two killers here to consider are these:

     

    Once the client is joined to the new SEPM - its policies and actions are dictated by that console - meaning if a bad policy or if something arises there on that end, that can be a focal point of disaster; so simply skipping over the testing on this area isn't such a hot idea.

     

    At that phase, when you are ready for the migration from 11.x to 12.1 RU4 that obviously sets in a different set of problems, namely deployment success/failures, engine changes that could result in other issues - however most modern and common applications have been successful in over-all migrations w/o any issues. Actually, I find that most overall upgrades are the easy part, it's the policies that are the 'hard' part - what comes out of the box are fair on 12.1.x, but they aren't production sets by any means. 

    Back to the deployments though, the SEPM is great for the masses, but I generally factor in (and I did this back in my consulting days) a 10% exception/failure rate for upgrades - so a couple things to keep handy with you:

    ++Cleanwipe 12.1 RU4 (It is now part of the Part 2: Tools download) useful for pulling any defunct clients out or for failed migrations (just requires one reboot to purge out the client, however cannot be run via script, must be run locally [or console remote session])

    ++A Network share install package (both a 32-bit and 64-bit client of 12.1.4 - pointing to the Default group with Full Server install feature set, which contain the more common techs of SEP, this can be changed later in the SEPM, the content type: Basic - if there were bad defs in there, after install LU would just run, and it keeps the size of the packages down)

     

    The only thing that I would watch out for is (and this is more predominately on the older WinXP/2003 machines) old NIC card drivers, SEP doesn't play well with old NIC drivers - I recommend visiting the chipset manufacturers website to get drivers (such as BroadCom, Intel, etc) and not so much the OEMs (HP, DELL, etc) but if you do not have a choice on that, any updates are good updates there.

     

    Also when choosing feature sets - I know in the past support has done a great job of not defending the need for the advanced protection components of SEP and we have allowed on frequent occasions in here and on third party sites, to scare our clients in using our advanced features..."Oh just install AV only and you will be okay..." - Gosh if that were true, I'd be using Microsoft Security Essentials or Free AVG at home - why would we even need to pay for AV...Proper configuration is what is needed - please do yourself a favor and prevent doo-doo duty having to clean up messes from after the facts...run full feature sets on those client workstations, configure the FW rules if you have to. Run full feature sets on Servers, I can understand if you have datacenters where you need blazing speed, or if a fileserver isn't liking the firewall, but only take off what you HAVE to.

    Anti-Virus and Anti-Spyware, Download Insight (kind of misleading, should just be called reputational insight, it is not limited to just your traditional browser downloads), Email Client (workstations), Intrusion Prevention (life saver), Application and Device control (great for not USB blocking, but threat containment and system hardening) - this is a minimum install level - I would encourage usage of our Firewall (just make sure that you set ALL of the blocking rules to log every time a rule is matched for blocking - that way you can filter legitimate rules back in if need be)

     



  • 9.  RE: Unmanaged to managed and upgrade to SEP 12

    Posted Feb 03, 2014 08:52 AM

    Thank you Tony K.

    How do I avoid forcing the package to the clients connected via VPN?  Can this be done via SEPM?  I would think of creating groups but there is no way for me to figure out how many users are remote.

     

    Thanks,

     

     



  • 10.  RE: Unmanaged to managed and upgrade to SEP 12

    Posted Feb 03, 2014 08:56 AM

    It would need to be done by creating a separate group for your remote users.



  • 11.  RE: Unmanaged to managed and upgrade to SEP 12

    Posted Feb 03, 2014 09:15 AM

    @_Brian. How do I figure out the remote users at a given point of time so that I don't push the package to those clients?



  • 12.  RE: Unmanaged to managed and upgrade to SEP 12

    Posted Feb 03, 2014 09:39 AM

    Do your VPN clients come in with a different IP address scheme?

    For example, they may have a different IP addressing scheme which will allow you to separate them out.



  • 13.  RE: Unmanaged to managed and upgrade to SEP 12

    Posted Feb 03, 2014 10:04 AM

    @_Brian. Yes, when clients are connected via VPN they get different IP addresses than the internal clients. 



  • 14.  RE: Unmanaged to managed and upgrade to SEP 12

    Posted Feb 03, 2014 11:38 AM

    SEPM does not have any specific report for remote clients.

    1) Create a new group, use this tool to move all the remote clients to the new group using IP.

    http://www.symantec.com/business/support/index?page=content&id=TECH157429

    Do not assign the package to this group

    2) Follow this document while performing upgrade on slow WAN links.

    https://www-secure.symantec.com/connect/forums/deploying-sep-client-installation-package-over-wan



  • 15.  RE: Unmanaged to managed and upgrade to SEP 12

    Posted Feb 03, 2014 11:41 AM

    Then I would suggest creating a new group and moving them to this group and do not assign a package to it. Will they be back on the LAN any time soon?



  • 16.  RE: Unmanaged to managed and upgrade to SEP 12

    Posted Feb 04, 2014 01:34 PM

    This is by far the best option stated above here - however real challenges start to happen if clients are connecting via VPN one day then on another back into LAN network.

     

    Now if that is the case - you may have to look into 3rd party tools to help with deployments if a particular group cannot adhere to remaining in one location or another.
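
Added example (not part of the thread, and not Symantec tooling): posts 12 to 16 separate remote clients by VPN address range and note that clients moving between VPN and LAN break that split. The sketch below classifies hosts from check-in records; the VPN pool, the record layout and the host names are constructed assumptions.

```python
import ipaddress
from collections import defaultdict

# Assumption: the address pool(s) the VPN concentrator hands out.
VPN_POOLS = [ipaddress.ip_network("10.99.0.0/16")]

# Constructed sample records: (hostname, IP at check-in, date).
CHECKINS = [
    ("WS-001", "192.168.10.21", "2014-02-03"),
    ("WS-001", "192.168.10.21", "2014-02-04"),
    ("LT-014", "10.99.3.7", "2014-02-03"),
    ("LT-014", "10.99.8.12", "2014-02-04"),
    ("LT-022", "10.99.1.40", "2014-02-03"),
    ("lt-022", "192.168.10.88", "2014-02-04"),  # same laptop, back on the LAN
    ("WS-030", "not-an-ip", "2014-02-04"),      # malformed export row
]


def location(ip, pools=VPN_POOLS):
    """Return 'vpn' or 'lan' for an address; raise ValueError if it is not an IP."""
    addr = ipaddress.ip_address(ip.strip())
    return "vpn" if any(addr in net for net in pools) else "lan"


def classify(checkins, pools=VPN_POOLS):
    """Group hosts by every location they were seen at, not just the latest one."""
    seen = defaultdict(set)
    for host, ip, _day in checkins:
        key = host.strip().upper()  # host names compare case-insensitively
        try:
            seen[key].add(location(ip, pools))
        except ValueError:
            seen[key].add("invalid")
    groups = {"lan": [], "vpn": [], "roaming": [], "review": []}
    for host, kinds in sorted(seen.items()):
        if "invalid" in kinds:
            groups["review"].append(host)      # bad row: check by hand
        elif len(kinds) == 1:
            groups[next(iter(kinds))].append(host)
        else:
            groups["roaming"].append(host)     # seen on both VPN and LAN
    return groups


if __name__ == "__main__":
    for name, hosts in classify(CHECKINS).items():
        print(f"{name:8} {', '.join(hosts) or '-'}")
```

Hosts listed under `roaming` are the ones a static IP-based group cannot hold, which is the case post 16 describes.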

     



  • 17.  RE: Unmanaged to managed and upgrade to SEP 12

    Posted Feb 05, 2014 10:54 AM

    Yes, once the deployment is complete it will communicate to SEPM 



  • 18.  RE: Unmanaged to managed and upgrade to SEP 12

    Posted Feb 05, 2014 10:55 AM

    Thanks Tony.

    Yes, I see the challenges because the users connecting via VPN and LAN keep on changing.

    I already have Dell KACE setup in my infrastructure and I can use it to deploy the SEP clients. After deploying the clients, will all the clients report to the SEPM automatically?

     

    Thanks,

     



  • 19.  RE: Unmanaged to managed and upgrade to SEP 12

    Posted Feb 05, 2014 10:57 AM

    Yes, over tcp 8014



  • 20.  RE: Unmanaged to managed and upgrade to SEP 12

    Posted Feb 13, 2014 11:34 AM

    Yes they will - the reason being is because during an upgrade, unless specified through the install options, communications and logs and policies are preserved...the MSI (Microsoft Installer) only upgrades the engines itself.

     

    So as long as the client is already communicating with the SEPM, then you have nothing to worry about there.



  • 21.  RE: Unmanaged to managed and upgrade to SEP 12

    Posted Feb 18, 2014 10:26 AM

    Hello All,

     

    I have installed SEPM 12.1 in my lab and am currently testing the deployment scenarios.  After deploying the SEP client, it is not reporting to SEPM unless I deploy the communication update package. Am I doing something wrong? Is there a way to deploy a client so that it reports to SEPM automatically?

    Thanks,

     

     



  • 22.  RE: Unmanaged to managed and upgrade to SEP 12

    Posted Feb 18, 2014 10:29 AM

    Do you have firewall port 8014 open?

    Troubleshooting Client Communication with SEPM

     

     

    Article:TECH95789 | Created: 2009-01-26 | Updated: 2012-01-03 | Article URL http://www.symantec.com/docs/TECH95789

     



  • 23.  RE: Unmanaged to managed and upgrade to SEP 12

    Posted Feb 18, 2014 10:30 AM

    It should auto-connect over tcp 8014. If you go to the client, does it show connected to the SEPM, does it have the green dot?



  • 24.  RE: Unmanaged to managed and upgrade to SEP 12

    Posted Feb 18, 2014 10:39 AM

    @James & Brian,

    8104 is open as I am able to telnet to SEPM server on port 8014. I did the push deployment and via web link as well. The client does not show green dot even after reboot. I had to manually push the Communication settings to the clients after which the green dot appears and policies are being applied too.

    Thanks,

     



  • 25.  RE: Unmanaged to managed and upgrade to SEP 12

    Posted Feb 18, 2014 10:40 AM

    I would enable sylink debugging to see the client/server communication to narrow down the issue

    How to enable Sylink debugging for the Symantec Endpoint Protection 11.x and 12.1 client in the Windows Registry

    Do you have a proxy in place?



  • 26.  RE: Unmanaged to managed and upgrade to SEP 12

    Posted Feb 18, 2014 10:48 AM

    Export a package (uncheck the single exe option).

    Open the sylink.xml file.

    Check the IP and port.

    Check this sylink against the one which is not working. It will be here:

    C:\Documents and Settings\All Users\Application data\Symantec\Symantec Endpoint Protection\12.1.1000.157.105\Data\Config

    ==============
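
Added example (not from the thread or from Symantec): the comparison described in post 26, checking the server address and port in the exported package's sylink.xml against the client's copy. The `Server` element with `Address` and `HttpPort` attributes is an assumed layout and all three XML samples are constructed; confirm the names against your own exported file.

```python
import xml.etree.ElementTree as ET

# Constructed sample standing in for the sylink.xml of an exported package.
# Element and attribute names are an assumed layout, not copied from a real file.
EXPORTED = """
<ServerSettings>
  <CommConf>
    <ServerList Name="Default Management Server List">
      <ServerPriorityBlock Name="List0">
        <Server Address="192.0.2.10" HttpPort="8014"/>
        <Server Address="SEPM01.example.test" HttpPort="8014"/>
      </ServerPriorityBlock>
    </ServerList>
  </CommConf>
</ServerSettings>
"""

# Constructed sample: a client file with no server entries at all.
CLIENT_EMPTY = "<ServerSettings><CommConf/></ServerSettings>"

# Constructed sample: a client still pointing at a different server.
CLIENT_OLD = """
<ServerSettings><CommConf><ServerList><ServerPriorityBlock>
  <Server Address="192.0.2.99" HttpPort="8014"/>
</ServerPriorityBlock></ServerList></CommConf></ServerSettings>
"""


def server_endpoints(sylink_xml):
    """Collect (address, port) from every element that carries an Address attribute."""
    root = ET.fromstring(sylink_xml.strip())
    return {
        (el.attrib["Address"].strip().lower(), el.attrib.get("HttpPort", "").strip())
        for el in root.iter()
        if el.attrib.get("Address", "").strip()
    }


def compare_sylink(exported_xml, client_xml):
    """Report how the client's server list differs from the exported package's."""
    expected = server_endpoints(exported_xml)
    actual = server_endpoints(client_xml)
    if not actual:
        status = "no-server-settings"   # nothing to connect to
    elif actual == expected:
        status = "match"
    elif actual & expected:
        status = "partial"
    else:
        status = "mismatch"
    return {
        "status": status,
        "missing": sorted(expected - actual),
        "unexpected": sorted(actual - expected),
    }


if __name__ == "__main__":
    for label, client in (("empty", CLIENT_EMPTY), ("old", CLIENT_OLD)):
        print(label, compare_sylink(EXPORTED, client))
```

A `no-server-settings` result corresponds to what post 27 reports: a client whose sylink file does not contain the server settings.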

     



  • 27.  RE: Unmanaged to managed and upgrade to SEP 12

    Posted Feb 18, 2014 01:02 PM

    @Brian: no proxy

    @Rafeeq: sylink.xml from the export  package is pointing to correct SEPM IP but sylink file on client does not contain those server settings.

    If I export a package and install it on the client machine, it does report to SEPM and has a green dot on the SEP client. The exported client package was  deployed using Add Client->Select Deployment Type->Existing Package Deployment and select the exported package.

    Issue seems to be when I deploy client using Add Client->Select Deployment Type->New Package Deployment.   I guess the communication settings are not included with this option.

     

    Any thoughts?

    Thanks,

     



  • 28.  RE: Unmanaged to managed and upgrade to SEP 12

    Posted Feb 18, 2014 01:06 PM

    They should be in there...export the package and check the sylink file, open it up and verify it points to the SEPM



  • 29.  RE: Unmanaged to managed and upgrade to SEP 12

    Posted Feb 18, 2014 01:39 PM

    @_Brian,

    I tested two scenarios:

     

    1) Clients Tab->Select Deployment Wizard-> New Package Deployment->Select Group and Install Feature sets->Save Package. The sylink file generated does not point to SEPM, and also the client installed using this package is installed as an unmanaged client.

    2) When I export  a client install package from Admin->Export a Client Install package -> with settings, the sylink file points to SEPM and the installation works fine as managed client.

     

    Therefore, when I deploy using Clients Tab->Select Deployment Wizard-> New Package Deployment, it is deployed without any server settings and as unmanaged.

     

     

    Thanks

     



  • 30.  RE: Unmanaged to managed and upgrade to SEP 12

    Posted Feb 18, 2014 01:44 PM

    When you use New Package Deployment do you use the same package as what you exported from going to Admin >> Export...?

    You're picking the same package essentially..



  • 31.  RE: Unmanaged to managed and upgrade to SEP 12

    Posted Feb 18, 2014 02:17 PM

    When I use the New Package Deployment, I get two install package options by default - one for Windows and one for Mac.  I have attached the screenshots. This package might be without the custom settings.

     

     

     

     

    Attachment(s)

    docx
    new deployment.docx   89 KB 1 version


  • 32.  RE: Unmanaged to managed and upgrade to SEP 12

    Posted Feb 18, 2014 02:27 PM

    Could you create a new custom package and reset the communication, policies, logs, etc., export it and try the install again.

    http://www.symantec.com/docs/TECH93617



  • 33.  RE: Unmanaged to managed and upgrade to SEP 12

    Posted Feb 18, 2014 02:27 PM

    It's not deleting the previous communication settings; this could be the solution for it.

    Follow this

    How to create a client install setting to remove previous logs, policies and reset the client-server communication settings.

     

    http://www.symantec.com/business/support/index?page=content&id=TECH93617



  • 34.  RE: Unmanaged to managed and upgrade to SEP 12

    Posted Feb 18, 2014 03:26 PM

    The key here is to create a new custom package (you can't edit the default one) and make sure the setting 'Remove all previous logs and policies, and reset the client-server communication settings' is checked. By default, it's set to maintain previous settings so this is likely the problem as to why it can't communicate until you replace the sylink manually. Once you do this and select your new package to deploy, it should connect and work fine from here.

    This setting is on the Admin page >> Install Packages >> Client Install Settings

     



  • 35.  RE: Unmanaged to managed and upgrade to SEP 12

    Posted Feb 18, 2014 03:26 PM

    @_Brian & Rafeeq

     

    I would like to know: if I deploy a client using Add a client->Select Deployment Type (three options: 1) New Package Deployment 2) Existing Package Deployment 3) Communication Update Package Deployment) -> if I choose New Package Deployment-> select Installation Package->Windows, will it deploy the default install client package without any communication settings or the custom package that I created?

     

    Thanks,



  • 36.  RE: Unmanaged to managed and upgrade to SEP 12

    Posted Feb 18, 2014 03:35 PM

    Yes, 

    1)So first export the package ( reset client server settings - enabled)

    2)Then during the deployment, select an existing package and select the saved one ( 1)..



  • 37.  RE: Unmanaged to managed and upgrade to SEP 12

    Posted Feb 18, 2014 03:39 PM

    Thanks _Brian. I understand that I need to create a new custom package. How do I make this new custom package appear under Add a client ->New Package Deployment -> Install package (by default I am presented with two options - Windows and Mac package). Screenshots attached.

     

    Thanks,



  • 38.  RE: Unmanaged to managed and upgrade to SEP 12

    Posted Feb 18, 2014 03:43 PM

    Once you create and save it, just click the drop down and it should show up automatically



  • 39.  RE: Unmanaged to managed and upgrade to SEP 12

    Posted Feb 18, 2014 03:45 PM

    @Rafeeq. This is where I am getting confused. I am trying to use New Package Deployment instead of Existing Package Deployment . When I deploy a client using New Package Deployment the custom settings are not included and appears as unmanaged. It works fine if I deploy using an Existing Package Deployment option.



  • 40.  RE: Unmanaged to managed and upgrade to SEP 12

    Posted Feb 18, 2014 03:47 PM

    It is not showing up. Do I have to save it in a specific folder?



  • 41.  RE: Unmanaged to managed and upgrade to SEP 12

    Posted Feb 18, 2014 03:49 PM

    Did you already create it? You need to do this from the Admin page >> Install packages >> Clients Install Settings

    This is where it needs to be created and once you click OK it will be automatically saved and available for use. Sounds like you hadn't done this yet.



  • 42.  RE: Unmanaged to managed and upgrade to SEP 12
    Best Answer

    Posted Feb 18, 2014 03:52 PM

    It won't show up :)

    By default those packages will show up and they are more than enough. Remember we are not changing the package, we are just adding an installation setting..

    What we have done is just created a new client installation setting,

    You need to select your setting from the Install Setting drop down menu.. (This is the setting that you have created to remove previous logs and reset client server communication)....



  • 43.  RE: Unmanaged to managed and upgrade to SEP 12

    Posted Feb 18, 2014 04:01 PM

    I tried to add a client install package earlier and I was not able to add it. I was getting an error " Youy cannot add this client install package because the package contains a single.EXE file, The sylink.xml is missing or corrupted in this package".  I think I am missing something here. I would appreciate if you could point me to the right direction.

     

    Thanks,



  • 44.  RE: Unmanaged to managed and upgrade to SEP 12

    Posted Feb 18, 2014 04:07 PM

    You cannot add a package; it would say the added package is already of the latest version. We do not want to add the package; instead we need to export a package with the custom setting (remove all previous logs), save it on the C:\ drive, then in the deployment wizard choose an existing package and select the package you saved on the C:\ drive..

     



  • 45.  RE: Unmanaged to managed and upgrade to SEP 12

    Posted Feb 18, 2014 04:08 PM

    Don't you already have the client package there?

    You just need to add a new client install setting, follow the steps in this article:

    http://www.symantec.com/docs/TECH93617

    If you want to import packages, just follow the steps here:

    http://www.symantec.com/docs/TECH122824



  • 46.  RE: Unmanaged to managed and upgrade to SEP 12

    Posted Feb 19, 2014 01:28 PM

    Rafeeq,

    Thanks for your help and that did the trick. I will go on testing since I have some time before I start deploying in production environment. The only issue was that I had to reboot the client a couple of times and manually update the policy from the client before the green dot showed up.

     

    Thanks,

     



  • 47.  RE: Unmanaged to managed and upgrade to SEP 12

    Posted Feb 19, 2014 01:30 PM

    Again, it should happen automatically, no manual intervention should be needed



  • 48.  RE: Unmanaged to managed and upgrade to SEP 12

    Posted Feb 19, 2014 01:35 PM

    If you have installed Full Protection, it would install NTP (firewall component), so a reboot is needed for the network driver (teefer2)... Please carry out a few more tests before implementing in production.. Just to make sure :)  Good day!



  • 49.  RE: Unmanaged to managed and upgrade to SEP 12

    Posted Feb 19, 2014 01:37 PM

    @_Brian, I will do some more testing and post how it goes.