Roughly, here is the process I used. You will want physical access to the CC as you can loose connectivity during this process. This is NOT supported by Symantec. I believe SBG 9.5 will have improvements in this area.
0. build a new CC from the OS build disk. call it Target
1. Backup the control center. Call it Source. You can use the GUI or the command line DB-BACKUP command. I'd put it on an off-box FTP/SCP site
On Target
2. Use GUI or DB-RESTORE command to load backup via FTP/SCP
3. Verify if OS IPs have change to the Source IPs. If not, reboot.
4. Use Delete OSCONFIG command to clear OS level settings. Reboot
5. You will be prompted to set password, networking on reboot. Use the new IP addressing for the network location of Target. Reboot.
6. While waiting for the reboot, on each Scanner use
agent-config -a <ip of Target CC>
7. When Target has rebooted, open the GUI via http://newIP:41443/brightmail.
8. Go to Admin/Config/CC. Do the following all in one session;
a. on service tab, set Directory Integration to Auto, but note which interface was selected.
b. on Ethernet -
add a temp IP address. This will be used to "park" the MTA interfaces.
Make sure this IP isn't in use.
c. on SMTP tab.
Move the inbound MTA to the temp IP
Move the outbound MT to the temp IP (you may need to change port)
If enabled, move the Auth interface to the temp IP.
d on SMTP/Advance/ Delivery tab
set the SMTP Delivery Bindings near the bottom to Auto, but note which interface you used.
e. change the MTA host name at the top.
f. on the DNS tab, correct DNS and NTP IPs, if needed.
g. On the ethernet tab,
Change the IP address to the new location IP addresses. Make sure
you use the correct netmasks, etc.
Change the Default gateway near the bottom.
SAVE
Reopen the config, and change binding to the new IP addresses on Services, SMTP, SMTP Advanced tab.
SAVE.
Goto Status / Hosts, software tab. You should get valid status back from each scanner. If not you need to verify your firewall allow CC to Scanner communication for the Target CC, and that you used the correct IP address when you did the Agent-Config.
If this works, go to each scanners CLI and use Agent-Config -d <old cc ip> prevent remove the Old Source CC from talking to the Scanner and "confusing" it.
Go through all the other interfaces and make any hostname changes (e.g. reports that send from <old CC>@yourdomain.com.
Make sure your next hop MTA trusts the IP address of the Control center (our exchange needs to know the IP of any sending MTA as part of bot net lockdown.