Data Center Security

Dear Team,

We are currently the project phase of implementing DCS version 6.5 in our environment to implement IPS/IDS solution for our server farm.

As a testing phase, we have DCS server 6.5 installed and rolled out 18 windows and 2 linux clients. and creating policy based on the event monitoring.

Now we are advised to have latest version of DCS 6.7 in our environment. I read in some articles that we can manage IPS/IDS policies using UMC (unified Management console). while we currently manage IPS/IDS polcies via DCS Management java console.

Please advise if UMC is a manadory component to have IPS/IDS colution with 6.7. or is there any additional benifit we get if we deploy UMC in our environment ?

In my previous experience i have used UMC to configure AV polciies for Virtual environment (Agentless Antimalware).

 

Regards,

Sankar.

Hi Dhasan,

in DCS 6.7 UMC is part of Manager installation, meaning you'll have it once you move to 6.7. You will still use the Java console to manage policies but for monitoring and dashboard views, you'll have that in UMC. For my opinion benefits of UMC is clean design and now that it runs together with Manager so you do not have to have additional system to run it.

Thanks for your response Vladx.

As i understand UMC is a appliance that needs to be configured on esxi but here you mentioned "UMC is part of Manager installation"

Could you also let me know if is there any difference in UMC installation / functionality on DCS 6.6. and 6.7 ?

 

Regards,

Sankar

 

Hi Sankar,

in 6.7 as mentioned in Release Notes "Unified Management Console appliance is now integrated with the Management Server. So, there is no need of the virtual infrastructure to deploy Unified Management Console."

I have no prior experiance with DCS 6.6 so I can't tell you what is the difference.

Yes, in DCS 6.7, Unified Management Console appliance is integrated with the Management Server. So, there is no need of the virtual infrastructure to deploy Unified Management Console.

When you install the Management Server, the Unified Management Console is also deployed on the same computer.

Refer to the following link for instructions.

http://help.symantec.com/cs/dcs6.7/DCS6_7/v118140018_v119765770/Installing-the-Management-Server-and-Unified-Management-Console/?locale=EN_US

 

Additionally, in DCS 6.7, you can migrate all the data from an existing Unified Management Console appliance automatically during the installation process.

Refer to the following link for instrucitons.

http://help.symantec.com/cs/dcs6.7/DCS6_7/v118537719_v119765770/Migrating-the-Unified-Management-Console-data-to-6.7?locale=EN_US

 

Hi Sankar,

As Vladx mentioned, in DCS 6.7, Unified Management Console appliance is integrated with the Management Server. So, there is no need of the virtual infrastructure to deploy Unified
Management Console. When you install the Management Server, the Unified Management Console is also
deployed on the same computer.

Refer to the following link for more information.

http://help.symantec.com/cs/dcs6.7/DCS6_7/v118140018_v119765770/Installing-the-Management-Server-and-Unified-Management-Console/?locale=EN_US

Additionally, in DCS 6.7, Unified Management Console provides an option to migrate all the data
from an existing Unified Management Console appliance automatically during the installation process.

Refer to the following link for more information.

http://help.symantec.com/cs/dcs6.7/DCS6_7/v118537719_v119765770/Migrating-the-Unified-Management-Console-data-to-6.7?locale=EN_US

Thanks,
Nagendra

Thanks Nagendra,

Currently i am using DCS 6.5 MP1 ( without UMC ).

Can i directly upgrade to 6.7 ? or is there migration path to be followed

Appreciate if any best practice document to upgrade from 6.5 to 6.7

 

Regards,

Sankar

Hi Dhasan, yes, you can upgrade from 6.5 MP1 directly to 6.7. I recommend reading following articles about the upgrade process: https://support.symantec.com/en_US/article.HOWTO125093.html http://help.symantec.com/cs/dcs6.7/DCS6_7/v118271461_v119765770/Upgrading-to-Data-Center-Security:-Server-Advanced-6.7/?locale=EN_US

Don't upgrade in production of course. If you don't have any demands for 6.7 such as Agentless Malware on ESX/NSX then you may want to stick with 6.5 MP1. Use the latest Hotfix release for 6.5 MP1 if you do.

For the Management Server you can find 6.5 MP1 HF8 (6.5.0.493) here: 

https://support.symantec.com/en_US/article.INFO3750.html

For the Agent you can find 6.5 MP1 Hotfix 9 (6.5.0.498) here:

https://support.symantec.com/en_US/article.TECH234967.html

In my own experience with implementing DCS, waiting for the Maintenance Pack is worth it for Production (i.e 6.7 MP1). 6.7 requires a lot more resources as well. Better to set it up in a lab to get familiar with it and see what you might need to change in Production to prepare for the change.

I recently tried to upgrade from 6.5MP1 to 6.7 and had some serious issues.

The upgrade first started and then said that the machine would need to be rebooted.

This happened twice.  After that, I tried to run ther server.exe and run the upgrade again.

My question is:  The steps about the UMC are a little confusing.  When I ran the server, it said to upgrade from a previous install.  I chose:  Production Installation: Install Tomcat and create the database schema

 

I skipped the enable data bridge because we don't need our data in the cloud.

After I verified my existing TomCat settings, and Server Settings, and verieid my credentials were correct for the Upgrade Database, I entered my initials.

I think the part where I was having issues was where it says to register wtih the Uniified Management Console

Is this my existing DCS 6.5 Server?

After I proceeded with this setup, the databases were upgraded to 6.7 after an hour or two.  We never had a UMC server in 6.5 MP1. We used the Thick Java client without issue. 

These are the notes I had from Symantec tech support at the time:

 

Thank you for contacting Symantec Technical Support and reporting to us the problem with upgrading the SDCS from 6.5 to 6.7.

As discussed today on Webex we have identified the following:

1. The SDCS Manager and the SCSPDB have been updated successfully to 6.7.

751    2016-11-12 15:53:37.557    Database Upgrade to ROME 6.7 Script Completed Successfully    Database Upgrade to ROME 6.7 Script Completed Successfully    12999    2016-11-12 15:53:37.557

2. The dcs_umc Database has not been created on the SQL Server

3. The SDCS 6.7 Configuration task failed.

MSI (s) (F8:34) [08:54:16:243]: Product: Symantec Data Center Security Server Manager -- Configuration failed.
MSI (s) (F8:34) [08:54:16:243]: Windows Installer reconfigured the product. Product Name: Symantec Data Center Security Server Manager. Product Version: 6.7.0.859. Product Language: 1033. Manufacturer: Symantec. Reconfiguration success or error status: 1602.

4. The SQL Server Logs are showing the following Error:

11/13/2016 09:39:22,Logon,Unknown,Login failed for user 'umcadmin'. Reason: Could not find a login matching the name provided. [CLIENT: 10.x.x.x]
11/13/2016 09:39:22,Logon,Unknown,Error: 18456<c/> Severity: 14<c/> State: 5.
11/13/2016 05:25:23,spid58,Unknown,Could not allocate space for object 'dbo.SORT temporary run storage:  140745393766400' in database 'tempdb' because the 'PRIMARY' filegroup is full. Create disk space by deleting unneeded files<c/> dropping objects in the filegroup<c/> adding additional files to the filegroup<c/> or setting autogrowth on for existing files in the filegroup.

5. The initial SCSPDB size was > 500 GB which is very big. The SCSPDB Database is showing 160 GB free space.

According to the above please implement the steps below:

1. Please take a full backup (preferably image) of the SDCS Manager and SQL Server machines.

2. Please restore the SDCS Manager 6.5 and SQL Server Instance from the backup before the upgrade.

3. Stop the SDCS Manager Service

4. Restart the SQL Server Instance.

5. Remove the not needed Events from SCSPDB using the sql query below:

USE SCSPDB DELETE FROM CSPEVENT WHERE EVENT_DT<= '2015-12-31 23:59:59:999
(Please modify the date accordingly)

6. Shrink the SCSPDB -> right click -> tasks -> shrink -> database

7. Restart the SQL Server Instance.

8. Run the installer again.

 

After all of this, was the issue that there was no UMCAdmin ?  and if so, wouldn't that be part of the upgrade process ?

I had to restore the server to pre upgrade state and wanted some input before I tried again.

 

This is the website I used for the install:  https://support.symantec.com/en_US/article.HOWTO125107.html#v118312382