Data Loss Prevention

  • 1.  DLP Upgrade Strategy

    Posted Jan 15, 2017 05:26 AM

    Hello everybody

    I am currently working out an upgrade strategy for a DLP environment.
    Current version running is 11.6.3 and target version is 14.6.
    There is one physical W2k8R2 server hosting the Enforce and Endpoint Prevent roles.
    The DB is on a central Oracle Cluster, running on 11.2.0.4 and currently having around 7.8 million incidents.

    So far, nothing special, no big deal.

    What I am concerned about is that from 11.6.3 there are a lot of versions to be upgraded until I'll end up with 14.6. Therefore, a lot can and probably will go wrong.

    Biggest concern is the fact that it is pretty costly to snapshot and revert a physical server. So if it's blowing up, I am pretty much on a bad side with the current setup.
    To mitigate this, first I want to create a VM from the physical server. This will give me the possibility to take snapshots and revert in the very likely case of trouble.

    Is there anyone who did something similar already?
    Even if everything is working fine, DLP 14.6 will in the end run on W2k8R2. Will DLP 14.6 be running on W2k8R2 at all?

    What my preferred approach would be is setting up a new 14.6 environment and then attach the DLP DB to the new environment.
    Is there _any_ possible way to achieve something like this?

    As you can see, there are a lot of questions but not many solutions at the moment. I am thankful for each input which is lighting up the dark.

    Cheers



  • 2.  RE: DLP Upgrade Strategy

    Posted Jan 15, 2017 07:10 AM
    I've done something similar to this with a customer (they migrated to new servers running Win 2012 AND Oracle 12c AND kept the old environment running in the process). This involved a staging environment to upgrade the database schemas, etc., then export/import into the new environment... I don't think you need to go to this extent, however. You need to run the database through the upgrade process to ensure schemas, tables, etc. are as 14.6 requires. You can't just attach your current database to 14.6. Win 2008 R2 SP1 is supported for 14.6, so you should be fine upgrading to 14.6 on the current setup or a cloned virtual. If migrating your setup to virtual isn't a hassle then snapshots can be helpful. But you should be OK with off-the-box backups of the full database, as well as the local Enforce install directory (everything under Protect, to keep it simple). 11.6 doesn't support 2012 R2, however, so be careful migrating to it prior to upgrading.


  • 3.  RE: DLP Upgrade Strategy

    Posted Jan 15, 2017 11:03 AM

    Hi Dean

    Thanks very much for your explanations. So at least there are examples where similar upgrades have been successful.

    I, of course, would prefer having a parallel environment to test the whole upgrade first and then, if successful, do it again in a productive environment.

    When on 14.6, the DB should be upgraded to 12c as well of course. Same goes for the server which then needs to be migrated to W2k12.

    Is there a possibility to upgrade the DB only?

    edit: You say backing up the Protect folder is enough as a restore point - Really?



  • 4.  RE: DLP Upgrade Strategy

    Posted Jan 15, 2017 07:58 PM

    So I've done the upgrade in the past this way but to DLP 14.1.  It was very time consuming.

    What I told other customers was to take the time to build a fresh DLP infrastructure on new gear, new OS and everything.  Take this as a time to make sure your DLP environment is working correctly to meet the requirements of your business and the stakeholders in your DLP project.  Take time to document your policies, EDM/IDM/etc. and response rules.  Make sure things are working correctly.  If they aren't then this is a great time to refresh the project.

    Then what I've done is keep the old system in a snapshot, etc and keep it from a historic point of view and move forward.

    But it is up to you and your team



  • 5.  RE: DLP Upgrade Strategy

    Posted Jan 16, 2017 03:48 AM

    Hello Jonathan

    I was and am really concerned about the time factor. Based on my previous upgrade experiences, it will be a terrible pain with a lot of bugfixing involved.

    Management and security prefer the upgrade scenario from legal perspectives to keep the history.
    Another point to consider is that keeping systems running is not efficient. Even if they are non-productive, they need to be maintained.

    What I also have considered is the following:

    I now have an 11.6.3 physical server running. Creating a VM from this is an option, but I would prefer a newly installed 11.6.3 server using the current DB. Would this be possible? Basically changing the Enforce server.
    DB encryption and communication come to my mind, for example.



  • 6.  RE: DLP Upgrade Strategy

    Posted Jan 16, 2017 08:13 AM

    Yes, it is possible.

    The database encryption key is located in $installdir$/Protect/config/CryptoMasterKey.properties and will be specified when you go through the installer for the new DLP Enforce (when you untick 'Initialize DLP Database').

    All the information you need to migrate (essentially backup and recover on a new server) is in the Symantec DLP System Maintenance guide for your version and the Symantec DLP Installation Guide.
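
Added example, not part of any post in this thread and not Symantec tooling: a file-level restore point for the Protect directory that refuses to run if CryptoMasterKey.properties is absent and verifies the copy against a SHA-256 manifest before the next upgrade hop. The function names and directory arguments are assumptions; only the key file's relative path comes from the thread.

```python
import hashlib
import shutil
from pathlib import Path

# Relative path named in the thread: $installdir$/Protect/config/CryptoMasterKey.properties
KEY_FILE = Path("config") / "CryptoMasterKey.properties"


def sha256_file(path: Path) -> str:
    """Hash a file in 1 MiB chunks so large files do not load into memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map every file under root (relative POSIX path) to its SHA-256."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def verify_restore_point(backup_dir: Path, manifest: dict) -> list:
    """Return a sorted list of problems; an empty list means the copy is intact."""
    actual = build_manifest(backup_dir)
    problems = [f"missing: {n}" for n in manifest if n not in actual]
    problems += [f"changed: {n}" for n in manifest
                 if n in actual and actual[n] != manifest[n]]
    problems += [f"unexpected: {n}" for n in actual if n not in manifest]
    return sorted(problems)


def create_restore_point(protect_dir: Path, backup_dir: Path) -> dict:
    """Copy the Protect tree (hypothetical paths) and return the source manifest."""
    if not (protect_dir / KEY_FILE).is_file():
        # The thread identifies this file as holding the database encryption key.
        raise FileNotFoundError(f"{KEY_FILE.as_posix()} not found under {protect_dir}")
    manifest = build_manifest(protect_dir)
    shutil.copytree(protect_dir, backup_dir)  # fails if backup_dir already exists
    problems = verify_restore_point(backup_dir, manifest)
    if problems:
        raise RuntimeError(f"backup does not match source: {problems}")
    return manifest
```

The backup contains the database encryption key, so the backup location needs the same access restrictions as the Enforce server itself, and the manifest should be stored separately from the copy it describes.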

     



  • 7.  RE: DLP Upgrade Strategy

    Posted Jan 20, 2017 09:35 AM

    Am I getting this right here?

    The upgrade path from 11.6.3 to 14.6 would be:

    11.6.3 > 12.0.0 > 14.0.0 > 14.6

    Correct?



  • 8.  RE: DLP Upgrade Strategy

    Posted Jan 24, 2017 07:31 AM

    Yes.

    All the information jjesse and Dean_Thomson provided is perfect for you to start your testing.

    I had also done one test in my environment for the scenario where the upgrade was to be done from 12.0 to 14.5 on new servers, and it was performed successfully as explained.