Endpoint Protection

Good Morning

i need to migrate a sepm from a windows 2k to a windows 2k3 server using replication.

I try this process using the last version of sep 11(MR4 MP2) on virtual machines and it works fine,  but in the "real world" i must move a 11.0.776.942 version from a server to another, and I'm not sure if the same process works fine too.

So, i need to find the SEPM 11.0.776.942 CD1 for test pourpose. With my fileconnect account i can download only the lastest version of sep, but i need a previous version. What can I do to solve my problem?

After the migration I would update sep from the old version to the last version. What is the better way (a or b)?

a. update the original server and use replication with another server with the last version of sepm installed

b. migrate the original server and update the new server

Thanks to all.

Luca

Hi,

The best way is option A

First Migrate the SEP to the latest version and then use replication.
(I have already done this option at one of our customer place and woring fine with out any issues)

Make sure you are upgrading 11.0.776.942 to MR 4 only. 
Do not directly upgrade to MR4 MP 2.( This will cause multiple issues)

Follow the steps below to move Symantec Endpoint Protection Manager from one server to another with a different IP address and host name:

1. Install Symantec Endpoint Protection Manager on the new server
   NOTE: The version installed to the new server must be the same version as on the old server. The new management console can be migrated to a newer version once the transition is complete.
2. In the Management Server Configuration Wizard panel, check Install an additional site, and then click Next
3. In the Server Information panel, accept or change the default values for the following boxes, and then click Next
   • Server Name
   • Server Port
   • Server Data Folder
4. In the Site Information panel, accept or change the name in the Site Name box, and then click Next
5. In the Replication Information panel, type values in the following boxes:
   • Replication Server Name
     The Name or IP address of the old Symantec Endpoint Protection Manager.
   • Replication Server Port
     The default is 8443.
   • Administrator Name
     The Username used to log on to the old console.
   • Password
     The password used to log on to the old console.
6. Click Next
7. In the Certificate Warning dialog box, click Yes
8. In the Database Server Choice panel, do one of the following, and then click Next
9. Check Embedded database or Microsoft SQL server (whichever database type you'd prefer to install), then complete the installation.
10. Log in to the new Symantec Endpoint Protection Manager (SEPM) and ensure that all the clients and policies have Migrated successfully.
11. Click Policies > Policy Components > Management Server Lists > Add Management Server List
12. Click Add> Priority and a new Priority would get added named as "Priority2" (To be done on both the SEPM server)
13. Add the Old server under Priority 2 and add the new one under "Priority 1", and assign this New Management Server List to all the groups
14. Stop the "Symantec Endpoint Protection Manager" and "Symantec Embedded Database" service on the old Management Console to verify whether all client now report to the new Management Console
15. Once verified that all the clients are reporting into the new Management Console, and have moved away from the Old Management Console, proceed to the next step.
16. After the successful Migration uninstall the old "Symantec Endpoint Protection Manager (SEPM)"

is this you looking for?

http://service1.symantec.com/support/ent-security.nsf/docid/2008031204405448
 

• Symantec Endpoint Protection 11.0.4000 (MR4), and 11.0.4014 (MR4 MP1a).

So what you need
Upgrade to MR4 from RTM
Then upgrade from MR4 to MR4MP2

Migrating to Symantec Endpoint Protection 11.0 MR4
http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2008121712452848
Migrating to Symantec Endpoint Protection 11.0.4202 (MR4 MP2)

http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2009051906042048


Also i have question for you will the 2k server be taken off once SEPM is running on the 2k3

If this is the case, the  best thing would be

Install SEPM as fresh install on the 2k3
Run the sylink Replacer on the server and we can have all the clients reporting back in the new SEPM

https://www-secure.symantec.com/connect/downloads/sylinkreplacer-tool-connecting-sep-clients-sepm

also it will be  very difficult to get the RTM CD. It is no more on filecoonect nor on our FTP site.
So go with the latetest version

With this version (11.0.778.xx ) is better install fresh SEPM on the new server and use Sylinkreplacer of re-connect the clients back to the server..
All the above options above might cause issues. I have seen that even after upgrading the 11.0.780 build to any version some issues will always be there.Database curruption is the most common one..

Hi,

After you install fresh SEPM MR4MP2 version on your new server and use the sylinkreplacer tool to reconnect all your clients, just to make your life easier, if you have custom policies created in your old SEPM you can export these policies and then import them into your new SEPM.

The following article would tell you about how to do this,

How to import/export an existing Symantec Endpoint Protection policy?

http://service1.symantec.com/support/ent-security.nsf/854fa02b4f5013678825731a007d06af/e1d6b2be029e9479ca2574f90003fdc0?OpenDocument

Thanks :-)

I think i going to use the "fresh installation and sylink replace". It seems easy and sure

I have another question: What is the sure way to update clients after sylink replacing.
I ask this, because, in another installation with a fresh server i try to install new clients version without uninstall the old version of sep. The result was that clients didn't update definitions.

Excuse my bad english.

Luca

Dont' mess with Old  SEPM.

Install MR4MP2 on new server.

Do sylink replacer utility & replace the old Sylink file with the new one.

Regards...
Ramji Iyyer

 Replacing sylink vs Pushing client package are 2 diffrent things.

When you replace the sylink it means you are pointing the client to the new SEPM server.However if you are simply pushing out the package exported from ( without addtional install settings ) SEPM will only upgrade the version of the sep client it wont re-connect the Client-to SEPM.

If you want to export the package make sure you use Install setting of "remove previous logs and settings and reset client-server communication settings"
for more info :

How to restore/retain client-server communication using custom installation settings without having to use the sylink drop tool.

http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2008052008163148

I try to test the Sylinkreplace procedure as in manual, but sylinkreplace doesn't discovery any sep client, so the procedure shut down.

I have 3 virtual machines in a virtual net (i use vmware)
- Windows 2k3 AD, DHCP,WINS and DNSServer, with new sepm console installed
- Windows 2k pro, with the old sepm console installed
- Windows xp pro

Every V.M. have a sep client installed, and all clients refer to old installation of sepm.

I try to execute sylink replace from the w2k3 machine, but resutls are not very good.

From every machine i can ping each other in the virtual net, and i can see all computer using net view command

Thanks to all.

Luca

We shall later check why sylink replacer is not working, in the mean time , we shall first try if manual replacement of sylink is working or not

on your server 2k3 Ad, go to

E:\Program Files\Symantec\Symantec Endpoint Protection Manager\data\outbox\agent

open a numbered folder

copy the sylink.xml file

go to start run ...smc -stop

go to c:\program file \symantec \symanetc endpoint protecion \

place the copied sylink file here.

now you need to start the service

start -run - smc -start

check if the local client on 2k3 has green dot and if thats reporting to new SEPM..

Run the Sylink Remote

https://www-secure.symantec.com/connect/articles/how-run-sylink-remote-replace-sylink-remotely

Download it from

https://www-secure.symantec.com/connect/downloads/sylink-remote

Hi,

As the clients are currently running on 11.0.776 why dont you create new package and deploy, two purpose will be solved at the same time.

Upgrade to the clients would be completed and the clients will start communicating with the manager. Try to test in on couple of clients first and then proceed further with all the clients.

Regards,

I try sylink remote and it works very well. It will be usefull not only in this case.

So, if I install a new SEPM MR4 MP2, I deploy a package that is MR4 MP2 version, and symantec says that the migration from RTM version to MR4 MP2 is not a "support path". The only possible migration path is RTM --> MR4 -->MR4 MP2. Isn't it?

In any case, i can try Vikam and Nirav  modus operandi in a little clients group, before start a massive clients update.

Thanks to all, again

Luca

Yes the correct migration path is RTM --> MR4-->MR4MP2

My customer doesn't want update clients version, cuase he is afraid of them strange behavior, and he doesn't want spend $$$$ for repair any damage.

Can I install the new server (with a more recent version) , and recconect the client to this new server, without make client version migration?

Thanks to All

Luca

Yes that is certainly possible.

Just install the new manger  and reconncet the cleint they will work , without an problem

The sylink replacement will only re-establish the client-server communication. It will not upgrade the clients unless you specify an upgrade packege in the "Upgrade groups with package" wizard in admin->install packages location.

Cheers,
Aniket