
best migration route to 4.5 on new tin

Currently running em3.5 and NAC 3.1 on a, getting long in the tooth, w2k3 box.  Would like to replace it with new tin (actually a VM running w2k8 on a new box).  What's the best way forward for this?

Looking at the guides I get the impression that it'll be an in-place upgrade from 3.5 to 4 and then 4.5 and then migrate to a new box which is a bit of a ball ache.  We're only running with around 250 clients so would it actually be quicker to just start afresh with a new install of 4.5?  I can see the problem being NAC (we have around 100 or more Linux boxes all of which have defined MAC exclusions) so that might be a pain and sorting out the various client policies we have as we run HIPS and Application control.

So I was thinking of installing 4.5 on the new VM leaving 3.5 and NAC 3.1 in place and running on the old box.  Configuring 4.5 and moving our servers and win7 boxes over to it to install 9.5 (win7 boxes aren't running NAC).  I can then turn off the DHCP agents so that NAC doesn't do anything and install NAC on the new box and configure that, but I'm going to have to do some manual messing around with the NAC rules and MAC exclusions.

Comments?

  • Your SOPHOS3/ SOPHOS4/ SOPHOS45 database contains all of the policies, groups and history.  If you don't need that information and you're willing to find all the machines again/ recreate the policies you don't need to migrate the database.

    However you may want to export the following key on the old server and import into the registry of the new...

    HKEY_LOCAL_MACHINE\SOFTWARE\Sophos\Certification Manager

    Importing this key means the new server will use the same certificates as the old one so clients won't be denied access when trying to report.

    NOTE:  If you're moving from a 32-bit server to a 64-bit you should edit the export in notepad.exe and add in the "Wow6432Node" bit.

    If you're redirecting clients to a new server I recommend reading...

    Changing the IP address of the server may affect the clients' ability to report correctly to the server. This is due to a client's capacity to use multiple addresses to contact its fixed parent. Therefore you should check to see what addresses the clients use to contact the server to see if this needs to be amended after the IP address change.

    Checking which addresses are used for reporting by the clients

    During installation the Sophos Remote Management System.msi uses the MRInit.conf file for the addresses of the Sophos management server. Once the client installation is complete the addresses are stored in the registry.

    1. Search the Sophos management server for the "mrinit.conf" file on all drives.
    2. Open the files in notepad.exe and compare the last line of the file that begins ParentRouterAddress. A default MRInit.conf file will contain the IP address, fully qualified domain name and hostname of the server as detected during the original installation of the Sophos management server components. An example is...
      "ParentRouterAddress"="192.168.0.1,myserver.net.local,myserver"
    3. Compare the ParentRouterAddress string with the following registry key on a working client...
      HKEY_LOCAL_MACHINE\SOFTWARE\Sophos\Messaging System\Router > ParentAddress
      ...the values should match.

    Based on the example above a client would attempt to connect to the server on 192.168.0.1 and fail over to myserver.net.local after five minutes then fail over to myserver after another five minutes.

    If the clients are only using an IP address or you do not want communication between the client and server to be delayed please follow the instructions below to correct the address.

    Changing the ParentAddress of client machines

    1. Open the following file in notepad.exe...
      C:\Documents and Settings\All Users\Application Data\Sophos\Update Manager\CIDs\Sxxx\SAVSCFXP\mrinit.conf
      NOTE: Substitute the "Sxxx" folder for the relevant subscription folder
    2. Correct the ParentRouterAddress string to match the new IP address of the server.
    3. Save and close the file
    4. Copy the mrinit.conf file into the RMS sub-directory beneath the SAVSCFXP folder
    5. Run the utility ConfigCID.exe as detailed in the following article...
      Article ID:13112
      Title: Enterprise Console: using ConfigCID.exe to implement XML configuration file changes
      URL: http://www.sophos.com/support/knowledgebase/article/13112.html
    6. On a client force an update.
    7. When the re-installation completes check the value of...
      HKEY_LOCAL_MACHINE\SOFTWARE\Sophos\Messaging System\Router > ParentAddress
      ...which should have changed to match the string in the mrinit.conf file.

     - - - - - - - - - - - -

    Communities Moderator, SOPHOS
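
The comparison in steps 1-3 of the first procedure and the check in step 7 of the second can be scripted. The following is an added PowerShell example, not part of the original reply and not Sophos tooling. It assumes PowerShell 3.0 or later; the function names and the sample line are constructed for illustration, and the five-minute failover figure is the one stated in the reply.

```powershell
# Added example: compare ParentRouterAddress from mrinit.conf with the
# client's ParentAddress registry value. Function names are hypothetical.

function Get-ParentRouterAddress {
    param([Parameter(Mandatory)][string[]]$ConfLines)
    # The reply says to use the last line that begins ParentRouterAddress.
    $line = $ConfLines |
        Where-Object { $_ -match '^\s*"?ParentRouterAddress"?\s*=' } |
        Select-Object -Last 1
    if (-not $line) { return }
    $value = ($line -split '=', 2)[1].Trim().Trim('"')
    $value -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ }
}

function Get-ClientParentAddress {
    # Key named in the reply; the Wow6432Node path covers 32-bit software
    # on 64-bit Windows (assumption: the client key is redirected there).
    $paths = 'HKLM:\SOFTWARE\Sophos\Messaging System\Router',
             'HKLM:\SOFTWARE\Wow6432Node\Sophos\Messaging System\Router'
    foreach ($p in $paths) {
        $item = Get-ItemProperty -Path $p -Name ParentAddress -ErrorAction SilentlyContinue
        if ($item -and $item.ParentAddress) {
            return ($item.ParentAddress -split ',' | ForEach-Object { $_.Trim() })
        }
    }
}

function Compare-ParentAddress {
    param([string[]]$FromConf, [string[]]$FromRegistry, [string]$NewServerAddress)
    # Position matters: addresses are tried in order, five minutes apart.
    $index = -1
    for ($i = 0; $i -lt @($FromRegistry).Count; $i++) {
        if ($FromRegistry[$i] -eq $NewServerAddress) { $index = $i; break }
    }
    $delay = $null
    if ($index -ge 0) { $delay = 5 * $index }
    [pscustomobject]@{
        ConfMatchesRegistry  = ($FromConf -and (($FromConf -join ',') -eq ($FromRegistry -join ',')))
        NewServerListed      = ($index -ge 0)
        FailoverDelayMinutes = $delay
    }
}

# Constructed sample in the format quoted in the reply; in practice pass
# the output of Get-Content on the server's mrinit.conf instead.
$sample = @('"ParentRouterAddress"="192.168.0.1,myserver.net.local,myserver"')
$conf = Get-ParentRouterAddress -ConfLines $sample
Compare-ParentAddress -FromConf $conf -FromRegistry (Get-ClientParentAddress) -NewServerAddress '192.168.0.1'
```

On a client that has not picked up the corrected mrinit.conf, ConfMatchesRegistry is False and NewServerListed shows whether the new address is reachable through the list at all.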
