This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

How to upgrade Win2008 + SEC + ClusterSQL -> Win2016 + SEC + ClusterSQL

Hello,

I need to upgrade our infrastructure because it was installed long time ago on 32 bits version and 64 bits verison of Windows 2008.

Due to security policies in Bank, I cannot give orginal name. don't ask, thank you ;-).

 

DMZ

ServerA1.dmz.local

Sophos Update Manager 1.7.0.316

Sophos Antivirus 10.8.2.334

Sophos AutoUpdate 5.14.36

Sophos System Protection 1.3.1

+ share \\ServerA1\SophosUpdateSources

+ share \\ServerA1\SophosUpdateManager 

 

ServerA2.dmz.local

Sophos Management Console 5.5.0

Sophos Management Server 5.5.0 + Databases on SQL Cluster : 1 dedicated instance with 3 databases

Sophos Update Manager 1.7.0.316

Sophos Antivirus 10.8.2.334

Sophos AutoUpdate 5.14.36

Sophos Diagnostic Utility 1.4.4

+ share \\ServerA2\SophosUpdate where DMZ servers come to take their updates

 

ServerAZZZ.dmz.local

Clients of ServerA2.dmz.local (200 servers)

 

VMware Horizon View

+ VDI Win10 clients with SEC Console (allow to manage Sophos without RDP on ServerA2 with Lan computers)

 

LAN

ServerB1.lan.local

Sophos Update Manager 1.7.0.316

+ Share : \\ServerB1\SophosUpdate

 

SeverB2.lan.local

 

Sophos Management Console 5.5.0

Sophos Management Server 5.5.0 + Databases on SQL Cluster : 1 dedicated instance with 3 databases

Sophos Update Manager 1.7.0.316

Sophos Antivirus 10.8.2.334

Sophos AutoUpdate 5.14.36

Sophos System Protection 1.3.1

+ share \\ServerB2\SophosSources where LAN Update ServerB1.lan.local comes to take updates

 

WKSBXXX.lan.local

2 Teams with 20 computers with SEC Console to manage Sophos LAN without access to ServerB2.

 

ServerBZZZ.dmz.local

Clients of ServerB2.lan.local (300 servers)

 

Questions

My problem is to upgrade thoses servers to be supported by Microsoft :

ServerA1 Windows 2008R2 64 bits

ServerA2 Windows 2008 32 bits

ServerB1 Windows 2008R2 64 bits

ServerB2 Windows 2008R2 64 bits

 

I will upgrade SEC 5.5.0 to 5.5.1 that week.

Can I fallow that KB to migrate my 2 SEC servers from 2008 to 2016 ? https://community.sophos.com/kb/en-us/28276

One shortcut could be to do an upgrade in place of ServerB2 from 2008R2 to 2012R2 .. anyone has done that with SEC 5.5.x ???

 

Thanks

 

Yann

PCOS Team



This thread was automatically locked due to age.
Parents
  • Hello Yann,

    an in-place OS upgrade is not supported - personally I'm not a fan of Windows upgrades anyway, YMMV.

    Are your child SUMs (A1 and B1) also Message Relays? Will the new servers have new names and IPs?

    Christian

  • Hi Christian,

    Thanks for the information with the upgrade in place. ;-)

    For Message Relays : No we are not using messenging with Sophos Enterprise Console/Server.

    For IP and name : Me I prefer to install a new server in the same VLAN dedicated with a new IP. We will probably move the database on a new SQL Cluster 2017 for lan.local but the SQL Cluster 2017 is not available for the DMZ so it will live with the old 2014 SQL cluster for the moment.

    If I can, I will create a CNAME on the old server, reconfigure the policies with the Cname, then when we are ready, just change the CNAME from OLD to NEW SEC. Any problem with certificates ?

    Same things with the SUMs. Any problem with certificates ?

    It is more quick & easy to reconfigure a Cname than Policies and place I don't know XD

    But I don't know to much the Sophos Certificates parts... I already had problems with another antivirus... I cross fingers.

    Yann

Reply
  • Hi Christian,

    Thanks for the information with the upgrade in place. ;-)

    For Message Relays : No we are not using messenging with Sophos Enterprise Console/Server.

    For IP and name : Me I prefer to install a new server in the same VLAN dedicated with a new IP. We will probably move the database on a new SQL Cluster 2017 for lan.local but the SQL Cluster 2017 is not available for the DMZ so it will live with the old 2014 SQL cluster for the moment.

    If I can, I will create a CNAME on the old server, reconfigure the policies with the Cname, then when we are ready, just change the CNAME from OLD to NEW SEC. Any problem with certificates ?

    Same things with the SUMs. Any problem with certificates ?

    It is more quick & easy to reconfigure a Cname than Policies and place I don't know XD

    But I don't know to much the Sophos Certificates parts... I already had problems with another antivirus... I cross fingers.

    Yann

Children
  • Hello Yann,

    not using messaging
    just to make sure, messaging and Message Relays refer to the communication (status →, policies and commands ←) between endpoint and management server - the RMS component.

    same VLAN [...] CNAME [...] certificates
    VLAN doesn't play a role (proveded a path exists of course). CNAMEs work but just changing policies isn't sufficient. RMS doesn't use the policies, the pivot is mrinit.conf. It's used to distribute the keys required for certificate verification, certificates aren't pinned to a certain name or IP. Thus as long as you reuse the certificates of an existing installation the server is the "same" from the POV of the endpoints. SUMs are just redistribution points.

    HTH
    Christian

  • Hi Christian

     

    Oh sorry I misunderstood that.

    Yes all clients (servers) are communicating with the both SEC servers :

    - servers in DMZ with the DMZ SEC 

    - servers in LAN with the LAN SEC

    And ours teams use SEC Console to manage both

    - VDI clients in DMZ manage DMZ SEC

    - Workstation in Lan manage LAN SEC

    Updates Servers post updates and servers go on shares to take updates (if I don't do mistake, I need to check that part)

     

    Sorry I know much better Trend Micro or Symantec solution.

    Sophos is quiet new for me. That s why I posted in the community part :D

    Cheers

    Yann

  • Hello Yann,

    no problem. And naturally the forum is here for - amongst other things - sharing knowledge. Feel free to ask, and if in doubt please do ask before you try something you're not sure it'll work.And if something didn't work out as expected it's perhaps better NOT to try to "correct" the problem before asking for help. [:)]

    Christian

  • I upgraded the DMZ SEC 5.5.0 to 5.5.1 without problem.

    But i have some DB SOPHOS540 and SOPHOS550 in my instance. I figure I can delete them. But about the old SOPHOSENC52. Someone knows ?

    I will have at the end the 3 db : SOPHOS551 / SOPHOSPATCH52 / SophosSecurity

    I need to deploy the Console only on some Computers. Is there any KB to explain me how to create a powershell script and parameters ?

    I called support today about reducing the 500 Mb installer, but it seems it is not possible, does it ?

  • Hello Yann,

    the older databases can be dropped. SOPHOSENC52 is not used since SEC 5.4.0, either Full Disk Encryption has never been installed/initialized or has been uninstalled before installation of 5.4.0 or a later version. It can be dropped as well.

    deploy the Console
    neither scripted install nor pruning of the package is supported. And I have not done it - you'd have to experiment (it's not supported) and the question is whether it's actually saving time and effort. Repeat, it's unsupported and I don't recommend it. Given that it is a rather minor upgrade and assuming you desperately want to try it: Basically setup.exe just calls msiexec.exe to install the Console64.msi package. You can find the parameters used in either the Sophos_bootstrapper or the Sophos_Console64msi log in %ProgramData%\Sophos\Management Installer\. From \sec_551\ServerInstaller\ you probably don't need all the subfolders and the files whose names start with SUM, DB, Database, Svr, and Server. As said, unsupported and not tested.

    Christian