Enterprise console migration

Currently running EC 5.3.1 on an old W2003 server. Would like to migrate endpoint to a new 2012 R2 server. Going back and forth from several migration docs and just starting over from scratch on the new server. Is there anyone who has started over and just re-protected the endpoints? If so, are there any "gotchas"? I haven't found any documentation other than support telling me it's OK to do that... but they never give me any specific steps.

I'm not running encryption and not really concerned about losing history if it makes the transition easier.

I also read this statement in the forums which makes no sense:

I called Sophos support about 5 months ago as I had an issue with some machines not updating.  After getting those fixed, I asked about moving to a new server and the tech told me the exact solution you quoted.  Complete uninstall, registry clean and then reinstall on the other one.  



  • Hello nf,

    there's more than one way to skin a cat.

    Installing a blank SEC takes less than one hour, with a restore/migrate of the database it shouldn't take more than two.

    not really concerned about losing history
    History might not be of interest, the database also contains your subscriptions (actually not hard to reenter though), your policies (might be a few, might be many), and the group structure and policy assignments, and last but not least the computers with their group-membership. You can either backup/restore/migrate (it's not rocket science) the database with all this information or you have to re-do and re-type everything (except the computers which could - depending on the path you take - "appear by themselves" in the Unassigned group or have to be discovered/re-protected or by some other means told to re-install). 

    The IMO most important aspect is that your endpoints aren't marooned. Re-protect from the console requires (apart from discover) that the endpoints are online.

    Some possible scenarios (OS already installed on the new server):

    1. Backup and export all necessary data (including the certificate store) on the old server, turn it off. Change name and IP of new to old's values. Import certificates, start SEC installation - if you follow the database import procedure almost everything will be there (and work) when the install is complete, otherwise the endpoints will gradually appear.
    2. Backup and export all necessary data (including the certificate store) on the old server, if you want to migrate the database turn off the Sophos services before the final backup and leave them off. If the new server is ready you could configure the CID(s) on new and trigger a "move" of the endpoints (Windows, possibly Linux) to the new server by changing the updating policies or a temporary (DNS) alias.
    3. Install SEC on new not migrating anything, then re-protect, re-install, or re-direct your endpoints.

    Each has pros and cons, 1. is simple provided everything works (and you can easily change name and IP for a machine). I've left out most details (too many trees and you won't be able to see the wood), feel free to ask.

    this statement
    couldn't find it here - anyway, the last sentence doesn't make sense :)

    Christian

     

  • Thanks Christian!

    I think I will follow your advice and go with option 1 and follow the "server to server migration guide" for the steps on backing up the DB and restoring. Although I'm not sure what you meant by the certificate store? I don't see that referenced in the guide. If it's related to encryption, we have not used that... yet.

    One last thing, does it matter that I don't have the Update Manager password? Took over this position from someone and have no idea what they used.

  • First timer to Sophos here also migrating from 5.1 on Win2003 32-bit to Win2012 64-bit. I've downloaded the migration PDF and the steps seem to match well with what I have. The only question I have is regarding what happens when I've stopped the Sophos services to migrate the configuration to the new server. If I hit a snag, or wish to back out, or if re-directing the clients to the new server is going to take a while, is it OK to restart the services on the old server until (a) the new server is fully ready and (b) all the endpoints are using the new server?

  • I recently renewed our Sophos subscription and we received the Update Manager credentials with the licence, so you'll probably find it there.

  • Hello nf,

    certificate store
    related to encryption, yes - but not the withdrawn Full Disk Encryption. RMS communication is cryptographically secured. Upon installation the management server generates (or re-uses) keys and certificates (please find some related articles here). These are what establishes the server's identity, name and/or IP are "only" used to locate the potential server - thus if you (re-)install a server from scratch existing endpoints won't communicate with it even if it has the same name and IP. The store is among the things backed up by the DataBackupRestore tool.

    the Update Manager password
    the account is required to provide clients read access to the distribution location share. It's set in the Default updating policy and also used to pre-populate the credentials in a newly created policy. Please note that credentials are stored and not referenced in the policies. Thus when you restore the database the policies will contain the password from the old server. You can either change the password on the old server or create a new account (which you would then use as the SUM account on the new server) as per chapter 6.1 of the migration guide.

    One subject I have not yet addressed: You probably want to upgrade to SEC 5.4, don't you? To my knowledge an upgrade-migration is not a supported scenario but possible. You'd use the sec_540 installer to install the database component. Instead of DataBackupRestore you'd use RestoreDB.bat to restore SOPHOS521, SOPHOSPATCH52, and SophosSecurity. You'd then proceed installing the server components. After importing the registry (chapter 11) the Initial Catalog in DatabaseConnectionMS must be (re-)set to SOPHOS540.

    Do not forget the changes necessary for 32-bit to 64-bit migration if applicable.

    Christian
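
For the last step in the reply above (re-setting the Initial Catalog in DatabaseConnectionMS to SOPHOS540), the following PowerShell is an added example, not part of the original posts and not Sophos's own code. The function name, the sample connection string and the `$keyPath` placeholder are assumptions; the value is assumed to be a semicolon-delimited connection string with no quoted semicolons.

```powershell
# Added example: change only the Initial Catalog of a connection string and
# leave every other key (provider, data source, security settings) untouched.
function Set-InitialCatalog {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $ConnectionString,
        [Parameter(Mandatory)] [string] $Catalog
    )
    $found = $false
    # Walk the key=value segments in order; -match is case-insensitive.
    $segments = foreach ($seg in ($ConnectionString -split ';')) {
        if ($seg -match '^\s*Initial Catalog\s*=') {
            $found = $true
            "Initial Catalog=$Catalog"
        } else {
            $seg
        }
    }
    if (-not $found) {
        # Fail loudly instead of appending a key to a value we did not understand.
        throw "No 'Initial Catalog' key found in the connection string."
    }
    $segments -join ';'
}

# Constructed sample value (not taken from a real server) showing the rewrite.
$sample = 'Provider=SQLOLEDB;Integrated Security=SSPI;Initial Catalog=SOPHOS521;Data Source=(local)\SOPHOS;'
Set-InitialCatalog -ConnectionString $sample -Catalog 'SOPHOS540'

# Applying it to the imported registry value. $keyPath is a placeholder:
# use the key named in the migration guide, it is not given in this thread.
$keyPath = 'HKLM:\<key-from-migration-guide>'
if (Test-Path $keyPath) {
    $old = (Get-ItemProperty -Path $keyPath -Name DatabaseConnectionMS).DatabaseConnectionMS
    $new = Set-InitialCatalog -ConnectionString $old -Catalog 'SOPHOS540'
    Set-ItemProperty -Path $keyPath -Name DatabaseConnectionMS -Value $new
    # Read the value back so the change can be confirmed before starting services.
    (Get-ItemProperty -Path $keyPath -Name DatabaseConnectionMS).DatabaseConnectionMS
}
```

Export the key before changing it so the imported value can be restored if the management service fails to connect.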
