
Help with redirecting endpoints from old SEC to new SEC

Hi all

I'd love some advice on how we might be able to migrate the last few hundred clients from our legacy SEC to the production version.

Legacy: Server 2003, SEC 5.3.0, SUM 1.5.8.11

Production: Server 2012R2, SEC 5.5.0, SUM 1.6.1.124

The majority were migrated over a period of time, using the VBScript MRreinit method, successfully. The remainder though, are:

  • Remote
  • NEVER on our internal networks - not even via VPN
  • We have no remote management methods, no remote control options (other than manually calling users one at a time and talking them through some steps), and no patch or script remote deployment methods on these particular machines - this is the real reason they haven't been migrated...

I have read a lot of posts and KBs, and I think the only method that might work is to somehow bend the RMS / AutoUpdate mechanisms to redirect endpoints from the old SEC server to the new SEC server, e.g.:

https://community.sophos.com/products/endpoint-security-control/f/sophos-endpoint-software/1825/changing-parent-router-ip-address/2321#2321

and 

https://community.sophos.com/kb/en-us/14635

https://community.sophos.com/kb/en-us/13112

On our legacy SEC, there are 3x subscriptions, but, as far as I can tell, they have all lapsed - the subscriptions status panel in UM details shows that each of the 3x subscriptions has had a recent last successful download, BUT under the Update Manager Status History listing it's a very long list of "Software update failed - error 80040404". I assume this is due to the subscriptions having lapsed, but can someone please confirm? There are many popups to the effect that SEC isn't supported. I tried upgrading to 5.5.0, but it's not supported on S2003. It seems that 5.3.1 might be the latest version supported on S2003, but I can't find a link - it doesn't seem to be on the legacy versions download page anymore.

I picked on the subscription used for the "Preview" version, since that has the least number of endpoints in Groups using it (none, actually) and also since I figured it would have the newest versions. I figured out that this subscription saves into the following:

\\sophos\SophosUpdate\CIDs\S008

I took the mrinit.conf and cac.pem files from our Production SEC, placed into the following dir:

\\sophos\SophosUpdate\CIDs\S008\SAVSCFXP\rms

On the Legacy SEC, ran:

"C:\Program Files\Sophos\Update Manager\ConfigCID.exe" \\sophos\SophosUpdate\CIDs\S008\SAVSCFXP\

Output looks ok, it's mostly "Nothing to do" but it DID say:

Updating entry for \rms\cmanifest.dat

Updating entry for cmanifest.dat

Wrote a few catalog files, checked a bunch of checksums (all matched), then wrote into catalog file master.upd. Done.

At this point I should point out that our CID on the legacy SEC is published as a WEBCID; the remaining clients connect remotely.

I then cautiously moved an endpoint machine into the correct group so that it would get the right modified subscription and clicked "Update computers now".

I saw the status change to "Awaiting policy transfer" as expected. Then it went to 'same as policy'. Still on the legacy SEC.

It then went offline (but didn't appear in the Production SEC), so I similarly moved another handful of ONLINE machines into my test Group.

Some of these are still online after an hour or two, but NONE of them have moved into the production SEC.

Did I misunderstand this mechanism or process completely?

All advice gratefully received. And - if I'm attempting to do something completely impossible, then I'd rather be told instead of spending more time on it...

TIA


