This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Migrate Clients to new SEC Server

I am attempting to resolve an issue with the Update Manager failing to retrieve updates, I have run though some of the other troubleshooting pages with no success. I did set up a new server which is downloading updates correctly. What seems to be the simple solution would be to un-manage clients from the original server and re-manage them from the new and correctly updating server. I can not find a recommended process to migrate from one SEC server to another, is there such a thing?

The uninstall instructions for the Sophos endpoint software also seems excessively complicated to manually perform on every workstation. Is there a better way?

Thanks!



This thread was automatically locked due to age.
Parents
  • OK, I assume that you now have:

    • SECSERVER1
    • SECSERVER2

    Both servers have all components of the management server installed, i.e. Enterprise Console, SUM, Database.

    All your clients are pointing at SECSERVER1 and now you want to point all the clients at SECSERVER2 for both management and updating.

    I assume that when you installed SECSERVER2 you didn't import any certificates from SECSERVER2 so they are essentially 2 unrelated installations.

    You may have performed an ADSync/Import to re-generate the groups structure and re-created any policies you may have had in SECSERVER1

    It sounds like it would be easier to fix updating on SECSERVER1 and remove SECSERVER2 but if you wish to migrate all the clients, there are 3 options and I'm sure you'll employee all 3 methods to cover all endpoints.

    1. Re-protect from SEC - Essentially pushing a scheduled task to remote computers.  This may work but requires a number of pre-reqs to be met.  https://www.sophos.com/deployment  has some information.  Of course the computers need to be on when you do this.

    2. Pull installs from the endpoint - This is basically running the same command that is generated by the SEC push (option 1) but you just run it from the client either manually or as part of some startup script in AD. - https://community.sophos.com/kb/en-us/12570 has the switches but to generate a command, you can use option 1 to push to an example client and copy the command out of the Sophos install scheduled task properties.  You will have to be reasonably quick but at least you will get the full command with obfuscated usernames and passwords.

    3. Generate a VBScript file using the HTA tools that will re-direct the computers to the new server and issue all the clients new certificates in the process.  https://community.sophos.com/kb/en-us/116737 
    The script can then be deployed as a startup script.

    Option 1 and 2 will require the clients to download and uninstall/reinstall some components so there is quite a bit of churn to those options.  Option 3 just changes registry keys and restarts existing services.

    Once completes you can decommission SECSERVER1 which might include un-installation the Sophos components, rebooting and re-protecting from the SECSERVER2

    Regards,

    Jak

  • You are correct, they are two unrelated installs. One of the issues that I thought I might be encountering was an issue downloading updates through a SonicWall gateway with Gateway AV enabled. I set up the whitelist/exception list, but my original server would still not update. I installed the second server to test the ability for SEC to download updates from behind the SonicWall, and it seems to have no problem.

    I'm not opposed to troubleshooting the original server further. I have not opened a community thread on that topic yet, but I have worked through the troubleshooting documented on other similar threads, to no avail.

    -Paul

Reply
  • You are correct, they are two unrelated installs. One of the issues that I thought I might be encountering was an issue downloading updates through a SonicWall gateway with Gateway AV enabled. I set up the whitelist/exception list, but my original server would still not update. I installed the second server to test the ability for SEC to download updates from behind the SonicWall, and it seems to have no problem.

    I'm not opposed to troubleshooting the original server further. I have not opened a community thread on that topic yet, but I have worked through the troubleshooting documented on other similar threads, to no avail.

    -Paul

Children