
Should I upgrade then migrate, or migrate then upgrade? Or just uninstall everything and start again?

Hi Everyone, 

I have a few questions, would greatly appreciate if anyone can point me in the right direction.

Background info: we have a Sophos Enterprise Console 5.4.1 running on Server 2008 R2. We have about 200 computers. We have active application control policies as well as the tamper control and the usual antivirus policies. We have built a new VM - Server 2012 STD and want to migrate our Sophos Console onto that.

Now the question is,

1. Should we upgrade the console to SEC 5.5 first and then migrate it from Server 2008 to Server 2012

OR

2. Should we migrate 5.4.1 to Server 2012 first and then upgrade it to SEC 5.5?

OR

3. Should we completely uninstall SEC 5.4.1 from Server 2008 and then re-install SEC 5.5 on Server 2012 and re-protect the clients and re-do the policies etc.

 

Note: The Server 2008 that is currently hosting SEC 5.4.1 is a domain controller.. :-(

 

Thank you for any tips or suggestions you can give us.

 



This thread was automatically locked due to age.
  • Hello Redfern,

    first of all, there's no need to uninstall from the old server.

    Normally you'd first upgrade and then migrate. While not documented AFAIK it can be done in one step, briefly mentioned here. If these are your first upgrade and first migration I'd recommend you follow the standard procedure.

    Christian

  • Hi Christian!

    I was hoping you would comment on our post :-)

     

    Thank you for your guidance, I have a couple more questions if you could please answer them?

     

    This is the article we will be using to carry out the upgrade: https://docs.sophos.com/esg/enterprise-console/5-5/help/en-us/PDF/sec_55_ugeng.pdf

     

    This is the article we will be using to migrate from the old server to the new server: https://docs.sophos.com/esg/enterprise-console/5-5/help/en-us/PDF/sec_55_mgeng.pdf

     

    Also we have Sophos PureMessage installed on our Exchange server, will this project affect the PureMessage installation in any way or is that separate from SEC?

     

    If the upgrade or migrate goes wrong at any point, and we restore the entire Server 2008 R2 from an image backup then will SEC work okay or will it fall out with its clients?

     

    Thank you for your help. 

     

    Redfern

     

  • Hello RedFern,

    from the names these should be the ones, can't say for sure - real programmers don't read manuals [;)].
    Seriously - upgrading is just backup, download and run installer, make amendments as suited so I don't read the guide, but I do read the Release Notes. BTW - according to TomHilton SEC 5.5.1 is just around the corner. You might want to wait another two weeks perhaps.

    PureMessage could update its AV component directly from Sophos or from a local CID. If the former there is no connection with SEC at all. If the latter the server hosting PM is nevertheless just an endpoint like all the others. Note that the Endpoint software isn't affected by SEC upgrades.

    If the upgrade [...] goes wrong
    Depending on the resources the upgrade doesn't take long (hint: make the image backup after you've downloaded and unpacked the installer and backed up the database and management server). If the management server is started again after you've taken the image backup you'll lose some errors, events, and history - otherwise there should be no permanent effects. You should make sure though that SUM isn't downloading a new Endpoint version as this could result in the endpoints first upgrading and after the image restore downgrading. As this is a DC SEC is probably of lesser concern when restoring ...
    As to goes wrong and potential restore - there are four main steps:

    1. Pre-reqs check - no need to restore anything if a condition isn't met; another backup might be advisable though after it has been corrected
    2. Installation of the components - if one or more installs fail and the issue can't be solved immediately don't forget to preserve the logs before a restore; if the cause isn't identified and solved another attempt will likely equally fail
    3. Management service first run and database upgrade - similar to 2
    4. Console open - nasty but probably a minor issue that doesn't justify going through a restore

    or migrate goes wrong
    nothing changes on the server you migrate from so no need to restore. Of course if you decide to delay the migration and start the "old" management services you have to take a new backup for migration.

    Last but not least there's the question of how to direct the endpoints to the new management server. Reprotect is recommended but not necessary if you have restored the certificates. ReInit is another option but requires the command to be run on the endpoints. Personally I prefer(red) to configure the CIDs' \rms subdirectory, the procedure for message relays can analogously be applied to the CIDs on the new server (note that from then on you should apply this to all CIDs as endpoints installed from the old server might fall back to the original mrinit.conf when they update from an unconfigured CID).
    With the last migration I've started using an alias in mrinit.conf and our DNS. Will the 2k8R2 continue to run as DC?

    Christian
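
A consistency check for the caveat in the reply above (every CID should carry the same configured mrinit.conf), as an added example that is not part of the thread and not Sophos tooling. The key names `MRParentAddress` and `ParentRouterAddress`, the alias `sec-mgmt.example.internal` and the sample file contents are assumptions constructed for illustration.

```python
import re
from pathlib import Path

# Key names assumed from typical mrinit.conf files; they do not appear in the thread.
PARENT_KEYS = ("MRParentAddress", "ParentRouterAddress")
LINE_RE = re.compile(r'^\s*"(?P<key>[^"]+)"\s*=\s*"(?P<value>[^"]*)"\s*$')

def parent_addresses(conf_text):
    """Return {key: [addresses]} for the parent-address keys in one mrinit.conf."""
    found = {}
    for line in conf_text.splitlines():
        m = LINE_RE.match(line)
        if m and m.group("key") in PARENT_KEYS:
            found[m.group("key")] = [
                a.strip().lower() for a in m.group("value").split(",") if a.strip()
            ]
    return found

def read_cid(cid_dir):
    """Return the text of <cid_dir>/rms/mrinit.conf, or None if the CID is unconfigured."""
    conf = Path(cid_dir) / "rms" / "mrinit.conf"
    return conf.read_text(errors="replace") if conf.is_file() else None

def audit(confs, expected):
    """confs maps a CID label to mrinit.conf text (None = no rms copy).
    Return {label: [problems]} for every CID that needs attention."""
    expected = expected.lower()
    report = {}
    for label, text in confs.items():
        if text is None:
            report[label] = ["no rms/mrinit.conf (unconfigured CID)"]
            continue
        found = parent_addresses(text)
        problems = [f"{k} missing" for k in PARENT_KEYS if k not in found]
        problems += [f"{k} does not list {expected}"
                     for k, v in found.items() if expected not in v]
        if problems:
            report[label] = problems
    return report

# Constructed samples: hostnames and addresses are placeholders.
OLD = "192.0.2.10,oldsrv.example.internal,OLDSRV"
SAMPLE = {
    "CID-A": '[Config]\n"MRParentAddress"="sec-mgmt.example.internal"\n'
             '"ParentRouterAddress"="sec-mgmt.example.internal"\n',
    "CID-B": f'[Config]\n"MRParentAddress"="{OLD}"\n"ParentRouterAddress"="{OLD}"\n',
    "CID-C": None,
}

if __name__ == "__main__":
    for cid, problems in audit(SAMPLE, "sec-mgmt.example.internal").items():
        print(cid, "->", "; ".join(problems))
```

On a real share, build the mapping with `read_cid()` for each CID directory you maintain and run `audit()` after every change to the CIDs.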
