Migrate Clients to new SEC Server

OK, I assume that you now have:

• SECSERVER1
• SECSERVER2

Both servers have all components of the management server installed, i.e. Enterprise Console, SUM, Database.

All your clients are pointing at SECSERVER1 and now you want to point all the clients at SECSERVER2 for both management and updating.

I assume that when you installed SECSERVER2 you didn't import any certificates from SECSERVER2 so they are essentially 2 unrelated installations.

You may have performed an ADSync/Import to re-generate the groups structure and re-created any policies you may have had in SECSERVER1

It sounds like it would be easier to fix updating on SECSERVER1 and remove SECSERVER2 but if you wish to migrate all the clients, there are 3 options and I'm sure you'll employee all 3 methods to cover all endpoints.

1. Re-protect from SEC - Essentially pushing a scheduled task to remote computers.  This may work but requires a number of pre-reqs to be met.  https://www.sophos.com/deployment  has some information.  Of course the computers need to be on when you do this.

2. Pull installs from the endpoint - This is basically running the same command that is generated by the SEC push (option 1) but you just run it from the client either manually or as part of some startup script in AD. - https://community.sophos.com/kb/en-us/12570 has the switches but to generate a command, you can use option 1 to push to an example client and copy the command out of the Sophos install scheduled task properties.  You will have to be reasonably quick but at least you will get the full command with obfuscated usernames and passwords.

3. Generate a VBScript file using the HTA tools that will re-direct the computers to the new server and issue all the clients new certificates in the process.  https://community.sophos.com/kb/en-us/116737 
The script can then be deployed as a startup script.

Option 1 and 2 will require the clients to download and uninstall/reinstall some components so there is quite a bit of churn to those options.  Option 3 just changes registry keys and restarts existing services.

Once completes you can decommission SECSERVER1 which might include un-installation the Sophos components, rebooting and re-protecting from the SECSERVER2

Regards,

Jak

You are correct, they are two unrelated installs. One of the issues that I thought I might be encountering was an issue downloading updates through a SonicWall gateway with Gateway AV enabled. I set up the whitelist/exception list, but my original server would still not update. I installed the second server to test the ability for SEC to download updates from behind the SonicWall, and it seems to have no problem.

I'm not opposed to troubleshooting the original server further. I have not opened a community thread on that topic yet, but I have worked through the troubleshooting documented on other similar threads, to no avail.

-Paul

Are you able to link the Sophos Update Manager trace file?  It's called SUMTraceLog under C:\ProgramData\Sophos\Update Manager\Logs\. 

I think you can just drag it onto the rich text editor to upload.

Regards,

Jak

Are you able to link the Sophos Update Manager trace file?  It's called SUMTraceLog under C:\ProgramData\Sophos\Update Manager\Logs\. 

I think you can just drag it onto the rich text editor to upload.

Regards,

Jak