I wanted to point out this KBA to everyone that is upgrading to SGN 5.50 from SGN 5.40.
While the same information is provided in the /docs folder of the downloadable software ZIP files, the PDF attached to the KBA is a quick read. It will give you the details you need to get upgraded from SGN 5.40 and a couple tips to help it go smoothly. :smileyvery-happy:
rei wrote:
Any special considerations in upgrading from SGE-Standalone 5.4 to SG-Easy 5.5?
Hi rei,
Thank you for posting your question in the SophosTalk community.
I'm assuming you mean SGE is SafeGuard Enterprise? Sorry for the question, but the acronym for SafeGuard Enterprise is SGN and that is an accurate version number. If you mean SafeGuard Easy for SGE then my apologies. You threw me with the word "Standalone".
For SGN Standalone, first please take a look at this KBA. It will explain what's going on with SGN Standalone 5.4x (and lower) and SGE 5.50. Since SGN DE Standalone is and SGE 5.50 have the same architecture, you can upgrade your existing SGN DE Standalone environment using the SGE 5.50 installation bits. Please read through the Release Notes and the SafeGuard Easy 5.50 Administrator Help for more details on which versions of SGN DE Standalone can be upgraded to SGE 5.50.
If you are looking to learn how to migrate from SGE 4.x to SGE 5.5 then please take a read through this KBA.
ssij wrote:
Dave,
Do you have any tips for upgrading SGN Enterprise clients? I've been trying the upgrade from 5.40 -> 5.50 on some of my machines, and the DE/DX client seems to upgrade just fine, but CP will not install.
Hi ssij,
Thanks again for posting your question.
Before I can answer that, I will need (for now) at least 2 pieces of information:
Thanks!
DSchwartzberg wrote:Before I can answer that, I will need (for now) at least 2 pieces of information:
- Which Windows OS are you using and bit level?
- Can you list the MSI files you are installing and the order you are installing? Also, please include if you are doing a reboot in between.
Thanks!
I've tried with both XP Pro SP3 32-bit and Vista Biz SP2 32-bit.
As for the MSI files and install order,
First, I tried this:
Install SGxClientPreInstall.msi
Install SGNClient.msi with ADDLOCAL=ALL
Install SGN_CP_Client.msi (v5.50)
The CP Client fails outright, both scripted and unscripted. When I ran the installer unscripted, I got the error "Please reboot before starting the Install process". No matter how many times I reboot, it will still give me this error. I emailed support about it, and they told me to delete the pendingfilerenameoperations key in the registry (referring to this KBA), but that did not work.
The second time around, I tried:
Install SGxClientPreInstall.msi
Install SGNClient.msi with ADDLOCAL=ALL
Uninstall SGN_CP_PortProtectorClient.msi (from v5.40)
Install SGN_CP_Client.msi
As explained in this KBA. This also fails, both scripted and unscripted. When run unscripted, I get an error message saying, "The Client Configuration file is not reachable". Support thought that this refers to the client configuration MSI file, but the path is referring to C:\Documents and Settings\All Users\Application Data\Utimaco\SafeGuard Enterprise\CFP\ClientConfig.scc, not an MSI. Either way, I was under the impression that I didn't need to install a v5.50 client configuration msi on the client when upgrading from from v5.40.
I initially did not reboot on after the client upgrade, and the CP install failed. Even after rebooting, the CP install still fails on both tries.
I'm kinda stumped as to why this isn't working. Am I doing something wrong?
ssij wrote:
I've tried with both XP Pro SP3 32-bit and Vista Biz SP2 32-bit.As for the MSI files and install order,
First, I tried this:
Install SGxClientPreInstall.msi
Install SGNClient.msi with ADDLOCAL=ALL
Install SGN_CP_Client.msi (v5.50)
The CP Client fails outright, both scripted and unscripted. When I ran the installer unscripted, I got the error "Please reboot before starting the Install process". No matter how many times I reboot, it will still give me this error. I emailed support about it, and they told me to delete the pendingfilerenameoperations key in the registry (referring to this KBA), but that did not work.
The second time around, I tried:
Install SGxClientPreInstall.msi
Install SGNClient.msi with ADDLOCAL=ALL
Uninstall SGN_CP_PortProtectorClient.msi (from v5.40)
Install SGN_CP_Client.msi
As explained in this KBA. This also fails, both scripted and unscripted. When run unscripted, I get an error message saying, "The Client Configuration file is not reachable". Support thought that this refers to the client configuration MSI file, but the path is referring to C:\Documents and Settings\All Users\Application Data\Utimaco\SafeGuard Enterprise\CFP\ClientConfig.scc, not an MSI. Either way, I was under the impression that I didn't need to install a v5.50 client configuration msi on the client when upgrading from from v5.40.
I initially did not reboot on after the client upgrade, and the CP install failed. Even after rebooting, the CP install still fails on both tries.
I'm kinda stumped as to why this isn't working. Am I doing something wrong?
Hi ssij,
While it looks like you are going down the correct path, I have a feeling a small detail might be overlooked. According to the Release Notes (RN) found with the installation software named readsgn_5_eng.html, section 5.8 explains the steps to upgrade SGN CP 5.35 and higher to SGN 5.50. Here's the pasting from the RN:
SGN ConfigurationProtection Module can’’’’t be updated to SGN 5.50 directly due to security constraints. In order to get the new version of the ConfigurationProtection Module installed properly the existing version has to be removed beforehand.
The approved update procedure is the following:
Step 1: update SGN (do not reboot afterwards)
Step 2: remove old CP client (SGN_CP_PortProtectorClient.msi)
Step 3: install new CP client (SGN_CP_Client.msi)
The existing <Client Config.msi> you created for your location does not need to be removed and reinstalled. The error about the Client Configuration file is correct, but as you pointed out, it's the ClientConfig.scc and not the .msi file.
Also, this is in the RN "On updating the Configuration Protection Module the policy needs to be reapplied to be taken into account."
If you are stil having trouble, try removing CP (SGN_CP_Client.msi (assuming you already tried to upgrade to 5.50 otherwise use SGN_CP_PortProtectorClient.msi for 5.40) using the SGNClient.msi first, do not reboot, remove the CP client, reboot, then install the SGNClient.msi to include the CP component, do not reboot, then install the new CP client (SGN_CP_Client.msi).
DSchwartzberg wrote:Hi ssij,
While it looks like you are going down the correct path, I have a feeling a small detail might be overlooked. According to the Release Notes (RN) found with the installation software named readsgn_5_eng.html, section 5.8 explains the steps to upgrade SGN CP 5.35 and higher to SGN 5.50. Here's the pasting from the RN:
SGN ConfigurationProtection Module can’’’’t be updated to SGN 5.50 directly due to security constraints. In order to get the new version of the ConfigurationProtection Module installed properly the existing version has to be removed beforehand.
The approved update procedure is the following:
Step 1: update SGN (do not reboot afterwards)
Step 2: remove old CP client (SGN_CP_PortProtectorClient.msi)
Step 3: install new CP client (SGN_CP_Client.msi)The existing <Client Config.msi> you created for your location does not need to be removed and reinstalled. The error about the Client Configuration file is correct, but as you pointed out, it's the ClientConfig.scc and not the .msi file.
Also, this is in the RN "On updating the Configuration Protection Module the policy needs to be reapplied to be taken into account."
If you are stil having trouble, try removing CP (SGN_CP_Client.msi (assuming you already tried to upgrade to 5.50 otherwise use SGN_CP_PortProtectorClient.msi for 5.40) using the SGNClient.msi first, do not reboot, remove the CP client, reboot, then install the SGNClient.msi to include the CP component, do not reboot, then install the new CP client (SGN_CP_Client.msi).
David,
Your last suggestion (removing the CP component from the SGNClient.msi file and reinstalling it) seemed to work for this one machine, but it makes it difficult to script an install, and doesn't answer the question as to why the approved update procedure is failing consistently on my machines.
My best guess is that when the SGNClient is upgraded, the ClientConfig.scc is either re-created or remains as-is, but by removing the v5.40 CP Client in step two, that file is also removed by the installer. Thus, re-installing the CP component in the SGNClient.msi re-creates the file and allow the v5.50 CP client to properly install.
If my guess is correct, removing the v5.40 CP Client BEFORE upgrading the SGNClient to v5.50 might solve this problem, but the CP Client doesn't seem to like that (asks for a uninstallation password). Do you know of a way of getting around this?
I guess it would also be possible to copy the ClientConfig.scc file to a temporary location before uninstalling the v5.40 CP Client and copy it back after the uninstall is complete, but will that cause any other strange problems (with policies being applied, etc)?
Hi ssij,
You wrote
"Your last suggestion (removing the CP component from the SGNClient.msi file and reinstalling it) seemed to work for this one machine, but it makes it difficult to script an install, and doesn't answer the question as to why the approved update procedure is failing consistently on my machines."
I'm glad I was able to help, but the scripting is possible. If you are running into issues with the other devices, it's going to be a daunting task to figure it all out within the forums. Would you be kind enough to open a case with Sophos Technical Support so they can collect log files from you to see where the disconnect exists?
You wrote:
"My best guess is that when the SGNClient is upgraded, the ClientConfig.scc is either re-created or remains as-is, but by removing the v5.40 CP Client in step two, that file is also removed by the installer. Thus, re-installing the CP component in the SGNClient.msi re-creates the file and allow the v5.50 CP client to properly install."
You are absolutely correct in your second sentence quoted above. The ClientConfig.scc file is recreated when the SGNClient.msi is executed and includes the Configuration Protection component for an add or remove. In step 2, you need to remember to execute the old SGN_CP_PortProtectorClient.msi v5.40 and then the new SGN_CP_Client.msi v5.50. From the way I read what you wrote, it sounds like you are using the SGN_CP_Client.msi to uninstall the SGN_CP_PortProtectorClient.msi. If not, then I'm really confused as to the state of the software installed on that device.
You wrote:
"If my guess is correct, removing the v5.40 CP Client BEFORE upgrading the SGNClient to v5.50 might solve this problem, but the CP Client doesn't seem to like that (asks for a uninstallation password). Do you know of a way of getting around this?"
Your guess sounds correct, but it's the SGNClient.msi which is providing the password. If you attempt to add or remove the CP component using the SGNClient.msi, then restart without running the next msi on the list, then that msi will fail to install or uninstall. Make sense? There is no way to get around the password other than using the SGNClient.msi to control the installation or uninstallation of the second CP installer.
You wrote:
"I guess it would also be possible to copy the ClientConfig.scc file to a temporary location before uninstalling the v5.40 CP Client and copy it back after the uninstall is complete, but will that cause any other strange problems (with policies being applied, etc)?"
I wouldn't move the ClientConfig.scc file. The secondary CP installer is looking for it in a specific place and if it's not there then the install will fail. Sorry, but I couldn't tell you how it will impact policy application because I leave the ClientConfig.scc file alone.
Hang in there, we'll get through this.
David,
I emailed support about this issue before posting on the forum, but I haven't had much luck from them either.
I think we're both getting confused here, so let me try to clarify once again.
(Note: I renamed the SGNClient.MSI files to indicate what version they are running)
Original SGN v5.40 Scripted Install (created and used some months prior to v5.50 coming out)
ECHO STEP 1:
ECHO Installing SGN Client v5.40 with patch...
msiexec /package SGNClient540.msi /passive /norestart ADDLOCAL=ALL PATCH=5.40.0.152_Patch_SR.msp /log c:\tmp\SGN540Client.log
ECHO STEP 2:
ECHO Installing CP Client v5.40...
msiexec /package SGN_CP_PortProtectorClient.msi /passive /norestart /log c:\tmp\SGN540CP.log
ECHO STEP 3:
ECHO Installing Client Config...
msiexec /package ClientConfig.msi /passive /norestart /log c:\tmp\SGN540Config.log
shutdown /R /F /T 15 /C "SGN 5.40 Installation Complete. Restarting..."
Almost all of my machines have been installed with this script, and I haven't had any problems with installation failing at any point.
Now, the script to upgrade from v5.40 to v5.50
ECHO STEP 0:
ECHO Installing SafeGuard v5.50 Preinstall File...
start /wait msiexec.exe /package SGxClientPreInstall.msi /passive /norestart /log c:\tmp\SGN550PreInst.log
ECHO STEP 1:
ECHO Upgrading SafeGuard 5.40 Enterprise Client to v5.50...
start /wait msiexec.exe /package SGNClient550.msi /passive /norestart ADDLOCAL=ALL /log c:\tmp\SGN550ClientUpg.log
ECHO STEP 2:
ECHO Removing SafeGuard 5.40 Configuration Protection module...
start /wait msiexec.exe /uninstall SGN_CP_PortProtectorClient.msi /passive /norestart /log c:\tmp\SGN540CPUninst.log
ECHO STEP 3:
ECHO Installing SafeGuard Port Protector Client...
start /wait msiexec.exe /package SGN_CP_Client.msi /passive /norestart /log c:\tmp\SGN550PortProt.log
shutdown -r -f -t 15 -c "SGN v5.50 Upgrade complete. Restarting..."
Step 3 of the upgrade fails because the ClientConfig.scc file is not found.
I'm finding that this upgrade script does work though:
ECHO Removing CP/DX components of the v5.40 client... start /wait msiexec /package SGNClient540.msi /passive /norestart REMOVE=ConfigurationProtection,SecureDataExchange /log c:\tmp\SGN540DXCP.log ECHO Removing SafeGuard 5.40 Configuration Protection module... START /wait msiexec.exe /uninstall SGN_CP_PortProtectorClient.msi /passive /norestart /log c:\tmp\SGN540CPUninst.log <reboot here> ECHO Installing SafeGuard 5.50 PreInstall file... start /wait msiexec.exe /package SGxClientPreinstall.msi /passive /norestart /log c:\tmp\SGN550PreInst.log ECHO Upgrading SafeGuard 5.40 Enterprise Client to v5.50... start /wait msiexec.exe /package SGNClient550.msi /passive /norestart ADDLOCAL=ALL /log c:\tmp\SGN550ClientUpg.log ECHO Installing SafeGuard Port Protector Client... start /wait msiexec.exe /package SGN_CP_Client.msi /passive /norestart /log c:\tmp\SGN550CPClient.log
Honestly, I think that the approved update procedure for client machines is broken, since no matter what I do or how many machines I test it on, it will not work.
Hi ssij,
I actually like that last script a lot!
ECHO Removing CP/DX components of the v5.40 client...
start /wait msiexec /package SGNClient540.msi /passive /norestart REMOVE=ConfigurationProtection,SecureDataExchange /log c:\tmp\SGN540DXCP.log
ECHO Removing SafeGuard 5.40 Configuration Protection module...
START /wait msiexec.exe /uninstall SGN_CP_PortProtectorClient.msi /passive /norestart /log c:\tmp\SGN540CPUninst.log
<reboot here>
ECHO Installing SafeGuard 5.50 PreInstall file...
start /wait msiexec.exe /package SGxClientPreinstall.msi /passive /norestart /log c:\tmp\SGN550PreInst.log
ECHO Upgrading SafeGuard 5.40 Enterprise Client to v5.50...
start /wait msiexec.exe /package SGNClient550.msi /passive /norestart ADDLOCAL=ALL /log c:\tmp\SGN550ClientUpg.log
ECHO Installing SafeGuard Port Protector Client...
start /wait msiexec.exe /package SGN_CP_Client.msi /passive /norestart /log c:\tmp\SGN550CPClient.log
I'm a bit confused on why you need to also remove SecureDataExchange and then rebooting? Have you tried the upgrade script leaving SecureDataExchange installed and not rebooting?
Thanks for that awesome level of detail and clarity! Nicely done!
