
SEC upgrade and migration concerns

Well, we are currently running SEC 5.1, and have a two-part need; upgrade to 5.2 and migrate to a different server.  One issue is that the current install is to a non-standard location, which according to documentation complicates the backup process.  The migration will also be from the non-standard Win Server 2003 location to a standard install on a Win 2008 R2 64-bit server.

There are also 3 update servers out on other Win 2008 servers that will remain, while the 4th that is currently on the old 2003 box will be going away.

Basically, just looking for a little how-to-proceed advice.  Is it better to upgrade in-place on the old box, or migrate the 5.1 now, then upgrade?  Or, maybe, because of the non-standard-to-standard-location, is migration going to be more problematic than it's worth, and should I just install a fresh SEC 5.2 on the new box and build anew?

  • Hello AxL,

    there's more than one way to skin a cat. You'll probably not want to start "from scratch", i.e. setting everything up (groups, policies) and then reprotect your clients (including the SUMs). The following is just how I would do it, YMMV (I'll not explain all details so if something is not clear feel free to ask). Does non-standard include the location of the \SophosUpdate share?

    • Plan whether to run old and new server in parallel (once you've copied/upgraded the database all alerts and events sent to the old server will be lost if it is still running; OTOH you can take your time moving the clients over to the new server)
    • Whatever your decision the next steps are:
    • "Clone" the server's identity (please see e.g. SEC 5.0 Update managers for the meaning of this)
    • Make sure you know the passwords of the SUM and database accounts
    • Back up the 5.1 databases (using backupdb.bat) and server information (How to back up and restore your Sophos Management Server) - do not forget you have to edit some registry keys when going from 32 to 64 bit - and if using encryption the MSO certificates
    • Install the 5.2 database component
    • Restore the 5.1 (!) databases (see 5.d. in Sqlcmd commands for ... if you have to restore them to a different location)
    • Now proceed with the installation of the 5.2 Console - it should detect the 5.1 database and upgrade it

    If all went well you have several options at this point:

    1. Do some testing

    Although the recommended way to "redirect" the endpoints to a new management server is reprotecting them or running a reinit script, those running Windows can be "moved" by pointing them to a CID configured with an appropriate mrinit.conf.

    • Make the necessary changes to the policies
    • Select a few endpoints (if you add a "test" SUM on the old environment before backing up the old installation you can test with it as well), create (on "old") an updating policy pointing to the new server and apply it to the test clients - and/or -
    • Test the reprotect/reinit scenario
    • whatever else ...

    Unless you make some changes to the server's configuration you can "reset" SEC:

    Note: any test clients will re-connect to the new server - it might happen that they receive the old (reset by the restore) updating policies.

    2. "Immediate" migration

    • If you don't want to run the servers in parallel, stop the services on the old one, back up once more the databases as well as the envelopes
    • Manually re-initialize the 5.2 databases (see Manually creating the Sophos databases ...)
    • Restore the 5.1 databases
    • Proceed with the steps from the migration guide including redirecting SUMs and clients
    • Do not forget to rebuild installer packages if you use them

    3. "Staged" migration

    As said an endpoint's latest alerts and events will be lost. You'll probably do some testing, so I assume you've already made the "necessary changes". Once you are confident that your new installation works

    • Redirect (with your favourite method) SUMs and (groups of) clients as desired

    It is not as complicated as it sounds (assuming the OS base is already installed it'd take me about half a day or so). Of course I don't know the extent and nature of non-standard. There's also no warranty that this is complete and I haven't done it on the versions you are working with.

    HTH

    Christian

  • Hello, sorry for the delay.  By "Non-standard" I meant the location that SEC is currently installed to, which in our case is \Sophos\Enterprise Console on a 2nd hard drive, i.e. the D drive.

    This looks good though, thanks, I hope to get started today and see how it goes.
