Retiring Server and Client Update Behavior

Do these curently "unmanaged" clients fail both to update and communicate over RMS, essentially are all channels are cut off?

No- they are updating and communicating just fine over RMS now with the old server.

Are they essentially either locked away, out of the office for an unknown peiod and either won't return at all or possibly at some time in the future?

They are computers that are difficult to identify and over which we have no administrative rights or remote administration capability.  Some may be personally-owned computers. In theory, if we had the manpower we could hunt down individual IP addresses and try to contact the users to work with them directly, but this would be a highly labor intensive effort.  We have about 400 endpoints still on the old server.  About 50/50 Windows and Mac.  The migration started over a year ago.

Out of interest how did you migrate the computers from the old to new server?  

1. Reprotect from the new SEC.
2. Use a script to re-direct them.
3. Use a custom mrinit.conf in the CID to redirect them?
4. Maybe a combination of the above?

The new server was set up with a separate name/IP as a completely new system.  On the Windows endpoints we used our remote admin tools to run a SophosReInit script.  On Macs, we used our remote admin tools to uninstall Sophos and re-install using an installer from the new server.

If you decommision the old server? Is the name/IP freed up?  I assume as the old and new are co-existing they have different names.

Yes the name will be freed up.  We had to use a new name for the new server becuase there were other services running on the Sophos server that required that name after the new Sophos server was brought up.

If the new and old have the same RMS certificates, i.e. the certauthstore was imported prior to installing on the new server: When you decommision the server, could you put just a DNS record in place that effectively points the clients at the new server using the old address.

I'll look into this, but I'm pretty sure the new server has a different RMS certificate. It was set up and configured from scratch and nothing was moved from the old server to the new.

Another options, if these computers, when they return have to run a system startup script you could redirect them at that point, either by:

1. Running setup.exe from the new CID.  Quite a heavy weight approach, certianly on bandwidth

2. Re-init them using a script: http://www.sophos.com/en-us/support/knowledgebase/116737.aspx

Yes - the kb article describes the process we used to create the Windows migration script.  We're posting info for users to manually download and run the script, but the challenge is communicating with the people who need to do this.  

They key is regaining RMS management so they can be managed in SEC; at that point you can configure their update location.

Regards,

Jak

Thanks for this info.  I'll run it by our team to see if there is anything you mention that we overlooked!

Do these curently "unmanaged" clients fail both to update and communicate over RMS, essentially are all channels are cut off?

No- they are updating and communicating just fine over RMS now with the old server.

Are they essentially either locked away, out of the office for an unknown peiod and either won't return at all or possibly at some time in the future?

They are computers that are difficult to identify and over which we have no administrative rights or remote administration capability.  Some may be personally-owned computers. In theory, if we had the manpower we could hunt down individual IP addresses and try to contact the users to work with them directly, but this would be a highly labor intensive effort.  We have about 400 endpoints still on the old server.  About 50/50 Windows and Mac.  The migration started over a year ago.

Out of interest how did you migrate the computers from the old to new server?  

1. Reprotect from the new SEC.
2. Use a script to re-direct them.
3. Use a custom mrinit.conf in the CID to redirect them?
4. Maybe a combination of the above?

The new server was set up with a separate name/IP as a completely new system.  On the Windows endpoints we used our remote admin tools to run a SophosReInit script.  On Macs, we used our remote admin tools to uninstall Sophos and re-install using an installer from the new server.

If you decommision the old server? Is the name/IP freed up?  I assume as the old and new are co-existing they have different names.

Yes the name will be freed up.  We had to use a new name for the new server becuase there were other services running on the Sophos server that required that name after the new Sophos server was brought up.

If the new and old have the same RMS certificates, i.e. the certauthstore was imported prior to installing on the new server: When you decommision the server, could you put just a DNS record in place that effectively points the clients at the new server using the old address.

I'll look into this, but I'm pretty sure the new server has a different RMS certificate. It was set up and configured from scratch and nothing was moved from the old server to the new.

Another options, if these computers, when they return have to run a system startup script you could redirect them at that point, either by:

1. Running setup.exe from the new CID.  Quite a heavy weight approach, certianly on bandwidth

2. Re-init them using a script: http://www.sophos.com/en-us/support/knowledgebase/116737.aspx

Yes - the kb article describes the process we used to create the Windows migration script.  We're posting info for users to manually download and run the script, but the challenge is communicating with the people who need to do this.  

They key is regaining RMS management so they can be managed in SEC; at that point you can configure their update location.

Regards,

Jak

Thanks for this info.  I'll run it by our team to see if there is anything you mention that we overlooked!