3 Replies Latest reply on Sep 16, 2013 6:50 AM by andrep1

    ePO migration 4.5 -> 4.6 (on new 64 bit hw)  advice welcome  (VSE, HDLP, AppCtrl)




      I'm facing our first big ePO migration to new hardware and the challenge is pretty daunting.  


      Anyone done this before and willing to share their strategy?   An SE sorta off the cuff recommended a fresh build of a 4.6 server and rebuilding all policies, and that advice is suddenly giving me pause as I look at the number of things that have to come over. 


      This environment has about 2500 total device count. 

      One strategy is to start fresh and try to rebuild all policies and hierarchies for these products and migrate.  Which sounds daunting, and prone to human error if policies are missed. But probably the most likely to succeed?     For HDLP, is there a notion of policy export?  Is there anything to help a VSE 8.7 user create similar policies for 8.8 or is it a manual task (as I believe the 8.5->8.7 migration was)?   Application Control?


      Another is to snap a database backup per KB66616 disaster recovery procedures, install epo 4.5.7 on the new server, and restore... but given the move from 32 to 64 bits with a hostname change,  does this have any chance of working?



      The current server:

      • one single server, ePO 4.5.7 
      • under win2003 32 bit and full SQL server license 2008r2, on-box.     
        • Products: VirusScan 8.7 engine 5400 (need to get to 8.8 engine 5600 in this upgrade),   Antispyware
        • HDLP 9.2  primarily for USB device control at this point
        • McAfee Application Control (Solidcore) 6.1  is in the process of being deployed and is current on a test group
        • Mix of agent 4.0 and 4.5 out there 


      The new ePO box:

      • Win 2008 R2 64bit, full SQL server 2008r2
      • Server is a different name and IP from the existing
        • Upgrade to VirusScan 8.8 in the process with engine 5600 when I migrate or reinstall agents on endpoints
        • Looking to get to Agent 4.6 and VSE 8.8 in the process of migrating endpoints to this
      • Not in love with the ePO inventory hierarchy we have on the old server, where there are a lot of subgroups and cruft that could be flattened substantially by using tags.   Part of the motivation to start fresh is rooted in the desire to rearchitect the hierarchy to be cleaner.


      Thanks for any advice you can give based on your experiences.

        • 1. Re: ePO migration 4.5 -> 4.6 (on new 64 bit hw)  advice welcome  (VSE, HDLP, AppCtrl)

          We had a similar situation, migrating to new hardware, new IP, new server name, new OS. 50000+ endpoints. We chose to start fresh. DR procedure works but would work much better by reusing the old server name and IP and I've used it in the past, but a fresh start gives you 100% availability.


          From my perspective, safest is to in-place upgrade your current ePO to 4.6. It has excellent tools for exporting policies and tasks, and their related assignments. I would also upgrade your agents at this point. It is not intrusive at all. You shouldn't be running 4.0 agents unless you still have win2k devices.


          Export your security keys from the existing server and import in new server, set up a registered server for the new server in the old server, enable system transfer. Once this is done, you can hand over agents from the old to the new server. Basically, this will enable the agent to use the server list and encryption key from the new server. Plan to keep your servers in parallel for weeks. Agents that won't transfer are best handled by re-pushing the agent from the new server.


          If you are interested in keeping your old data but need to decommission the old servers, you can use rollup reporting to transfer your data in the rollup database on the new server.


          This is the quick version and I can provide more details, but I would highly recommend the parallel setup. If you can keep the old server around, it can make a nice agent handler which reduces the load on your ePO app server and also enables you to continue agent communications between the database and the agents when the main ePO server is down. 

          • 2. Re: ePO migration 4.5 -> 4.6 (on new 64 bit hw)  advice welcome  (VSE, HDLP, AppCtrl)

            Wow, great advice there Andre, and I'm thrilled I was able to follow most of it. 


            Can you say more about the tools for exporting policies and tasks out of the ePO server to the new?      Are you saying, an in-place upgrade to 4.6 on the existing would be  easy, and then parallel installing that same level on the new server, then, leveraging 4.6's niceties in policy and task export, and the ability to register the new server to ease the handover of agents to the new?      That sounds like a lot of time savings.  


            When you transfer an agent from one server to another registered server,  are there any restrictions or needs or suggestions on the system hierarchy in the epo asset tree on the new server side?      Or is there some sort of export available from epo 4.6 that'll tell a transferred server where in the hierarchy it should go when it comes to the new server?


            I don't have a hard deadline on retiring the old server, and old data isn't that much of a big deal, but it's really nice to know such a rollup is available in this approach.   But this approach does make it sound like the primary driver for this move (the VSE engine update) is well worth doing in the existing environment rather than trying to do too many things at once bringing things from old to new.


            I'm glad I asked.   I'd be interested in other commentary as well. 

            • 3. Re: ePO migration 4.5 -> 4.6 (on new 64 bit hw)  advice welcome  (VSE, HDLP, AppCtrl)

              Yes, an in-place upgrade on the old server and fresh install on the new one. This way, you keep your servers in parallel and keep your environment managed with no interruption.

              Once that is done, you can export your client tasks and task assignments, policies and policy assignments; you can also export your server tasks (and that will automatically export the queries used by the server tasks if it applies).

              Then export your queries and custom dashboard.


              As for where your systems would end up in your system tree, that depends on you.

              If you use the IP sorting rules, you would have to recreate that and the sorting rules would apply. If you create the leaf nodes (the managed system in the tree), then it should attach the migrated system to the blank system you created. If you have AD and sync from AD, then that would make your life simpler as it would create the objects and OU in your system tree. That's the way we manage our stuff. But to migrate your task and policy assignments, you would have to keep the same tree structure I think.


              Considering your driver, I would move forward with updating the McAfee ePO Agent to 4.8, do engine 5600 and VSE88 since the date is approaching, then work on transferring to the new ePO and continue updating your security products.