Moving Sophos to a new server
Maybe it's just me but the Sophos knowledgebase seems hopeless and doesn't even seem to understand the term migrate
So how do I do it?
Enterprise Console v2 we're running
Is there a migration tool or a guide on doing it manually?
Also once it's done I assume it's just a case of changing the updating policy to reflect the new server so clients can find updates
Re: Moving Sophos to a new server
I tried this a while ago, and it didn't go very well and Sophos weren't a great deal of help.
Basically it seems to involve a fresh installation, and then running a startup script (provided by Sophos) on the clients to redirect to the new server and force them to get a new certificate to allow them to connect to the remote management system. It all worked as soon as the scripts ran on the PCs.
This was on the older version 1.0 console, but I would assume the process is similar.
Re: Moving Sophos to a new server
We just installed it on another server and then redirected the clients. Took a while for them to come over but it was all done in a few days. We just turned the other server off then
Re: Moving Sophos to a new server
Ok really simple guys, one of the few simple things!
You need to ensure that the new server gets the name and IP of the old one, so that's easy done. So install Server 2003, SP2 etc updates etc, download Sophos from Sophos webby. Disconnect old server, remove from domain, network etc. Rename new server to the old server's name and give it its IPs, then reboot, install Sophos EC2, EMlib etc on that, give the shares the same names as the old server's had, then Bob's your uncle, it should all come back through and work fine within a few hours, or it did for me when I moved it once. Must admit it's the only thing that's gone well for me with Sophos!
Re: Moving Sophos to a new server
What if the server you are moving it from has other network related apps / shares / home directories etc which people are using ?
Re: Moving Sophos to a new server
I would really prefer not to call the server the same name
If I do that, I can't do any work on it until holidays, and it needs to go in at half term to replace an unreliable one
I would much prefer to work on it during term time and do as much as I can, and do the swap at half term
I think I'll go the route of installing it fresh
Re: Moving Sophos to a new server
Word of warning on this that I discovered the hard way... It may seem obvious but worth noting for anyone who has a dense moment too.
You can't have Sophos EC installed on more than one server.. If you do you're likely to screw up your ability to get status reports from your clients.
Yep... I managed to get two EC's on the network and didn't realise for ages... The clients were installing fine but once Sophos started installing it would sit with the hourglass icon and not change.
Solution was to uninstall EC, the library, etc... from all machines and then reinstall on the machine that should have it... After that most of the client machines picked up the proper EC install and status updates worked fine.
Re: Moving Sophos to a new server
Hmmm maybe you're unlucky, I have 2 versions of Enterprise Console on my LAN. Fine one is the new V7 Sophos one with the dashboard and the other is the older one (forgot the version numbers) but they play very happily together so long as you don't try and talk to the same machines in both consoles, which I don't as I moved the ones I don't want in each console to the Unassigned Computers folder.
Re: Moving Sophos to a new server
Quote:
Originally Posted by sidewinder
Maybe it's just me but the Sophos knowledgebase seems hopeless and doesn't even seem to understand the term migrate
So how do I do it?
Enterprise Console v2 we're running
Is there a migration tool or a guide on doing it manually?
Also once it's done I assume it's just a case of changing the updating policy to reflect the new server so clients can find updates
Hi Sidewinder,
The Sophos Enterprise Console (SEC) and Sophos Enterprise Manager (SEM) will need to be uninstalled and reinstalled - but they are not as important as the database storing all the data regarding the installations of Sophos Anti-Virus (SAV) on each of your client machines. You can "migrate" the SOPHOS2 (or SOPHOS3 for SECv3) database from one machine to another. It is explained in appendix B of:
http://www.sophos.com/sophos/docs/eng/esav_20_uen.pdf (SEC v2)
http://www.sophos.com/sophos/docs/eng/esav_30_uen.pdf (SEC v3)
Once the database is moved to the new machine you will also retain all of your groups and policies (SAV and Updating) inside the SEC.
In order for all the client machines to talk successfully with the new server make sure you backup from the old server the registry key:
HKEY_LOCAL_MACHINE\Software\sophos\Certification Manager
...and import into the registry of the new server. Reinstating this key means the security keys that allow communication between clients and the Sophos management server have been preserved. If the IP address is the same on the new server as it was on the old all the client installations will not notice a difference. If however the IP address/ hostname of the Sophos management server has changed the clients will send their status messages to the wrong server.
The following registry key dictates where the messages are sent:
HKEY_LOCAL_MACHINE\SOFTWARE\Sophos\Messaging System\Router - ParentAddress
If it is still looking to the old server initially try re-protecting a test group of clients and check in their registry again.
If this continues to point to the old server please raise a support request and we can troubleshoot further:
http://www.sophos.com/support/query
Regards,
Sophos Technical Support
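The key export/import and the ParentAddress check described in the post above, as an added PowerShell example that is not part of the original post and not Sophos tooling. The registry paths are the ones quoted in the post; the file path argument, client names, old server name/IP and the Wow6432Node fallback are assumptions.

```powershell
# Added example, not Sophos tooling. Registry paths are the ones quoted in the post;
# file paths, client names and the old server's name/IP below are placeholders.
$CertKey    = 'HKLM\Software\Sophos\Certification Manager'
$RouterKeys = 'SOFTWARE\Sophos\Messaging System\Router',
              'SOFTWARE\Wow6432Node\Sophos\Messaging System\Router'  # assumption: 32-bit install on 64-bit Windows

# Old server: export the key. The file carries the security keys clients trust,
# so write it somewhere only administrators can read and delete it after import.
function Export-CertificationManager([string]$Path) {
    & reg.exe export $CertKey $Path /y 2>&1 | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "reg export failed (exit code $LASTEXITCODE)" }
}

# New server: import the file produced above.
function Import-CertificationManager([string]$Path) {
    & reg.exe import $Path 2>&1 | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "reg import failed (exit code $LASTEXITCODE)" }
}

# Clients: read ParentAddress over remote registry (needs the Remote Registry
# service and admin rights on each client). Unreachable machines are reported, not skipped.
function Get-SophosParentAddress([string[]]$ComputerName) {
    foreach ($name in $ComputerName) {
        $value = $null; $problem = $null
        try {
            $hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $name)
            foreach ($path in $RouterKeys) {
                $key = $hklm.OpenSubKey($path)
                if ($key) { $value = $key.GetValue('ParentAddress'); $key.Close() }
                if ($null -ne $value) { break }
            }
            $hklm.Close()
            if ($null -eq $value) { $problem = 'ParentAddress not found' }
        } catch { $problem = $_.Exception.Message }
        [pscustomobject]@{ Computer = $name; ParentAddress = $value; Problem = $problem }
    }
}

# List clients that still point at the old server, or could not be checked.
$oldServer = 'oldServer|192\.0\.2\.10'   # placeholder name and IP, as a regex
$clients   = 'PC-LAB-01', 'PC-LAB-02'    # constructed client names
Get-SophosParentAddress $clients |
    Where-Object { $_.Problem -or ("$($_.ParentAddress)" -match $oldServer) } |
    Format-Table -AutoSize
```

Running the last pipeline again after re-protecting a test group shows whether those clients have picked up the new server before the old one is switched off.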
Re: Moving Sophos to a new server
Does that Certification Manager / Router Parent address trick work if you want to move the clients from a v1.2 to a v2/3 server without moving the DB?
Re: Moving Sophos to a new server
Quote:
Originally Posted by psydii
Does that Certification Manager / Router Parent address trick work if you want to move the clients from a v1.2 to a v2/3 server without moving the DB?
Hi Psydii,
Sophos Enterprise Manager Library (EM Library) had a version 1.2. I assume you mean Sophos Enterprise Console v1.
Yes: the same registry key should be exported from the old installation and imported to the new server/ installation.
Regards,
Sophos Technical Support
Re: Moving Sophos to a new server
Sophos-Support-5 - Where were you 2 months ago?!? ;) lol
In the end, as the old server was also running IAS and KS3 tests, I couldn't remove it (it's still running now)
So I changed the update location on the old server to match the one on the new server
So all clients are updating but obviously I've lost the ability to see their status.
Bit by bit I'm going through and 're-protecting' them on Enterprise manager which does work but is going to take ages as we have 700 PCs and it's hard to deploy to laptops from there because they often aren't on for long
I will have a look at those reg keys though as that may be an easier way
Re: Moving Sophos to a new server
SS5,
You are of course correct that is what I meant!
Does this work if BOTH the ip and hostname of the server are different?
p.
Re: Moving Sophos to a new server
Quote:
Originally Posted by psydii
SS5,
You are of course correct that is what I meant!
Does this work if BOTH the ip and hostname of the server are different?
p.
Hi Psydii,
What you are asking can be done; it's just a tad more complicated. As an overview...
Reinstating the Certification Manager key means messages received from clients are allowed (NOTE: RMS communication is secure) to be passed to the Management service and then written to the database.
If you did not back up the key and simply reinstalled the SEC on a new server the new SEC would have a different secure key and all the clients' requests to send messages would be refused because the key they are using is unknown to the new SEC.
The above is based on the messages actually getting to the Sophos management server to be accepted/ refused in the first place. If your new Sophos management server has a different IP address/ hostname then the clients need to be told about it before you decommission the old Sophos management server - it's all done through the Central Installation Directory (CID) that they are currently updating from.
While all the clients are updating from \\oldServer\InterChk\ESXP\ you have to use that CID to re-configure them and tell them to not only look at \\newServer\InterChk\ESXP\ but also send all their status messages to the newServer from now on.
If you would like more details feel free to submit a support request.
www.sophos.com/support/query
Regards,
Sophos Technical Support
Re: Moving Sophos to a new server
SS5 I'll probably log this later on in the week. Thanks.