Endpoint Protection

  • 1.  merging two existing SEPM servers and then moving to a new SEPM

    Posted Jun 03, 2011 11:57 AM

    Hello,

    I have two existing servers now on the latest SEPM version with separate sets of clients today. I want to merge them and move them all to a new SEPM with different name/ip/os. I read up on various ways and then called support. They had me set up replication between the two existing servers and now the smaller one no longer has its old clients and now has clients trying to report in with an invalid domain ID. I'm about to get back on the horn with support and restore the DB and certs.

    Is there a better way to merge and then move or do two moves? SyLink isn't something people here want to use since they don't want a mass deployment and there are many laptops not connected all the time.

     

    SEPM-A existing clients

    SEPM-B existing clients

    both need to move to

    SEPM-C new server
     



  • 2.  RE: merging two existing SEPM servers and then moving to a new SEPM

    Posted Jun 03, 2011 06:25 PM

    The thing that makes this difficult is you want to merge both servers, then move it. I recommend setting up replication between the two SEPMs in order for the clients to get the information they need in order to contact the new SEPM. Once both have replicated and exchanged information, then you can follow this document

    http://www.symantec.com/business/support/index?page=content&id=TECH104389&locale=en_US

    Where it says B) Disaster Recovery method



  • 3.  RE: merging two existing SEPM servers and then moving to a new SEPM

    Posted Jun 04, 2011 06:35 AM

    Hi,

    Unfortunately there is no easy way to merge SEPMs; replication must be set up at installation time, not now. Setting it up on existing installations was not a good idea, as you have seen.

    There are several things that should be taken into consideration, like the complexity of your environment (policies, groups, etc.), what can be sacrificed if required, time constraints, etc., in order to accomplish your needs. Unfortunately I cannot easily verify those things in a forum. I suggest you come back to support so they can further assist you via phone or remote support sessions (Webex), but explicitly ask them to reproduce your scenario in a lab, test the procedures and come back to you with the ins and outs before going ahead in your production environment with complex activities. Now you had better restore your SEPMs to their last working status.

    If you need something else, please send me the case ID so I can have a look at it.

    Regards,

     



  • 4.  RE: merging two existing SEPM servers and then moving to a new SEPM

    Posted Jun 04, 2011 09:12 AM

    Being a fairly new user to SEPM etc. I can attest that it is near nigh impossible to have clients report to a new SEPM without changing the sylink which is unfortunately a difficult task. The really really difficult part that Symantec has not addressed is the issue of the laptops. I have this same issue in that Symantec has the mistaken idea that everyone's computer is sitting around all day turned on just waiting to get the Symantec install from the console etc. They do not easily have a script for it even though I use one but had to develop it myself.



  • 5.  RE: merging two existing SEPM servers and then moving to a new SEPM

    Posted Jun 04, 2011 11:42 AM

    Hi,

    I am happy to read that it is hard to connect SEP clients to a different SEP Manager.

    Of course it must be hard for an occasional user to do that. This is a security product; making it easier means being able to install a fake SEPM and change the policies at a hacker's convenience. There are several ways to move clients between SEPMs but they need proper administrative rights and skills.

    I am not sure I know what you are talking about regarding laptops. If it is not related to this discussion, please give me more details in a separate thread so I can answer you, thank you. Generally speaking, to stay on the market we need to listen to the majority of our customers; what is a mistaken idea for you is likely a good idea for the rest of the customers.

    Regards,



  • 6.  RE: merging two existing SEPM servers and then moving to a new SEPM

    Posted Jun 04, 2011 04:33 PM

    The current recommendation from support is to set up replication from one SEPM-A to SEPM-C then use Sylink to move from SEPM-B to SEPM-C. I think the clients on SEPM-B will lose their policies and group assignments after moving this way, is that correct? Also, support assures me SEPM-C will still be able to be a primary replication server even though I've read documentation that says once a server becomes a secondary replication partner it can never be primary again, is this correct?



  • 7.  RE: merging two existing SEPM servers and then moving to a new SEPM

    Posted Jun 04, 2011 04:44 PM

    If an organization is worried about someone inside setting up a fake SEPM then they have way bigger issues than antivirus. To date Symantec does not have a good system for implementation onto laptops that are already deployed in an organization and do not come onto the network but at widely scattered times. My issue is that we had another solution for antivirus and we needed that deinstalled and Symantec installed. Of course desktops are easier because generally they are on during the day.

    In McAfee it has a rogue detector that scours the network for computers that did not have McAfee and if it would find one it would install it and put it into the console and push out the virus protection. Symantec's implementation of rogues only tells you that you had some but does not automatically install the agent. The argument I get from Symantec against auto install is that it could be a switch or printer. When was the last time a printer or switch allowed antivirus software to be installed?

    I think Symantec needs to look at what others are doing and improve their product. I like the antivirus part of Symantec as that was its original bread and butter way way back in the day but the implementation is really really arcane and not set up for modern day scenarios. We have close to 2000 laptops in our organization and making sure they have Symantec is a daunting task. One cannot be sitting around all day swatting flies so to speak to catch them when they are on.



  • 8.  RE: merging two existing SEPM servers and then moving to a new SEPM

    Posted Jun 05, 2011 05:14 AM

    Yes, the recommendation from support sounds good, but you lose site-B settings.

    When site-C is ready you might go ahead with these steps:

    • manually re-create site-B's groups in site-C
    • manually export and import policies from B to C
    • for each group, export the sylink.xml (it contains the preferred group)
    • import it on the clients and they should go to the preferred group

    Regards,



  • 9.  RE: merging two existing SEPM servers and then moving to a new SEPM

    Posted Jun 05, 2011 07:53 AM

    Hi,

    The deployment part of SEP is still in evolution. In version 12.1 it is more accurate regarding the status of the deployment but, as far as I know, not more automatic than now, hence I invite you to submit your idea to the Ideas section of this forum. We also need to take into account that Symantec has a dedicated Altiris solution to manage the IT infrastructure.

    Regards,