Sophos Database move

Current Configuration

Sophos Enterprise Console v4.0.0.2362
Deploys Sophos Endpoint Client v9.5
Approximately 95% of clients and servers using this client.

Sophos Enterprise Console v5.2.0.644
Deploys Sophos Endpoint Client v10

Sophos Enterprise Console v5.2.0.644 Database Server

We want to move all clients and servers to v10 as soon as possible. The problem with Server2 is that the database is on SQL1. So with that in mind, the ideal result is the following:

Desired Configuration

Sophos Enterprise Console v5.2.0.644
Deploys Sophos Endpoint Client v10

Sophos Enterprise Console v5.2.0.644 Database Server

Is it possible to migrate the database from SQL1 to SQL3 for the Enterprise console installed on Server2?

Once the console is installed and running, a migration plan for clients and servers will be required.

btan (Exec Consultant) Commented:
Suggest the following

How to back up and restore your Sophos Management Server
- backing up and restoring have been separated out depending on whether you have a default or non-default installation.

Information on how to migrate (move) your existing Sophos Management Server installation to a new server. The following product migrations are not supported:
-Sophos Enterprise Console to Sophos Enterprise Manager.
-Sophos Enterprise Console to Sophos Control Center.
-Sophos Enterprise Manager to Sophos Control Center.
-Sophos Control Center to Sophos Enterprise Manager.

How to install/upgrade the Sophos Management Database component on to a different (remote) computer

Using the UpgradeDB.exe tool to upgrade the Sophos database
- 'UpgradeDB.exe' is run as part of the management server installer and not as part of the database installer. It calls the SQL stored procedure 'dbo.FromXto4' or 'dbo.FromX' (depending on version) in the new database to initiate the transfer.

How to redirect Windows endpoints to a new management server
- use the Sophos endpoint migration utility to create a VBScript file that you use to redirect Windows endpoint computers to a new Enterprise Console
Leo (Author) Commented:
So it seems like it's possible? Have you come across any web forums where people have done it, and something broke down during the move of Sophos from one server to another?

Also, regarding your last point, "How to redirect Windows endpoints to a new management server": Sophos will be on the same server, it's just the DB for Sophos that needs to be moved, so what will be the migration plan for clients to the new version? Testing, migration process, computers to migrate, etc.
btan (Exec Consultant) Commented:
Yes, it should be possible, but migration is also not trivial - I suggest you seek professional expertise service from Sophos or an SI on the specific steps to suit the actual environment - it is always good to be more cautious and prepared (Murphy's law).

What are the key steps?
To migrate Control Center to a new server, you carry out these steps:

Collect existing information from the old server.
Prepare the new server.
Install Control Center on the new server.
Import database to new server.
Update database information with your new server information.
Download endpoint security software on the new server.
Change the account used by endpoints for updates from the server.
Remove management software from 'old server'.
Redirect endpoint computers to report to the new server.
Redirect any remote consoles to the new management server.
These steps are described in the sections below.

Known to apply to the following Sophos product(s) and version(s)

Sophos Control Center 4.0.0
Sophos Control Center 4.1
Sophos Control Center 4.0.1
Leo (Author) Commented:
Thanks for your information.

I just want to move the DB from one server to another. For that, do I have to install Control Center on the new one and take it out from the old one?
Or can I just import the DB to the new SQL server and then update the registry settings, and leave everything else?
btan (Exec Consultant) Commented:
The control center will just need to point to the database server. I thought the link already spells out the importing, backup and pointing for the new server. As mentioned already, you will need to back up as long as you want to install or upgrade on an existing or new server... The link in the last posting states those and will preach you to see through.
Leo (Author) Commented:
I am writing a complete procedure to move the DB. I will post it soon; kindly review it and let me know if I have missed something.
In the meanwhile, I logged on to the old SQL server. There are 5 DBs related to Sophos; which one do I have to move and restore?
btan (Exec Consultant) Commented:
You will want to check this out first and do have a backup first, as it is suggested below too. They started from 5.0 (backup, restore, test "database" account), then 5.1 (create db), then ran the 5.1 installer to upgrade the server and console. I am not so savvy with Sophos, but if you already have a backup then do try to also test in staging - best get the site support on your contracted service to advise...

And this PDF on upgrade version

But I do see that this below of more relevance esp the UpgradeDB.exe in 2nd link (it is executed from old db ver to copy over to new ver)
Leo (Author) Commented:
I am going to do it tomorrow. I have put together a guideline on how I am planning to do it; kindly check it and let me know if I have missed anything or if there is anything which needs amendment.
btan (Exec Consultant) Commented:
Quite detailed, and I assumed you have done it or rehearsed it in a staging environment. If not, please do so, as migrating a DB may not always be trivial. The old server should not be tampered with and should always be ready for rollback as the active instance until the new server is proven OK. Performance can only be gauged by running for probably a week or two, depending on user base size.

Actually, it will always be good to have an expected outcome and observed outcome checklist rather than steps. Remarks to highlight steps not to be skipped and abandoned if not completed. The DB team needs to be on standby.

Also, when the DB is down, will clients polling for it be served or flooded with errors, causing unnecessary alarm to users and operations admins? This is to manage the comms side before any major upgrade, etc.

Best to have Sophos support on standby, please, as it is always preached to be wary of the worst case and take preemptive action.

ault comes if the restore from backup failedas never been verified but assume
btan (Exec Consultant) Commented:
Ignore the last statement, as it simply meant to verify the backup; I have heard of cases where recovery failed and versioning caused data corruption due to unknown backup version for full and incremental.
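
The backup verification recommended above, sketched in T-SQL as an added example (not part of the thread and not Sophos's documented procedure). `SophosDbPlaceholder` and the backup path are placeholders, since the thread does not name the five Sophos databases; repeat the steps for each database being moved.

```sql
-- Run on the source instance (SQL1 in the thread) before the move.
-- [SophosDbPlaceholder] and the D:\Backup path are placeholders, not
-- real Sophos database names or paths.

-- 1. Full, copy-only backup with page checksums. COPY_ONLY keeps this
--    backup out of the existing full/differential chain, so the regular
--    backup schedule on the old server is not disturbed.
BACKUP DATABASE [SophosDbPlaceholder]
TO DISK = N'D:\Backup\SophosDbPlaceholder_premove.bak'
WITH COPY_ONLY, CHECKSUM, INIT, STATS = 10;

-- 2. Confirm the backup file is complete and readable and that its
--    checksums are valid.
RESTORE VERIFYONLY
FROM DISK = N'D:\Backup\SophosDbPlaceholder_premove.bak'
WITH CHECKSUM;

-- 3. Inspect what the file actually contains: backup type, database
--    name, and the SQL Server version that wrote it.
RESTORE HEADERONLY
FROM DISK = N'D:\Backup\SophosDbPlaceholder_premove.bak';

-- 4. List the backups recorded for this database so that full (D),
--    differential (I) and log (L) backups are not mixed up at restore time.
SELECT bs.database_name,
       bs.type,
       bs.is_copy_only,
       bs.has_backup_checksums,
       bs.backup_start_date,
       bs.backup_finish_date,
       bmf.physical_device_name
FROM msdb.dbo.backupset AS bs
JOIN msdb.dbo.backupmediafamily AS bmf
  ON bmf.media_set_id = bs.media_set_id
WHERE bs.database_name = N'SophosDbPlaceholder'
ORDER BY bs.backup_finish_date DESC;
```

`RESTORE VERIFYONLY` checks the backup file but does not prove the database will work once restored; a test restore on a staging instance, as suggested earlier in the thread, is still needed before the old server is retired.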
Leo (Author) Commented:
Just a quick question: under Sophos Enterprise Console, in Policies --> Anti-Virus and HIPS, I have created a policy. How can I attach it to a Group Policy OU? Because when I right-click on this policy and select View Groups using Group Policy, I get a message that the policy is not assigned to any group.
btan (Exec Consultant) Commented:
You must have a group and a computer within that group before you can assign the policy to the group. In the Policies pane, highlight the policy. Click the policy and drag it onto the group to which you want to apply the policy. Alternatively, you can right-click a group and select View/Edit Group Policy Details. You can then select policies for that group from drop-down menus.

Note that if you use role-based administration, you must have the Computer search, protection and groups right to perform above task.

You can check whether all the computers in a group comply with the policies for that group. Select the group which you want to check. In the computer list, Endpoints view, on the Status tab, look in the Policy compliance column. If you see the words “Same as policy”, the computer complies with the policies for its group. If you see a yellow warning sign and the words “Differs from policy”, the computer is not using the same policy or policies as other computers in its group.

Section 4 has most info -

13.5 Computers are not managed by the console
Note: Unless you use Active Directory synchronization, new computers added to the network are not displayed or managed by the console automatically.

13.6 Cannot protect computers in the Unassigned group
The Unassigned group is only for holding computers that are not yet in groups created by you, to which policies can be applied. You cannot protect computers until you place them in such a group.
btan (Exec Consultant) Commented:
Just curious how it is going, if possible to share... thanks