Safend Data Protection Suite 3.4 - Upgrade Instructions.pdf

safend 

a w a v e s y s t e m s c o m p a n y 

1. Introduction 

Safend Data Protection Suite 3.4 

Upgrade Instructions 

Safend Data Protection Suite version 3.4 introduces many changes both in the user 

interface and the underlying infrastructure, due to the newly added improvements, 

features and functionalities. 

As a result of these changes, the upgrade procedure when upgrading from older 

versions to Safend Data Protection Suite version 3.4 is different from the upgrade 

procedure in older releases. 

This document contains important guidelines for the planning and execution of a 

successful upgrade. It is highly recommended to read this document before starting 

the upgrade procedure. 

Failing to comply with the steps described below may result in an unsuccessful 

upgrade process, therefore it is highly recommended to perform this process with the 

assistance of Professional Services. 

The link below is a short questionnaire that will assist us to understand your 

environment and provide recommendations for a successful upgrade plan to the 

professional service teams. 

http://survey.constantcontact.com/survey/a07e5gr6mi2gwi2ym7b/start 

2. Considerations before Performing the Upgrade 

The Purpose of the Upgrade 

Safend Data Protection Suite version 3.4 introduces three major enhancements, 

compared to older releases: 

1. It includes two new license-activated product components, Safend Inspector 

for Data Control and Safend Discoverer for Data Discovery. 

2. Support for installation on a 64-bit Windows platform. 

3. A Mac OS/X agent covering Port and Device control for Leopard (10.5) and 

Snow Leopard (10.6). 

In case your main objective in performing an upgrade is installing new agents on 64bit 

workstations, it is recommended to upgrade the Safend Management Server and 

install new agents on 64-bit platforms, while keeping the current Safend Agents 

installed on 32-bit workstations. The new version does not include major changes in 

the Safend Protector and Safend Encryptor components of the Safend Data 

Protection Suite, making the agent upgrade in these cases redundant. 

Page 1 of 7 : Copyright © 2011 safend a wave systems company | www.safend.com | www.wave.com

Current Environment 

In this version, upgrade and backward compatibility are supported from Safend Data 

Protection Suite 3.3 SP7 and up and backward compatibility is supported for 3.2 GA3 

and up. If you are currently using an older version of Safend Data Protection Suite, 

or have legacy agents in your environment which were not upgraded yet, it is 

recommended that you do not perform an upgrade using this version of the Safend 

Data Protection Suite. 

Existing Log Records 

The system upgrade will maintain all policies and definitions after the upgrade 

process. However, existing (history) log records and queries will no longer be 

available after upgrading a 3.3 server to the 3.4 version. If you do wish to keep your 

existing (history) log records when upgrading from the 3.3 version to the 3.4 

version, please refer to Appendix 1. 

Currently Used Features 

There are several features which were supported in Safend Data Protection Suite 3.3 

and are no longer supported in Safend Data Protection Suite version 3.4. Before 

performing an upgrade, please make sure you are not using these features: 

1. Policy distribution using GPO. In case you have used GPO for policy 

distribution in the past make sure no old policies are associated with your AD 

objects. 

2. Novel eDirectory integration. 

3. Agent installation on Windows 2000 OS. 

4. Different alert destinations cannot be set for different policies, alert 

destinations can only be defined using the Global Policy Settings. 

5. Encrypting removable storage devices using “Partition Encryption” mode. 

Please note: existing devices encrypted using “Partition Encryption” can still 

be used on a 3.4 agent, new devices will be encrypted using “Volume 

Encryption” mode. 

6. “Log Delegation” between different Management Servers. 

7. Integration with 3 rd party content inspection products. 

a. It is important to note that this option must be unchecked before 

upgrading the 3.3 server. 

8. White list specific CD/DVD media by its content. 

a. Please note that the current media white list groups will be preserved 

on the server, but will be not updateable and if they are deleted, there 

will be no way to recover them. 

9. Manually collecting logs from workstations. 

10. The "action when max cache size is exceeded" for file shadowing is no longer 

configurable (always set to “allow”). 

11. "Max file size to be shadowed" will no longer be configurable through the UI. 

12. Copying device information from the device inventory report. 


3. Pre-Upgrade Tasks 

Safend Data Protection Suite 3.4 Training 

The Safend Data Protection Suite version 3.4 user interface is different from the user 

interface in older versions. It is highly recommended that you become familiar with 

the new user interface in a test environment, before upgrading your production 

server to the new version. You can use the Safend Evaluation Kit for this purpose. 

Preparing Policies for Upgrade 

When upgrading the Management Server to version 3.4, all your existing policies will 

undergo an upgrade procedure. In Safend Data Protection Suite version 3.4, instead 

of having one policy which defines all aspects of the endpoint behaviour, you will now 

have separate policies managing separate aspects of the endpoint behaviour. Port 

control, device control and removable media encryption will be controlled using a 

Port & Device Control Policy. Encryption of the internal hard disk will be enforced 

using a Hard Disk Encryption policy. Endpoint configuration, such as the log sending 

interval, will be controlled using the Settings Policy. 

When upgrading the Safend Management Server to version 3.4, your existing policies 

will be converted to the new scheme: 

For every existing policy, a “Port and Device Control Policy” with an identical 

name will be created. This policy will contain all the “Security Settings” of the 

original policy (not including the settings for “Internal Disk Encryption”), as 

well as the end user messages defined in the Policy Settings. 

If the existing policy is set to either “Encrypt” or “Decrypt” for the internal 

hard disk, a “Hard Disk Encryption Policy” with the same name and an 

“Encryptor –“Prefix will be created. Please note: if you do not have a license 

for Safend Encryptor such a policy will never be created. The policy will be 

associated with the same organizational objects as the original policy. 

If the existing policy is configured to use “Policy Specific Settings”, instead of 

“Global Policy Settings”, in any of the “settings” tabs, except the “End User 

Messages” tab, a “Settings Policy” with the same name and a “Settings –“ 

Prefix will be created. The policy will be associated with the same 

organizational objects as the original policy. 

Important Notes Regarding "Policy Specific Setting": 

1. End User Messages that were defined using policy specific settings, will 

still be used on your 3.3 agents, however after the upgrade, those 

messages will be no longer available, and when applying any other setting 

policies, the end user messages will be taken from the global policies. 

2. Policy-specific settings for media encryption are not being upgraded, and 

will be shown as taken from the global setting. 

3. Policy specific settings for "and Max Cache Size" is not being upgraded, 

and will be shown as taken from the global setting. 

Recommended action: to avoid the creation of multiple, redundant policies 

following the server upgrade, please review your existing policies to make sure 

policies are not configured to use “policy specific settings”, instead of “global policy 

settings”, without a good reason. 


Obtaining a License File 

Before upgrading the Management Server to version 3.4, you must obtain a new 

license file suitable for the version. Contact your local distributer to obtain this 

license. 

Creating Updated Backup Files 

Before performing the upgrade, it is highly recommended to create an updated 

System Backup file (created through the Administration -> Maintenance tab). This 

file will be used to restore the existing server in case the upgrade procedure is not 

completed successfully. 

Preparing Legacy Agents for Upgrade 

The recommended path for upgrading legacy agents (3.3 SP7.1 and below) to the 

3.4 version will be to upgrade those clients to the latest version of 3.3, which is 3.3 

SP7.2. This version includes a direct path for upgrading the agents to the 3.4 version 

and thus won't require any special preparation tasks before the upgrade of the 

clients. 

If you are currently using 3.3 SP7 or 3.3 SP7.1 agents in your environment and you 

wish to upgrade the clients directly to 3.4, without upgrading the agents to 3.3 SP7.2 

first, a preparation action should be performed on the protected machine before the 

upgrade process. The preparation is performed using a lightweight preparation tool 

that is activated on the protected machine before the upgrade takes place. This tool 

only prepares the machine for the upgrade, and does not affect any other 

functionality of the agent, thus no reboot or other activities are required after 

running this tool. This lightweight preparation tool can be executed with any software 

distribution tool such as, SMS, Altiris, Tivoli, GPO and others, as a onetime task, 

using the native run command for running the executable of the relevant deployment 

tool. This is with no additional parameters that need to be added, since by default 

this tool is run in silent mode. Before running the tool, please note that: 

1. This preparation action must take place prior to the upgrade process, and it is 

recommended to perform it a few weeks before the upgrade takes place in 

order to cover all the machines that need to be upgraded. In cases where the 

upgrade will occur without running the tool before, the upgrade will fail to 

start, without affecting the machine in any way. 

2. This tool requires admin privileges, thus it cannot be run through a login 

script or other methods that do not elevate the privileges of the security 

context with which this tool is running. 

3. By default, this tool runs in silent mode. If you wish to run this tool manually 

in order to perform some tests, you can run it via a command line. That way 

you will gain visibility on the output results of the run. 


In order to use GPO, perform the following steps: 

1. Create a new Group Policy Object. 

2. Navigate through the left panel by opening each branch as follows: 

Computer configuration -> Windows Settings -> Scripts 

(Startup/shutdown). 

3. Click the Add button and provide a network share where you stored the 

executable and click OK. No parameters are required. 

4. Apply the GPO on all the machines that are going to be upgraded. 

Once this GPO is applied and run on all of the machines that need to be 

upgraded, the policy can be unlinked and deleted. 

To obtain the executable, please contact Safend Support. 

4. Upgrade Procedure – Overview 

The Safend Upgrade Procedure is performed in two steps: 

Step 1: Upgrading the Management Server 

In this step, the server is upgraded to the new version, while the agents installed on 

the endpoints in the organization are still of the older version. The old agents are 

fully managed by the new server. New clients can be installed on machines which are 

not yet protected by the older agents (for example: 64-bit machines or new 

machines in the organization). 

Step 2: Upgrading the Agents 

In this step, the existing agents are upgraded to the new version using the agent 

installation files created by the new server. Please note: In case you have not 

purchased Safend Inspector or Safend Discoverer, and your main objective in 

performing an upgrade to Safend Data Protection Suite 3.4 is installing new agents 

on 64-bit workstations. It is recommended to upgrade the Safend Management 

Server, but keep the current Safend Agents installed on 32-bit workstations in their 

current version, without performing an agent upgrade. 

It is important to note that a reboot is necessary after upgrading the agents, thus 

if you have decided to suppress the reboot during the upgrade, you will have to 

reboot the machine in order for agents to function properly. 

Please refer to the Safend Data Protection Suite Installation Guide for detailed 

instructions about upgrading the server and agent. 


5. Recommended Actions Following the Server 

Upgrade 

After the Server Upgrade, the following actions should be performed: 

Reviewing Hard Disk Encryption Policies 

In case you are using Safend Encryptor to encrypt machines in your organization, 

some Hard Disk Encryption policies will be created following the server upgrade. 

Your organization should have at any point in time no more than two Hard Disk 

Encryption Policies: an “Encrypt” policy which enforces the encryption on the 

appropriate workstations in your environment, and (optionally) a “Decrypt” policy 

excluding specific workstations from the general encryption policy. 

In addition, Hard Disk Encryption policies only apply on machines, not on users. 

There is no reason to associate a Hard Disk Encryption policy to a user object, or to 

another object (Group or OU) which only contains user objects. 

Recommended action: review the Hard Disk Encryption Policies which have been 

created following the upgrade, delete redundant policies (and “combine” their 

associations), delete redundant associations to user objects, and rename them to 

indicative names. Note that if you had Policies Specific Settings for hard disk 

encryption that were enforced on machines, they should be applied on users as well, 

so they will not be overridden by other user policies. 

Reviewing Settings Policies 

In case your existing policies contain “policy specific settings”, new “Setting Policies” 

will be created following the server upgrade. 

From our experience, most customers do not need to configure different settings for 

different machines in the organization using the “Policy Specific Settings”, and can 

use a consistent configuration throughout the organization using the “Global Policy 

Settings”. 

Recommended action: review the Settings Policies which have been created and 

decide which of them are still necessary in your environment. Try to reduce the 

number of settings policies by combining different settings policies into one which is 

associated with a specific user profile. Rename these policies to indicative names 

which represent their functionality. For example, if you have remote sites with 

limited network connectivity, you may want to create a Setting Policy which will limit 

the log sending interval to specific hours, and associate it with all remote sites. 

Reviewing Reports 

In this version, several new options have been added to the Security Incidents 

reports. After a server upgrade, it is recommended to review your existing reports to 

see if you would like to adjust the search parameters. 

Contact Information: 

For additional information and technical support, please contact your local Safend 

representative or Safend support as follows: 

Web: www.safend.com/support 

Email: support@safend.com 

Phone: US: +1-215-496-9646 

ROW: +972-3-6442662 x122 


Appendix 1: Migrating Old 3.3 Logs Records 

As mentioned above, the upgrade process doesn’t preserve automatically the logs 

history, thus If you do wish to keep your existing (history) log records when 

upgrading from the 3.3 version to the 3.4 version, please perform the steps below. It 

is important to note that queries that were created in the 3.3 platforms will not be 

upgraded \ saved by this process and thus will have to be re-created in the 3.4 

platform. 

Steps for migrating logs from 3.3 to 3.4(Should be performed only when the upgrade 

process has been completed) : 

1. Download the LegacyLogsMigrator.exe from the tools folder under the FTP 

site, where you have downloaded the Safend Data Protection Suite. 

2. When executing the file, be prompt to extract the files into a destination 

folder. Please type the following destination and press Install: 

\Program Files\Safend\Safend Protector\Management Server\bin 

Figure 1.0 

3. Verify that a new folder name LogsMigrationTool is created under the bin 

folder. 

4. Close all open consoles and run the command Prompt (CMD) from the 

LogsMigrationTool folder above, and run the following command: 

LegacyLogsMigrator.exe –i 

Where is equal to: 

\Program Files\Safend\Safend Protector\Management Server\bin 

At this stage, the tool will run and provide indications to the command prompt 

screen regarding its running status.

Safend Data Protection Suite 3.4 - Upgrade Instructions.pdf

Create successful ePaper yourself

Delete template?

Save as template?