Safend Data Protection Suite 3.4 - Upgrade Instructions.pdf
Safend Data Protection Suite 3.4 - Upgrade Instructions.pdf
Safend Data Protection Suite 3.4 - Upgrade Instructions.pdf
Create successful ePaper yourself
Turn your PDF publications into a flip-book with our unique Google optimized e-Paper software.
safend<br />
a w a v e s y s t e m s c o m p a n y<br />
1. Introduction<br />
<strong>Safend</strong> <strong>Data</strong> <strong>Protection</strong> <strong>Suite</strong> <strong>3.4</strong><br />
<strong>Upgrade</strong> <strong>Instructions</strong><br />
<strong>Safend</strong> <strong>Data</strong> <strong>Protection</strong> <strong>Suite</strong> version <strong>3.4</strong> introduces many changes both in the user<br />
interface and the underlying infrastructure, due to the newly added improvements,<br />
features and functionalities.<br />
As a result of these changes, the upgrade procedure when upgrading from older<br />
versions to <strong>Safend</strong> <strong>Data</strong> <strong>Protection</strong> <strong>Suite</strong> version <strong>3.4</strong> is different from the upgrade<br />
procedure in older releases.<br />
This document contains important guidelines for the planning and execution of a<br />
successful upgrade. It is highly recommended to read this document before starting<br />
the upgrade procedure.<br />
Failing to comply with the steps described below may result in an unsuccessful<br />
upgrade process, therefore it is highly recommended to perform this process with the<br />
assistance of Professional Services.<br />
The link below is a short questionnaire that will assist us to understand your<br />
environment and provide recommendations for a successful upgrade plan to the<br />
professional service teams.<br />
http://survey.constantcontact.com/survey/a07e5gr6mi2gwi2ym7b/start<br />
2. Considerations before Performing the <strong>Upgrade</strong><br />
The Purpose of the <strong>Upgrade</strong><br />
<strong>Safend</strong> <strong>Data</strong> <strong>Protection</strong> <strong>Suite</strong> version <strong>3.4</strong> introduces three major enhancements,<br />
compared to older releases:<br />
1. It includes two new license-activated product components, <strong>Safend</strong> Inspector<br />
for <strong>Data</strong> Control and <strong>Safend</strong> Discoverer for <strong>Data</strong> Discovery.<br />
2. Support for installation on a 64-bit Windows platform.<br />
3. A Mac OS/X agent covering Port and Device control for Leopard (10.5) and<br />
Snow Leopard (10.6).<br />
In case your main objective in performing an upgrade is installing new agents on 64bit<br />
workstations, it is recommended to upgrade the <strong>Safend</strong> Management Server and<br />
install new agents on 64-bit platforms, while keeping the current <strong>Safend</strong> Agents<br />
installed on 32-bit workstations. The new version does not include major changes in<br />
the <strong>Safend</strong> Protector and <strong>Safend</strong> Encryptor components of the <strong>Safend</strong> <strong>Data</strong><br />
<strong>Protection</strong> <strong>Suite</strong>, making the agent upgrade in these cases redundant.<br />
Page 1 of 7 : Copyright © 2011 safend a wave systems company | www.safend.com | www.wave.com
Current Environment<br />
In this version, upgrade and backward compatibility are supported from <strong>Safend</strong> <strong>Data</strong><br />
<strong>Protection</strong> <strong>Suite</strong> 3.3 SP7 and up and backward compatibility is supported for 3.2 GA3<br />
and up. If you are currently using an older version of <strong>Safend</strong> <strong>Data</strong> <strong>Protection</strong> <strong>Suite</strong>,<br />
or have legacy agents in your environment which were not upgraded yet, it is<br />
recommended that you do not perform an upgrade using this version of the <strong>Safend</strong><br />
<strong>Data</strong> <strong>Protection</strong> <strong>Suite</strong>.<br />
Existing Log Records<br />
The system upgrade will maintain all policies and definitions after the upgrade<br />
process. However, existing (history) log records and queries will no longer be<br />
available after upgrading a 3.3 server to the <strong>3.4</strong> version. If you do wish to keep your<br />
existing (history) log records when upgrading from the 3.3 version to the <strong>3.4</strong><br />
version, please refer to Appendix 1.<br />
Currently Used Features<br />
There are several features which were supported in <strong>Safend</strong> <strong>Data</strong> <strong>Protection</strong> <strong>Suite</strong> 3.3<br />
and are no longer supported in <strong>Safend</strong> <strong>Data</strong> <strong>Protection</strong> <strong>Suite</strong> version <strong>3.4</strong>. Before<br />
performing an upgrade, please make sure you are not using these features:<br />
1. Policy distribution using GPO. In case you have used GPO for policy<br />
distribution in the past make sure no old policies are associated with your AD<br />
objects.<br />
2. Novel eDirectory integration.<br />
3. Agent installation on Windows 2000 OS.<br />
4. Different alert destinations cannot be set for different policies, alert<br />
destinations can only be defined using the Global Policy Settings.<br />
5. Encrypting removable storage devices using “Partition Encryption” mode.<br />
Please note: existing devices encrypted using “Partition Encryption” can still<br />
be used on a <strong>3.4</strong> agent, new devices will be encrypted using “Volume<br />
Encryption” mode.<br />
6. “Log Delegation” between different Management Servers.<br />
7. Integration with 3 rd party content inspection products.<br />
a. It is important to note that this option must be unchecked before<br />
upgrading the 3.3 server.<br />
8. White list specific CD/DVD media by its content.<br />
a. Please note that the current media white list groups will be preserved<br />
on the server, but will be not updateable and if they are deleted, there<br />
will be no way to recover them.<br />
9. Manually collecting logs from workstations.<br />
10. The "action when max cache size is exceeded" for file shadowing is no longer<br />
configurable (always set to “allow”).<br />
11. "Max file size to be shadowed" will no longer be configurable through the UI.<br />
12. Copying device information from the device inventory report.<br />
Page 2 of 7 : Copyright © 2011 safend a wave systems company | www.safend.com | www.wave.com
3. Pre-<strong>Upgrade</strong> Tasks<br />
<strong>Safend</strong> <strong>Data</strong> <strong>Protection</strong> <strong>Suite</strong> <strong>3.4</strong> Training<br />
The <strong>Safend</strong> <strong>Data</strong> <strong>Protection</strong> <strong>Suite</strong> version <strong>3.4</strong> user interface is different from the user<br />
interface in older versions. It is highly recommended that you become familiar with<br />
the new user interface in a test environment, before upgrading your production<br />
server to the new version. You can use the <strong>Safend</strong> Evaluation Kit for this purpose.<br />
Preparing Policies for <strong>Upgrade</strong><br />
When upgrading the Management Server to version <strong>3.4</strong>, all your existing policies will<br />
undergo an upgrade procedure. In <strong>Safend</strong> <strong>Data</strong> <strong>Protection</strong> <strong>Suite</strong> version <strong>3.4</strong>, instead<br />
of having one policy which defines all aspects of the endpoint behaviour, you will now<br />
have separate policies managing separate aspects of the endpoint behaviour. Port<br />
control, device control and removable media encryption will be controlled using a<br />
Port & Device Control Policy. Encryption of the internal hard disk will be enforced<br />
using a Hard Disk Encryption policy. Endpoint configuration, such as the log sending<br />
interval, will be controlled using the Settings Policy.<br />
When upgrading the <strong>Safend</strong> Management Server to version <strong>3.4</strong>, your existing policies<br />
will be converted to the new scheme:<br />
For every existing policy, a “Port and Device Control Policy” with an identical<br />
name will be created. This policy will contain all the “Security Settings” of the<br />
original policy (not including the settings for “Internal Disk Encryption”), as<br />
well as the end user messages defined in the Policy Settings.<br />
If the existing policy is set to either “Encrypt” or “Decrypt” for the internal<br />
hard disk, a “Hard Disk Encryption Policy” with the same name and an<br />
“Encryptor –“Prefix will be created. Please note: if you do not have a license<br />
for <strong>Safend</strong> Encryptor such a policy will never be created. The policy will be<br />
associated with the same organizational objects as the original policy.<br />
If the existing policy is configured to use “Policy Specific Settings”, instead of<br />
“Global Policy Settings”, in any of the “settings” tabs, except the “End User<br />
Messages” tab, a “Settings Policy” with the same name and a “Settings –“<br />
Prefix will be created. The policy will be associated with the same<br />
organizational objects as the original policy.<br />
Important Notes Regarding "Policy Specific Setting":<br />
1. End User Messages that were defined using policy specific settings, will<br />
still be used on your 3.3 agents, however after the upgrade, those<br />
messages will be no longer available, and when applying any other setting<br />
policies, the end user messages will be taken from the global policies.<br />
2. Policy-specific settings for media encryption are not being upgraded, and<br />
will be shown as taken from the global setting.<br />
3. Policy specific settings for "and Max Cache Size" is not being upgraded,<br />
and will be shown as taken from the global setting.<br />
Recommended action: to avoid the creation of multiple, redundant policies<br />
following the server upgrade, please review your existing policies to make sure<br />
policies are not configured to use “policy specific settings”, instead of “global policy<br />
settings”, without a good reason.<br />
Page 3 of 7 : Copyright © 2011 safend a wave systems company | www.safend.com | www.wave.com
Obtaining a License File<br />
Before upgrading the Management Server to version <strong>3.4</strong>, you must obtain a new<br />
license file suitable for the version. Contact your local distributer to obtain this<br />
license.<br />
Creating Updated Backup Files<br />
Before performing the upgrade, it is highly recommended to create an updated<br />
System Backup file (created through the Administration -> Maintenance tab). This<br />
file will be used to restore the existing server in case the upgrade procedure is not<br />
completed successfully.<br />
Preparing Legacy Agents for <strong>Upgrade</strong><br />
The recommended path for upgrading legacy agents (3.3 SP7.1 and below) to the<br />
<strong>3.4</strong> version will be to upgrade those clients to the latest version of 3.3, which is 3.3<br />
SP7.2. This version includes a direct path for upgrading the agents to the <strong>3.4</strong> version<br />
and thus won't require any special preparation tasks before the upgrade of the<br />
clients.<br />
If you are currently using 3.3 SP7 or 3.3 SP7.1 agents in your environment and you<br />
wish to upgrade the clients directly to <strong>3.4</strong>, without upgrading the agents to 3.3 SP7.2<br />
first, a preparation action should be performed on the protected machine before the<br />
upgrade process. The preparation is performed using a lightweight preparation tool<br />
that is activated on the protected machine before the upgrade takes place. This tool<br />
only prepares the machine for the upgrade, and does not affect any other<br />
functionality of the agent, thus no reboot or other activities are required after<br />
running this tool. This lightweight preparation tool can be executed with any software<br />
distribution tool such as, SMS, Altiris, Tivoli, GPO and others, as a onetime task,<br />
using the native run command for running the executable of the relevant deployment<br />
tool. This is with no additional parameters that need to be added, since by default<br />
this tool is run in silent mode. Before running the tool, please note that:<br />
1. This preparation action must take place prior to the upgrade process, and it is<br />
recommended to perform it a few weeks before the upgrade takes place in<br />
order to cover all the machines that need to be upgraded. In cases where the<br />
upgrade will occur without running the tool before, the upgrade will fail to<br />
start, without affecting the machine in any way.<br />
2. This tool requires admin privileges, thus it cannot be run through a login<br />
script or other methods that do not elevate the privileges of the security<br />
context with which this tool is running.<br />
3. By default, this tool runs in silent mode. If you wish to run this tool manually<br />
in order to perform some tests, you can run it via a command line. That way<br />
you will gain visibility on the output results of the run.<br />
Page 4 of 7 : Copyright © 2011 safend a wave systems company | www.safend.com | www.wave.com
In order to use GPO, perform the following steps:<br />
1. Create a new Group Policy Object.<br />
2. Navigate through the left panel by opening each branch as follows:<br />
Computer configuration -> Windows Settings -> Scripts<br />
(Startup/shutdown).<br />
3. Click the Add button and provide a network share where you stored the<br />
executable and click OK. No parameters are required.<br />
4. Apply the GPO on all the machines that are going to be upgraded.<br />
Once this GPO is applied and run on all of the machines that need to be<br />
upgraded, the policy can be unlinked and deleted.<br />
To obtain the executable, please contact <strong>Safend</strong> Support.<br />
4. <strong>Upgrade</strong> Procedure – Overview<br />
The <strong>Safend</strong> <strong>Upgrade</strong> Procedure is performed in two steps:<br />
Step 1: Upgrading the Management Server<br />
In this step, the server is upgraded to the new version, while the agents installed on<br />
the endpoints in the organization are still of the older version. The old agents are<br />
fully managed by the new server. New clients can be installed on machines which are<br />
not yet protected by the older agents (for example: 64-bit machines or new<br />
machines in the organization).<br />
Step 2: Upgrading the Agents<br />
In this step, the existing agents are upgraded to the new version using the agent<br />
installation files created by the new server. Please note: In case you have not<br />
purchased <strong>Safend</strong> Inspector or <strong>Safend</strong> Discoverer, and your main objective in<br />
performing an upgrade to <strong>Safend</strong> <strong>Data</strong> <strong>Protection</strong> <strong>Suite</strong> <strong>3.4</strong> is installing new agents<br />
on 64-bit workstations. It is recommended to upgrade the <strong>Safend</strong> Management<br />
Server, but keep the current <strong>Safend</strong> Agents installed on 32-bit workstations in their<br />
current version, without performing an agent upgrade.<br />
It is important to note that a reboot is necessary after upgrading the agents, thus<br />
if you have decided to suppress the reboot during the upgrade, you will have to<br />
reboot the machine in order for agents to function properly.<br />
Please refer to the <strong>Safend</strong> <strong>Data</strong> <strong>Protection</strong> <strong>Suite</strong> Installation Guide for detailed<br />
instructions about upgrading the server and agent.<br />
Page 5 of 7 : Copyright © 2011 safend a wave systems company | www.safend.com | www.wave.com
5. Recommended Actions Following the Server<br />
<strong>Upgrade</strong><br />
After the Server <strong>Upgrade</strong>, the following actions should be performed:<br />
Reviewing Hard Disk Encryption Policies<br />
In case you are using <strong>Safend</strong> Encryptor to encrypt machines in your organization,<br />
some Hard Disk Encryption policies will be created following the server upgrade.<br />
Your organization should have at any point in time no more than two Hard Disk<br />
Encryption Policies: an “Encrypt” policy which enforces the encryption on the<br />
appropriate workstations in your environment, and (optionally) a “Decrypt” policy<br />
excluding specific workstations from the general encryption policy.<br />
In addition, Hard Disk Encryption policies only apply on machines, not on users.<br />
There is no reason to associate a Hard Disk Encryption policy to a user object, or to<br />
another object (Group or OU) which only contains user objects.<br />
Recommended action: review the Hard Disk Encryption Policies which have been<br />
created following the upgrade, delete redundant policies (and “combine” their<br />
associations), delete redundant associations to user objects, and rename them to<br />
indicative names. Note that if you had Policies Specific Settings for hard disk<br />
encryption that were enforced on machines, they should be applied on users as well,<br />
so they will not be overridden by other user policies.<br />
Reviewing Settings Policies<br />
In case your existing policies contain “policy specific settings”, new “Setting Policies”<br />
will be created following the server upgrade.<br />
From our experience, most customers do not need to configure different settings for<br />
different machines in the organization using the “Policy Specific Settings”, and can<br />
use a consistent configuration throughout the organization using the “Global Policy<br />
Settings”.<br />
Recommended action: review the Settings Policies which have been created and<br />
decide which of them are still necessary in your environment. Try to reduce the<br />
number of settings policies by combining different settings policies into one which is<br />
associated with a specific user profile. Rename these policies to indicative names<br />
which represent their functionality. For example, if you have remote sites with<br />
limited network connectivity, you may want to create a Setting Policy which will limit<br />
the log sending interval to specific hours, and associate it with all remote sites.<br />
Reviewing Reports<br />
In this version, several new options have been added to the Security Incidents<br />
reports. After a server upgrade, it is recommended to review your existing reports to<br />
see if you would like to adjust the search parameters.<br />
Contact Information:<br />
For additional information and technical support, please contact your local <strong>Safend</strong><br />
representative or <strong>Safend</strong> support as follows:<br />
Web: www.safend.com/support<br />
Email: support@safend.com<br />
Phone: US: +1-215-496-9646<br />
ROW: +972-3-6442662 x122<br />
Page 6 of 7 : Copyright © 2011 safend a wave systems company | www.safend.com | www.wave.com
Appendix 1: Migrating Old 3.3 Logs Records<br />
As mentioned above, the upgrade process doesn’t preserve automatically the logs<br />
history, thus If you do wish to keep your existing (history) log records when<br />
upgrading from the 3.3 version to the <strong>3.4</strong> version, please perform the steps below. It<br />
is important to note that queries that were created in the 3.3 platforms will not be<br />
upgraded \ saved by this process and thus will have to be re-created in the <strong>3.4</strong><br />
platform.<br />
Steps for migrating logs from 3.3 to <strong>3.4</strong>(Should be performed only when the upgrade<br />
process has been completed) :<br />
1. Download the LegacyLogsMigrator.exe from the tools folder under the FTP<br />
site, where you have downloaded the <strong>Safend</strong> <strong>Data</strong> <strong>Protection</strong> <strong>Suite</strong>.<br />
2. When executing the file, be prompt to extract the files into a destination<br />
folder. Please type the following destination and press Install:<br />
\Program Files\<strong>Safend</strong>\<strong>Safend</strong> Protector\Management Server\bin<br />
Figure 1.0<br />
3. Verify that a new folder name LogsMigrationTool is created under the bin<br />
folder.<br />
4. Close all open consoles and run the command Prompt (CMD) from the<br />
LogsMigrationTool folder above, and run the following command:<br />
LegacyLogsMigrator.exe –i <br />
Where is equal to:<br />
\Program Files\<strong>Safend</strong>\<strong>Safend</strong> Protector\Management Server\bin<br />
At this stage, the tool will run and provide indications to the command prompt<br />
screen regarding its running status.<br />
Page 7 of 7 : Copyright © 2011 safend a wave systems company | www.safend.com | www.wave.com