topic Re: Separating Endpoint Management from SMS in Firewall and Security Management

Separating Endpoint Management from SMS

Kryten — Thu, 22 Jan 2026 10:50:56 GMT

Hello!

I am currently trying to find out the neccessary steps for separating an EPM from a SMS.

At the moment the SMS is doing the Endpoint Management, but our customer plans to separate that into two servers for better redundancy and to get rid of that limitation with DB revisions (Not possible to use revisions when SMS is also doing the EPM).

Apart from an old Post (2017) that ended with "PS needs to be involved", I did not find anything...So I came here to see if anyone has done this before and could give some useful hints.

I guess at first I should be installing a second management server, importing the DB and then activating the EPM blade. But what then? I guess I cannot just disable that blade on the first server and everything will work, that sounds too easy. 🙂

Somehow the Clients will need to know that they have to connect to a different server now and that will probably bring other issues like changed fingerprint and/or certificates...and probably more stuff that I do not think of yet.

So...is there a Guide or SK that I missed? Or someone who did this already?

Best Regards,

Alex

Re: Separating Endpoint Management from SMS

Don_Paterson — Thu, 22 Jan 2026 10:56:59 GMT

Can you do it the other way?

The existing server stays there for EPM (and remove firewalls and policy) and the new one is installed (import) for the gateway management.

I guess EPMaaS is not an option to move the EPM to the Infinity Portal?

You have to plan around licenses too.

Another option is to leave the current server as EPM (as above) and build a new SG management server (SMS) and then build that up from scratch.

You would need to do a SIC reset on the SGs and can use API to make policy 'migration' more efficient.

Just initial thoughts. Hopefully someone who has done it picks this up too.

Regards,

Don

Re: Separating Endpoint Management from SMS

PhoneBoy — Thu, 22 Jan 2026 17:07:42 GMT

The reconnect tool is what is used to associate Endpoint clients with a different server.
migrate_server does have options to exclude Endpoint configuration, so this could be the basis for creating a new management server without Endpoint.
Associating the firewalls with the new management server might require a small adjustment to the active policy to allow policy installation from the new management server, but after the policy install, they'll effectively be migrated to the new management server.

Re: Separating Endpoint Management from SMS

the_rock — Thu, 22 Jan 2026 23:40:22 GMT

Interesting...never knew of that tool.

Re: Separating Endpoint Management from SMS

the_rock — Tue, 27 Jan 2026 01:31:28 GMT

Hey Alex,

Were you able to figure this out? Had client ask me the same question today and I remembered this post, but told them would follow up.

Re: Separating Endpoint Management from SMS

Kryten — Wed, 28 Jan 2026 08:48:21 GMT

Not yet, we are still in the planning stage(long term project). So far it sounds like it would be easier to create a new management for the Gateways, but we still have not decided.

Re: Separating Endpoint Management from SMS

Vincent_Bacher — Wed, 28 Jan 2026 10:31:29 GMT

This tool is nice, we used that to migrate thousands of clients from on prem endpoint management to harmony cloud.

Re: Separating Endpoint Management from SMS

the_rock — Wed, 28 Jan 2026 11:36:39 GMT

Nice. Will see if I can test it in the lab.