Ted_Serreyn
Collaborator

migration from on premise endpoint to cloud sandblast agent


Ok so I was told that there was a procedure to migrate a client from on premise endpoint server to cloud (infinity portal) sandblast agent?

However the person I was talking with has so far failed to deliver.

Does anyone know what the procedure is going to be? I was thinking that there should be a migrate export/migrate import type of migration for this to move all the settings.

Is there a reason with endpoint that we can't define cloud endpoint as a "fake" policy server, so when the other policy servers and on premise management go away, the clients just start talking to the new ip of the cloud sandblast agent? Is the reconnect tool really required here to reconnect all the clients to the new endpoint server?

I know that we can take a staged approach to move new clients to the cloud portal, but I am looking to migrate 900 plus clients. I would really like this to be somewhat transparent to the end user if possible.

I am working to come up with a good procedure so I can test with a small depl

48 Replies
jcortez
Employee

You can find this in your "Infinity Portal/Harmony Endpoint Management Portal >> Service Management". Here is an example.

[Screenshot: Capture2.PNG]

You can send private messages through community.checkpoint.com. At the top right-hand side of the page next to your account icon there is a 'messages' option/button. From there you can send private messages to whomever you would like, in this case me.


Justin Cortez
Technology Leader | Endpoint Cyber Security Products | Americas Endpoint Team
0 Kudos
John_Richards
Contributor

Has been sent. Thanks

0 Kudos
jcortez
Employee

@John_Richards 

Sorry for the delay. I have responded back to you privately and provided the config.dat file via the SFTP Site. You can use the same credentials I sent privately previously.


Justin Cortez
Technology Leader | Endpoint Cyber Security Products | Americas Endpoint Team
0 Kudos
RS_Daniel
Advisor

Hello @jcortez ,

Thanks for all these clarifications. About your comments about the config.dat file, it has always been accessible for everyone: when you download an EPS.msi installer from SmartEndpoint, a config.dat file is also downloaded to some tmp folder. I have used it many times and it worked ok on previous versions. Recently I have tried to create many reconnect tools using dynamic packages exported directly from infinity portal. Extracting the .exe dynamic package you can find a config.dat file which is inside the Config folder, however it always fails. I understand I should use smartendpoint to download an EPS.msi installer and use the downloaded config.dat file, but in a recent support case, TAC recommended not to use SmartEndpoint to connect to EPMaaS as it could contribute to corruption problems. Do you know if the config.dat from the dynamic package should work ok? From SmartConsole R81 and higher the maketool.bat archive can be found in two different directories:

C:\Program Files (x86)\CheckPoint\SmartConsole\R81\PROGRAM\util\RepWorkFolder\INVOKE

C:\Program Files (x86)\CheckPoint\SmartConsole\R81\81.0.9500.556\util\RepWorkFolder\INVOKE

Do you know if it is mandatory to use one of these, or should both work ok?

Regards

0 Kudos
jcortez
Employee

For Harmony Endpoint Cloud/EPMaaS we no longer create the config.dat file in the Smart Console installation directory. The only supported way with Harmony Endpoint Cloud/EPMaaS to get a good working config.dat file that can be used with the reconnect tool is by contacting the Endpoint Teams from TAC and for us to provide it to you directly from the server. I have seen issues in the past using the config.dat file from the client packages. I would not recommend using it.


Justin Cortez
Technology Leader | Endpoint Cyber Security Products | Americas Endpoint Team
0 Kudos
RS_Daniel
Advisor

Thank you!

0 Kudos
Marcus_Halmsjo
Contributor

Thought I should share my experience in this thread.

I migrated 300 clients this week with zero problems. The key that made my day was that I looked into the reconnect tool creation more closely.

The maketool.bat has a /silent parameter. If you use that, the reconnect.exe will not display a popup after it is done and will just quit. This made it possible to push this tool to every client that was connected to the old management. The only issue is that the reconnect.exe exits with 1 and not 0, so if you push with anything that checks the response, add 1 as a successful response.

The way I created the reconnect tool was that I created an export package in cloud management, downloaded the msi and unpacked it with 7-zip, and searched the dir for config.dat. It was named Binary.CPINSTADDEXT_config.dat.

I copied this file, renamed it to config.dat and used it with maketool.bat with parameter /silent.

One thing to note is that if the export package is configured to add the computer to a virtual group, it will do that also when you reconnect with the tool. I used this opportunity to clean up some virtual groups when migrating.

Since nothing in this was sure to work, I checked every client one by one. I was just happy to finally migrate, and it was better that it took a few more hours to be sure everything is ok.
Every client connected to cloud the second the reconnect tool was done, and the new policy was installed without issues.
Users did not notice any interruptions.

Important to state is that I did this on my own. This was not initiated by Check Point in any way. I searched and read a few SKs and decided to test, and my backup plan was always to manually reinstall every client since that was the first migration plan either way.
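
The exit-code behaviour described in the post above matters for any deployment tool that treats a non-zero exit as failure. The following wrapper is an added example, not part of the original post and not Check Point tooling: it verifies the pushed binary against the hash of the tool you built, runs it, and maps exit code 1 to success. The staging path, log path, hash placeholder and wrapper exit codes 100/101 are assumptions.

```powershell
# Added example: wrapper that a software-distribution tool runs on each client.
# Assumptions (not from the thread): the staging path, the log path, and the
# placeholder hash, which you replace with the SHA-256 of the reconnect.exe you built.
param(
    [string]$ToolPath     = 'C:\Windows\Temp\reconnect.exe',    # hypothetical staging path
    [string]$ExpectedHash = '<SHA256-OF-YOUR-RECONNECT-EXE>',   # placeholder, fill in
    [string]$LogPath      = 'C:\Windows\Temp\reconnect-wrapper.log'
)

# Per the post above, a tool built with /silent exits with 1 when it is done.
# 0 is kept in the list as an assumption in case a build reports success that way.
$SuccessCodes = @(0, 1)

function Write-Log([string]$Message) {
    $line = '{0} {1} {2}' -f (Get-Date -Format o), $env:COMPUTERNAME, $Message
    Add-Content -Path $LogPath -Value $line
}

# Refuse to run if the file is missing (wrapper-specific exit code 100).
if (-not (Test-Path -LiteralPath $ToolPath -PathType Leaf)) {
    Write-Log "ERROR tool not found at $ToolPath"
    exit 100
}

# Refuse to run a binary that is not the one you built (exit code 101).
# The tool re-points the endpoint client to a new management server, so a
# swapped or corrupted copy must not be executed.
$actual = (Get-FileHash -LiteralPath $ToolPath -Algorithm SHA256).Hash
if ($actual -ne $ExpectedHash) {
    Write-Log "ERROR hash mismatch, got $actual"
    exit 101
}

$proc = Start-Process -FilePath $ToolPath -Wait -PassThru -WindowStyle Hidden
Write-Log "reconnect.exe exited with code $($proc.ExitCode)"

# Report 0 to the deployment tool for both accepted codes; pass anything else through.
if ($SuccessCodes -contains $proc.ExitCode) { exit 0 }
exit $proc.ExitCode
```

The per-client log line gives a record to check against the management console when confirming that each client actually reconnected.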

Ted_Serreyn
Collaborator

Glad you had great success. I am still having problems even getting a resource involved to work with me on the initial export/import. Answer is always professional services engagement.

IMHO, this is what partners are for and who the client trusts to do this.

As to the why I need this, there are a multitude of tuning and exceptions that we have done over the last few years as part of this endpoint deployment. I do not want to lose this configuration as part of the migration.

Marcus_Halmsjo
Contributor

Yeah I can understand that, was not so much for us, just viewed cloud as a "new" installation instead of a move.

Migrating rules and exceptions etc. is a whole other level that I did not think of.

0 Kudos
anstelios
Contributor

Can someone please describe the latest procedure to create the reconnect tool for a new cloud server?
This has changed so many times..
I believe I saw it as an option (to create the reconnect exe) somewhere in the Infinity portal a few days ago, but I can't find it now..
Do we need to get TAC involved??

0 Kudos
jcortez
Employee

Yes there was an option for the Reconnect Tool in the Infinity Portal/Harmony Endpoint Web Management Portal but it has been removed due to it still being BETA/EA. It was not supposed to be public facing just yet. I am not sure what the ETA is at this time for it to be released in the Infinity Portal/Harmony Endpoint Web Management Portal but I am working to find out.

For the time being, you still need to involve TAC as we would need to grab and provide the config.dat for you.


Justin Cortez
Technology Leader | Endpoint Cyber Security Products | Americas Endpoint Team
0 Kudos
Don_Paterson
Advisor

Hi Justin,
Was just looking at this tool in the Infinity Portal and the documentation and it is not clear in terms of the procedures for using the tool.
Is it GA now and are there detailed steps and use cases (maybe an SK) that can be referenced until the documentation is improved?

Reference:
https://sc1.checkpoint.com/documents/Infinity_Portal/WebAdminGuides/EN/Harmony-Endpoint-Admin-Guide/...

Regards,

Don

0 Kudos
jcortez
Employee

@Don_Paterson

An SK for our Reconnect Tool/Utility already exists. Please see SK92329. We have had the Reconnect Tool since 2013 but we are now making it available via the Harmony Endpoint Web Management to make it easier to use and access. You can use SK92329 as a reference on what it is, how it works, how to use it and limitations.


Justin Cortez
Technology Leader | Endpoint Cyber Security Products | Americas Endpoint Team
0 Kudos
PhoneBoy
Admin

That SK looks like it's internal still, just FYI.

0 Kudos
Don_Paterson
Advisor

Make it external, please 😉

0 Kudos
jcortez
Employee

@Don_Paterson 

This will not be possible. It has been made internal for important reasons.


Justin Cortez
Technology Leader | Endpoint Cyber Security Products | Americas Endpoint Team
0 Kudos
jcortez
Employee

Yes it is internal. We do not and will not have a public facing SK for it since there are situations where the reconnect should not be run, and so that customers understand all of the limitations. That way, for any reconnect tool/utility questions customers have, they have to open up an SR to discuss it with TAC so we can make the decision if it is needed or not and guide the customer.

Customers can create an SR and ask for the Reconnect Tool/Utility steps and content in the SK and we can send it over, but we would still tell them that for every situation where the Reconnect Tool/Utility is needed, they should be contacting TAC.


Justin Cortez
Technology Leader | Endpoint Cyber Security Products | Americas Endpoint Team
0 Kudos
Don_Paterson
Advisor

OK, Thanks. But why allow the tool download, rather than perhaps just a note related to the tool?
The documentation is also in the public domain, with procedure/steps, but again advertising something that is not well documented or recommended in some cases.

Appreciate your replies.

Don

0 Kudos
jcortez
Employee

@Don_Paterson 

It is there for ease of use. And the idea is that a customer should still work with Endpoint Support before downloading it and using it. Once the customer calls in and explains what it is needed for we will then explain how it can be created, used and all the limitations and detailed information. We want to control when it is being used since when using it in the wrong scenarios it can cause problems.

Hope this clears it up.


Justin Cortez
Technology Leader | Endpoint Cyber Security Products | Americas Endpoint Team
0 Kudos