Ted_Serreyn
Collaborator

migration from on premise endpoint to cloud sandblast agent

Ok so I was told that there was a procedure to migrate a client from on premise endpoint server to cloud (infinity portal) sandblast agent?

 

However the person I was talking with has so far failed to deliver.

 

Does anyone know what the procedure is going to be?  I was thinking that there should be a migrate export/migrate import type of migration for this to move all the settings.

 

Is there a reason with endpoint that we can't define cloud endpoint as a "fake" policy server, so when the other policy servers and on premise management go away, the clients just start talking to the new ip of the cloud sandblast agent?  Is the reconnect tool really required here to reconnect all the clients to the new endpoint server?

 

I know that we can take a staged approach to move new clients to the cloud portal, but I am looking to migrate 900 plus clients.  I would really like this to be somewhat transparent to the end user if possible.

 

I am working to come up with a good procedure so I can test with a small depl

 

 

48 Replies
Kobie_Bendalak
Employee Alumnus

Please raise a TAC ticket, they can assist.

Share the ticket number w/ me, and I'll help you expedite its resolution.

0 Kudos
Ted_Serreyn
Collaborator

Here is the TAC response:

 

I got a reply from the internal team and they said it is not possible for you to test out migrations from on-prem to EPMaaS.

It can only be done by PS and R&D, and I know you said you do not want to pay; you will need to reach out to your sales team for that.

Please let us know if you have any other questions or comments for us on Tech support.

Ted_Serreyn
Collaborator

As a long time Checkpoint VAR, I would like to know how exactly I am supposed to recommend moving to the cloud for an existing customer?

 

These are loyal checkpoint customers who have run endpoint before the cloud management even existed.

 

It seems that checkpoint does not have a plan for their existing customer base, other than to charge them more money to move to the latest version.

Kobie_Bendalak
Employee Alumnus

@Ted_Serreyn  it's on our plate for 2021, if urgent I suggest to proceed by submitting an RFE. 

MikeB
Advisor

Hello @Kobie_Bendalak / @Ted_Serreyn 

Any news or recommendations on the procedure to migrate an on-prem deployment to EPMaaS?

I need to migrate more than 1100 endpoints on a customer that has on-prem R80.40 management to EPMaaS.

0 Kudos
Ted_Serreyn
Collaborator

1+ year later, same issue still exists.   Try to get PS involved, they don't quote less than a week.  TAC says PS has to do it.  Customer still hasn't migrated endpoint management to cloud and at this point is beyond frustrated.

Chris_Atkinson
Employee

@jcortez Have you heard anything in this space?

CCSM R77/R80/ELITE
0 Kudos
jcortez
Employee

@Chris_Atkinson

This still requires PS. This from what I understand is an ongoing project and will not be completed anytime soon. If customers are looking for a quick migration and easiest route that would be to migrate without their existing database/migrate export and to just migrate the clients using our Reconnect Tool.

Now if a customer looking to migrate from Harmony Endpoint On-Premise to Harmony Endpoint Cloud (EPMaaS) and they are using FDE and MEPP, this makes the migration very complicated and it is suggested to migrate your database/migrate export. But again, it still remains that PS is needed for this migration and this is something TAC does not handle.

The only migration TAC can handle is if a customer is just migrating the client using the Reconnect Tool and there are no plans to bring over the database/migrate export.

 

Hope this helps.


Justin Cortez
Technology Leader | Endpoint Cyber Security Products | Americas Endpoint Team
Ted_Serreyn
Collaborator

Yeah no FDE, no MEPP.  It’s a simple export/import, then use reconnect tool.

 

PS won’t do less than a week of time, and this shouldn’t take that amount.  In addition customer has an issue with paying for this service.

 

 

IMHO, This is a case of checkpoint not considering their loyal existing clientele and how to keep them moving into the newer technologies.

We need to be able to take our new technologies and ask the question how do we get our existing checkpoint customers to migrate to this.

I understand the lack of back end access, but this is extremely frustrating as a partner to see and experience this.

 

to quote Gil:  “we deserve the best security solutions”.

 

 

0 Kudos
Dan_Cannon
Contributor

@jcortez 

 

I work for a partner also and second Ted's comments here.  We are already seeing customers rejecting deals as there is no formal migration path.  I think this is very short-sighted and should be addressed urgently as we cannot recommend an "upgrade" to cloud for the customer.  This is particularly bad for customers using MEPP where they have extensive definitions already created.

Even with the workarounds I have any migration to cloud has its pitfalls and isn't a workable solution.  Given Smart-1 cloud has the ability to allow a migrate import it should be the same for Endpoint.

0 Kudos
jcortez
Employee

@Chris_Atkinson @Ted_Serreyn @Dan_Cannon 

I wanted to revisit this thread. There have been new developments/updates/changes here internally on who does the On-Premise to EPMaaS Server migration now.

When this process and special migration tools were still in testing and EA, this is why it required an RFE + PS to be able to achieve this kind of migration.

However, one to two weeks ago we have made the special migration tools for this process/procedure GA. TAC Endpoint Teams are now expected to assist customers with this. Since this is still new to us and all TAC Endpoint Engineers have not been trained to handle it, it is currently being handled by myself (Endpoint Technology Leader for Americas/DTAC/OTAC) and my counterpart Kiril (Endpoint Technology Leader for International TACs) .

So going forward please feel free to open SRs/Cases when needing a full migration (Migrate export of On-Premise EPS Server >> Migrate import to Harmony Endpoint Cloud/EPMaaS Server) as TAC Endpoint Teams now handle this.


Justin Cortez
Technology Leader | Endpoint Cyber Security Products | Americas Endpoint Team
0 Kudos
Ted_Serreyn
Collaborator

Yeah I guess I’m not going to be recommending migrating to the cloud until that time for any of my existing customers and would advise other VARs the same.

It’s hard to be put in the middle like this as a VAR.  Customers want to know how to migrate and what the impact is to them.  This is part of the Value Add that we provide as resellers.

 

 

0 Kudos
Brad_Muller
Participant

I was able to work this out with the help of John Morris (Checkpoint) and his team. I'm attaching a word document for instructions. I've also shared with TAC, so hopefully they will write up an SK.

When signing into the new Smartconsole (downloaded from Service Management), you will need to change the server (pull down) to the cloud. The token they are looking for is the Service Identifier, which can be copied from Service Management tab. Then just sign in with admin and the new password you created in step 4.

Another note, the portal does not match 1-1 on all areas of the on-prem server. But if you use the newly download SmartConsole you can do the one-to-one manual copy. Unfortunately, there is no export (at least that I've found) of the blocked application list.

(1)
Dan_Cannon
Contributor

just an FYI regarding this document - they have now updated the files to a .exe from .msi, so config.dat can be exported using 7zip from this.  And for R81 the path for make tool will be something like C:\Program Files (x86)\CheckPoint\SmartConsole\R81\81.0.9500.556\util\RepWorkFolder\INVOKE (the 81.0.9500.556 represents the build of smart console)

 

Dan

John_Richards
Contributor

I was curious if anyone had an issue using maketool.bat with the /silent switch? If we run maketool.bat config.dat and then run the created reconnect.exe on a workstation it prompts us for the uninstall password and it migrates from on-prem to Harmony successfully. If we run again with maketool.bat /silent config.dat password we get the reconnect.exe but nothing happens when we try to run it on the client machine. We are doing more testing but wondering if we're missing something. Thanks

jcortez
Employee

@John_Richards 

CORRECTION! I apparently found my brain today...

When you make a reconnect tool that includes the password and the /silent flag/switch, you will not get any indication at all that the reconnect tool is running and has also completed. That is the point when combining the two, password and /silent flag/switch, so no one on the client side is aware of anything running at all.

However, you can look at current processes/services running and you will see tools used by the reconnect tool running when looking at Task Manager in Windows.

 

I said here to view the 'EP_CDTDll.log', but this is incorrect.

You can also collect and analyze the C:\Windows\Internet Logs\EP_CDTDll.log to see if the reconnect tool completed and ran successfully or if it failed.

 

The Reconnect Tool log, ReRegister.log, would be located here...

C:\Users\<user_name>\AppData\Local\Temp\CPReconnect<date stamp>\

 

Are you checking the Harmony Endpoint Client to see if it is pointing to the new server or not? You can see this in the Harmony Endpoint Client's GUI/Display Overview or in its cpda.log, located here, to see which server it is connecting to and all servers it is aware of.
C:\ProgramData\CheckPoint\Logs\


Justin Cortez
Technology Leader | Endpoint Cyber Security Products | Americas Endpoint Team
0 Kudos
John_Richards
Contributor

Thanks for the information. We changed the uninstall password on the on-prem, updated the client and made sure same uninstall password in Harmony. We run the reconnect.exe and get the popup "Please enter administrative password in order to change/remove Endpoint Security configuration". We did download a new client and extracted the config.dat and tried a new reconnect.exe and same issue. We run maketool.bat /silent config.dat password and it does create the reconnect.exe. Is there something in the syntax we are missing?

0 Kudos
jcortez
Employee

@John_Richards 

Where are you getting the config.dat from? You should be contacting TAC to get this. There is not a way to get this without someone from TAC Endpoint Team grabbing this directly from your Harmony Endpoint Cloud/EPMaaS Server for you since customers do not have access to this.

Also, does your Harmony Endpoint Client uninstall password have special characters included?

 

Please be aware of the following limitations...

Notes:

  • 'client_uninstall_password' is an optional parameter, if not provided here, it should be entered on the client computer
  • See the "Limitations" section for clients using Token-Based uninstall authentication below.
  • See the "Limitations" section for clients using Challenge-Response uninstall authentication below.
  • The Reconnect.exe executable will be created in the current directory.
  • Include /silent in step 6 to create a silent reconnect tool.  "/silent" parameter must follow maketool.bat (ex. maketool.bat  /silent \path_to\config.dat  [client_uninstall_password]). This suppresses the "The reconnect tool was run successfully" message, which needs to be dismissed after running the tool on the Endpoint client.
  • If 'client_uninstall_password' contains special characters, like $%^&*|" or space, the 'client_uninstall_password' should be surrounded with double quotes (for example: "!1@3$5^7*9"). In some cases, additional escaping may be needed, see the following link as example.
  • Starting from E85.60, if client will not be able to connect to the given server, the client will revert reconnect tool changes and will connect back to old server.

Justin Cortez
Technology Leader | Endpoint Cyber Security Products | Americas Endpoint Team
0 Kudos
John_Richards
Contributor

Getting the config.dat was the easy part. Just followed the instructions above but now an exe and not msi. We used 7Zip to open the exe that was downloaded and got the config.dat from there. Using this config.dat and the maketool.bat does work without the /silent and password. So, the password does have a character (@) and we are going to try with only alphanumeric characters only. Will let you know what happens.

0 Kudos
jcortez
Employee

We had an issue back late last year in Q4 regarding the reconnect tool and using the silent flag. We have fixed Smart Console Packages for that. I am wondering if this is the issue you are facing. If you still face the issue after changing the client uninstall password, let me know. I will get you the CFG Smart Console Package and we can see if that resolves the issue.

Which version Harmony Endpoint Server are you running?


Justin Cortez
Technology Leader | Endpoint Cyber Security Products | Americas Endpoint Team
0 Kudos
John_Richards
Contributor

Is this what you are referring to on the server 

Service version
81.0.23.112
Web version
8.14.0:8.14.0
 

We are using SmartConsole R81 (only option we had). I tried to use "" around the password but no luck. We changed the on-prem password using only numbers and letters. Have not tested yet but will update. Thanks

0 Kudos
jcortez
Employee

Yes, that is what I was looking for. Your EPMaaS Server is on R81 JHF Take 112. You are likely running into the issue I mentioned. Let me know how the test goes. I have the Smart Console CFG package ready for you. Or I can grab the config.dat from your EPMaaS Server and create the Reconnect Tool for you. However, you would need to provide your client uninstall password if you wanted me to bake it into the Reconnect Tool.

Let me know what you would like to do.


Justin Cortez
Technology Leader | Endpoint Cyber Security Products | Americas Endpoint Team
0 Kudos
John_Richards
Contributor

Thanks so much for your effort. I would like to obtain the package if possible. I have more than one customer that needs to be moved from on-prem to Harmony.

0 Kudos
John_Richards
Contributor

Customer did try again using the new password but still get the prompt to enter the password. Again if I could get the CFG package that would be great. Thanks

0 Kudos
jcortez
Employee

@John_Richards 

I just reached out to you via a direct private message where I have provided the R81 Smart Console CFG Package.


Justin Cortez
Technology Leader | Endpoint Cyber Security Products | Americas Endpoint Team
0 Kudos
John_Richards
Contributor

So, downloaded the new SmartConsole and still did not work. Still getting a prompt for the password. From the log in CPReconnect log:

Service shutdown was called
Password dialog is launched
8
Could not load external resource, GetLastError() = 2
Error: Could not read config file
GetLastEror() = 2
Service was started

 

As well, we are getting a "wrapme.exe has stopped working" error, but the reconnect.exe still gets created. Will post text in another window.

 

0 Kudos
John_Richards
Contributor

Problem signature:
Problem Event Name: BEX
Application Name: wrapme.exe
Application Version: 0.0.0.0
Application Timestamp: 6148713b
Fault Module Name: MSVCR110.dll
Fault Module Version: 11.0.51106.1
Fault Module Timestamp: 5098858e
Exception Offset: 000a326c
Exception Code: c0000409
Exception Data: 00000007
OS Version: 6.3.9600.2.0.0.400.8
Locale ID: 1033
Additional Information 1: 3433
Additional Information 2: 34334c2e142571f7d5ce100346779462
Additional Information 3: 64e3
Additional Information 4: 64e388ea3be3f118c589186044928550

0 Kudos
jcortez
Employee

The error is as if the config.dat file you are using is corrupted. Which would make sense since the expectation is not to pull it from an exported package but to get it from the server itself. What is the name of your EPMaaS Server? This way I can give you a config.dat file directly from it.


Justin Cortez
Technology Leader | Endpoint Cyber Security Products | Americas Endpoint Team
0 Kudos
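A triage sketch for the ReRegister.log excerpt posted earlier in the thread, added here as an example; it is not part of any post and not Check Point tooling. The verdict names, the `CLEAN_LOG` sample and the tolerant file read are assumptions, and a result of `no_failure_logged` still needs confirming against cpda.log on the client.

```python
import re
from pathlib import Path

# Win32 codes from winerror.h; extend as needed.
WIN32 = {2: "ERROR_FILE_NOT_FOUND", 3: "ERROR_PATH_NOT_FOUND", 5: "ERROR_ACCESS_DENIED"}
# Matches both "GetLastError() = 2" and the log's own "GetLastEror() = 2".
LAST_ERROR = re.compile(r"GetLastErr?or\(\)\s*=\s*(\d+)")

# Log excerpt as posted in the thread.
THREAD_LOG = """\
Service shutdown was called
Password dialog is launched
8
Could not load external resource, GetLastError() = 2
Error: Could not read config file
GetLastEror() = 2
Service was started
"""
# Constructed sample: assumes a run that logs no error (real wording may differ).
CLEAN_LOG = "Service shutdown was called\nService was started\n"

def triage(text, built_silent):
    """Summarise one ReRegister.log. built_silent: tool was made with /silent and a password."""
    errors, codes, prompted = [], set(), False
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("Error:"):
            errors.append(line[6:].strip())
        codes.update(int(m) for m in LAST_ERROR.findall(line))
        if "Password dialog is launched" in line:
            prompted = True
    if errors or codes:
        verdict = "failed"
    elif prompted and built_silent:
        verdict = "prompted"
    else:
        verdict = "no_failure_logged"  # still confirm the server in cpda.log
    return {
        "verdict": verdict,
        "errors": errors,
        "win32": [WIN32.get(c, f"code {c}") for c in sorted(codes)],
        # Per the thread, a silent build with a password should show nothing.
        "silent_build_prompted": prompted and built_silent,
    }

def find_logs(users_root):
    """Locate ReRegister.log under each profile's Temp/CPReconnect<date stamp>/ folder."""
    return sorted(Path(users_root).glob("*/AppData/Local/Temp/CPReconnect*/ReRegister.log"))

if __name__ == "__main__":
    print(triage(THREAD_LOG, built_silent=True))
    for p in find_logs(r"C:\Users"):
        print(p, triage(p.read_text(errors="replace"), built_silent=True))
```
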
John_Richards
Contributor

What is the name of your EPMaaS Server? Where would I find this and is there a way to share privately?

0 Kudos
