Here is the TAC response:

I got reply from the internal team and they said is not possible for you test out migrations from on-Prem to EPMass.

It can only be done by PS and R&D, and i know you said you do not want to pay you will need to reach out to your sales team for that.

Please let us know if you have any other questions or comments for us on Tech support.

As a long time Checkpoint VAR, I would like to know how exactly I am supposed to recommend moving to the cloud for an existing customer?

These are loyal checkpoint customers who have run endpoint before the cloud management even existed.

It seems that checkpoint does not have a plan for their existing customer base, other than to charge them more money to move to the latest version.

Hello @Kobie_Bendalak / @Ted_Serreyn 

Any news or recommendations on the procedure to migrate an on-prem deployment to EPMaaS?

I need to migrate more than 1100 endpoints on a customer that has on-prem R80.40 management to EPMaaS.

1+ year later, same issue still exists.   Try to get PS involved, they don't quote less than a week.  TAC says PS has to do it.  Customer still hasn't migrated endpoint management to cloud and at this point is beyond frustrated.

@jcortez Have you heard anything in this space?

@Chris_Atkinson

This still requires PS. This from what I understand is an ongoing project and will not be completed anytime soon. If customers are looking for a quick migration and easiest route that would be to migrate without their existing database/migrate export and to just migrate the clients using our Reconnect Tool.

Now if a customer looking to migrate from Harmony Endpoint On-Premise to Harmony Endpoint Cloud (EPMaaS) and they are using FDE and MEPP, this makes the migration very complicated and it is suggested to migrate your database/migrate export. But again, it still remains that PS is needed for this migration and this is something TAC does not handle.

The only migration TAC can handle is if a customer is just migrating the client using the Reconnect Tool and there are no plans to bring over the database/migrate export.

Hope this helps.

Yeah no FDE, no MEPP.  It’s a simple export/import, then use reconnect tool.

PS won’t do less than a week of time, and this shouldn’t take that amount.  In addition customer has an issue with paying for this service.

IMHO, This is a case of checkpoint not considering their loyal existing clientele and how to keep them moving into the newer technologies.

We need to be able to take our new technologies and ask the question how do we get our existing checkpoint customers to migrate to this.

I understand the lack of back end access, but this is extremely frustrating as a partner to see and experience this.

to quote Gil:  “we deserve the best security solutions”.

@jcortez 

I work for a partner also and second Ted's comments here.  We are already seeing customers rejecting deals as there is no formal migration path.  I think this is very short-sighted and should be addressed urgently as we cannot recommend an "upgrade" to cloud for the customer.  This is particularly bad for customers using MEPP where they have extensive definitions already created.

Even with the workarounds I have any migration to cloud has its pitfalls and isn't a workable solution.  Given Smart-1 cloud has the ability to allow a migrate import it should be the same for Endpoint.

@Chris_Atkinson @Ted_Serreyn @Dan_Cannon 

I wanted to revisit this thread. There have been new developments/updates/changes here internally on who does the On-Premise to EPMaaS Server migration now.

When this process and special migration tools were still in testing and EA, this is why it required an RFE + PS to be able to achieve this kind of migration.

However, one to two weeks ago we have made the special migration tools for this process/procedure GA. TAC Endpoint Teams are now expected to assist customers with this. Since this is still new to us and all TAC Endpoint Engineers have not been trained to handle it, it is currently being handled by myself (Endpoint Technology Leader for Americas/DTAC/OTAC) and my counterpart Kiril (Endpoint Technology Leader for International TACs) .

So going forward please feel free to open SRs/Cases when needing a full migration (Migrate export of On-Premise EPS Server >> Migrate import to Harmony Endpoint Cloud/EPMaaS Server) as TAC Endpoint Teams now handle this.

just an FYI regarding this document - they have now updated the files to a .exe from .msi, so config.dat can be exported using 7zip from this.  And for R81 the path for make tool will be something like C:\Program Files (x86)\CheckPoint\SmartConsole\R81\81.0.9500.556\util\RepWorkFolder\INVOKE (the 81.0.9500.556 represents the build of smart console)

Dan

I was curious if anyone had an issue using maketool.bat with the /silent switch? If we run maketool.bat config.dat and then run the created reconnect.exe on a workstation it prompts us for the uninstall password and it migrates from on-prem to Harmony successfully. If we run again with maketool.bat /silent config.dat password we get the reconnect.exe but nothing happens when we try run on the client machine. We are doing more testing but wondering if we're missing something. Thanks

@John_Richards 

CORRECTION! I apparently found my brain today...

When you make a reconnect tool that includes the password and the /silent flag/switch, you will not get any indication at all that the reconnect tool is running and has also completed. That is the point when combining the two, password and /silent flag/switch, so no one on the client side is aware of anything running at all.

However, you can look at current processes/services running and you will see tools used by the reconnect tool running when looking at Task Manager in Windows.

I said here to view the 'EP_CDTDll.log', but this is incorrect.

You can also collect and analyze the C:\Windows\Internet Logs\EP_CDTDll.log to see if the reconnect tool completed and ran successfully or if it failed.

The Reconnect Tool log, ReRegister.log, would be located here...

C:\Users\<user_name>\AppData\Local\Temp\CPReconnect<date stamp>\

Are you checking the Harmony Endpoint Client to see if it is pointing to the new server or not? You can see this in the Harmony Endpoint Clients GUI/Display Overview or in it's cpda.log located here to see which server is is connecting to and all servers it is aware of.
C:\ProgramData\CheckPoint\Logs\

Thanks for the information. We changed the uninstall password on the on-prem, updated the client and made sure same uninstall password in Harmony. We run the reconnect.exe and get the popup "Please enter administrative password in order to change/remove Endpoint Security configuration". We did download a new client and extracted the config.dat and tried a new reconnect.exe and same issue. We run maketool.bat /silent config.dat password and it does create the reconnect.exe. Is there something in the syntax we are missing?

@John_Richards 

Where are you getting the config.dat from? You should be contacting TAC to get this. There is not a way to get this without someone from TAC Endpoint Team grabbing this directly from your Harmony Endpoint Cloud/EPMaaS Server for you since customers do not have access to this.

Also, does your Harmony Endpoint Client uninstall password have special characters included?

Please be aware of the following limitations...

Notes:

• 'client_uninstall_password' is an optional parameter, if not provided here, it should be entered on the client computer
• See the "Limitations" section for clients using Token-Based uninstall authentication below.
• See the "Limitations" section for clients using Challenge-Response uninstall authentication below.
• The Reconnect.exe executable will be created in the current directory.
• Include /silent in step 6 to create a silent reconnect tool.  "/silent" parameter must follow maketool.bat (ex. maketool.bat  /silent \path_to\config.dat  [client_uninstall_password]). This suppresses the message "The reconnect tool was run successfully" message which needs to be dismissed after running the tool on the Endpoint client.
• If 'client_uninstall_password' contains special characters, like $%^&*|" or space, the 'client_uninstall_password' should be surrounded with double quotes (for example: "!1@3$5^7*9"). In some cases, additional escaping may be needed, see the following link as example.
• Starting from E85.60, if client will not be able to connect to the given server, the client will revert reconnect tool changes and will connect back to old server.

Getting the config.dat was the easy part. Just followed the instructions above but now an exe and not msi. We used 7Zip to open the exe that was downloaded and got the config.dat from there. Using this config.dat and the maketool.bat does work without the /silent and password. So, the password does have a character (@) and we are going to try with only alphanumeric characters only. Will let you know what happens.

We had an issue back late last year in Q4 regarding the reconnect tool and using the silent flag. We have fixed Smart Console Packages for that. I am wondering if this is the issue you are facing. If you still face the issue after changing the client uninstall password, let me know. I will get you the CFG Smart Console Package and we can see if that resolves the issue.

Which version Harmony Endpoint Server are you running?

Is this what you are referring to on the server 

We are using SmartConsole R81 (only option we had). I tried to use "" around the password but no luck. We changed the on-prem password using only numbers and letters. Have not tested yet but will update. Thanks

Yes that is what I was looking for. Your EPMaaS Server is on R81 JHF Take 112. You are likely running into the issue I mentioned. Let me know how the test goes. I have the Smart Console CFG package ready for you. Or I can grab the config.dat from your EPMaaS Server and create the Reconnect Tool to you. However, you would need to provide your client uninstall password if you wanted me to back it into the Reconnect Tool.

Let me know what you would like to do.

Thanks so much for your effort. I would like to obtain the package if possible. I have more than one customer that needs to be moved from on-prem to Harmony.

Customer did try again using the new password but still get the prompt to enter the password. Again if I could get the CFG package that would be great. Thanks

@John_Richards 

I just reached out to you via a direct private message where I have provided the R81 Smart Console CFG Package.

So, downloaded the new SmartConsole and still did not work. Still getting a prompt for the password. From the log in CPReconnect log:

Service shutdown was called
Password dialog is launched
8
Could not load external resource, GetLastError() = 2
Error: Could not read config file
GetLastEror() = 2
Service was started

As well we are getting a wrapme.exe has stopped working error but the reconnect.exe still get created. Will post text in another window

Problem signature:
Problem Event Name: BEX
Application Name: wrapme.exe
Application Version: 0.0.0.0
Application Timestamp: 6148713b
Fault Module Name: MSVCR110.dll
Fault Module Version: 11.0.51106.1
Fault Module Timestamp: 5098858e
Exception Offset: 000a326c
Exception Code: c0000409
Exception Data: 00000007
OS Version: 6.3.9600.2.0.0.400.8
Locale ID: 1033
Additional Information 1: 3433
Additional Information 2: 34334c2e142571f7d5ce100346779462
Additional Information 3: 64e3
Additional Information 4: 64e388ea3be3f118c589186044928550

The error is as if the config.dat file you are using is corrupted. Which would make sense since the expectation is to not to pull if from an exported package but to get it from the server itself. What is the name of your EPMaaS Server? This way I can give you a config.dat file directly from it.

What is the name of your EPMaaS Server? Where would I find this and is there a way to share privately?