Server Protection migration - available since 11th of July - non used profiles hidden on 31st of Jul

PetriKuikka

Migration Goals & Benefits

 

The goals of the Server Protection migration process are:

• Provide a controlled process for the Solution Provider and/or Company to migrate its servers from their Server Security software to the latest and greatest Server Protection software.
• Ensure that the upgrade is the smooth and non-intrusive way for the end-customers. 
• Keep the security settings (profiles) intact during the upgrade process, so that you have the same level of security for the devices both before and after the upgrade process.
• Give easy way to upgrade servers at certain time with very fine grain process

 

High lights of the plan:

• Hiding all profiles that are not assigned to a device from the Server Security profile tab on 31st of July 2019 (to ease up finding of server profiles)
• Stage 1 - Profile migration will be available for SOP/SEP/Company administrators per individual profile. You can see how easy this stage is from this video.
  
• Stage 2 - Channel upgrade will be available for SOP/SEP/Company administrators per individual subscription key. Admins can also disable the channel upgrade per key once they have enabled it. Channel upgrade itself should be silent and without reboot the same way as it was in Workstation Security to Computer Protection. You can see how easy this stage is from this video.
  

 

Hiding all profiles that are not assigned to a device from the Server Security profile tab on 31st of July 2019

 

As we have no way of detecting if some profile is a server or workstation profile, we will hide all profiles that are not assigned to a device or are a company or Solution Provider default server security profile. This way it will be much easier to find those profiles that you might want to migrate as server profile. If some profile that you needed vanishes on this date, just contact the support and we will bring it back to be visible.

 

You can run the migration and upgrade at any given point and no need to wait for the profile cleanup.

 

Note! We will also leave visible all the parent profiles of those profiles that have assigned devices. 

 

Stage 1 - Profile migration (see video)

 

This is the stage during which your server profiles are migrated to the new Server Protection profiles.

• The profile migration process doesn't impact in any manner the existing Server Security or their profiles. It will just create the migrated profiles to Server Protection - profiles tab. 
• You need to own the profile to be able to migrate it.

 

PSB portal supports individual profile migrations from Server Security tab for all profiles. You will find the "Migrate profile to Server Protection" option for each profile behind "..." -button.

The outcome of a profile migration is one of the following:

1. Successful Profile Migration
2. Successful Profile Migration - There are confilict and you need to resolve them with instructions below.
3. Profile is already migrated with link to the profile. In this case if you really want to migrate again, you need to manually delete the previously migrated profile from Server Protection profiles.

 

You will need to define the company default Server Protection profile manually after the migration.

 

Note! We will not migrate any Firewall settings nor rules as the Server Security did not have the firewall component. Instead we will inherit all the values from default Server Protection profile, where the F-Secure changes to Firewall are disabled. This is done using the "Firewall" > "Apply F-Secure firewall profiles" -setting. 

 

What is a profile of conflict? 

 

If you end up in this state after profile migration, you have to validate that Scheduled scanning task settings are suitable . 

 

You have configured for scheduled scanning tasks more than 1 scanning task and/or task with fields which can't be transformed into Server Protection format. The new format supports only one scanning task, so we will just migrate the 1st scanning task which has the less number of field inconsistencies

The Server Protection software has a different scheduled scanning functionality than the Server Security software. The main cases are:

 

Case 1:  There are 2 scheduled tasks in old profile to migrate:

• Runs weekly on Monday at 9:00
• Runs daily at 12:00

In the new profile, you have to choose between weekly and daily, you can't have them both at once. Also, it is not possible to define more than one execution time, so you can't combine 9:00 and 12:00. 

It means that we can take just one task to migrate.

 

Case 2: We have a task with the following options:

• Runs once at 9:00 after system is idle for 30 minutes

In the Server Protection profile, we don't have the option to run once, available choices are: daily, weekly, monthly. Also, we don't have combined time and idle options, we have to choose one or another (just as with weekly and daily in the previous example). So, practically this task can't be mapped without changing its peridiocity and time/idle options or, if having multiple tasks in the old profile, skipping it at all in favour of another task with fewer conflicts.

 

 

 

 

8. Example scheduled scanning tasks in a Server Security profile which leads to conflicts during migration

 

How to Solve?

 

If one of the profiles you migrated contains a conflict in scheduled scanning tasks, then the section in the profile will be highlighted similar as above and once you make the required changes and click on the 'Accept and Publish' button, the conflict is considered as resolved

 

Stage 2 - Channel upgrade (see video)

 

Instead of the manual upgrade, you can now upgrade from the Portal with the channel upgrade that allows you to:

• Upgrade automatically and silently in similar manner as the Workstation Security to Computer protection upgrade worked.
  
  • If the assigned profile for Server Security is migrated, it will take the migrated Server Protection profile into use.
  • If the assigned profile for Server Security is not migrated, it will take into use the company default Server Protection profile.
• On certain time for all servers belonging to one subscription. 

This will work in following manner:

1. Go to Subcriptions page and click the "..." button for any Server Protection subscription (also supports Server Protection Premium and Server Protection Premium and RDR). Select the "Enable channel upgrade" action. This will immedialtely enable the upgrade for all servers installed with this subscription. 
   
2. They will do the upgrade automatically within next 1 hour. If you want to speed this up, just assign the "Send full status update" operation to devices that you want to upgrade immediately or press the "Check for updates" button on the device itself.

If you want to cancel the channel upgrade, just select "Disable channel upgrade" for the subscription.

 

Future improvements to profile migration and channel upgrade phases

 

Based on the feedback we will most likely add later possibilty to migrate a list of profiles and channel upgrade a list of subscriptions.

 

Known issues

 

Bandwith Impacts of the Channel Upgrade

• During the channel upgrade, the new Computer Protection client has to be downloaded. As it is a bit less than 150 MB, if many computers are upgrading and are behind a slow link, it may slow down the network. To resolve the problem, the F-Secure End Point Proxy and a normal http caching proxy should be deployed. By caching the Computer Protection client and related database, they will drastically reduce the bandwith usage.

Computer not upgrading - There are a few actions that you can take to facilitate the upgrade:

• Install missing software updates: We noticed that computers with old version of their operating system displaying a lot of missing critical security update are sometimes not updating. This is typically resolved by installing the missing security update by for example selecting the computers in the device list and using the remote action "install software updates".
• Free disc space: Your computer needs to have at least 600MB of free disc space to properly upgrade
• Free seats: In rare cases the lack of free seats can block or slow the upgrade. If you have unused computers, it is recommended to use "Remove Computers" in the portal.
• Reboot: In some cases, the new client will only be installed after re-boot (as it does not trigger the re-boot). 
• Wait: We are regularly triggering the old client to retry the channel upgrade. The client will try to upgrade three times and wait for the next trigger. 

Computer cannot register the subscription after the upgrade

• "Turn off Automatic Root Certificate Update" setting is enabled and therefore it cannot update the root certificates used by the Server Protection installer. For more information on see https://community.f-secure.com/t5/Protection/Installing-Server-Protection/ta-p/117949

PetriKuikka

Hi,

 

just as quick heads up - this Server Protection migration feature will be rolled to all production portals during today evening and tomorrow.

 

PSB Team

PetriKuikka

Hi all,

 

Update: this operation is now completed in all portals.

 

this hiding of all profiles that are not assigned to a device nor the account default profile from the Server Security profile tab is going to happen in all portals today. For more information see the 1st post. So this hiding should really only impact totally non used profiles and maybe some template profiles that are not used by any company nor a device.

 

If you lose some profiles that you still wanted to use, just open a support ticket with you account name and we'll revert the hiding of all profiles for that account.

 

PSB Team

 

 

PetriKuikka

Hi,

 

we have done 2 videos about this Server Protection migration:

https://www.youtube.com/playlist?list=PLkMjG1Mo4pKIFE6PlOA0JMIHloE58Z9RB

 

PSB Team

barkerkr

What heppens to those clients that are on older OS? Are they skipped by the channel upgrade? For example Server 2008 and Server 2003.

PetriKuikka

Hi,

 

Windows Server 2008 R2 is supported, but 2008 and 2003 are not and those servers just fail to launch the upgrade.

 

Petri

ThiagoBolli

URGENT!

Hi, we have migrated our customized profile last night, but we had a script to scan incoming files using C:\Program Files (x86)\F-Secure\Anti-Virus\fsav.exe, which is now gone.

Please I need to know where the new anti-virus executable file is placed and what's its name!!!