Computer Protection Migration

ByteTeam
ByteTeam W/ Alumni Posts: 26 Security Scout

 This article gives an overview of the migration process from Workstation 12 series client to Computer Protection client.

 

UPDATE:

- All Solution Providers have been migrated, so all the migrated profiles are available

- 31st of March, 2019: End of Life of Workstation Security client. The client will still receive security updates, but it will not anymore be under support. Using Computer Protection is the resolution for any issues. 

 

NEXT STEP: Channel upgrade is now scheduled for the remaining customers who have not yet fully migrated

 

Migration Goals & Benefits

 

The goals of the Computer Protection Migration process are:

  • Provide a controlled process for the Solution Provider to migrate his customers from their Workstation Security clients to the latest and greatest Computer Protection Clients.
  • Ensure that the upgrade is the smooth and non-intrusive way for the end-customers. 
  • Keep the security settings (profiles) intact during the upgrade process, so that you have the same level of security for the clients both before and after the upgrade process.

Migration Process

 

Stage 1 - Profile Migration (DONE)

 

This is stage during which your workstation profiles are migrated to the new Computer Protection ecosystem.

 

What happens in the background

 

  • The default profiles for each account is set based on the following logic at the end of successful migration:
    • If you have already defined some Computer Protection profiles as the default profile, we will keep that decision as it is and won't be over-writing this.
    • If you have defined some default profile for Workstation Security (and haven't defined any on Computer Protection side), the profile migration process will mark the migrated version of the default Workstation Security profile as the default in the Computer Protection world.
    • If you haven't defined any default profile on either side, the default profile of the parent account will be assumed.
  • The profile migration process doesn't impact in any manner the existing PSB Workstation Security computers or their profiles. It will just create the migrated profiles to Computer Protection - profiles tab. 

The outcome of a profile migration is either:

    1. Successful Profile Migration
    2. Successful Profile Migration - Needs Review

     

    Successful Profile Migration

     

     

    Once the migration is complete, its status will be indicated by a green banner on the homepage. This would be shown until channel upgrade commence.

    Note that the administrator of the companies logging in the portal will also be informed by same a green banner indicated as below

     

    migration-successful-flyers.png

     

    If you end up in this state after profile migration, you then need to set the channel upgrade dates for either per company level or at set it automatically which will start 14 days after successful migration. However, you are strongly encouraged to

    • Check the profiles that have been migrated and familiarize yourself with the new editor and its functionalities.
    • Check the default profile for your account as well as the security characteristics of this default profile.
    • Try assigning Computer Protection profiles to computers running the Computer Protection Client.

    See more information about this in the Channel Upgrade section.

     

    Successful Profile Migration - Needs Review

     

     

    Once the migration is complete, its status will be indicated by a blue banner on the homepage. This would be shown until channel upgrade commence.

    Note that the channel upgrade can still be done without resolving the conflicts however the profiles may be inconsistent.

     

    Similarly, the administrator of the companies logging in the portal will also be informed by same a blue banner indicated as below

    migration-conflict-flyer.png

     

    If you end up in this state after profile migration, you have work on your hands. You have to review the profiles with conflicts and resolve these conflicts before Channel Upgrade. This is a rather straightforward process. The next section provides sufficient details about what you need to do.

      

    What is a profile of conflicts?

     

    If you end up in this state after profile migration, you have to validate if the proposed profiles are suitable or to modify them according to your needs. Profiles can be in this state because of two reasons

     

    • You have firewall rules where both Allow and Deny rules are defined for same protocolport, and direction. Workstation profile firewall rules have priority order to decide which rule gets processed first. Since Computer Protection uses Windows Firewall behind the scenes, this causes apparent conflicts in firewall rules due to the order in which Windows Firewall rules are executed (Refer https://technet.microsoft.com/es-es/library/dd421709(v=ws.10).aspx).

     

    Screen Shot 2018-02-08 at 11.38.38.png

    • You have configured for scheduled scanning tasks more than 1 scanning task and/or task with fields which can't be transformed into Computer Protection format. The new format supports only one scanning task, so we will just migrate the 1st scanning task which has the less number of field inconsistencies.

     

    Screen Shot 2018-02-08 at 18.49.50.png

     

    For more information about how to handle these conflicts, check Workstation Profile to Computer Protection Profiles (Handling Conflicts).

     

    After you have resolved the conflicts in your profiles, you are strongly encouraged to

    • Check the profiles that have been migrated and familiarize yourself with the new editor and its functionalities.
    • Check the default profile for your account as well as the security characteristics of this default profile.
    • Try assigning Computer Protection profiles to computers running the Computer Protection Client.
    • Set the channel upgrade date (see next section).

     Note: With Computer Protection, the number of computers using a certain profile is explicitly indicated. Just after a migration that number will always be 0 as no computers are using the profile yet. 

     

    Stage 2 - Channel Upgrade

     

    This is the stage during which your computers that have Workstation Client are upgraded silently  to Computer Protection Client.

    - There are no banner or pop up and no reboot is needed

    - The computer automatically takes the new migrated profile in use, or if this one has been deleted he default profile

     

    Overall Process

     

    After the profile migration, the Solution Provider administrator is informed that Channel upgrade schedule has not been set and that they can select a starting date from account view.

     

    There are 2 options to set the channel upgrade schedule.

    1. Manual Channel Upgrade: From the account view, the Solution Provider adminstrator can select the new channel upgrade page tab. The Solution Provider administrator must first (as a Solution Provider in the scope selector) set a date. After that, he should select a Company or SEP view from the scope selector in the top left corner. Then he can click set schedule to define the starting date for this SEP or company in the view below. The SEP or Company administrator can also modify the date  (only when the manual channel upgrade was selected by the Solution Provider and a date selected).channel_upgrade_tab.PNG

    channel_configuration.PNG

     

    When different  starting dates are configured for a SEP and/or a company, the company will start the channel upgrade at the date indicated for the company. The rest of SEP will start the channel upgrade at the date set for the SEP. The rest of the SoP will start the upgrade at the date defined for the SoP.

     

    2. Automatic Channel upgrade: As the process is silent and does not require a reboot, the Solution Provider may not want to set a date for each company individually, but rather use the automatic channel upgrade. The channel upgrade is started 2 weeks after the migration was triggered. If the migration was triggered over 2 weeks ago, the channel upgrade will start immediately.

     

    After the automatic channel upgrade is selected, the manual channel upgrade will be disabled. It will be indicated in the channel upgrade tab as below

    channel_upgrade_tab_disabled.PNG

    Known Issues

    Security Impacts of the Channel Upgrade

     

    • If Windows firewall is disabled via Windows group policy due to using PSB Workstation's own firewall, the upgrade to Computer Protection cannot enable Windows firewall and devices are left without a firewall. The recommended action is: Prior to the channel upgrade, enable Windows firewall via Windows group policy and configure the rules to pass all traffic.
    • After the channel upgrade,
      • check the firewall status from device view by selecting category “Firewall” or filtering by the firewall value “disabled by GPO”
      • If your clients are experiencing problems with firewall blocking connections because of that, you can follow these next steps: 
        - A. If experiencing problems with outbound connections :  Add needed outbound rules for blocked protocol. You can also set “Allow unknown outbound connections” to “ON”
         - B. If experiencing problems with blocked inbound connections: Add needed inbound rules for blocked protocol. You can also set “Allow unknown inbound connections” to “ON” to test inbound connections but be aware that this will result in the computer being exposed to inbound traffic, so a better solution is to only open necessary ports and if possible only for necessary applications.

    Bandwith Impacts of the Channel Upgrade

    • During the channel upgrade, the new Computer Protection client has to be downloaded. As it is a bit less than 150 MB, if many computers are upgrading and are behind a slow link, it may slow down the network. To resolve the problem, the F-Secure End Point Proxy and a normal http caching proxy should be deployed. By caching the Computer Protection client and related database, they will drastically reduce the bandwith usage.

    Computer not upgrading

    There are a few actions that you can take to facilitate the upgrade:

    • Install missing software updates: We noticed that computers with old version of their operating system displaying a lot of missing critical security update are sometimes not updating. This is typically resolved by installing the missing security update by for example selecting the computers in the device list and using the remote action "install software updates".
    • Free disc space: Your computer needs to have at least 600MB of free disc space to properly upgrade
    • Free seats: In rare cases the lack of free seats can block or slow the upgrade. If you have unused computers, it is recommended to use "Remove Computers" in the portal.
    • Reboot: In some cases, the new client will only be installed after re-boot (as it does not trigger the re-boot). 
    • Wait: We are regularly triggering the old client to retry the channel upgrade. The client will try to upgrade three times and wait for the next trigger. 

    Unsupported Operating Systems

    • Old Operating Systems not supported by Computer Protection such as Windows XP or Vista will obviously not be migrated and still use WorkStation Security. Supported OS are listed in our Help Center.
    • After 31st of March, Workstation Security is End of Life and not supported anymore, so we cannot guarantee that it will still work on old Operating Systems. We cannot either guarantee that it will run properly on latest version of Windows as these will not be tested. Note that security updates will still be delivered to Workstation Security clients for a few months.

    Migration of Firewall rules with 0.0.0.0/0 

    These rules were not converted properly. More information in: 

    https://community.f-secure.com/t5/Protection/Computer-Protection-Firewall/td-p/116463

    «1

    Comments

    • ILIANE-Cédric
      ILIANE-Cédric W/ Alumni Posts: 3 Security Scout

      Hi,

       

      When will this option be available?

    • SergeH
      SergeH W/ Partner, W/ Staff, W/ Product Leadership, W/ Article Coordinator Posts: 45 W/ Product Leadership

      Hello Cédric,

      We have developed the migration tool and we are now starting the piloting phase. I expect that the tool will be available for all our partners in May.

       

      I am planning to invite more partners (including Iliad) to pilot next week.  

       

      Regards,

      Serge

    • ILIANE-Cédric
      ILIANE-Cédric W/ Alumni Posts: 3 Security Scout

      Ok thanks for you reply

      we are available for pilot

      Regards

    • Triuvare_SJ
      Triuvare_SJ W/ Alumni Posts: 1 Security Scout

      Hi, any updates when profile migration tool will be available?

    • SergeH
      SergeH W/ Partner, W/ Staff, W/ Product Leadership, W/ Article Coordinator Posts: 45 W/ Product Leadership

      Hello,

      We have now completed the initial piloting phase for the computer protection migration. 

      We are gradually deploying the migration tool to production.

       

      If you want to migrate before we have launched the migration in your region, let us know (e.g. through the PSB portal feedback).

       

      Regards,

      Serge

    • AshwinParkar
      AshwinParkar W/ Alumni Posts: 1 Security Scout

      How can I use my existing Log Analytics workspace?

    • ByteTeam
      ByteTeam W/ Alumni Posts: 26 Security Scout

      Hi All,

       

      We have now enabled the Workstation to Computer Protection migration for emea and emea2 today (12 Sept 2018). Partners can do the migration for them and companies managed by them as per their convenience.

       

      Migration was also enabled for amer portal on 15 August 2018.

       

      And, we will enable migration for apac in October.

       

      PSB Byte Team

    • etomcat
      etomcat W/ Alumni Posts: 1,172 Firewall Master

      Dear Sirs,

       

      I wish to complain that F-Secure's plan for mass migration to FSAV PSB CP18 and the forced phase-out of FSAV PSB WKS 12.01 is not workable and unrealistic as of now!

       

      That's because FSAV PSB CP 18.5 is unable to properly support cloned computers, which are a major part of many business and educational (school) desktop fleets. The supposedly unique F-Secure computer identifiers are confused and endpoints start to kind of "rotate" in the PSB web portal display. Please see F-Secure support case no. xxxxxx for details.

       

      The above described problem does NOT affect FSAV PSB WKS 12.01 software, which thus remains an essential tool to maintain anti-virus protection in cloned endpoint business and academic environments.

       

      Therefore migration plans should be put on hold until the unique computer ID in PSB CP 18 can be made just as robust and truly unique as it was in PSB WKS 12.01.

       

      Thanks for your kind attention, Sincerely: Tamas Feher, Hungary.

       

      EDIT: Removed Case number details

    • etomcat
      etomcat W/ Alumni Posts: 1,172 Firewall Master

      Dear Fedool,

       

      > 18.14 will support it ... cloned computers support

       

      Thanks for the insightful information!

       

      However, I still feel FSAV PSB 12.01's mandatory replacement schedule should occur no less than 6 months after general release of the new PSB CP 18 major version, with official "monolithic" installer package support and proper cloned computer unique ID support.

       

      It would be irresponsible to set the milestone 6 months after the webinar, with the stumbling block technical problems solved maybe just 4 months before the deadline. It is important to understand that many PSB end-user customers are lacking in IT skills and/or IT personnel (.e.g schools) and they need time, even when the local partners do everything in their power to help with the conversion.

       

      The popularity of F-Secure PSB solution was built over several years and the PSB WKS 11/12 client is deeply ingrained in its sucess, so it shouldn't be thrown away easily.

       

      Thanks for your kind attention, Sincerely: Tamas Feher, Hungary.

    • Julio_Haken
      Julio_Haken W/ Alumni Posts: 5 Security Scout

      Hi Fedool,

       

      Good day,

       

      Regarding this issue, we have a client with cloned computers, and also using Endpoint Proxy . I'm interested in your offer to try the test version. How could I communicate with you directly?.

       

      Regards

    • ByteTeam
      ByteTeam W/ Alumni Posts: 26 Security Scout

      Hi All,

       

      We have now enabled the Workstation to Computer Protection migration for APAC PSB3 today (28 Sept 2018). Partners can do the migration for them and companies managed by them as per their convenience.

       

      PSB Byte Team

    • ByteTeam
      ByteTeam W/ Alumni Posts: 26 Security Scout

      The migration is proceeding smoothly. Over 200 partners have already migrated including some of the biggest ones.

      Note the small enhancement that allows Company and SEP to set the channel upgrade schedule  (after the SoP has selected a date) was just released.

    • ByteTeam
      ByteTeam W/ Alumni Posts: 26 Security Scout

      Hi All,

       

      We have now enabled the Workstation to Computer Protection migration for EMEA3 portal today (22 Nov 2018). This means migration is now available on all the PSB portals. Partners can do the migration for them and companies managed by them as per their convenience.

       

       

      PSB Byte Team

    • Jan-Eric
      Jan-Eric W/ Member Posts: 9 Cyber Knight

      I get conflicts for Scheduled Scanning even if there is only one defined in the old profile. After deleting the old scanning instance and disabled it in the new profile I still get the same warning.

      scedule.png

    • ByteTeam
      ByteTeam W/ Alumni Posts: 26 Security Scout

      Hi  Jan-Eric,

       

      Could you please share the portal on which you are facing this and also the SOP/SEP/company account so that we can investigate. 

       

      Regards,

      Team Byte

    • Jan-Eric
      Jan-Eric W/ Member Posts: 9 Cyber Knight
      Any other way of sending this information to you instead of posting it here in public?
    • ByteTeam
      ByteTeam W/ Alumni Posts: 26 Security Scout

      Please contact customer care and mention this issue and this article.

    • miruben
      miruben W/ Alumni Posts: 1 Security Scout

      Hello F-Secure-Team,

       

      the automated random & silent update is a neat solution. Just wanted to ask, if I can manually trigger the upgrade on a single machine upfront, just to try out if things are working.

       

      Thanks & regards

      Michael

    • SergeH
      SergeH W/ Partner, W/ Staff, W/ Product Leadership, W/ Article Coordinator Posts: 45 W/ Product Leadership

      Hello,

      My proposal to test the upgrade is:

      - launch the migration for your SOP: All profiles will be converted

      - Set a channel upgrade date manually for the full SOP (e.g. in March, but you can change later)

      - Pick a company that you want to use for testing (with one or a few computers)

      - Change the date so that this company will be channel upgraded the next day

       

      After that you may change the date of the SOP migration to happen faster, or you may want to start by migrating a few companies at specific dates. 

    • Larsa-NicOfTime
      Larsa-NicOfTime W/ Alumni Posts: 2 Security Scout

      Profile Migration has been going on for almost 6 days without being completed. How long can it take?

    • ByteTeam
      ByteTeam W/ Alumni Posts: 26 Security Scout

      Hello

      ,

       

      The migration should definitely not take that long. Could you please contact support providing the details like the partner name, portal version and so on. 

       

      Once we get this information we will provide you the details for this long-running migration.

       

      Thank You

    • Larsa-NicOfTime
      Larsa-NicOfTime W/ Alumni Posts: 2 Security Scout

      Hi

       

      What emailadress should i send this information to?

    • SergeH
      SergeH W/ Partner, W/ Staff, W/ Product Leadership, W/ Article Coordinator Posts: 45 W/ Product Leadership

      Hello,

       

      Profile migration typically takes minutes.

      Channel upgrades can take a few days depending on the number of subscriptions and how often the computers connect.

      Could you contact our support (https://www.f-secure.com/en/web/business_global/support/support-request )?

       

      Regards, Serge

       

    • ByteTeam
      ByteTeam W/ Alumni Posts: 26 Security Scout

      Hi, 

       

      Please follow this support link to provide migration details :  https://www.fsecure.com/en/web/business_global/support/support-request

       

      Thank You

       

       

    • SergeH
      SergeH W/ Partner, W/ Staff, W/ Product Leadership, W/ Article Coordinator Posts: 45 W/ Product Leadership

      Update on the migration:

      - Forced migration to Computer Protection is (almost) complete. Migrated profiles are visible under the Computer Protection Profile tab. Profiles marked with conflict must be resolved as soon as possible. Make also sure that Windows Firewall are enabled on all computers.

      - Channel upgrade is configured to install the Computer Protection client version 19.1. The reason is that the version 19.2 requires the installation of a recent .net framework that created some issues with the upgrade process. The differences can be checked from release notes (https://community.f-secure.com/t5/Protection/Computer-Protection-change-log/td-p/100017/page/3)

      - Due to an error many computers were channel upgraded yesterday irrespective of the date configured. More info in: https://community.f-secure.com/t5/Business/Information-about-the-Channel/ta-p/115969

       

       

    • etomcat
      etomcat W/ Alumni Posts: 1,172 Firewall Master

      Dear SergeH,

       

      > Channel upgrade is configured to install the Computer Protection client version 19.1. The reason is that the version 19.2 requires the installation of a recent .net framework that created some issues with the upgrade process

       

      If a computer has channel-upgraded itself to PSB CP 19.1, will it further upgrade to CP 19.2 after a while or does it remain on version 19.1 indefinitely? (I'm asking because it seems remote FSDIAG collection is only available with CP 19.2.)

       

      I would also like to ask what percentage of the PSB computer fleet have you seen experience problems with CP 19.2 adoption (i.e. shortcomings of the .NET pre-requirement)?

       

      Thanks in advance, Yours Sincerely: Tamas Feher, Hungary.

    • maaretp
      maaretp W/ Alumni Posts: 62 W/ Former Staff

      Hi Tamas,

       

      19.1 will not stay as 19.1 indefinitely. We have not yet decided on the exact schedule we will be moving, and are also considering  taking people to 19.3 if our investigations on .NET version dependencies take us where we hope. We will inform on the schedules - right now we have decided we will not be moving forward on the releases for the upcoming two weeks.

       

            Maaret

    • SergeH
      SergeH W/ Partner, W/ Staff, W/ Product Leadership, W/ Article Coordinator Posts: 45 W/ Product Leadership

      Hello,

      We are fixing some issues and then we will upgrade the computers using 19.1. I do not have any confirmed schedule but my expectation is around 2 months.

       

      With the version 19.2, our rate of error during the upgrade from Workstation Security went up to about 5%.

       

      Regards,

      Serge

    • etomcat
      etomcat W/ Alumni Posts: 1,172 Firewall Master

      Dear SergeH,

       

      > Due to an error many computers were channel upgraded yesterday irrespective of the date configured. More info in: https://community.f-secure.com/t5/Business/Information-about-the-Channel/ta-p/115969

       

      I wish to ask if F-Secure Corp. will send warning e-mails about this issue to all PSB end-users sysadmins, delivered to their e-mail addresses found in the Account section of the webportal?

       

      (Currently the warning is available here in the community forum and in an e-mail sent to the partners and apparently to all who login to the PSB portal, as they see it in a red pop-up window. On the other hand some end-user sysadmins seldom log in to PSB portal, like once in 2 weeks ... or once in a leap year... and they assume it just it works due to automation. They wouldn't be informed according to the current disclosure scheme.)

       

      Thanks in advance, Yours Sincerely: Tamas Feher, Hungary.